There are a lot of conflicting articles on whether or not we have a cyber skills drought or deluge currently. Some say HR teams are setting the bar too high even for entry level roles, some say we just don't have enough people with cyber skills, and yet others bemoan the salaries offered.
But whichever way you look at it, candidates are complaining about not being able to get jobs, and companies are having trouble hiring into roles. So there is a disconnect somewhere.
I have actually seen a dramatic improvement in the way the process seems to work (at least in the UK) for experienced hires over the last 6 or 7 years. With organisations like the Institute of Information Security Professionals providing skills frameworks, the majority of experienced individuals I know have reference benchmarks, a clearly defined skill set, awareness of salaries and packages, and a strong understanding of where they fit in security departments. But few have a solid alignment with risk, with conduct, with the business - so the wider knowledge and experience needed for a CISO is still in short supply.
At the mid-tier, I honestly think we are oversubscribed, with a large number of skilled individuals available for hire. The problem here appears to be expectations. I see people with 5 years' experience asking for £80k and over, despite only having experience in penetration testing - a fairly narrow niche compared with what many companies are looking for. From the business perspective, that can rule these individuals out completely - which leads to HR looking at less experienced individuals for these roles and being disappointed in their capabilities.
At more junior grades I am starting to see universities producing graduates with not just technical expertise, but a more broadly applicable security skill set than previously, with luminaries such as Prof Bill Buchanan OBE leading the way in this respect - look at Zonefox as an incredibly successful company spun out from Napier University by Jamie Graves.
But conversely, I'm still seeing companies having challenges hiring graduates. Looking into this, it is obvious that some of the problems are down to how HR teams are trying to fit "cyber" graduates into their existing frameworks. Some want a CISSP for an entry level role, despite CISSP requiring 5 years' experience... Some assume that the normal grad process will pick up cyber grads, despite the process not including universities with cyber degrees.
And I would like to see more graduates coming onto the market with a broader knowledge of the jobs available. They all seem to know about penetration testing, but few seem to be aware of roles in operational risk, security audit, secure architecture design, monitoring and logging, and those jobs that don't appear so much in the media.
So can we do something about this? Of course we can, at many levels:
- Universities and industry need to continue to develop relationships for internships, development of course materials, industry days etc.
- We need to educate HR teams who may not fully understand the various aspects of cyber security.
- Individuals need to be realistic about their skill set - security is one part of a package, and if you don't have business and risk awareness you seriously reduce the opportunities that will be offered to you.
- Use frameworks such as the IISP one to define roles and skills against industry baselines.