Career Advice Tuesday – “Industry Confusion”

August 10, 2010

The following is another question that we received during our presentation at Black Hat:

Dear Infosecleaders:

I have been hearing some conflicting things about the industry and I am hoping that you can help provide me with some clarity.  On one front, I have been hearing that the need for information security skills is decreasing, and more technical information security positions are disappearing.  However, I recently have heard that our government is in need of between 1,000 and 2,000 “Cyber Security” specialists.

How can this be?  What should I believe?


Black Hat Attendee

Here was our response:

It turns our that both of these statements are true, and here is the explanation.

Many information security skills are being absorbed into other areas of technology, like networking, application development, and systems administration.  The main reason for this, is that information security is being recognized as a key area of expertise for someone to be proficient and effective in these roles.

For example, in the late 90′s and early 2000′s, an information security professional who had firewall skills and expertise was considered valuable.  However, as network engineering and architecture have evolved as skills, information security knowledge has been absorbed by these larger job functions.  In today’s job market, you could not be an effective network engineer without knowledge of firewalls, intrusion detection/prevention, or security event management/threat correlation skills.

What this means to us, is that security knowledge has become a requirement for these positions – but has disappeared as a stand alone skill, for core technical positions.   It can be assumed that any accomplished networking professional will have a degree of security expertise.  So in essence, candidates that exclusively have security skills, but lack a strong understanding of network architecture or engineering, are being bypassed for candidates who do possess this skill background.

To your other point, regarding the government’s need for 1000-2000 information security professionals, this is correct as well.  It is well documented that the government has a need for information security professionals who want to dedicate themselves to securing our nation’s infrastructure.   What makes things difficult for the government in hiring these information security professionals – are things that face all entities that are undergoing significant information security staffing initiatives.

These factors include the following:  career opportunity, skill requirements,  compensation, location, and the effective management of a recruitment process.   In addition, the government has a different obstacle, the need for people who can receive security clearances and who are willing to submit themselves to these rigorous background checks.   The government is competing with corporations, security consulting firms, and security product vendors for this talent – and in many cases they do not have the necessary resources to win in competitive recruitment scenarios.

To further make this point – We would welcome  the opportunity to assist the US government in solving this human resource/recruitment problem.  As a US citizen, I (Lee) would be able to do so, however since Mike is Canadian, he may not be able to get the clearances to be able to do so.

In closing, as we have said before, we do not believe that there is a shortage of information security talent, but there is a shortage of good opportunities that meet the goals of many information security pros – career advancement, career development, compensation, and quality of life.

Hope this provides some clarity – we can see why you could be confused with all of the mixed messages out there.

We really appreciated the question – and are glad that you asked.

Lee and Mike

Posted by lee | Filed Under Advice, Career Advice Tuesday, Uncategorized 


Comments are closed.