ironic November 10, 2015 2:56 PM

Ironically I had to sift through 6 different request sources, including a 2nd-level request once one of the primary requests were allowed, and about 10 different script sources before I could load the entire article (including graphics).

Guess web developers have to justify their salaries somehow.

Clive Robinson November 10, 2015 3:00 PM

@ Bruce,

I know from personal experience that demand far exceeds supply.

It does and it does not. It rather depends on what the C Level execs want to spend money on.

My findings are that there are quite a number of “compliance” type jobs based around particular “product”, but much less in the way of actual “security” jobs, where depth of knowledge, experience and that all important “thinking hinky” ability get suitably rewarded.

Further as many will testify many of those compliance jobs are at best thankless through to “full time whipping boy” posts. Where no matter what you do you can never win, at best and with luck get a draw.

There is also a less talked about issue of candidate province. For some reason “an appropriate military background” is considered by some to be a key requirement. The truth of the matter is “Maybe for compliance work, but not otherwise”. In the UK we have seen this “military experience is good” mentality for “prison warder”, “teaching”, “software coding” and any other job where there is currently a shortage of candidates that politicos get to hear of. Almost invariably the mentality proves to be wrong at many levels.

That’s not to say that “military background” is bad, it’s not, but it’s not magic pixie dust either. Any candidate needs job specific skills and these days those skills are not taught in the military any longer (they’ve been “outsourced” in the main). Thus it’s the other “personally developed skills” that count, that is what they have done over and above what the military has taught them.

My advice for many prospective employers is to look at what the under / graduate level education is. Personally I tend not to favour traditional IT CompSci etc, but look at those who did subjects where the in-depth use of a computer was as a tool to other research; maths, physics, chemistry and other sciences rate more highly. Especially when interviewing, the fact they have had to use computers to do very real world tasks generally comes through very clearly when discussing their experience.

Brim November 10, 2015 3:01 PM

Seems risky to try to learn anything about security these days that doesn’t involve shelling out several grand to people for a questionable education. And I mean risky as in physical safety – prosecutors have shown time and time again that they know next to nothing about the Internet and will treat slight missteps or childish pranks as if they were violent felonies.

Why should I learn more about security and work in associated fields? The Department of Justice has made it clear that prosecution is arbitrary and both minor and severe crimes are prosecuted in a similar vein.

Department of Justice prosecutors and a few state prosecutors screwing up “head on a pike” prosecutions over-and-over again has indeed scared hackers off – the good kind of hackers.

Daniel November 10, 2015 3:21 PM

For a different perspective let us turn to Brian Krebs’ recent AMA.

Unfortunately, for every 100 data breaches we read about in the news, we probably get this level of detail on about one of them. Returning to your first question to answer this one, I often hear from security people at organizations that had breaches where I actually broke the story. And quite often I’ll hear from them after they lost their job or quit out of frustration, anger, disillusion, whatever. And invariably those folks will say, hey, we told these guys over and over…here are the gaps in our protection, here’s where we’re vulnerable….we need to address these or the bad guys will. And, lo and behold, those gaps turned out to be the weakest link in the armor for the breached organization. Too many companies pay good money for smart people to advise them on how to protect the organization, and then go on to ignore most of that advice. Go figure.

So apparently the money is good but the respect is not there.

Rich November 10, 2015 3:44 PM

I live in one of the top 25 cities listed on the map and currently there are very few entry level jobs in it. Unless you have a good path into the field you aren’t going to get many applicants.

Gweihir November 10, 2015 4:34 PM

Matches my observations. While some of our customers now have to jump through hoops to find the money to pay for our work, so far they always found it, often with some tricks. I do expect that at some time they will fail and then they will escalate or actually get attacked because of that. Hence while there may be a scarce year or two ahead, that will not last. Not being reasonably secure is and will continue to be very, very expensive. And being reasonably secure requires expertise and work that not many people have and can do.

That said, from my personal experience, I conclude that not only do you need to have a lot of specific talent and motivation, you also need something like 5-10 years before your work in the security area becomes good. This, of course, makes people that can do it even rarer.

Brim November 10, 2015 4:45 PM

Would be good for Feds to do a PR campaign on how they value talent more than they want to make public examples of random people doing crimes that just happen to involve a computer. They do a better job of scaring ethical talent away from the industry.

Wordman November 10, 2015 10:24 PM

Yep, tons and tons of comp sec jobs — great niche.

Don’t know about the federal section.

Contractors get the best pay for gov workers, and haven’t seen a lot go to anyone there but guys that do shady bug finding work.

Corporations need solid security resumes, and that is growing.

IT Depends November 11, 2015 2:47 AM

Remember the good engineering answer of ‘it depends’ and then watch all five seasons of The Wire. I would venture to say, justified in a post-Snowden universe, that having a great career in IT security requires a lot of compromises, and knowing when to hold your tongue. The more skillful and successful you are, the more big conglomerates’ radar you will get on. That is a double edged sword at best.

Pops November 11, 2015 6:48 AM

What does the career path even look like? Coming from a programming background, the only security people I’ve worked with have been contractors who in the main are kept away from the development teams. After a few weeks, we get a report of high-priority problems. We resolve these, and that’s security “fixed” for another year or two.

FamilyMan November 11, 2015 7:46 AM

Speaking as a long-term IT administrator at a conservative (read: not innovative from IT perspective) company, I have the distinct impression that if I don’t produce a result — a tool, a vulnerability, a cryptanalysis, a stunt to get in somewhere I shouldn’t be able to — then I’m not going to get attention as a candidate. Only rock stars get the jobs, because so much is on the line.

Am I wrong? Is it worth the long hours of getting the CISSP, CEH, whatever, in an attempt to break into security if I don’t have substantial experience in the field already?

Family life precludes obsessively building a new tool or hacking something, in the manner of those dedicated to security innovation. If someone needs a bright, architecturally-minded person who gets security and can provide valuable insight and service, I can help. But if only experienced rock stars need apply, then I’ll go elsewhere. It’s not that I’m stupid — I was evaluated among the top 2% of graduate students (when I was in school) by many measures — but I can’t afford time from family to make a name for myself (nor am I inclined — I dislike self-promotion, what little taste I’ve had on social media).

Olaf November 11, 2015 8:24 AM

Plenty of work if you have the time and money to get the right letters after your name.

Doesn’t matter if you can do the job or not just make sure you pay for the certs.

FamilyMan November 11, 2015 8:37 AM

“Doesn’t matter if you can do the job or not just make sure you pay for the certs.”

For all our sake, I hope that your opinion is not representative of the majority of our workforce in security.

Or perhaps you mean merely that, if I am intelligent (as I claim), then I can learn the work as I go (assuming I have the theory via certs)…?

Clive Robinson November 11, 2015 8:47 AM

@ Familyman,

… but I can’t afford time from family to make a name for myself (nor am I inclined — I dislike self-promotion, what little taste I’ve had on social media).

I fully understand the dislike of “fame”, in the UK we have a saying about the way journos treat people,

    First we build you up, then we tear you down, both are news, and the faster and higher you rise the more profitable the fall.

Also there are the issues of “Only so much room at the top”, and “The quickest way to the top is climbing the corpses of those you stab in the back”.

I do not envy those at the top because it’s just a “gilded cage, on the mountain top”. The only way is down and there are always those looking to be “Jack the Giant Killers” whose only claim to fame is by being “Ultra PC” etc. If you have no freedom to be wrong, you won’t push the limits, and thus you imprison an enquiring mind…

But it’s not just the want of family life, that can stop a career before it gets started, there is a much more insidious way insiders ensure only certain people get plumb jobs.

As you and others have noted a key requirement is “experience” and you cannot get a paid job to get the experience… Which is the clue to what to look for. You will see unpaid “summer work experience” and “internships”, which will get you as much experience as you want. But to do it you have to have the financial reserves to not earn for three years but be able to travel, feed and accommodate yourself. All at that time of life where you have not had the opportunity to earn money. Thus it’s the “Bank of Mummy and Daddy” which only the upper middle class with one child can afford to do…

Such are the ways insiders ensure the drawbridge stays up behind them and only the select few get to scale the moat and walls to join the party.

The other way is to “find another bank” as an “academic journeyman” by finding an influential supervisor to do donkey work for on their research. All in the hope your name will get sufficiently known that you can get other sponsorship and grants… And eventually get to publish in your own name…

Hopefully the significantly rising need for ITsec bodies will cause a break in these effective “walled gardens” but this brings us back to that “hamsterwheel of pain” of the “certificates game”, where the certificate process is set up as an endless “profit center” where you have to pay 15,000USD over three years to qualify, then requalify every three years thereafter. Such systems favour insiders however…

Chelloveck November 11, 2015 9:03 AM

I don’t want to namedrop, so suffice it to say that the company where I work is a big name in network visibility and security products. We’re located in several of the spots on the map. We hire a lot of programmers, and we like our QA people to have a solid network admin background. It’s not a typical IT gig but it’s largely the same skill set.

@Rich: We’re definitely hiring entry-level people. I go on recruiting trips to colleges, I just interviewed a college senior (BSCS) to whom we’ve made an offer, and today I’m interviewing someone who expects to receive an MSCS by the end of the year. We also have a thriving internship program.

@Pops: We make security products, so we’re looking for permanent programmers. I’d say that a programmer who wants to work in the security space should look for a company whose core business is security products or services rather than one which is just looking to put out a fire so they can get on with whatever their core business is. Either that or look for a really large company (Ford, GE, etc.) that can support a full-time security team for their own internal use.

CISO November 11, 2015 9:47 AM

  1. I keep hearing this “shortage of security people” everywhere but I don’t see where organizations are willing to pay the salaries these shortages demand. And if they do they require 80 hour workweeks and a 24/7 smartphone leash to go with it.

  2. If they do hire a good candidate for a decent salary, then it’s by and large like Krebs said, they don’t do what the security guy tells them to do.

  3. Also, at least do enough research into the field to not expect a candidate to act as the CISO while also doing email administration. Know the difference between security program management and technical security.

  4. If companies can’t find the talent they need, they should invest in a training pipeline that gets the talent to where it needs to be. Too many orgs expect a rockstar god on day one.

  5. To those asking about certs; employers pay attention to certs because it’s a quick way to differentiate one candidate from another. It’ll get you an interview because it checks the box that HR thinks it needs. Whether or not it’s the correct way to go about it, that’s just the reality of the field. If you have a knowledgeable person sitting across from you at the interview table, however, you better be able to talk the talk and walk the walk.

albert November 11, 2015 11:36 AM

“…salaries are booming…”

That’s great. So we can expect a big increase in the quality of security in the IT realm.

I’m also waiting for our incredible military spending to end the wars, bailouts to improve our financial system, and gov’t subsidies to reduce energy and food prices. Oh, and that $5B to be spent on the next ‘election’ will definitely improve our political system.

Everythings comin’ up roses.

. .. . .. _ _ _ ….

Chris November 11, 2015 4:26 PM

Having just completed my job search, I can say that a lot of what I saw is contract work for 6-12 months. It feels like companies are still in the band-aid mode for security, which is better than total head in the sand, but still short of real investment.

Unbob November 11, 2015 7:06 PM

I have to agree with Chris and Clive R. I’ve been on the market recently, and there are a lot of contract jobs that look like the company just wants an individual to do the compliance work before an audit. I’ve seen several postings for positions with x number of years with y product, as if they lost a key team member and want a drop in replacement. There are also the DoD SOC type positions where there is a high burn out rate and the supplying contract organizations plan for this by only hiring on 1 to 2 year contracts.

When I see complaints about the lack of available skilled workers, I can’t help but think a lot of executives are looking for a very specific cog and getting annoyed that they can’t just pull one off the shelf and place it in their organization.

Frank Wilhoit November 11, 2015 7:19 PM

Anecdotal data point #1: the company whose cybersecurity department contains ~30 full-time personnel whose job is to review, line by line, the source code of vendor software (under escrow, of course), with veto power over any proposed purchases

Anecdotal data point #2: the company whose cybersecurity personnel are asked every day “what are you doing to protect us from the ?”

Putting these together with the other comments, I think the conclusion must be that it is pointless to generalize about the cybersecurity employment market or the skills that are in demand.

Bernard Hopkins November 11, 2015 11:43 PM

@ Family Man, @ Olaf, @ clive robinson • November 11, 2015 8:24 AM
“Doesn’t matter if you can do the job or not just make sure you pay for the certs.”

Without a doubt, the “Certs” game is by design and is not limited to security. It’s a game borrowed from other tried and true standards of procedures, applied to the security industry on an en masse scale.

A product is a tried and true piece of knowledge produced by its creators, who held expertise in an area, because it sells. As the smarts are limited, each expertise must meet problems of scale, thus its experts create products to scale its application by enlisting people with less expertise to become effective operators of their expertise. We saw this in the OS market, now we are seeing this exploding in the security industry making riches for the few.

As all expertise doesn’t come free, apprenticeship doesn’t either. Paying the dues continuously to stay in the game can be rewarding for most people because most people don’t have the interest to continuously innovate. They have families to care for.

Short Term Contract November 12, 2015 9:12 AM

I concur with Unbob: most of what I’m seeing available are short-term contract jobs for 6 to 12 months or so with a required skillset a mile long. Pay seems good on the surface till you realize you need to subtract for the benefits you’re not getting and the extra taxes you’ll pay for working on a 1099. Not to mention that you’ll have to temporarily move to a different city and live in a hotel for half a year that you’ll probably have to pay for yourself.

Maybe the shortage isn’t lack of workers, but a proliferation of gimmicky pie-in-the-sky “jobs” that are obviously not worth the compensation and show us the company could care less about the worker.

Employers need to show that they’re serious about security by creating security job slots that are actual solid jobs with a salary, benefits and a career track like any other.

I’d also say that the security practitioner industry is ripe for unionizing. The need for apprenticeship is there, the need for a standardized career structure is there, and the demand is there.

albert November 12, 2015 12:47 PM

In software development, the ‘contract job’ thing has been around for decades. In an economic system that views workers as a necessary evil, people are commodity items. You might as well hire through your Purchasing Dept. Why bother with HR? Many companies, large and small, find it cheaper to hire contract coders and H1Bs. Since the system is based on ‘next quarter’ shortsightedness, God help your customers if last year’s code needs some support. Who cares? That quarter is long past. That’s what you’re paying your contractant du jour for, n’est-ce pas? Since making your product run is more important than making it secure, there’s nothing to see here, folks, just move along…

Yeah, I know the post is about IT security. I’m just pointing out the long history of contracting in the software business. BTW, all kinds of engineering jobs are contracted now. For some reason, contracting is more prevalent in the s/w sector. Thoughts?

Slightly OT, does anyone know if large corporations carry insurance policies specifically against hacking losses?

. .. . .. _ _ _ ….

Paul Dodd November 12, 2015 8:59 PM

@ Short Term Contract

“I’d also say that the security practitioner industry is ripe for unionizing. The need for apprenticeship is there, the need for a standardized career structure is there, and the demand is there.”

Apprenticeship is oftentimes a life-long relationship that pays for itself in several different ways. What I’m looking at is a knowledge curve: at some point the apprentice outgrows the mentor in certain areas, but not in experience, and they tend to complement the mentor’s skills if mentored well. Short term contracts may put a bother in this relationship, but people stay in touch.

veld November 12, 2015 9:59 PM

I really wish there were apprenticeships in this field. Currently, short of luck or connections, there really is no way to move into security efficiently. Any recommendations where to start?

Paul November 13, 2015 2:40 AM

@ veld

Apprenticeship in any field does not come cheap. There are those who seek to mentor apprentices but for the most part you need to exhibit a penchant for or be on somebody’s statistics. Those tend to be kept tracked at a young age going forward as it can groom into life-long relationships that those involved cherish well like a childhood friend. For the rest of us, we can visit local guilds of our trades. See if we can buy someone a beer or cup of coffee and go from there. Good luck.

Shadeflayer November 16, 2015 7:42 AM

Having just completed the job search myself, which was a quick flip fortunately, I agree that many of the positions out there are temp contractor slots, 6-12 months as mentioned. Those are band aid positions. Operational budget protection racket at its finest.

Reminds me of a past employer and the crap they pulled on me. Fail a major federal IT audit and a re-inspection in 18 months. Federal auditors mandated they hire a Security Manager. I get hired into a fancy title (VP) and asked to build a security program from the ground up and pass the re-inspection. Finish building a world class SOC, pass the re-inspection with flying colors, only to have my position cut 5 months later by a “reorg”.

So many, many organizations are still playing lip service to real, long term cyber security.

ianf November 16, 2015 4:31 PM

@ Shadeflayer […] “many organizations are paying lip service to real, long term cyber security.”

And not only cyber security, but that’s basically what all capitalist entities are governed by: the need to keep budgets, next quarterly results, and maintaining the growth curve (if not in real dollars, then in market share, etc). Else the capital may as well be invested in index-following mutual funds or something. So why should cyber security afford special financial-outlay treatment, when there are ready made scenarios for Crisis Management should the need arise (paid from contingency reserves).

I’m no IT wizard, but it seems to me that when tasked with building that “world class SOC” you should have added, built in, a degree of temporal obsolescence. Like a dead man’s grip function that causes it to “hiccup” when you’re not around. Not sabotage it chugging along, merely cause delays and awaken the need for ongoing maintenance (say a random periodic overflow condition that prevents garbage collection (hint, hint)).

Having spent around half a year of my life on unraveling the structure of a 50s FORTRAN engineering simulation routine, and, later, deciphering inner workings of an undocumented huge BASIC-with-local-embellishments (compiling to p-code) inventory program, I am positively sure that parts of both were written with that future-employment-hook in mind (only I, fresh off the Uni, turned out to be cheaper ;-)) My Aha! moment came when I realized that the original programmer “absentmindedly” reassigned variables with trailing CRs to local new instances that only worked once per sequence. Clever.

So treat that experience of yours as “educational,” and better luck next time.
