Hand in your notice – by 2022 there'll be 350,000 cybersecurity vacancies

The General Data Protection Regulation (GDPR) will force European organisations to expand their cyber workforce, causing demand to outstrip the supply of expertise. Two in five governments and companies will expand their cybersecurity divisions by more than 15 per cent in the next 12 months, according to a survey by the …

  1. WibbleMe

    So that's 350K white hats and by night... how many black hats, hmm?

  2. Anonymous Coward
    Anonymous Coward

    They'll just outsource it to India and what could possibly go wrong, Dido ?

    1. Anonymous Coward
      Anonymous Coward

      Outsourced to India

      Exactly my thoughts.

      These days, no boss will think of employing people here. According to the IT Business world, it can all be done in India at half the price, to a higher standard and in half the time.

      In reality, only one of the above is even remotely true.

      But by the time the PHBs realise this, all the people with the skills will have retired, on the dole or are thoroughly sick of training up their 'nodding donkey' Indian replacement.

      Been there, done that and now I'm more interested in my Allotment than firewalls, penetration testing and the like.

      1. Tom Paine
        FAIL

        Re: Outsourced to India

        These days, no boss will think of employing people here.

        Why, then, is unemployment lower than it's been since the early 1970s and employment at an all time record high?

        Just for S&G I typed "IT security" into Jobserve just now:

        9,909 jobs for IT security

        http://www.jobserve.com/gb/en/JobSearch.aspx?shid=9CC35AE07E68E9A9F5

        1. Long John Brass
          Pint

          Re: Outsourced to India

          9,909 jobs for IT security

          And out of that

          990 that don't ask for 10 years experience in a 5 year old technology

          99 that actually want to pay anything near market rate

          9 that are within 100km of where I live

          -9 that EXACTLY match my skill set (Oh you don't have experience with foo v9.0 sorry foo v1.0 thru v8.9 doesn't count)

          Pint Icon: As we all need some(lots) libations to clear the palate after dealing with HR/Recruiting muppets

      2. Trigonoceps occipitalis

        Re: Outsourced to India

        It's like the engineering trinity: on time - on budget - on spec - pick two out of three.

        In this case: resilient, secure, cheap.

        1. Anonymous Coward
          Anonymous Coward

          Re: Outsourced to India

          "resilient, secure, cheap."

          Except, I don't think you're allowed to pick two. I'm not even sure you're allowed to pick one most of the time.

    2. Anonymous Coward
      Anonymous Coward

      re: Outsourced to India

      the problem is (not will be) that all that outsourcing has now driven wages and expectations *up*. To the extent that a lot of Indian outfits are slowly sliding their prices up. Which against the fall (and yet to fall) Sterling rate is starting to make those deals look a tad expensive.

      It's ironic, really, as it's the trickle-down economics so beloved of the free-marketeers in action.

      There is also an additional fly in the ointment that some skills simply can't be offshored, as no one in their right minds in Kolkata is going to study 1970s COBOL.

  3. Anonymous Coward
    Unhappy

    Reality check

    Cloud Cuckoo Land

    "In order to manage the skills gap, (ISC)2 is calling on employers to do more to embrace newcomers and a changing workforce ahead of the adoption of GDPR, which comes into force next May. Training and a willingness to hire promising people from outside the existing cybersecurity workforce will be crucial."

    Real world

    "In order to manage the skills gap, companies will need to "restructure" the current workforce, outsource to cheaper locations and not bother to invest in current staff."

  4. Anonymous Coward
    Anonymous Coward

    350K more jobs in India most of them filled by dead souls (as per Gogol).

    Why should I care?

    Disclaimer - I quite happily abandoned infosec as a field in 1999. I never regretted it.

    By the way, before honing your CV double-check if you have a Russian grandma, know a Russian grandma or have inadvertently breathed in some Russian grandma fart at some point. If you have - you are not getting the job in this climate (*). You are hereby disqualified on grounds of national security as you obviously have a red under your bed.

    (*)While it is OK for the royal family to have an occasional Russian relative, for the proles it is not

    1. Korev Silver badge
      Big Brother

      I guess that being POTUS Trumps those concerns

    2. phuzz Silver badge
      Trollface

      "I quite happily abandoned infosec as a field in 1999"

      Always good to have an up to date point of view, thanks.

      Fortunately IT is such a slow moving field that there's no chance of anything changing in almost twenty years.

      1. Dan 55 Silver badge

        Apart from the training. There's always less training.

  5. Velv
    Alert

    So "there's going to be massive number of jobs in the arena we just happen to cell certification in", says report

    1. M7S
      Headmaster

      "cell certification"

      Would that be infosec as provided by one Manning, late of the U.S. Military?

  6. Christian Berger

    I'm sorry, but at least in Germany...

    ... where we already have such mandatory rules, the job of the "Datenschutzbeauftragter" typically isn't staffed by someone particularly adept with technology. It's more a compliance type of position. You make sure you have an overview about what kinds of data are stored and when they are supposed to be deleted.

    It's not an infosec position.

    1. Doctor Syntax Silver badge

      Re: I'm sorry, but at least in Germany...

      "You make sure you have an overview about what kinds of data are stored and when they are supposed to be deleted."

      In the UK you'd need to supplement that with making sure data are actually deleted according to schedule (will this finally bring the DNA and ANPR data to heel?) and making sure marketing don't spaff customer lists to their chums in spamming businesses.

  7. Anonymous Coward
    Anonymous Coward

    17 months to retirement

    BUT

    WHO'S

    COUNTING

    16.9999999

    16.9999998

    16.9999997

    1. Dan 55 Silver badge

      Re: 17 months to retirement

      Change to long double and the digits will fly by.

      16.999999645342391029940312.

  8. Whitter
    WTF?

    £87,000+ ???

    "Demand is driving record salaries with 39 per cent of UK cyber workers commanding annual salaries of more than £87,000"

    Really? I only know a handful of "cyber" people earning anything remotely close. Job ads (or agency phone calls) almost never have anything breaking £50k.

    1. Dr Who

      Re: £87,000+ ???

      Ah but do you have the right skill set? Communicating risk to the board is an essential part of the job.

      If the phrases "gotta have the right hashtags" and "security depends on removing the scourge of end-to-end encryption" do not sound right to you, and if "pen testing" for you does not involve vigorously scribbling with your BIC biro then you're never going to earn £87K I'm afraid.

    2. Anonymous Coward
      Anonymous Coward

      Re: £87,000+ ???

      Depends on demand in your local area.. but it is possible, but you have to be willing to move or travel.

      15 months ago, I earned a comfortable £55k pa managing an IT team in Hampshire, then got made redundant. 5 months ago I earned £65k managing an IT team in London. Now I earn £85k as a Security Administrator in the City, no management responsibility and I get a decent work life balance (purely because they know if they treat me like a bitch, I can walk next door straight into a new job) .. so it is possible, you just have to look.

      A/C to protect innocence.

      1. Dave 15

        Re: £87,000+ ???

        85k in London vs 55k next door... with the excessive commuter fare and the extra 3 hours a day travelling.. not enough by a long stretch

        And still not the 87k the report claims

        I agree with the posters that say ...

        a) if you don't have exactly the right experience you won't be considered (even though government ministers can go from managing hospitals to managing defence etc. and CEOs can go from crashing banks to running chemist shops).

        b) Companies just don't pay, which is why people aren't interested in doing engineering jobs of any description, 50k pa? yup, sounds good but then look at what it costs you (home near work in the expensive areas of the country... Cambridge, Reading, London, degree, suit, car, travel) and compare that with sitting at home all day watching tv and playing on your xbox in Cumbria on the dole with housing paid for ... suddenly doesn't look so good

        c) Training... just a joke, companies never have and never will in this country, they just don't have the foresight

        d) Outsourcing... yup, the answer to all 3 of the above, despite the continual failures of the idea (BA latest example whatever they claim... a pound to a pinch of the proverbial it was a bodged software upgrade)

        1. This post has been deleted by its author

  9. FuzzyWuzzys
    FAIL

    "It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society."

    Welcome to an IT career in the 21st Century! I well remember when my career started back in the late 1980's they couldn't throw enough training at you, pushed from course to course all the time. Roll forward 30 years and I haven't seen the inside of a training room in 10 years, when I want to learn something these days I'm expected to do it off my own bat in my own time.

    1. Anonymous Coward
      Anonymous Coward

      Those were the days when UK IT companies often had their own dedicated training centres. New courses were added as products were introduced. In many cases a good techie wrote and delivered the first course. Then a professional lecturer took it over for future delivery.

      Courses were also good for company integration. You had several days socialising with people you hadn't met before. Eating, drinking, sharing rooms, playing squash or croquet, and even early morning swims.

    2. Aqua Marina

      "...are unwilling to hire less experienced candidates"

      I remember in 2002 being told I was unsuitable for a job, because I didn't have 5 years experience in Windows 2000.

      1. Anonymous Coward
        Anonymous Coward

        Years of experience in a new product

        That old thing.

        Yep, a job advert wanted 5 years of Windows 8.1 two months after it was released. For a laugh, I said that I had the experience. I got the interview but the PHB was a complete tosspot.

        The same with SQLserver 2012. Hadn't even been released and adverts were wanting 2 years experience with SQLServer 2012. The Recruitment agencies are idiots.

        Win some, lose some.

  10. Korev Silver badge

    What do they actually do?

    £87k is a huge salary for the UK, what do these jobs actually entail? Our Cybersecurity people mostly seem to run around with Excel sheets of vulnerabilities found in scans and nag the system owner to fix it - an important job but not one that commands a £90k salary. Penetration testing etc is a lot harder, but I can't believe that the UK needs 350k of them.

    Happy to be corrected on my assumptions above...

    1. Tom Paine
      Pint

      Re: What do they actually do?

      £87k is a huge salary for the UK

      Not in London and immediate environs, it isn't. Have you seen what rents are like down here? And it's a fiver a pint...

      (Admittedly if you're a dual income household it goes a lot further. But I'm not bitter... much.)

    2. tfewster

      Re: What do they actually do?

      You're talking about vulnerability management and auditing there, which involves scanning, pen-testing and interminable meetings about how to fix the problems with 0 resources.

      There's also Incident Response (Long periods of boredom followed by a few hours of frantic activity), Policy and Compliance (that no-one listens to), and Identity and Access Management (The nasty people who make it difficult for techies to do their jobs).

      I do the technical bits for free, as I enjoy that. But I get paid handsomely for the meetings and paperwork.

  11. Anonymous Coward
    Anonymous Coward

    There is no skills gap.

    It's just fucking expensive to certify and there are pointless barriers to entry.

    The CEH for example requires you to attend the course or prove two years experience. Given how easy the cert is these are silly requirements.

    The OSCP takes 6 months and a few thousand to pass.

    The CISSP is largely a management cert and worthless to a hands on practitioner or pentester.

    I could go on.

    There's also the issue of credibility. The CEH for example is the security industry equivalent of banging a fat chick. You'll do it because the recruiters want it, but you'd be ashamed to tell your mates about it.

    1. Outer mongolian custard monster from outer space (honest)
      Stop

      Re: There is no skills gap.

      OSCP doesn't take 6 months. I'm doing mine next week starting & I will take the exam in a month.

      I'm already CREST certified, I'm doing OSCP next because it appears to be a more internationally accepted qualification and when I have that, I'll be working towards another higher certification with CREST, I think you're right in that CEH and CISSP are something people get because they're easy and just keywords for a CV. I for one hope CREST and OSCP certs continue to be hard to get and the value placed on holders of them are priced accordingly.

      The poster going on about lack of training & unwilling to invest on talent inhouse is close to the mark. I worked in security for the past 15 years solid, watched all the people around me get cyber stuck in their titles and fed breadcrumbs of courses and free training & just carried on doing the work quietly. I decided I should take some time off and have an extended holiday as I was starting to burn out and now I hold a number of very fresh shiny new certs I've paid for myself and when I'm all rested and certified I reckon I'll be hungry and sharp for a new role and I'll hit the ground running and make an asset of myself instead of grinding my way through the week like so many people do. So this whole article is good news for me.

      1. Doctor Syntax Silver badge

        Re: There is no skills gap.

        "The poster going on about lack of training & unwilling to invest on talent inhouse is close to the mark."

        This is where freelancing scores. You make your own decisions about training. Clearly it means loss of billable hours as well as fees and travel and accommodation if you don't live near enough to the training centre. But a client unwilling to train up their own staff is going to have to take in a freelancer to fill the skills gap.

    2. Ken Hagan Gold badge

      Re: There is no skills gap.

      "The CEH for example is the security industry equivalent of banging a fat chick. You'll do it because the recruiters want it..."

      Are these recruiters the reason why there are so few women in IT?

      1. TheVogon
        Trollface

        Re: There is no skills gap.

        "Are these recruiters the reason why there are so few women in IT?"

        No, that's the fault of bean-to-cup coffee machines

    3. Anonymous Coward
      Anonymous Coward

      Re: There is no skills gap.

      "The CISSP is largely a management cert and worthless to a hands on practitioner or pentester."

      It's certainly at a higher level than most practitioner or pentester exams, and I would suggest therefore far more valuable. It's by far the widest and in depth knowledge base of any certification I have otherwise come across. For instance a 6 hour! exam.

  12. Anonymous Coward
    Anonymous Coward

    £87K for *contract* CyberSec is a bit low :-/

    And I wonder how much PI insurance will be once GDPR starts to bite fine-wise...

  13. coldcraft

    You think any Euro companies would pay to relocate someone from the US with a Sec+? ...asking for a friend.

  14. Anonymous Coward
    Anonymous Coward

    It's all total...

    Bullshit. There seems to be a quorum here in the comments that the "cyber" positions that need to be filled are all show and little substance. Business (and government) gave up a long time ago on actually doing anything of substance to reduce computer security risk. This is window-dressing to lull the shareholders into a false sense of security. Those positions don't require computer science skills because they won't be *doing* computer science. They'll be taking inventory and transcribing reports by computer scientists. What those responsible for the headline gloss over is that the ranks of real computer scientists (and technologists whose experience gets them close to the mark) is shrinking. A huge percentage of those currently in the field are happily retiring year over year, and warning their sons and daughters to find some other more lucrative pursuit. Interesting how this comes on the heels of reports that there are massive layoffs now happening in the Indian tech sector.

    Personally I can't wait to see the tweet in ALL CAPS from a frustrated CEO who can't browse the Internet because the company PC on his desk is infested with malware, and whose twitter account then gets hijacked by some young pup from Eastern Europe who used a key logger to grab the passwords and account numbers for all the moron's offshore slush funds.

    1. Doctor Syntax Silver badge

      Re: It's all total...

      The children of those retiring now will already be in mid-career. It's our grandchildren we should be warning off. Why did I just give grandson/apprentice my copy of Unix The Book? (I just looked inside the cover. Publication date 1982. 35 years I've been doing this stuff. Where did they all go?)

      1. Long John Brass
        Terminator

        Re: It's all total...

        @Doctor Syntax

        Know how you feel mate; 32 years at the coal face myself. No sprogs therefore no grand-sprogs, but mates have; I've been telling the fresh faced little bastards that Bio-Tech would be where I would be investing my interest if I was in their shoes.

        Luckily none of them seem interested in IT; They have watched their fathers grey & burn out. The money has been mostly good, but those days are behind the industry now I think.

        1. Dave 15

          Re: It's all total...

          Other suggestions than biotech...

          for girls, get boob implants and get on a tv show... plenty of follow on work for a big boobed star (no brains needed)

          for boys, go and kick a football around a park

          for either try doing a few hours of acting school then if you can't do film work you can be a politician or CEO (basically they are both just acting roles)

          All of these pointless activities lead to multi-million pound salaries for the lucky few, multiply chance by reward and decide that it pays better to try ... and fall back to the dole in a quiet cheap corner of the UK if you fail, nothing to lose really.

  15. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    The reason why these people move on so often is because they are all mostly charlatans (not the band) and they run out of pointless stuff to say and report after 6 months in a company.

    1. Korev Silver badge
      Pint

      "charlatans (not the band)"

      Upvote and a pint for the Möngöl Hörde lyric

      Even if it was accidental.

  17. 0laf
    Trollface

    Certs are good mmkay

    Clearly all certs are a meaningless racket, created as a self fulfilling business for cert companies to fool HR robots into insisting that having a cert is the be all and end all of infosec.

    Except for the one I've just done, you have to be a technical genius, business guru and sexual tyrannosaur to get that one. Natch.

    And £87k, many lols. I've seen a few advertised above 60k outside London and they are invariably CISO roles or CHECK team leaders.

  18. John 104

    @AC

    "What those responsible for the headline gloss over is that the ranks of real computer scientists (and technologists whose experience gets them close to the mark) is shrinking. A huge percentage of those currently in the field are happily retiring year over year, and warning their sons and daughters to find some other more lucrative pursuit."

    As one of the latter, technologists with experience, and with kids, I have encouraged them to pursue careers in anything but IT. Not development (shit hours, low pay), not infrastructure (declining need). My son is pursuing aerospace engineering, and my daughters are undecided at this point (young). They are all smart and will do fine after college.

    It isn't helped by the cloudification of everything. Companies see an IT salary that can be cut since infra moves to the cloud. Problem solved! So there are less positions open as the infrastructure is consolidated to the big players. As such, salaries will go down for those roles in the short term.

    Folks that grew up tinkering with PCs to get games to work are aging out (myself included). It's all plug and play these days and doesn't require any troubleshooting skills or thinking to make things work. And the next step was a career in IT because not everyone could do it. You should see how useless our help desk guys are when there is an actual problem with hardware or operating systems...

    So you are either very adept at technology or go to college and get a high paying job, or you don't have the exposure that a lot of folks had to get them started and get low pay and low prospects. Doesn't bode well for the industry in the next 20 years.

    1. Custard Fridge

      Your post makes me feel like Marvin the paranoid android "I think you ought to know I'm feeling rather depressed"

    2. Anonymous Coward
      Anonymous Coward

      "It's all plug and play these days and doesn't require any troubleshooting skills or thinking to make things work."

      But when things go wrong - that is when experience and an aptitude for troubleshooting become essential***.

      When I took early retirement there was no one who could take my technical trouble-shooting role. I was pulling rabbits out of hats after a couple of years in the industry - but it took a lot of hard graft to find my way round both the hardware and software on many different new systems.

      In my sunset years the technical youngsters either wanted a career progression into middle management - or expected external diagnostic tools products to give them instant answers.

      ***The obligatory reference to E.M.Forster's 1909 story "The Machine Stops"

  19. Anonymous Coward
    Anonymous Coward

    I'll pass, thanks

    I know too much to do cybersecurity work. It's shit and you can't win.

    Programming also pays better in good years, even working remotely.

  20. PTW
    Windows

    Old is new again.

    It was NCE, MCSE, CCIE, now there's some new "must have" cert for the 20 (or 30) somethings to shell out for. All by paying your money to some "training" company that trains you in cramming answers; critical thinking NOT required.

    Cue loads of bods getting certified and depressing wages again.

    *Full disclosure, I completed my MCSE in two weeks; but you know what, it didn't teach me how to figure out NT4 won't install from CD if you call your CD drive, "CDROM" under DOS. *$^"* ^$&"£%%*"$!!!1! I don't know if the bug still happens in a VM, in theory it should as it's a DOS/NT issue. Go on, try it, you know you want to....

    No longer a Windows User, just a bum ----->

  21. AmoebaUK

    Aren't these security roles for people who are too crap/thick to code?

  22. Anonymous Coward
    Holmes

    Don't need many peeps...

    "Cyber" work is an ideal use of AI deep learning agents, looking for unusual patterns in the matrix.

    Cloud will also reduce the attack surface as box patching is systemically undertaken by AWS/Microsoft at their hyper scale data centres.

    All this GDPR nonsense sounds like former CLAS consultants hoping to get back to billing £1k/day!
