On the Cybersecurity Jobs Shortage

In April, Cybersecurity Ventures reported on extreme cybersecurity job shortage:

Global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021, according to Cybersecurity Ventures. The number of unfilled jobs leveled off in 2022, and remains at 3.5 million in 2023, with more than 750,000 of those positions in the U.S. Industry efforts to source new talent and tackle burnout continues, but we predict that the disparity between demand and supply will remain through at least 2025.

The numbers never made sense to me, and Ben Rothke has dug in and explained the reality:

…there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp.

[…]

Most entry-level roles tend to be quite specific, focused on one part of the profession, and are not generalist roles. For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems. They are not looking for someone interested in security.

In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.

That makes a lot more sense, and matches what I experience.

Tags: cybersecurity, employment

Posted on September 20, 2023 at 7:06 AM • 36 Comments

Comments

Winter • September 20, 2023 8:06 AM

For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems.

If this is anything I have seen they want to hire 2023 graduates with 10 years of experience.

Muhammad Naveed Khurshid • September 20, 2023 8:42 AM

Assuming Ben is right that the provided facts and figures are not true. There are still unfilled jobs in USA alone and many of those job requires U.S. Citizenship and top security clearance. This I believe is an issue here. Due to the nature of such jobs, no foreigner on a U.S. work visa can be hired.

Solutions:
1. Motivate U.S. citizens (who are citizen by birth) to come forward and do contribute to fulfill such job requirements.
2. Recruiters in U.S. should accept people with skills (minor trainings or industrial certification) but not only university degrees (as many people can’t afford or not willing to do university degrees).
3. Online courses offered by Coursera, EdX etc. can be a game changer here. Potential employers should promote such courses as they are not as expensive as universities (university fees are much higher as compared with Coursera, EdX etc).

Keith Douglas • September 20, 2023 9:01 AM

I think we (as a species and in each jurisdiction) should think about professionalization. While that might appear to reduce candidate pools, I think long term it may help. For example, if software development became actual engineering, with that as a protected title (as it is here in Canada), there might be a drop (long term) in crappy software – so less work for application security specialists like me. 🙂

Clive Robinson • September 20, 2023 9:03 AM

@ Bruce, ALL,

A very real question is,

“Why do Cyber-security?”

The article points out,

“Industry efforts to source new talent and tackle burnout continues”

But fails to mention that there is no career progression, acceptable renumeration in later life to hwve a family and zero chance of getting up the managment ladder for what is a very intensive training from realistically a very early age (if you’ve not shown the “bug” by the time you are in 5th grade, you are probably not going to make it up the ranks on the technical side).

Realistically it’s not a career that goes anywhere but hospital due to physical or mental illness due to stress.

Worse it has a quite low “glass ceiling” and practitioners are seen by many responsible for promotion as little more than “Garage oiks” that have swapped their “oily rags and coveralls” for “pocket protectors and glasses”. Worse others see them as an obstruction to get around and defy rather than work with.

Then there is the lack of real metrics… Thus it enables “snake oil” to be produced by the bucket full as “Security Applications” that lets be honest in many cases are little more than traffic light dashboards ontop of dubious rules.

But as I keep noting, the “professionals” do not appear to learn from the industry history, even when it’s less than a decade old…

Then we manage to alienate half the potential candidates by apparantly being a bunch of misogynists at best if not active sexual preditors…

d m • September 20, 2023 9:09 AM

The real problem is that people will not read logs. It takes very little skill but it is very rarely done. While hiring for a sysadmin/security position the question was “How much of your day is spent reviewing logs. The expected answer was 10-15% of their time, the usual answer was less tham 10 minutes, 20% of candidates spent less than 10 seconds

YMMV

Garage Oik • September 20, 2023 9:24 AM

How many who’ve got the “bug” – who are computer nerds and genuinely interested in arcane details – would really want to “get up the managment ladder”? Sure, it pays better and is stereotypically presented as the only way to “have a career”, whatever that really means. But unless money is really tight, wouldn’t a typical nerd prefer intellectual progression instead? Learning more, doing more advanced stuff, maybe some teaching to others.

Becoming a manager means less, if any, time to work on what interests us in the first place. It can mean longer hours / less work environment protection as well. Is that worth it? I don’t think so. Of course those who live/work somewhere with very low pay and no work environment protections anyway, might have more reason to “climb the ladder”.

Ben Rothke • September 20, 2023 10:00 AM

If you can’t see the entire article referenced, use this link: https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823?sk=9dfae4d5614a4ad4681bbfb8e58a99dc

TimH • September 20, 2023 10:20 AM

Cybersecurity Jobs Shortage?

Shirley it’s a talent shortage, not a jobs shortage…

Terence Kam • September 20, 2023 10:37 AM

I agree with the author that the so-called cybersecurity skills shortage is largely a demand-side dysfunction rather than an actual supply shortage.

That’s the point I was trying to make at:
Why ‘dead bodies’ of cybersecurity victims will pile up faster?

Unless the demand-side is reformed, the problem will not be solved. Ben Rothke hit the nail on the head in the last paragraph of his article.

Clive Robinson • September 20, 2023 12:51 PM

@ Garage Oik,

‘would really want to “get up the managment ladder”?’

I’m guessing you are not married nor have children.

As for,

‘Sure, it pays better and is stereotypically presented as the only way to “have a career”, whatever that really means.’

Pays better? I know of people who are not very good javascript coders without degrees that get payed two to three times what a cyber security “worker” with a masters and five years under their belt gets.

Yes it’s better than “stacking shelves money” but not by much and the hours are longer than being a shelf stacker.

The usual work life is they get no encoragment or support and seen as an unwaranted and unproductive cost. And when the inevitable happens because some idiot enabler gets their way over sound security, guess who gets the blaim?

Not the idiot that’s for sure…

Nearly all software written by major software houses with more programmers than you could physically count in a day is flawed security wise and often badly so. Hence for instance NS Patch Tuseday just gets bigger and bigger and harder to properly check, to see what detrimental effect it’s going to have.

Then you’ve got that in house javascript guy who realy does not understand something as basic and important as serialization…

He’s seen as increasing the bottom line, whilst the cyber security guy if he’s even consulted is seen as not just an obstacle to business progress but a business cost that is too high even on a junior salary. And when it goes wrong as it always will because the number of skilled attackers trying to get in is several a day and thus the cyber security guy is out numbered he gets his cards marked and is at best at the bottom of the pay raise and annual bonus lists.

Worse the C suit boss of the cyber security is almost certainly technically unknowledgable and has an MBA or legal background…

As for the HR and recruitment process, they want the impossible and want to pay less than a junior programmer earns. They’ve know clue as to what the very many knowledge domains of cyber security are and don’t care they expect a candidate to have it all which is impossible.

The burn out rate for cyber security practitioners is realy very high as realistically they can not do all that their job description says they should be able to do… And even if they knew how there are just not enough hours in the day to do it, even if you were never to leave the office and only sleep a couple of hours under the desk…

Back in the 1980’s you used to hear of “Network Admins” moaning about the fact nobody cared about them till something went wrong. Well trust me having done the jobs, I can tell you the Network guys back then had it easy in comparison to quite a few cyber security guys these days.

Ken • September 20, 2023 4:42 PM

Most CISOs are like Engineers acting like Doctors with useless certifications. Only companies like Google, Amazon have competent CISOs with security engineering backgrounds. They have to, to support these CISOs who have never done any real cybersecurity work in their entire career except learn to talk some lingos.

In general, in the US, any job that requires hard-to-attain skills like chip design, security/software engineering, etc., there is always a dearth. But there is plenty of supply for sales/marketing/pseudo-cybersecurity types of jobs.

Stacy Chen • September 20, 2023 5:00 PM

Ken wrote ”Most CISOs are like Engineers acting like Doctors with useless certifications”. I live that nightmare.

A big problem also is that a lot of these non technical CISO’s get all their information from Gartner. If it is not on a Magic-Quadrant, these CISO’s are blind.

It’s a very sorry and sad state of things.

Avery Moody • September 20, 2023 8:23 PM

Garage and Clive, some people are just not cut out for “the management ladder”; the type of company that would make them a manager is maybe one for every job-seeker to stay away from. When interviewing, ask about a “technical track”—that is, non-management opportunities for career advancement. I know several people, with families, who make that a strict requirement when looking for work. Basically, the company keeps increasing your pay and giving you fancier job titles, like “software architect”, “chief pentester”, or “senior security researcher” (small companies will often let you make up your own title; pick something you think will look good to future employers).

Kraaa • September 21, 2023 1:50 AM

I looked into the source of maby of the “cybersecurity jobs shortage” claims years ago and I kept arriving at two groups:

Feds and Cert-granting organizations.

denton scratch • September 21, 2023 6:25 AM

@d m

The real problem is that people will not read logs.

You can spend 100% of your time reading logs (depending on how mach stuff you are logging). It’s tedious and repetitive; consequently it’s highly error-prone. Reviewing logs is a task that cries out for automation; the only log that should need human review is the log_reviewer.log.

When I was responsible for this kind of thing, I usually spent 10 minutes at the start of the day, scanning some of the logs. But mainly I use logs to track down problems that became evident in other ways.

P Coffman • September 21, 2023 11:09 AM

…and all of this “stuff”…

While I tend to agree, my disclaimer? I have invested in learning about cybersecurity. On the other hand, I have a slight passive income and a background in computer science.

We have created every variation on a theme, and the industry has promoted hiring those with the array of skills to glue it all together. A lot of innovation is by necessity.

Next, recall when Microsoft had many buffer overflow issues and said the product was an operating system. I beg to differ. How could it be an operating system with “I get to read/update somebody else’s data?”

See, we keep patting ourselves on the back for moving at lightspeed. Then, when our IT platforms start doing the shake, rattle, and roll, we need to bring in a new class.

At present, I am dealing with variations in cloud offerings. Mostly, they are reinventing the wheel of system administration and then taking their cut.

Mahhn • September 21, 2023 1:36 PM

I’ve been infosec for 9 years. Was in great health when started, had a mini stroke from stress (not a fat guy, very athletic) and constantly under red alert. I’m done, will never recommend this job to anyone. It was fun and interesting 5 years ago – but now I know, it never gets better, just alarms and management that things advertisers have the answers and keep loading us up with crap products because of some sales pitch that can’t deliver. It’s like trying to put out a fire that never dies, and can’t because the company is leaking gas on it. hope I get out before it kills me.

Givon Zirkind • September 21, 2023 2:00 PM

Cybersecurity jobs require trust and the standards are either too high or erroneous. For example, a bad credit rating. There’s no proof that this will affect job performance. Yet, in totally civilian jobs, HR will hot hire you. NYC passed a law that makes this illegal. (All the contradictions to other laws notwithstanding.) That’s for a totally civilian job. Many cybersecurity jobs are military or quasi military. Protecting the power grid for example. So, stricter standards apply. Then, entities like the NSA, whose hiring standards will eliminate many with capable cybersecurity skills as risks; has a culture that clashes with the private sector that has those skills. That becomes a problem. We are usually privacy freaks (although I know of no studies), pay cash a lot, maybe don’t order online, maybe use real maps and not a GPS, etc. Ditto the banks, bank management and HR but, not on the same level as the NSA.

It is not for lack of skills that I have been denied such jobs in the past. Rebuilding a disk. Recreating data and trolling through bits & bytes is just for me. I didn’t know what kind of images needed restoring. But, the police would like a police officer to find child porn. They left that part out of the job ad.

To catch a thief you need a thief. Banks, hospitals, gov’t and esp. anything military are not interested in ppl who can code on a low level and have written logic bombs; disk wipes; studied ransomware code, reversed engineered ransomware code — for fun. Don’t get me started on our hobbies and areas of study (rockets, radar, submarines, underwater fuses, pyrotechnics, infrared vision, the list goes on). We are too oddball and considered loss canons. But, we would lock down their systems like no tomorrow and would just refuse to leave the door open — not caring who you are or; if you sign my check, “I will not send credit card information in the clear. Deal with it.”

Ken • September 21, 2023 2:20 PM

If you have Competent security leadership in place, most issues including unnecessary burnouts, easy exploits we see in Healthcare/Fintech are rare. Continued data breaches from the credit bureaus in the US are really laughable if you look at their security leadership.

Competent: One who has a strong- security engineering foundation, risk management, and data privacy engineering. Rest can be easily learned on the job including laws, regulations, compliance, etc., In fact, you may be already more than compliant with whatever obligated regulations with such Competent leadership with compliance being the lowest bar on security maturity.

It is hard to find such strong all-round security leadership in the US because most of the hard parts including software development have been outsourced to so-called cheap labor countries 3 decades ago.

Clive Robinson • September 21, 2023 2:34 PM

@ Mahhn,

“Was in great health when started, had a mini stroke from stress (not a fat guy, very athletic) and constantly under red alert.”

Yup you have my sympathies and understanding having trod a similar path.

I had the advantage that I started out as an electronics engineer that did design for various parts of the broadcast and comms industry including for “bomb disposal” so got labeled “RF Expert” and later developed an interest in industrial control and associated safety system of various types so got further “Expert” labels tacked on.

Computer security was yet another hobby I turned into a profession that grew out of working on designing Comms Security and certain types of covert surveillance equipment (using not just encrypted systems but LPI as well).

So when the crap piled up to the point it stunk, I would just jump not just jobs but professions.

The advice I always give people is,

“Build up 6-18 months of ‘drop dead’ money”

So you can just decide not to turn up to work any more, and spend your time either learning a new skill or seting up your self as a contractor or small business.

Likewise if they “let you go” you can laugh all the way out the door.

A big thing incompetent managment rely on is that the employees are quite literally “wage slaves” thus live in perpetual fear, and that alone from primate studies shows is enough to knock a decade off of your work life or more off of your life expectancy.

The other thing I advise is always have hobbies that you can make use of to keep the wolf away from the door. But… try not to make the mistake I made over and over, of turning hobbies into professions thus work life. Not only do you loose a hobby, you have to find another one to replace it to keep the life balance.

But another piece of advice is always try to work within a relatively short distance from home. Every hour you spend sitting behind the wheel of a car is effectively two hours of your life lost. I used to run cycle or walk to work as it was as good as a visit to the gym but atleast you got somewhere at the same time. The furthest I did on a regular basis was walk/run 10miles either way or cycle 60miles either way. I won’t say I was fit, but I did one or two “Ironman” events when they first started in the UK, but I hated the swiming in what was probably sewage infested waters.

I have a toast that I use when socialising,

“To health, to wealth, and the time to enjoy them both.”

It’s worth remembering that to me “wealth” does not mean money or physical possessions.

name.withheld.for.obvious.reasons • September 21, 2023 6:48 PM

Just to relate an on the job experience, working at a leading university in the U.S. I had the opportunity to build out their first world class data center. An on campus network, very robust by standards of the day and still is, and online data and course resources for multiple campus sites. Discovering the sub-seven root kit on a solaris install, I notified the FBI’s National Infrastructure Protection Center and informed them.

The FBI came out for a site visit, three persons from their field office, as they were looking at what I’d been doing for our build outs, the computer scientist with the team remarked, “We should be doing this.” For every “firmware” based install set, always updating manufacturer’s hardware where ever found whether in a NAS/SAN or FDDI card, screen shots were taken of each screen and added to the hardware inventory data set (paper, and digital). I described to the FBI the exercise was to catch anything changing on the displays indicating differing behavior, an additional sanity check.

After the site meeting from the FBI, I received a return call from the NIPC, Washington DC, I indicated we had something in process. I also said, please do not hit the big red button, but of course they did.

Having their lead scientist affirm the process and then stating it was something they want to do, I could feel my confidence sink. But it only got more interesting from there. Sometime at a later date, I’ll explain.

Tom Boucher • September 21, 2023 7:26 PM

My oldest kid went through a boot camp, got the security+ cert, all the things they could do to prep for an entry job

Ghosted on every application.

I think it’s gonna take a few more Las Vegas style ransoms before hiring folks wake up.

Brian Goldson • September 21, 2023 8:08 PM

It’s about time someone called out Cybersecurity Venture for their crappy data.
And it’s not just the ‘millions’ of security jobs they say are out there. They also claim that: Cybercrime To Cost The World $10.5 Trillion Annually By 2025
https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/
Maybe if they had a high school student do the numbers, they’d see it’s so very bogus.

Brian Goldson • September 21, 2023 8:10 PM

Tom Boucher – your oldest kid may have bene sold a bill of goods for that boot camp. And the Security+ cert is the equivalent of a GED. Won’t get a person a real security job.

JonKnowsNothing • September 21, 2023 10:24 PM

@Tom, @Brian, All

re: The High Tech Job Mill-Stone

As has been mentioned in other posts, getting a job in any High Tech field is not that easy. The Ads and Promos make it sound a cinch, however it is anything but. Additionally, there is a high turn over and if you are not moving UP (see title and money) you are not going to be employable for long as the rate of tech change accelerates.

A few years back AI was a dead end. Colleagues who got extra papers in AI couldn’t get a phone interview. Now it’s the rage and if you don’t know “something” about AI, you are going to get passed over for the one who claims they can make it Sing, Dance and Play A Whistle at the same time.

When considering the competition consider this:

Which will a company want: a Newbe with a Cert or a BruceClone?

They might not want a CliveClone because a CliveClone would show them the error of their ways, in manner the CEO, CFO, Board of Directors and Venture Vultures won’t like.

So not too worry you got nothing (yet) but take it as a Big Hint, what ever you put down was not enough to get past the AI Resume Scan.

Once you fix the AI Resume Scan Halt, the next hurdle is the one (there is always at least one) who is going to run the interview through a Mensa-Lens. It’s notorious as means for rejection but it shows exactly how much the “potential boss or co-worker” fears that an up and comer will displace them.

===

ht tps://en.wikipedia.o r g/wiki/Mensa_International

(url fracture)

JonKnowsNothing • September 21, 2023 10:45 PM

@Muhammad Naveed, All

re: US Security Clearance Citizenship

fwiw: There is an entire ladder of security clearances and for many “U.S. Citizenship by birth” is not a requirement, only US Citizenship (birth or naturalized). (1)

Where would we be without Wernher von Braun…

As far as why no one in their right mind would want such “distinction”? Clearly you have not seen the light. Here’s a torch for you: CIA, NSA, FBI and the 27+ other Federal Law Enforcement Agencies, followed right behind with their Hat and Gloves High Tech friends in First Class Private Jets that make it all possible.

===

1) There maybe some thing above the bottom drawer.

ht tps://en.wikipedia.o r g/wiki/Wernher_von_Braun

(url fractured)

Winter • September 22, 2023 1:30 AM

@Tom Boucher

I think it’s gonna take a few more Las Vegas style ransoms before hiring folks wake up.

The money is in cleaning up, not in prevention.

Think about health. Who earns the money, the people that keep you healthy, or the MDs that stitch you up after you smoked and ate yourself into hospital?

Think about company physical and financial security. Who gets the money, those who keep people’s hands and feet out of the premises and tills[1], or those that capture the people who did manage to enter?

Cyber forensics and pen testing are reasonably well paid. Cleaning up after a ransomware attack earns you money.

The reason is simple. Maintenance is a cost, repair leads to income. Prevention is invisible, cleaning up after the fact is very visible, both in the eye and the books.

[1] See, eg, Mark Twain
‘https://americanliterature.com/author/mark-twain/short-story/the-mcwilliamses-and-the-burglar-alarm?PageSpeed=noscript

Clive Robinson • September 22, 2023 6:42 AM

@ Muhammad Naveed, JonKnowsNothing, All

Re: US Security Clearance and foreign birth / former citizenship.

Further to @JonKnowsNothing’s comment above, is a case in point that is just comming into the news, and presumably eventually the MSM.

It concerns a case of spying to Ethiopia and someone with multiple clearances who was once an Ethiopian, and still had ties there,

https://www.theregister.com/2023/09/21/it_help_desk_guy_arrested/

But to be honest their alleged behaviour makes you wonder why they were not caught earlier…

Mike Herbert • September 22, 2023 7:51 AM

Cybersecurity Ventures is a 1-man operation that churns out a lot of press releases which the general media treats as the Gospel.
You can see hundreds of articles spewing the same figures of millions of security jobs that are open. But not a single one of them challenges the validity of the figures.
If you read deeply, Cybersecurity Ventures is just making predictions, but all the articles quotes it as official research. It’s stupid on so many levels.

Chris Larsson • September 22, 2023 8:12 AM

Here’s an article: The Crucial Role of Entry-Level Cybersecurity Positions; that this week quotes the same figures of millions of open jobs. Need to ‘trust, but verify’. And no one has verified Security Ventures data.

https://cybersec.thrivedx.com/s/the-crucial-role-of-entry-level-cybersecurity-positions-11143

Steve Stinson • September 22, 2023 10:04 AM

So there’s millions of open cybersecurity jobs?????

There’s a very technical term for that. Its called: Irrational exuberance.

Eitan Caspi • September 23, 2023 8:25 AM

We will never fix the infosec skill shortage by doing the same thing we are doing today, not even if we will through more “power” into it – it does not sum app against the risks we face and the resources we get.

We, and even more important – the top non-sec managers, have to change the paradigm – most of the work and responsibility needs to be distributed to the folks we work with – IT, Dev, DevOps, etc., and we will focus on helping them, managing the process from above and handling core security-only tasks.

As long as infosec is perceived as the sole work and responsibility of us, the infosec folks, infosec will not get better.
Infosec needs to be a core part of any product and service, hence getting attention and resources by everyone in the lifecycle chain.

I wrote about this in details at https://fudie.net/we-must-change-how-we-do-information-security-here-is-my-suggestion/

fib • September 23, 2023 8:55 AM

Sorry for the rant-ish words but it looks like youth is too distracted to learn hard things and living too fast to be computer nerds like we were back int the 70’s and 80’s – though, as everyone knows, there is no shortage of young, videogenic ‘security experts’ on YouTube. I wonder what will be made of the infrastructure of the world in the not too distant future.

It’s not in my spirit and I hate to say it, but given what I’d call deterioration of the ICT production environment, I’m starting to flirt with the idea that at least part of the ICT activities should be regulated [like engineering].

My anedocte: In the part of the world where I live [SESA], the field of technology – at least the part of it that is visible to the public, the commentary – is getting increasingly colonized by lawyers, journalists and sociologists, who very obviously understand nothing about engineering or hard sceinces. I even see it as minor social phenomenon. Much of the ‘discussion’ about security is superficial and focused on banalities of life on the internet and social networks. The most respected security expert around is a journalist. You will never hear someone refute the ‘I have nothing to hide’ argument, and you will never hear the word Linux. In the various soviets, ahem, government councils that swarm in all spheres and have an inordinate influence on technological matters, you will hardly find a real computer science professional, the kind that would frequent this forum.

The society of the spectacle, where being an expert is also an spectacle.

Bob • September 27, 2023 2:50 PM

@Muhammad Naveed Khurshid

Jobs that require security clearance also require you to treat cannabis like it’s exponentially more dangerous than alcohol.

Intelligent folks with options aren’t trying to play dumbass pretend games.

Bob • September 27, 2023 2:56 PM

@fib

Maybe these things are exponentially more complex and intertwined, as well as changing faster than they did in the 70s and 80s.

Your post has the hallmarks of out-of-touch “just walk in and ask for a job” career advice, with a dash of “kids these days” myopia.

It’s good for your ego, I’m sure. Not so good for being informed, however. Without exception, when I’m untangling some god-awful mess of data center, it got that way through years and decades of malfeasance by “computer nerds like we were back int the 70’s and 80’s” not bothering to keep up with the times.

The people just now walking into various technical nightmares are not responsible for the creation of the nightmares they’re just now walking into.

D • October 22, 2023 4:26 AM

The shortages are structural.

No entry level jobs means you have no pipeline for development. No reinforcements means no vacations, no work life balance which then translates to more shortages. Its a deflationary spiral.

Education from academic institutions in general hasn’t been practical. They often optimize not for graduation rates but for keeping people in school as long as possible at their and government expense. You see this in weed-out courses where the testing you are evaluated on may structurally be invalid (impossible, a guess, not logical inference).

There is also not enough mention of how many high-powered IT professionals, simply refuse to work in government (state or federal), this includes academia. They won’t even bother applying. To do these technical jobs well you have to be rational, and structurally most government positions I have seen have to primarily deal with the irrational in its various forms.

The disincentives of structural bureaucracy far outweigh any potential incentive provided. This often may broadly include positions that require clearances and academia, segmenting the factor market pool available significantly.

Any shortage is the result of a factor market breakdown, and rationally predictable if you’ve happened to have read or been familiar with essays by Ludwig von Mises, written back in the 1950s. They were focused on structural aspects of socialism, but it broadly applies to most centralized (bureaucratic) structures.

There are also many generalists that do not have degrees, and most mid-large companies completely discard these applicants as non-viable when in fact they may have the skills and experience. They are often selectively and arbitrarily filtered out, either at the business level, or because their insurance or regulatory affairs impose additional requirements for coverage of these positions such as credentialing (for 3rd-party requirements).

Being a self-taught generalist with about 9 years in the industry, I’ve heard more than my fair share of “We see you don’t have a degree, we can’t pay you what we would pay someone who is qualified but we do have another position available at $(1/3 the salary) with similar responsibilities.” The desperate say yes, everyone else will walk with a No thank; and they simply won’t reapply.

Many certifications for the most part are also optimized for arbitrary failure without accountability; just like most of academia. Interestingly, so far AWS Certifications are a notable pleasant exception, ironically given their current antitrust litigation, they handle this area better than any other provider I’ve seen.

There are also many companies that say they are looking to hire, but are not actually looking, with no real position available. These companies misrepresent positions which in fact are not available, and are doing so for some other purpose.

Maybe it is just to interfere in employee-labor relations to drive labor to middlemen, or data mining the applicant, or for competitive intelligence; segmenting the market.

I’ve personally had some experiences where companies misrepresent prospective interviews and then during those interviews keep circling back to questions about previous employer’s environments, which were unprofessional and inappropriate. (i.e. asking questions about confidential information, where I had already said I couldn’t answer legally as that’s confidential information).

There are a lot of shenannigans with no way real way to vet prospective employers beyond to see who still has their job postings rotating every x number of months as a lagging indicator.

State-run job boards ironically don’t have this problem because they require attestation under penalty of perjury that the position is real, and available and will be filled (I believe, I could be wrong on that part); Unlike other more commonly used commercial services.

Job seekers only have a finite amount of time they can spend on job seeking each day with no real way to discern the viable jobs from the downright fraudulent. They aren’t paid for job seeking either; its at their fundamental cost (or the governments expense if they happen to live in a state with unemployment/benefits programs).

Labor shortages are largely the result of undue interference in the market with lack of any kind of rational policy or timely enforcement against bad actors. This is unlikely to change.

Eventually any motor will stall if it has enough resistive friction.

On the Cybersecurity Jobs Shortage

Comments

Leave a comment Cancel reply