We've all heard the familiar refrain any time cyber security professionals gather: There aren't enough qualified security employees to fill the glut of available positions. In fact, Forbes recently went so far as to label this shortage of security workers a crisis.
The author of the Forbes piece, Brian NeSmith, CEO of security operations center-as-a-service provider Arctic Wolf Networks, argues that it's this shortage, more than flawed security practices or the emerging set of tools hackers are using, that's emboldening the bad guys.
"They’re doing everything they can to take advantage of understaffed firms that have little ability to prevent, detect and responds to attacks," wrote NeSmith. "These companies are at high risk of suffering a data breach that may take years to recover from."
Reading between the lines, the implication is that there's nothing companies can do to shore up their security strategies more effectively than finding good people. And that means abundant opportunity for security pros.
That said, just because there are a ton of jobs for security workers to consider doesn't mean they're all good jobs. In fact, it can mean the opposite: Many of today's cyber security jobseekers have to work that much harder to find the desirable positions in the haystack of openings.
Meanwhile, employers are reluctant to fill cyber security positions with people who lack the required skills and experience.
So, in this environment, what's a cyber security job-seeker to do? Fortunately, there's no shortage of perspectives on how to find security jobs, and the University of San Diego has a really helpful primer on how cyber security pros can find the right jobs. In addition to a rundown of cyber security positions and their average salaries, USD makes it clear that a combination of certification, experience and education is the key to ending up in the right gig.
While education and experience are both components of a career that must be accumulated over time, certifications represent the most immediate way for security pros to boost their resumes and make themselves more attractive to a wider swath of potential employers.
USD recommends a handful of certifications that carry weight with potential employers. Among these are CISSP (especially critical for jobs with the Department of Defense), CISM (addresses governance, risk management and compliance), CISA (focuses on auditing and monitoring information systems, GIAC (helps in developing hands-on technical capabilities such as intrusion detection and forensics), and CEH (validates the lawful use of hacking abilities).
With so many available security positions, however, not every job requires candidates to come via a cyber security career path. In fact, a recent CNBC piece made it clear that there are plenty of opportunities for people to switch from other career tracks into cyber security, and that many positions can be a good fit for people coming from different disciplines. One source even suggested that many technical skills can be taught on the job, and that problem-solving capabilities might be the most critical skill a candidate can possess.
"I think we have perpetuated this myth that cyber security is based on this hacker stuff, sitting in a basement and only working on technical things," Vyas Sekar, an associate professor of electrical and computer engineering at Carnegie Mellon's Cylab, told CNBC. "In fact, it's those with an analytical mindset that can do very well in the cyber security field. The sort of basic computer science that is necessary can be taught later. It's maybe more useful to think of cyber security as solving a bunch of interesting puzzles."
In other words, people in law enforcement or the military, or those with abundant experience in analytical roles, may find a soft landing in cyber security if they're looking for a new career path. And while these converts eventually will want to obtain a CISSP certification, among others, they don't necessarily need this validation out of the gate.
Pete Metzger, a cyber security recruiter for DHR International, told CNBC that many security executives have entered the field from IT and risk-management leadership positions, and later obtained critical certifications.
"The key is really having those strong leadership skills and the ability to communicate and put a price on how these issues could hurt the company financially," he said.
If it sounds like job seeking in cyber security is a mixed bag, it is. Some roles call for lots of hands-on experience in security, as well as numerous certifications. Others can be filled by analytical minds bringing discipline from other areas of business. And still others are ideal for entry level people that can be trained on the job.
There really is a role for every occasion in cyber security, enabling job seekers to come at the field in a variety of ways. The hard part for candidates is figuring out which roles are right for them and finding those jobs in the expanding pile of openings.