In this episode of the Cyber Work with Infosec podcast, host Chris Sienko interviews Tim Herbert, vice president of research and market intelligence at CyberSeek, the foremost online cybersecurity career research engine and CompTIA, one of the IT industry’s top certification associations. CyberSeek combines job posting data with localized job market data to create an interactive tool that can map out cybersecurity career paths.
This article will explore this podcast episode and present every question asked in detail, laying out Tim’s invaluable insight into this useful cybersecurity online career research engine. The second half of the podcast is a demo of CyberSeek which is so interactive and hands-on that no written article can do it justice. CyberSeek can be found here.
How did you get involved in security and get into your role at CompTIA and CyberSeek?
Tim Herbert describes himself as a data junkie and he has been fascinated with it for years. His security journey has been deeply entwined with research, which he does full time at CompTIA as their head of research. This passion has led Tim to delve into the burgeoning field of data analytics. Part of his passion is due to his love for understanding the world around him and playing around with data mapping.
Where did the idea for CyberSeek come from and what problem was it trying to address?
CyberSeek has been trying to fill a void that has existed in cybersecurity career path planning. While the Bureau of Labor Statistics does a good job with high-level information, there is a major lag when it comes to technology. In the case of cybersecurity, they only count 100,000 professionals as working in the field.
Since technology touches everything today, CyberSeek wanted to better size the work force and show what employers are looking for and a more accurate picture of what the workforce looks like.
Why does the Bureau of Labor Statistics say there are only 100,000 people working in cybersecurity?
The choke point here is that many jobs show up in different job categories than what the job is. The Bureau does not want to jump on to every new job buzzword there is for consistency’s sake, so it takes a long time for them to catch up to the reality of the job market for cybersecurity. Tim hopes that within the next few years will take a more granular approach to this.
What do you believe is the biggest cause of the skills gap?
This is a nuanced question as the “skills gap” is a catch-all for a collection of different labor market challenges. These include soft skills, location, pay gap and employer perception gaps.
The big causes include the fact that technology is changing so rapidly that it strains both employees and trainers. The other cause is the fact that security has so many more moving parts now than it did just five years ago. Security is not just about securing the perimeter anymore but also soft skills, learning the business, knowing where your data is stored and more.
What are your thoughts on the theory that the skills gap doesn’t really exist, but that it’s more of a training gap?
There may be an issue with how the net is cast out for prospective hires. Tim says there’s a joke floating around that goes this way: they demand five years of experience working with technology that has only existed for two years.
Aside from demanding the impossible, Tim said that under-investing in training and not crafting training well is another major contributing factor. The fact is the unemployment rate for IT is around 2% and for information security this rate is approaching 0%. The response has been to cast out a bigger net and even remove the requirement of a four-year degree in certain situations.
Are there any job areas where the skills gap is shrinking?
It is difficult to precisely quantify the size of the skills gap. For certain jobs, such as where security makes up only 30% of the job (not security-dedicated), there has been great progress in incorporating a security element into the training. Gaps emerge where there is a certain specific security skill set required that the jack-of-all-trades security professional does not have.
The other components are soft skills-related, including employers increasingly wanting industry-specific expertise (healthcare and manufacturing, for example) and an increasing desire for employees to know the business behind the technology.
How can infosec workers avoid burnout when the technology advances so quickly?
Avoiding burnout stems from an in-built characteristic of the best infosec workers — being a good learner. This means not only that you are open to learning but also you enjoy it and are constantly learning.
Employers prefer candidates with a broad foundation of technology, education and training. Candidates with this broad foundation are likely to be better equipped to learn. Keep in mind that organizations have a learning mindset.
Tell us about how CyberSeek works and its alignment with the NICE Cybersecurity Workforce Framework?
One of the foundational pieces of building it out was when Tim created the beta version of the CyberSeek map in 2015 and presented it to great applause at a cybersecurity conference. There was a decision made to scale it and then partnered with Burning Glass, a data company that provides job posting data.
CyberSeek then aligned with NICE, the cybersecurity education arm of the National Institute of Standards and Technology (NIST). The NICE cybersecurity workforce framework is incorporated into CyberSeek and uses seven top-level job domains and 53 job skills to provide a holistic approach to analyzing cybersecurity jobs.
In this episode of the Cyber Work podcast, Chris Sienko interviewed Tim Herbert — Vice President of research at CyberSeek and head of research at CompTIA. Tim provided a valuable look into CyberSeek, including the path that he took to get there.
You can watch this episode here: https://youtu.be/raTeCStoUGU
- Cybersecurity Supply/Demand Heat Map, CyberSeek
- Take Control of Your InfoSec Career with CyberSeek, Cyber Work (YouTube)
- NICE Cybersecurity Workforce Framework Resource Center, NIST