The Cybersecurity Industry Is Hiring, But Young People Aren't Interested

Daniel_Stuckey writes "Cybersecurity, as an industry, is booming. According to the Bureau of Labor Statistics, jobs as network systems and information security professionals are expected to grow by 53 percent through 2018. Yet, young people today aren't interested in getting jobs in cybersecurity. By all accounts it's a growing and potentially secure, lucrative job. But according to a new survey by the defense tech company Raytheon, only 24 percent of millennials have any interest in cybersecurity as a career."

hire me

I'm not a millennial, but I am familiar with computer system security, and while I don't have a security clearance, I do have a clean record which makes it possible to get one. Perhaps raytheon et al are simply expecting too much for too little pay. They're not going to find BS degree'd, clean cut 20 somethings with no criminal record if they insist on offering $12/hr wages. That mythical 22 year old working 22 hours a day for 22k a year doesn't exist.

The employees are out there but they cannot work for chinese slave labor wages, nor do they want that lifestyle.

Re:hire me

[InfiniteLoopCounter]

I have to agree. I would have worked for Raytheon if they were interested in me as I have all the required study and would work initially for cheap, but they have basically said f*** o** to me in the past with no response. How am I supposed to now be interested in working for a company that only seems to want people with existing experience as well as skills? Sounds like they want to avoid training anybody and have poor HR people, do little advertising at universities, and cry like babies when they "can't find anybody."

Re:hire me

[Samantha+Wright]

Fun science fact: that figure may soon be below minimum wage in Ontario.

Re:hire me

[gl4ss]

I don't know who the fuck made the conclusions but 24% is a friggin big portion.

that's like bigger than firemen, airline pilots or what have you. it's such a big pile of people that there's no frigging way for them all to have jobs in "cybersecurity".

would be rather pointless too if more than a quarter of a generation was needed for it. that would be quite telling of the fact that they wouldn't be actually doing any cybersecurity work but working as STASI.

Re:hire me

[NJRoadfan]

If the job required any sort of federal security clearance, chances are they were looking for someone who already had one. They don't want to spend the time and money on getting clearances.

Re:hire me

[CRC'99]

The employees are out there but they cannot work for chinese slave labor wages, nor do they want that lifestyle.

11 months ago I finished my Commercial Pilots License - I haven't been able to find any work at all since completing it. That was the last time I touched a plane.

The same problem exists. People are expected to splash $100k AUD on their license, then work for ~$25k a year. Not to mention get themselves to jobs on their own dime etc... I hear the same lines "There is a massive pilots shortage!!" - which is absolute bullshit. We just have to take other jobs to pay off the loans etc we took for our training.

It just about gutted my career - but this is the world we live in. Now I'm only casually employed - and making about the same amount as I would as a pilot - while working only a handful of hours.

Re:hire me

They don't want to spend the time and money on getting clearances.

First, the contracting companies that hire the people do not pay for the clearance. The fed pays a third party to do all the investigations. It is all about the time. It can take a year or more to get a clearance. The government will not put any one in for a clearance unless they are working on a contract that requires that the person has a clearance and most contract will not allow a person to work on the contract unless they already have a clearance. It is a catch-22.

Re:hire me

[Notabadguy]

What the civilian world calls cyber security, the military calls information assurance (IA) and information warfare (IW).

My personal story:

I was in the army's IA ranks. I had an active TS/SCI clearance, had published policy papers within my...inner specialty, was a welcome addition to Defcon - I have an Ivy League education, at the time had an incredible network of IA/IW contacts, and left the army as a JMO (Junior Military Officer).

When I left the army (at 28) I was considered a hot commodity in the cybersecurity world. I interviewed with both Raytheon and SAIC, and turned down head-hunters from several other companies. Both companies made me an offer; SAIC for $55,000 a year, and Raytheon for $42,000 a year. Both offers were less than I was already making, and both companies explained that everyone starts at the bottom and works their way up. I declined both and took a position outside cybersecurity for $79,000/yr.

At the time, cybersecurity wasn't willing to pay a clean-cut, clean-record military officer already in the field with requisite training, clearances, background screening and aptitude as much as I already made in the military, and the military isn't where high dollar jobs are.

Re:hire me

[Salgak1]

It's the same way at higher levels and higher clearances: I accepted a job some years back, as a task and team lead to hire and train up some newbie security types.

For that, they paid me $125K. (I've got nearly 30 years of experience). Then I found out, that some of the sub-contractors I was training were making 137K. Needless to say, after pointing that out to my management, they weren't interested in doing anything about it, in fact, they told me that **MY** cost was stretching them. I left a month or so later. . .

Re:hire me

former raytheon employee here; nobody who know anything about cybersecurity wants to work for them. The RayCERT is a joke. Raytheon has one very young and extremely unqualified person in charge of cybersecurity. How did he get his job? He was born to a Raytheon family. Nepotism rules that organization more than any Japanese Keiretsu or Korean Chaebol. Then you have people who treat computers as "those new fangled dohickies" in charge of IT security. My supervisor considered anybody born after 1959 a millenial. That doesn't even begin to address the turf war between the IT security and industrial security types that leaves a lot of stepping on each other toes in some areas and huge holes in coverage in others. In short, nobody who know anything about Raytheon and cybersecurity wants to work for Raytheon cybersecurity.

Re:hire me

[ebno-10db]

SSDD. Companies that complain the loudest about "not being able to find people" generally pay squat and/or are a miserable place to work. Oddly, the companies that pay decently and are decent places to work have much less of a problem finding qualified people. Glad you found a better job.

Re:hire me

[thoth]

No, that's not how it works now (recently).

Somebody pays for that clearance process and it boils down to the hiring company, granted they may reflect that in their rates and the difference between what they charge the customer and pay the employee (rolled up into their nebulous "overhead"). The process is typically a few months, rarely a year.

The way the catch-22 is resolved is you'll be hired as a short-term contractor (~6 mo) and given minor/lower level work while waiting for the clearance. If it doesn't come, the contract ends and you look for something else.

It is just less risk for them to hire somebody with one already - modern corporate America doesn't want the risk and prefers not to invest in their workforce unless they have to - such a person can start earlier.

I'm not surprised.

[Xenkar]

I certainly wouldn't take a job that would force me to flee to another country for asylum if my conscience makes me become a whistle blower.

Re:I'm not surprised.

[cardpuncher]

Cybersecurity doesn't necessarily mean surveillance. There's a more attractive side, too - you could spend your entire life running change control on a library of hundred-page procedure documents and reviewing firewall logs. Now, what kid could turn down *that* opportunity?

Re: I'm not surprised.

[O('_')O_Bush]

This. What the article doesn't explain is what cyber security usually entails at a defense contractor. I did that kind of work for about a year, and wanted to pull me own fingers off.

It was where they took bright engineers, gave them tedious and excruciatingly boring tasks, burned them out, and replaced them. You'd think cyber security would be somewhat cool, but in reality, it was taking several multi-thousand line spreadsheet checklists, run some scripts, and manually put passes or fails for the things the scripts didn't cover. Do that all day every day for every type of server and every project, repeatedly, till all or almost all checks were passed. And then, do documentation.

I would say that where I worked, the youngest crowd were the only suckers willing to take that work. Everyone else knew better.

Does everyone have to work in cybersecurity?!?!

I would've thought 24% of young people being interested is pretty good. Especially for a niche job like this.

millenials

[Idimmu+Xul]

such a retarded word

Re:millenials

[Sockatume]

Referring to them as "young adults" would force people from older generations to engage with the fact that they've aged out of their role as the dominant cultural and economic force. It would tie with the enormous cottage industry in writing editorials about how my generation is going to ruin the planet, at any rate.

Re:millenials

[IndustrialComplex]

Systems that were written largely by members of Generation X and marketed by Baby Boomers. But no, keep thinking that everything is the fault of which ever generation is the youngest.

Good point. I always shake my head at articles about how poor the millenial generation turned out. Isn't it the responsibility of the previous generation to guide the new generation? It's not like you are born with a life instruction manual. If there are problem with the current generation, the blame falls squarely on the preceeding generations. This is the world the millenials were born into, and they grew up with the guidance from the existing generations.

Like raising a dog, if it's ill-tempered, look to the owner.

Re:millenials

[IndustrialComplex]

For those of us born in the early 80s, we get to pick and choose the best parts of generation X and the millenials. We are the generation that fell through the cracks as far as media labeling is concerned. It's great!

Media complains about Generation X, we get to poke fun on our 'cloud' access devices.
Media complains about Millenials, we quickly skip to Nirvana in the playlist and scoff at this new generation.

Bulls**t: 24% is a _lot_!

[Terje+Mathisen]

Please give me a big list of other occupations which more than 24% of a random sample of kids are interested in, then I'll allow you to claim that too few youngsters are interested in cybersecurity.

Terje

Not just security

[jandersen]

It isn't just security either; I see lots of jobs advertised at the moment here in London. It is overwhelmingly what they call "DevOps" and Java development. I have been following the market for a long while, and I can see the same roles coming up again and again, so clearly the companies are having trouble finding people.

Having worked in IT for far too many years, I know how it goes: when you hire new employees, you know they aren't going to be up to speed for at least 3 - 6 months. However, these companies are mostly new start-ups, so they think it is like hiring a contractor, and they want their new staff to be up to speed immediately. It's just not going to happen, but until they see sense and learn to plan for the long term, the situation will be that way; lots of jobs that go unfilled, and lots of well qualified people the can't find jobs. And it's not about money, really; these web companies could afford to think ahead and invest in people with good potential - and one could argue that they can't really afford NOT to do so.

On top of that, they don't actually know what they are looking for. Take this new buzzword, "DevOps"; it comes from "development" and "operations", and it means somebody who sits in the middle, between a development department and system administration; ideally this is a person who can do everything a developer does and everything a system administrator does, and such person is probably a developer who has grown into system administration. In the old mainframe days you would call them System Programmers, and they would be your most sacred asset. But what the web companies really mean when they say "DevOps" is just a low ranking build engineer, who knows how to use Puppet, Chef or Jenkins and is doing the same, repetitive task over and over, provisioning into the cloud. And they all want somebody who has "at least 5 years experience with the cloud"; has "The Cloud" even existed that long?

only 24 percent of millennials have any interest

[Chrisq]

only 24 percent of millennials have any interest in cybersecurity as a career

That is not a lack of interest - it is an enormous interest. Think of when you were in class - if a quarter of the whole class were interested in one career. It is so high that I have difficulty believing it. If you assume that in any class you are going to have a 5% with no academic interest, maybe another 5% who truly want to pursue something non-technical, be it lawyer, politician, professional musician, sportsman, minister of religion, or artist - then I would say that it would be all the non-security related scientific, technical, and computer related industries that should be worried. If that figure were true it would mean that *most* people who are going to want a technical career would be looking at jobs in computer security.

Re:Soon to be obsolete

[mysidia]

Progress is slowly being made in the use of capability based security.

If you think a technology will solve all our security problems, then you don't understand what security is all about.

Securty is a process, not a technology.

Every time you think you've built something idiot-proof; nature comes right in, and delivers you a more idiotic idiot.

Until you can eliminate all humans in organizations; computer security can never be a solved problem.

Because most security problems are caused by humans, AND IT security falls within the broader umbrella of risk management.

You will never own a perfectly secure system. Not now. Not in a thousand years.

It doesn't matter what fancy new capability-based models you come up with; there will always be threats and vulnerabilities.

Re:Because Corps are Distusting!

[ImOuttaHere]

A very surprisingly large number of corporations do NOT spend money on security.

Which is why the FBI surprised over 70 companies a couple years back when the FBI told them their systems had been hacked for the company's intellectual property. The companies in question had _no_ idea they'd been hit. Which is also why the NSA makes a point of touring US-based companies to present corporate execs (primarily in the IT end of things) un-classified reports on the latest security threats (if you don't already know, take a look at the NSA Information Assurance program). Which is why I was laid off because one such company was not going to listen to someone suggesting to them their computer security really sucked and were actually in the process of slashing intellectual property protection and computer security jobs. Again. For the eighth time in four years. So they could use the money "saved" on the salaries of people at my level who were also laid off to "buy" low level grunt "talent" in their China operations. That company's security still sux and remains far too easily hacked, and this is in a sixty year old high tech company that would've known better had they not be bought out by an aggressive "rollup" company to then be run by a bunch of greedy WallStreet-types who extract, literally, $100's of millions of dollars for themselves from the companies they've absorbed and stripped of assets.

So, no, many companies could give a rat's rear about security.

Only large corps really spend money on security...

Re:only 24 percent of millennials have any interes

[Hognoxious]

Think of when you were in class - if a quarter of the whole class were interested in one career.

Pretty even split between train drivers and astronauts.

That's the boys, obviously. I have no idea about the girls and they have cooties anyway.

Lies, damn lies, and statistical illiteracy

[taikedz]

From the Raytheon article key figures: "Young men (35 percent) are far more interested than young women (14 percent) in a career in cybersecurity." If that many people are interested in cybersecurity, I'd call that "an overwhelming proportion" of persons being interested in cybersecurity. By that count, that's an enormous population of paranoid technofreaks.

"The survey also found less than one-quarter of young adults aged 18 to 26 believed the career is interesting at all." And how much of the total population gets employed in computer security AS A WHOLE? Less than 0.1% easily. How many other types of jobs, areas of interest and careers are there WITHOUT EVEN leaving the IT world?

The study page even highlights that they didn't target IT graduates. This is from a general, untargeted smattering of 1,000 members of the population. That's not even a proper sample size.

Bad journalism. Bad study report. Bad.

Security is an ungrateful business

[gnasher719]

When your job is security, the best thing that can happen is that you do an excellent job, and the end result is - nothing. That's the whole idea of it. If you do your job right, nothing happens. If you do your job badly, shit happens. Stuff gets stolen, and so on.

So will anyone congratulate you for a job well done? No, they will only see money spent on your salary with zero results. You will look as if the company could do without you. You know better, but the people who might give you a raise don't. And the people who could fire you to safe on salaries and increase profits don't.

You get much better recognition in a job that visibly produces positive results.