Let’s talk jobs and InfoSec. We know InfoSec jobs pay very well, relatively speaking. We know the work can be personally rewarding. We also know there's a significant skill shortage that’s led to a lot of unfilled positions. A perplexing situation. 1/

You'd think companies would be incentivized to invest more time and resources improving their recruitment processes and training programs to support entry level candidates to build them up. BUT, it’s not that simple. There are important economic counteracting forces are play. 2/

First, often recruiters and hiring managers don’t know much about InfoSec in general. So they have a hard time finding good candidates. They also won’t have the organizational apparatus (ie curriculum and teachers) to support on the job InfoSec training. 3/

Secondly, the job switching cost, both financially and culturally, is very low. This is especially true now in a COVID world where so much work is remote and skill demand is so high. Someone can take a new job virtually anywhere quickly — not just in driving radius. 4/

So employers are expectedly hesitant to make significant investments in entry level personnel because they risk seeing the benefit go out the door soon after. They will be instead more incentivized buy a product to automate the job out of existence. 5/

We’re already seeing a lot of this happening now, but I think we’re going to see a lot more of this coming up. The skill gap will not be allowed to exist as it does as long as all these breaches are taking place. 6/

There are ways to solve for these competing economic forces, as we did back in the day in AppSec at WhiteHat Security, and solve the skill gap with entry level people. But it would seem to be a custom training program for each particular company for it to work well. 7/

My first infosec role was at WhiteHat (eternally grateful!) and I’ve paid it forward by giving others their first role over the years. The problem isn’t the companies, the problem is the employees who don’t push to do it.

I've been several places which had several positions open for over a year because all the candidates have either terrible interview skills or "not enough experience". A lot of good sec is (constantly) learning on the job, but it's hard to convince corps to hire junior folks.