More on the lack of skilled security professionals

A while ago I commented on an article that I saw that talked about how some people seem to think that there's now a shortage of skilled security professionals and that this shortage is going to get worse in the future.

After I commented on that article, I received several emails from people telling me that their experience seems to indicate that this particular concern is very premature. In particular, lots of people who are currently system administrators who've installed and supported enterprise security applications told me that they've had trouble getting jobs that have a title like "security administrator" instead of "system administrator" and were told that they were unqualified for these jobs because they had no actual experience in information security.

So are HR people really what's causing this perceived shortage of skilled information security professionals?

Hiring managers and HR people working together can sometimes be a scary combination. That's the combination that made five years of Java programming experience required for jobs when Java had only been around for a year or two. More recently, the same thing has happened with jobs working with the Android OS and other trendy skills.

Fortunately, the survival of the fittest that free markets enforce means that organizations that insist on impossible requirements like those tend to end up being beaten by competitors who manage to have more reasonable requirements, so this sort of problem will eventually correct itself. But don't forget that, like many other changes that markets force, this can end up being painful to many people. It's much better to not get in the bad situation in the first place.

(If you're an HR person, you might want to note that the very engineers that you're trying to hire will laugh at both you and your company if you ask for things that simply aren't possible. Arguing with engineers about the validity of impossible requirements makes you look even worse.)

In any case, from the (admittedly anecdotal) evidence that I've seen, there seem to be lots of cases of people who are actually skilled information security professionals (even if their job title doesn't actually contain the right words) being unable to get jobs in the field, while I have yet to see any cases where companies are simply unable to find the right people.

Maybe there's no shortage after all.

