Cyber security skill shortage: real problem or result of bad hiring practices?

Whenever you Google "Cyber Security", you can easily find tons of references to a dramatic skill shortage.

Most companies complain they can't fill their information security openings due to lack of qualified candidates.

If this is undoubtedly true and represents a real challenge, these reports don't do a good job explaining how much this situation is the result of lacks in the educational system and how much is due to bad hiring practices.

I'm not an HR and this isn't my field of expertise, but I can't help noticing an underlying contradiction in this situation. Companies bitching about this are unclear in setting their expectations, and their job descriptions should be totally rethought.

It's not uncommon for companies to list 3-5 years experience for entry-level info sec position, or set up a list of requirements that are absolutely unrealistic.

They set the bar too high and aren't willing to pay a candidate what he/she would deserve. 

For example, I often see a job posting like this below (DISCLAIMER: I redacted the company's name here, for privacy reasons, and the below considerations aren't referred to that specific company. I only chose it as a generic example).

Click to enlarge

If any such candidates would be available for this job, maybe they'd get offered something like $80,000-100,000 per year. Not surprisingly, they don't find any suitable candidates. 

If such a security engineer exists, he/she'll have plenty of better offers available. You need to do much better than that.

All this and many more factors concur in determining the current situation.

Another thing I find to be deeply unfair is a discrimination between Associate's Degrees and Bachelor's Degrees.

Employers often require a Bachelor's Degree as a rigid requirement, without caring to check what type of contents the candidate has actually dealt with in his/her study.

It's well known that Bachelor's curricula often include content classes that don't make any big difference, such as History, College Composition or stuff like that. They don't always dig deep in technical stuff. 

I talked to a recruiter for a well-known university one time and all they had to offer me was Criminal Justice.

Yup, I studied in a community college and I got two Associate's degrees, so I can be biased, I know.

However, I configured IDS detection rules with Snort, I set up Linux network configurations, I performed hands-on forensic analysis with Wireshark (see an example here), password cracking with aircrack-ng, I studied Ethical Hacking, etc.

What I don't know, I can learn. Firing up a virtual machine to run any software is a normal practice to me and it's part of what my job should be.

Can all Bachelor's programs always offer this same knowledge? I don't know about that.

Below is an egregious example of such discrimination.

Click to enlarge

But don't think this post is only about the rant of an old geeky fart like myself.

I was actually surprised to find out that a hiring manager for a large corporation, too, agrees with these concepts (see embedded video for more details).

In other words, all this situation is undoubtedly true, but the reason for a skill shortage lies in bad hiring decisions as well.

A bunch of misleading words and no actions.

Sadly, unless hiring policies in information security get vastly redesigned, this situation isn't destined to change any time soon.