Is there an Infosec Cybersecurity Talent Shortage?

Published: 2016-10-02
Last Updated: 2016-10-02 22:38:53 UTC
by Guy Bruneau (Version: 1)
13 comment(s)

Over the past few months there has been a lot of discussion about a shortage of data scientists and cybersecurity analysts, to name a few, with organizations finding it difficult to fill cybersecurity positions. Some organizations are, in some cases, in a bidding war to attract or retain top talent. For example, Cisco launched in June a $10 Million Global Cybersecurity Scholarship to Increase Talent Pool [1] to help educate and add new talent to cybersecurity. We all know that every day, somewhere, an organization is being attacked or, worse, hacked.

A global study (eight countries were selected) by the Center for Strategic and International Studies (CSIS) produced some interesting results. This study reports that eighty-two percent of all respondents surveyed report a shortage of cybersecurity skills, seventy-one percent say the talent deficit has hurt their organization, and nine out of ten say "cybersecurity technology could help compensate for skill shortage". [2][3] In the end, technology isn't perfect, and a "human" needs to verify what it is firing on.

The questions I'm asking our readers are: How difficult is it to find and hire cybersecurity talent? Is the lack of cybersecurity talent impacting your organization?


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu



In my experience it isn't a lack of "talent" that holds back the SOC in an organization. It is the management's lack of security knowledge that halts everything, including hiring the appropriate "talent".
Well, as for our organization, finding senior talent is truly difficult. Finding intro-level folks that want to get into the business has never been an issue, but if you want senior level folks, you will likely have to compete with another organization that they are currently employed at. It is strange having to sell your organization to get good security candidates.
This is an interesting subject for sure. I agree with Beau's comment. I believe that there is a shortage of cybersecurity talent, but I think that more importantly, there are organizational issues that are lurking behind this as well. I think in some instances, going into cybersecurity means fighting the current to be able to implement best practices or the tools needed to do the job. I believe it is well known that people will follow the path of least resistance. There are definitely progressive organizations that take care of their people, but most of the businesses that I've seen still don't believe in having a CIO, and they still feel like cybersecurity is a responsibility of their base IT team. On top of that, I think there are a lot of IT staff out there that are well aware of missing controls, but when it comes to putting up the $ for either additional staff, software, or contractors to perform that work, organizations aren't coming up with it. I feel like another challenge is that security involves people, which means organizational change. I guess what I'm boiling this down to as I write is that it is a multifaceted issue, but one of the key dependencies is that there needs to be a fundamental change in business models to account for, value, and invest in cybersecurity.
On average when hiring someone for InfoSec positions at my organization it takes approximately 6 months to find someone. I've had a few cases where qualified individuals have been grabbed by others due to a slow hiring cycle as well.

On the more philosophical side of the issue, I'll echo earlier comments. There needs to be a commitment by the whole organization's management to security. If this is done & partially incorporated into all IT jobs and non-IT jobs in some way, then the need for as many security specialists would not be as noticeable or painful. We'd also spend less time chasing others' problems.
Hey All,

Speaking as a Co-op student starting out in this crazy wonderful field, I have to say this statement for the skills gap mainly applies to the "experienced" talent, as most job offers I see are for companies looking for candidates with 2-3 MIN years of experience. Which is understandable, but I find this a massive problem in the industry altogether, as this seems to also apply to the certifications as well.

I mean when I start looking at certs to obtain after my college diploma because this is something within my budget I see most certs require someone to have been in the field for 5 years at times before they can even take the exam. If they wish to get this faster they can take a course which helps out with the exam, but at a lovely sum of $5000+- US dollars.

I mean, for myself, I know what I want and I am willing to fight to get there (late night studies, VM practice in the spare time). But it strikes me as odd that this field states we have talent gaps, and then when you try to look for how to bridge that through education, it seems you either have to be really lucky with how much money you have, or you already have the work experience to prove it and you just need to pretty much buy the pretty piece of paper to say "yup, I know it."

Cisco's Cyber Ops seems promising, but I don't know how much this will even be able to achieve if other educating organizations don't follow suit. Something that's going to help is having more affordable training camps/education, so people who are starting new families, needing to pay bills, can afford to educate themselves and bridge this gap in the later years.

As a final remark though, thank you all for posting; this community is one of the reasons I got a co-op in the field and was able to start off my career :)
One of the things I'm seeing for all of the open positions that show up in my "business social media account" is that employers are looking for a Swiss army knife individual. Someone that would, in most organizations, be up to 3 separate people. This shows a level of ignorance in management. The other aspect, which has been mentioned here, is the lack of understanding within the human resources departments. I don't know how to solve this issue, but I see it everywhere.
Dude, send me a resume. ;)
There isn't a shortage per se, but when I worked in a SOC, we lost 20 analysts in 30 months, usually due to the issues of getting a clearance (which took on average 9-18 months back in 2008 or so), the pay issue (most of the people wound up going to places where they could make 1.5 to 2x what they were earning), and while management did understand the issues, the ability to cross train into different areas was non-existent (or discouraged).

We lost a promising young guy in his mid 20's due to this issue, and he got snatched up by an out of state firm inside of 2 weeks of his leaving (companies taking too long to get back to prospective employees is a good reason why positions aren't filled either).

I also see the same positions open on a constant basis where I am, and that leads to a lot of people asking the question 'what is wrong with this organization that they can't hold on to their staff?'...

Also, employers have unrealistic ideas on their requirements on skills, IMO; if you understand one SIEM or Virtual Machine, you can pretty much figure them all out (it ain't rocket science, companies)...LOL
As many have mentioned, finding talent is one part of the challenge – the other is hiring. Those organizational issues and leadership buy-in that are impeding finding and hiring talent (salary & benefits, expectations of the role, not providing resources and the wherewithal to facilitate change = scapegoat). Additionally, hiring managers are typically horrible at selling themselves, the role, and the organization.

There is a falsehood regarding a lack of talent to hire. As hiring managers, we need to adjust our expectations to the market and be realistic to the candidates that are out there. Waiting for that 'perfect candidate', using excuses that candidates are 'not technical enough', and leveraging contractors/consultants for FTE roles but then refusing to hire folks that have been contractors/consultants are straw man arguments perpetuating this so-called problem. When there are associates of mine having a hard time getting a FTE role in InfoSec, then there is not a hiring shortage but hiring managers not adjusting to the market.
What is being done about the world-wide shortage of "mainframe COBOL" programmers?

As I remember, there was an initiative to recruit & train "Generation X" fresh Computer Science graduates, to replace the "grey-beards" who were retiring to Florida, Port Townsend, or Salt Spring Island?

Is it time for a similar initiative?
