SANS ISC: Is there an Infosec Cybersecurity Talent Shortage? SANS ISC InfoSec Forums
Is there an Infosec Cybersecurity Talent Shortage?

Over the past few months there has been a lot of discussion about a shortage of data scientists and cybersecurity analysts, to name a few, where organizations find it difficult to fill cybersecurity positions. Some organizations are, in some cases, in a bidding war to attract or retain top talent. For example, Cisco launched in June a $10 Million Global Cybersecurity Scholarship to Increase Talent Pool [1] to help educate and add new talent into cybersecurity. We all know that every day somewhere, an organization is being attacked or worse, hacked.

A global study (eight countries were selected) by the Center for Strategic and International Studies (CSIS) got some interesting results. This study reports that eighty-two percent of all respondents surveyed report a shortage of cybersecurity skills, seventy-one percent say the talent deficit has hurt their organization, and nine out of ten say "cybersecurity technology could help compensate for skill shortage". [2][3] In the end, technology isn't perfect and a "human" needs to verify what it is firing on.

The questions I’m asking our readers are: How difficult is it to find and hire Cybersecurity Talent? Is the lack of Cybersecurity Talent impacting your organization?


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


507 Posts
ISC Handler
Oct 2nd 2016
In my experience it isn't a lack of "talent" that holds back the SOC in an organization. It is the management's lack of security knowledge that halts everything, including hiring the appropriate "talent".

3 Posts
Well, as for our organization, finding senior talent is truly difficult. Finding intro-level folks that want to get into the business has never been an issue, but if you want senior level folks, you will likely have to compete with another organization that they are currently employed at. It is strange having to sell your organization to get good security candidates.

2 Posts
This is an interesting subject for sure. I agree with Beau's comment. I believe that there is a shortage of cybersecurity talent, but I think that more importantly, there are organizational issues that are lurking behind this as well. I think in some instances, going into cybersecurity means fighting the current to be able to implement best practices or the tools needed to do the job. I believe it is well known that people will follow the path of least resistance. There are definitely progressive organizations that take care of their people, but most of the businesses that I've seen still don't believe in having a CIO, and they still feel like cybersecurity is a responsibility of their base IT team. On top of that, I think there are a lot of IT staff out there that are well aware of missing controls, but when it comes to putting up the $ for either additional staff, software, or contractors to perform that work, organizations aren't coming up with it. I feel like another challenge is that security involves people, which means organizational change. I guess what I'm boiling this down to as I write is that it is a multifaceted issue, but one of the key dependencies is that there needs to be a fundamental change in business models to account for, value, and invest in cybersecurity.

6 Posts
On average when hiring someone for InfoSec positions at my organization it takes approximately 6 months to find someone. I've had a few cases where qualified individuals have been grabbed by others due to a slow hiring cycle as well.

On the more philosophical side of the issue, I'll echo earlier comments. There needs to be a commitment by the whole organization's management to security. If this is done and partially incorporated into all IT jobs and non-IT jobs in some way, then the need for as many security specialists would not be as noticeable or painful. We'd also spend less time chasing others' problems.

1 Posts
Hey All,

Speaking as a Co-op student starting out in this crazy wonderful field, I have to say this statement about the skills gap mainly applies to the "experienced" talent, as most job offers I see are for companies looking for candidates with 2-3 MIN years of experience. Which is understandable, but I find this a massive problem in the industry altogether, as this seems to also apply to the certifications as well.

I mean, when I start looking at certs to obtain after my college diploma, because this is something within my budget, I see most certs require someone to have been in the field for 5 years at times before they can even take the exam. If they wish to get this faster they can take a course which helps out with the exam, but at a lovely sum of $5000+- US dollars.

I mean, for myself, I know what I want and I am willing to fight to get there (late night studies, VM practice in the spare time). But it strikes me as odd that this field states we have talent gaps, and then when you try to look for how to bridge that through education, it seems you either have to be really lucky with how much money you have, or you already have the work experience to prove it and you just need to pretty much buy the pretty piece of paper to say "yup, I know it."

Cisco's Cyber Ops seems promising, but I don't know how much this will even be able to achieve if other educating organizations don't follow suit. Something that's going to help is having more affordable training camps/education, so people who are starting new families and needing to pay bills can afford to educate themselves and bridge this gap in the later years.

As a final remark though, thank you all for posting; this community is one of the reasons I got a co-op in the field and am able to start off my career :)

1 Posts
One of the things I'm seeing for all of the open positions that show up in my "business social media account" is that employers are looking for a Swiss army knife individual. Someone that would, in most organizations, be up to 3 separate people. This shows a level of ignorance in management. The other aspect, which has been mentioned here, is the lack of understanding within the human resources departments. I don't know how to solve this issue, but I see it everywhere.
2 Posts
Dude, send me a resume. ;)

24 Posts
There isn't a shortage per se, but when I worked in a SOC, we lost 20 analysts in 30 months, usually due to the issues of getting a clearance (which took on average 9-18 months back in 2008 or so), the pay issue (most of the people wound up going to places where they could make 1.5 to 2x what they were earning), and, while management did understand the issues, the ability to cross-train into different areas was non-existent (or discouraged).

We lost a promising young guy in his mid 20's due to this issue, and he got snatched up by an out of state firm inside of 2 weeks of his leaving (companies taking too long to get back to prospective employees is a good reason why positions aren't filled either).

I also see the same positions open on a constant basis where I am, and that leads to a lot of people asking the question 'what is wrong with this organization that they can't hold on to their staff?'...

Also, employers have unrealistic ideas on their requirements on skills, IMO; if you understand one SIEM or Virtual Machine, you can pretty much figure them all out (it ain't rocket science, companies)...LOL

21 Posts
As many have mentioned, finding talent is one part of the challenge – the other is hiring. Those organizational issues and leadership buy-in that are impeding finding and hiring talent (salary & benefits, expectations of the role, not providing resources and the wherewithal to facilitate change = scapegoat). Additionally, hiring managers are typically horrible at selling themselves, the role, and the organization.

There is a falsehood regarding a lack of talent to hire. As hiring managers, we need to adjust our expectations to the market and be realistic to the candidates that are out there. Waiting for that 'perfect candidate', using excuses that candidates are 'not technical enough', and leveraging contractors/consultants for FTE roles but then refusing to hire folks that have been contractors/consultants are straw man arguments perpetuating this so-called problem. When there are associates of mine having a hard time getting a FTE role in InfoSec, then there is not a hiring shortage but hiring managers not adjusting to the market.

2 Posts
What is being done about the world-wide shortage of "mainframe COBOL" programmers?

As I remember, there was an initiative to recruit & train "Generation X" fresh Computer Science graduates, to replace the "grey-beards" who were retiring to Florida, Port Townsend, or Salt Spring Island?

Is it time for a similar initiative?
There is definitely a shortage of talent, but management and businesses do not help the issue and are being excessively picky.

Sometimes, the requirements they ask for are a bit too much, such as: Expert in Windows, Linux, SQL, VMware, Firewalls, Cisco, security, and excellent at presenting ideas to management. I consider myself a generalist, but there is no way I know all of that really well.

Some companies I wanted to work for, because I like their product or the people sound nice, really turn me off when they do things like:

recruiter misses scheduled phone calls, repeatedly
hiring manager misses scheduled phone calls, and you can't leave them a message, because their VM is full.
you have an interview that you think went well, then radio silence from the company; voice mail and emails go unanswered. No rejection emails.
after being told how great their security team is, you sign up for their web app and are able to set your password to a really lame one, and when you ask them about this, they tell you that's how management wants it, and won't answer when you ask them how they passed the PCI audit.

I give up on these companies, and they may wonder why they can't find any good talent.
I think that the problem may be the expectations of the "non cyber" management folks. As a defender, it is always an uphill battle: we have to be correct every time, but the adversary only needs to get lucky once, and then when a company is "hacked" one time, they clean house of their security staff, a waste of good talent. Nothing is unhackable, and when the upper management of the major corporations expect that just because they have a crack team of cyber experts, it means that they are immune to threats, when they do get attacked, they immediately blame their team and fire them to keep a "good public image". I have been in the industry for almost 6 years now, and in that time, I have seen a lot of people blamed for compromises that aren't their fault. I don't think it's a lack of talent necessarily, but the perception of what "talent" is by management.
I'd like to echo one of the fellows above me in this thread.

I've been a generalist sysadmin (including security) for 5 years, and I can't get a foothold in Infosec, not even as a noob...

It's actually pretty much the same getting into IT.
I was really lucky to become a full sysadmin after less than 2 years in the field.
My luckiest friends managed to start as a helpdesk and slowly go up.
Others just got stuck somewhere until they gave up.

Everyone wants you to have all the knowledge, but no one is willing to do a (small) leap of faith for it.
