Is there really a security skills shortage?

In their recent report released at the RSA conference, ISACA continued to play on a theme that has been a topic of theirs for years - the cybersecurity skills shortage. I’ve read estimates as low as 300,000 and as high as 3,000,000 unfilled jobs. But, I want to pick apart some of the claims, and instead of focusing on the raw numbers, come to understand the trends behind the numbers.

Claim 1:

Over a quarter of enterprises report that the time to fill cyber security and information security positions is one-half year. In more detail, they claim 23% of positions are filled in 2 months or less, 30% in three months, 26% in six months.

I don’t believe this is evidence of a skills gap. These are not jobs flipping burgers or washing floors, they are specialized skill areas. I’ve hired over 100 information security professionals in my career, and I’d be surprised if I had 50% of the roles filled in 3 months or less, but not due to a lack of applicants or talent. It simply takes time to hire people. You need to write up a job posting, wrestle with your HR department, wait a few weeks for candidates to apply (you don’t want to just hire the person fastest to hit “submit” do you?), go through the candidates, call, schedule interviews, make job offers and often wait for their notice period at their previous employer. Doing all that for ANY type of job at an enterprise simply takes time, and 3 months is pretty typical.

Claim 2:

On average, 59 percent of enterprises get at least five applicants for each open cyber security position, but most of these applicants are unqualified.

This is an interesting one. “At least 5 applicants” is a good sign. But lack of qualifications is a bad sign. I’ve found there are a number of contributing factors here:

  1. Cybersecurity is extremely diverse. Skill sets range from technologies (firewalls, SIEM, encryption, etc) to process (standards, software development, governance, etc) to strategy and planning (architecture, roadmaps, etc), etc, etc, etc. There are a tremendous number of subdomains in security, and the need for talent flexes between these domains. Many security professionals are generalists (with experience across a range of technologies, for example) but an employer might be looking for a specialist. And unlike traditional IT (Windows systems, Cisco networking, etc) the security market is much more fragmented by technology and approach, meaning it may be difficult to find your particular subset of skill.
  2. Job postings are often crap. When people write a job post, usually they write it for an ideal candidate. ‘Must have a bachelor’s degree in computer science, 10 years of work experience, 5 years working with a technology that was released 3 years ago, 16 certifications, great people skills, etc, etc, etc’. The nature of the security industry (as with many new industries) is that people come to it from a diversity of backgrounds and experience, and so it is unlikely that someone will meet an idealized job description.
  3. They have unrealistic expectations about compensation. A subset of employers (not all) really have no idea what the appropriate pay grades are for information security professionals.

I find that often when talking to employers about ‘lack of qualified applicants’ it comes down to one of the three items above - poor pay packages and poorly written job descriptions lead to a mismatch in candidates.

I’d like to close out this post on a few pieces of advice for prospective employers:

Tip 1:

Start recruiting early, and think about your organization’s security brand when you’re doing it. Attend local security events and meet ups, sponsor forums, have your experts out in the field talking about cool things they are working on and the fact that you’re looking for talent.

Tip 2:

Be prepared to develop and promote talent. It is unlikely that you’ll be able to hire a perfect fit for your budget and skills gap in a short period of time. Instead, focus on making sure you’ve got a great development and onboarding program, you understand what’s required to develop security talent, and you’ve got a team culture that encourages people to grow and stay. A significant number of breaches occur during staff turnover periods, so maintaining the staff you have and investing in them is key.

Tip 3:

Partner with others. It may not be necessary to hire for every skill set needed in your business. Many security needs are focused on a specific project or implementation, and once up and running they require a different skill set than the one required for starting out. Partnering effectively with third parties can help bring skills into your organization on a project basis, and help drive more rapid skills transfer to the staff you have. Make sure you engage partners in a way that drives enablement of your in-house team, who have the continuity and business insight to put those security skills to work.

Regardless of the above, I do believe that cyber security is an excellent career path and there are significant opportunities for people with those skills, and I would encourage young professionals in computer science, information technology or other similar backgrounds to consider it.

I hope you’ve found this article helpful; please feel free to share it with the security hiring managers in your circles. If you need some talented help to assist you on a security project, drop us a services request.