Has anyone else noticed that talk about a cybersecurity talent shortage has ramped up lately?  It’s almost FUD-like.  If you buy into all the online rhetoric, it seems as though anyone who works in cybersecurity with at least a couple years of experience, and the requisite “excellent oral and written communication skills” could walk into an organization and get hired on the spot. 

With so much material on the perceived talent shortage, my inner academic pondered doing a review of the literature on this topic.  Take heart though; I’ll spare you the analysis, cut to the chase, and add my perspective as a security recruiter.

What Are People Saying?

Let’s start with the lay of the land.  The Intel Security/Center for Strategic and International Studies report, “Hacking the Skills Shortage”, states that 71% of respondents report the shortage in cybersecurity skills does direct and measurable damage.  According to another industry survey, 54% of respondents indicate that it takes between 3 and 6 months to fill a cybersecurity position in their organization.

Conversely, others say that the cybersecurity skills shortage is a myth.  Angela Bailey, Chief Human Capital Officer, Department of Homeland Security, reflects on a recent cybersecurity hiring event in a blog post, which has been referenced in numerous media outlets.  “Actually, over 14,000 people applied for our positions, with over 2,000 walking in the door. And while not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event.” 

Interesting.  It’s not uncommon for some security postings to be open for 6 months, yet others report over 10,000 applicants.  I’m not going to play the role of security talent fact-checker here.  My experience tells me that the truth is roughly somewhere in the middle.

Digging Deeper

It’s human nature to overreact to bit-sized bits of eye-popping data and get caught up in the myopic prism of your own profession. But, security isn’t the only profession that talks of a talent deficit. Take several common professions (doctors, programmers, teachers, even lawyers . . . in rural areas), google the name of that profession followed by the word shortage, and you’ll see headlines of doom and gloom and pundits questioning the shortage.  Wake up Chicken Little, ours isn’t the only profession that professes to have only a pinch of the people-power needed.  Prioritize, document, document, document, form strategic partnerships, and do the best you can with who you’ve got in the time allotted.

Indeed, 14,000 of the “mostly-qualified” candidates at the DHS cybersecurity hiring event is definitely one of those things that makes you go “hmmmm”.  Unfortunately, many of the comments surrounding Bailey’s blog post focus on this one number instead of what the agency did to make this event a success.  The article mentions a strong alignment and cooperation between HR and hiring managers both at the executive and team level. 

In other words, the power play between HR and business leaders over hiring matters was diminished.  The teams also acted “collaboratively, deliberately, and quickly with a can-do attitude.”  Actions were taken to speed up and eliminate the internal procedures that too often cause companies to lose excellent candidates.

There IS a Leadership and Talent Identification Problem

All too often, here’s how security jobs get posted.  A team leader wakes up and says, “We really need a security person.”

“What are they going to do?” someone asks.

“Well, we’re not really sure.”

So, the team leader goes out and creates a job posting which is an unrealistic mismatch of several postings they found online.  They want a purple squirrel that they will never find, because the job description is written so poorly.  So, HR and the team leader conclude that there just isn’t “anybody out there.”

On top of that, the team leader’s friend who is a security “expert” has convinced them that it is impossible to take someone like a system administrator and provide them with security training to fill the need.  After all, only true security people have the magic pixie dust, and we want this person to be a master of all trades.

I hope, my friends, you can sense the playful sarcasm in this scenario.  There will always be a cybersecurity talent shortage until several things in the organization happen consistently.

  • People know how to look for and cultivate the right talent.
  • HR becomes more of a business enabler.
  • Cybersecurity is recognized as a business problem first, and hiring managers and executive leadership can articulate a compelling cybersecurity vision.

With such differing views on the supply of cybersecurity talent, I went to Snopes to see if, by some chance, there was an urban legend around the cybersecurity talent shortage.  But alas, my search did not yield any results.  So then, it must be true that the challenges surrounding availability of talent are bigger than simply calling it a talent shortage crisis.