Today’s conversations about the cybersecurity talent shortage are generating activity but limited results. Rarely does a week go by without the drumbeat of another article, study, or amplified social media thread bemoaning the crisis. Entry-level job postings have unattainable unicorn requirements for below-market compensation, applicants have unreasonable expectations for what they will be doing their first year out of college, and job-hopping and burnout continue in step with the broader technical job market. Meanwhile colleges, accelerators, and mentorship programs have jumped at this market opportunity and are funneling more “purpose-built” talent into the market than ever before, often with the promise of ballooning demand for their skills in an “exciting and lucrative” career. The talent market should be signaling correction given the attention and investment it has received for years, but by most accounts it is not.
This is an existential problem in security because while technology plays a critical role in supplying novel and more efficient solutions to security programs, a security program’s ability to evaluate, invest in, and operationalize those technologies depends on the availability of quality people in the right positions. Technology and security vendors have outpaced the market, offering greater advancements each year that require greater investment from customers who are struggling to maintain talent and keep up with technology sprawl. This is softened by the continuing trend of security vendors offering managed services bundled with their products, operationalizing their offerings for customers immediately and cost-effectively to the benefit of both sides. However, the business is still challenged to rationalize these investments and continuously reevaluate coverage as its environment evolves, requiring expertise even if that is only a small security team managing a program made up entirely of managed services.
While the macabre “unhealthily stressed security leader who never sleeps” jokes still ring true, it is rarely advanced threat actors or Hollywood plotlines that prevent sleep. It is human questions like whether the team is okay, whether they have what they need, whether the right people are in the right roles, what new roles or people are needed, the team’s credibility with peer organizations, the leader’s credibility with their executive peers, and so on. This is a cost of leadership, not limited to security leadership. It goes against the market’s narrative and surprises people when I tell them that I more often see security leaders recommending business and management books to one another than I do technical or security books. Yes, there are discussions about the last hyped breach or how peers are solving technical problems, but there’s equal or greater excitement over sharing a new process, team structure, or communication method that was successful.
We have a security skills and leadership shortage, not a broader security talent shortage. This is slowing the broad security talent market correction that we must see for increased resiliency across all businesses, not just in the traditional silos of 1%’er security programs. For example:
- The rapidly growing pipeline of entry level security talent may only be leveraged with a positive return if leaders are in place to recognize and grow that talent. This is especially critical as many early-to-mid career professionals in parallel fields are interested in pivoting their careers into security, providing a wider talent pool with greater workplace maturity.
- The security program should only be allowed to grow if it can rationalize itself into the business’s context to enable and contribute to its success, requiring broader business understanding and communication skills than are usually expected of a pigeonholed deep domain leader. The program and its efficacy are capped without these abilities.
- Quality mid and senior level individual contributors will more likely be attracted to an empathetic leader who is building a program with a vision to set them up for success within the business, rather than one who is whipsawed reactively by fires and hype into building yet another “Office of Risk Acceptance.” The team needs a diversity of responsibilities and seniority, both for its own work and to mentor and help grow the junior talent. The security leader shouldn’t do this alone, especially as the program scales.
- Once the security organization is sustaining junior, mid, and senior level talent without churning too deeply or too often, new opportunities will emerge. A sustainable organization can begin opportunistically targeting talent with advanced, specialist skills as the organization matures closer to being a “1%’er.” Experienced practitioners with skills such as application security, cloud security, threat hunting, and threat modeling will continue to be in short supply until this broader talent farming yields such practitioners.
In the last 5+ years we have seen progress in lifting the executive role of security leaders in the business driven by regulation, a tidal wave of corporate spending on technology trends like open source and cloud and bring your own device, a booming ransomware business, and high-profile data mishandling and unsafe practices by corporate data stewards. This is reminiscent of the progression businesses went through with their finance leaders after Sarbanes-Oxley (SOX) was enacted in response to high profile corporate and financial scandals, elevating their unique point of view in the C-suite and boardroom. The measures enacted in the security domain have not yet achieved the rigor of SOX. The next two years will be telling as to whether security leaders’ progress continues, supported by the continued global expansion of security and privacy regulations and boardroom attention, or whether it decelerates or reverts as the macro-economic climate has businesses reevaluating their technology and security investments.
If we repeat history, then deceleration or reversion is probable since businesses’ security and safety investments typically correlate with market conditions despite their impacts typically being uncorrelated. An example of this asymmetry is that defenders' budgets shrink with the company’s top or bottom line, which may be reasonable (fiduciary responsibility), but attackers’ funding and incentives do not. The elephant in the room is that this would happen while security leaders’ role definition, corporate accountability, and personal liability are being publicly scrutinized. It is reasonable to expect that some percentage of security leaders will opt out of the company or the role if a deceleration or reversion is compounded by undesirable answers to these questions, worsening a security leadership shortage and rippling into the broader security talent pool. Security leaders and their companies should do themselves the service of discussing these challenges now, not when headwinds are strongest, to understand how the security leadership role and organization may evolve and what that means for the sustainability of the program and its people.