The subject of the cyber security talent shortage has been over-reported to the extent that no one wants to talk about it anymore. Even more than that, the only solution that really ever gets mentioned is developing more university cyber programs.

But that solution is dead wrong—or at least it misses the crux of the issue completely.

Before I go any further, let’s set the record straight on just how acute the problem really is. According to results from a recent CSO Magazine survey, the majority of respondents have open headcount which, as the respondents describe it, has led to dismal outcomes. Namely, their companies’ security teams either cannot meet the demand of their existing responsibilities, or they purchase new security tools that become shelfware. Or both.

Let’s switch gears now. If you’re curious about which skills appear to be in the most demand, I’ve got the latest and greatest (albeit based on anecdotal evidence because job titles vary so much):

  1. Incident Detection and Response
  2. Penetration Testers and Red Teamers
  3. Cloud Security
  4. Application Security and DevOps

Looking at the types of people whom companies want to hire (i.e. the list above), these are senior people—and here’s the issue with that. Even when you can hire senior people in these four roles (and it’s really hard to find them), you’re just poaching them from another company. Then what happens?

Well, one thing we’re seeing is senior cyber talent having shorter tenures in their current roles. (Again, this is anecdotal, but I’ve heard several other colleagues say the same thing.) Why? Because some other company with a better offer or better benefits poaches them again.

At this point, you would probably agree with me that you can’t hire your way out of this problem—at least not today—because there just aren’t