Cybersecurity Talent Bubble Keeps Growing

All bubbles burst—but with around 2.72 million unfilled cybersecurity jobs as of October 2021 according to (ISC)², it seems the cybersecurity talent bubble will be floating around for the foreseeable future.

The fact is, there simply aren’t enough experienced cybersecurity professionals to go around, said Mark Sasson, managing partner at Pinpoint Search Group. But while in the present that gives experienced candidates a lot of leverage and the ability to write their own ticket, when the bubble does burst eventually, they could be in a world of hurt if they burned bridges in the industry or didn’t keep up with necessary skills.

“It’s always hard to hire, but these times are particularly difficult,” Sasson said. “There’s so much noise right now in the industry and about the industry, there’s a lot that could slip through the cracks in the interest of trying to fill these vacant roles. That could mean trouble in the future,” he said.

In 2021 alone, investors threw $20.2 billion into approximately 300 cybersecurity vendors, according to Pinpoint’s data, and all of those companies must hire additional employees so they can continue to scale and grow. While some of these companies were already well-known, a significant portion of them were startups. In fact, Sasson said, based on Pinpoint’s data, of the 300 funding rounds the company tracked, more than half (158) were series A and series B—which means they were very, very new.

“Innovation is outpacing M&A activity in this space, too,” he said. “A lot of times, when we’re finding candidates, we not only have to present the candidate to the company but introduce the company and what they do and their value proposition to the candidate. Nobody knows who these companies are—that’s how new they are. And so, to an extent, if what they’re doing is bleeding-edge, the candidates often don’t have those skills,” he explained.

But even so, because of the severity of the skills gap, these cybersecurity vendors are bending over backward whenever they come across top performers, Sasson said. This trend is growing right alongside the explosion of new attack vectors and the rise of ransomware-as-a-service and ready-made exploit kits.

At the other end of the spectrum, Sasson said, are the companies focusing on staid areas like firmware security or critical infrastructure who’ve only recently woken up to their own vulnerabilities.

“In the critical infrastructure segments like water, electric, gas, refineries and the like, after witnessing the Colonial Pipeline attack in the U.S. or the Ukraine cyberattacks, they are just now realizing they need to be more secure,” he said. That’s kicking off a flurry of hiring demand, much as digital transformation and cloud migration initiatives are—and the security stakes are just as high.

Automation and security-as-code solutions are becoming hot, too, Sasson said, as organizations try to offload security work to technology in the absence of enough qualified personnel. But despite the fact that these are big investment areas, he said the demand for the human element will remain for the foreseeable future.

“So many companies are taking apps into the cloud, and that’s a very manual process. Security-as-code and automation, along with AI/ML are big areas of interest and investment, but those still require people—it’s going to be a long time before the demand goes away,” he said. 

Aside from keeping up with industry trends and making sure technical skills remain cutting-edge, Sasson said the most important things cybersecurity professionals can learn are entrepreneurial skills. Not necessarily to strike out on your own and start a business—unless that’s what you want—but to encourage something that most believe is taboo: Job-hopping.

“Cybersecurity is a really entrepreneurial industry. Turnover in tech is 13.2%—that’s even higher than in retail. So, the way I think about this, especially in light of the Great Resignation, is accepting the fact that, as a cybersecurity pro with these incredible, highly marketable, valuable skills, you are a transactional asset.”

While that might sound like a cold, clinical, hypercapitalist take, this mindset shift can reap great benefits in the long run, Sasson said. It’s really about agility; shifting your mindset can actually help you gain new skills, experiences and exposure in the industry.

“There’s an ingrained and outdated mindset that your employment equals stability; that you need to stay put. I disagree. I think agility is what equals stability,” he said. “You can consistently fill a company’s needs with your skills, and then they pay you money. That’s the transaction. You are exposed to new situations and gain new skills. You are the service, your work output is the product. Then, you jump to a new situation, say, every six months, a year, two years and do it all over again. That’s a better way to think about this market,” Sasson said.

What you don’t want to do is attach yourself and your career prospects to a dinosaur. There are some major companies out there that used to have major name cachet and street cred that have been resting on those laurels for decades, he said. Don’t necessarily avoid them entirely, but be careful if you do. Many have been acquired by private equity, gutted, merged, repurposed—and they just aren’t the same as they used to be. The key point to remember is that, unlike in years past when long tenures meant that you were a loyal, solid employee who could be counted on, nowadays, if you’ve been at the same company for seven or 10 years, recruiters and hiring managers are going to think you’re complacent, Sasson said. 

“Unless you can show a clear, upward career trajectory at that company where you’re getting promoted regularly and taking on more responsibility and proven innovation, they’re going to think, ‘Why is that person still there? Don’t they have ambition and drive to go do something new?’” 

Finally, if you are putting yourself out there, remember that for all its hyper-growth, the cybersecurity space is still insular. It’s really a small world, and it’s likely your path will cross with the same folks over and over again.

“It would be surprising if you don’t have at least a few connections, acquaintances, friends, former or current colleagues in common with a recruiter or hiring manager or a potential coworker. Don’t burn bridges. The word will get around quickly and your chances of success in the industry will go up in flames, too,” he said. 

Sharon Florentine

Sharon Florentine is managing editor at Techstrong Media.