By Ben Rothke
Is there really an information security jobs crisis?

In April, Cybersecurity Ventures reported that there will be 3.5 million unfilled cybersecurity jobs in 2025. Their research shows that global cybersecurity job vacancies grew by 350%, from one million openings in 2013 to 3.5 million in 2021. The number of unfilled jobs leveled off in 2022, and remains at 3.5 million in 2023, with more than 750,000 of those positions in the U.S.
As to the predictions from Cybersecurity Ventures, it’s my experience, and that of other information security professionals I have spoken with, that their figures are highly exaggerated. It’s not just my opinion. I’ll show here how other information security professionals feel the same way.
This has led, in part, to a situation where information security boot camps and other quick fixes have been created to give people the impression that they are but a few months away from a high-paying job in information security.
I get, as do many of my information security friends and colleagues, at least one call a week from a parent, student, or IT professional asking how they can get into information security. They hear, often on news radio or general media, that there are countless opportunities in the highly lucrative field of information security.
As I wrote last year in The Continued Fallacy Of The Information Security Skill Shortage, much of the so-called shortage has to do with firms that won’t pay market rates for information security professionals. They create job listings with significant information security requirements, but offer salaries that are not much higher than entry-level salaries.
Where is the real security jobs shortage?
Lee Kushner is someone who has his finger on the pulse of the information security job market. As someone who has been doing information security recruitment for close to 30 years, he has seen the ups and downs, recessions, dot-com hype, and much more. One is hard-pressed to find a more experienced and qualified information security recruiter than Kushner.
He placed me in an information security role at E&Y, and countless security professionals owe their jobs to him. His recruitment firm LJ Kushner and Associates was the premier information security recruitment firm until it was acquired in 2019 by BGSF Inc.
As to the cybersecurity talent shortage, Kushner notes that one of the main issues regarding the term “cybersecurity talent shortage” is the assumption that all cybersecurity jobs and information security professionals are created equal.
Kushner notes that there is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code and understand technical security architecture; product security and application security specialists; and analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp.
Adding to the issue is the human resources (HR) system. Often an HR generalist will be tasked to find information security people. An HR generalist is someone who runs the daily functions of the HR department including hiring and interviewing staff, administering pay, benefits, vacations, and dealing with HR policies and practices.
For many positions in IT, an HR generalist is adequate. When it comes to information security, that is often not the case. As information security requires unique talents, the HR generalist (through no fault of their own, as they are generalists, not information security specialists) often lacks the understanding to effectively hire competent information security staff.
When tasked to fill open information security roles, the generalist will often start and end a hiring conversation by asking “Are you a CISSP?”, as if that is the only thing that matters. As noted above, the problem should not be laid at the feet of the HR generalist, says Edwin Covert, an information security professional with decades of experience.
Covert says “HR should be pushing back on the job requirements they get if they don’t understand what is in them. The hiring manager needs to be clear about what they want the candidate to do; they should do some research about what they think they need and have discussions with HR long before they throw a job description over the wall.”
Kushner notes the recent influx of cyber security recruitment specialists, who seem to be quite excellent at self-promotion but have a difficult time finding clients to retain their services.
He notes that if they were such excellent recruiters and the marketplace was ripe with available qualified talent, there would be no need to advertise their open positions and job postings in the public domain. He believes if they truly understood the industry they were servicing, that they would understand that security professionals are more interested in discretion and confidentiality.
Joe Shenouda is a Netherlands-based cybersecurity consultant. He feels that the talent shortage in cybersecurity is nothing more than a smokescreen, and that the real issue is outdated and inefficient recruitment practices that are not only failing companies but also jeopardizing our national security.
Shenouda says that “honestly, it’s like we’re fishing with the wrong bait and then wondering why we’re not catching anything.” He says that it’s high time we rethink the game plan.
Do entry level information security jobs even exist?
Many of the people exiting security boot camps expect there to be a plethora of entry level information security jobs waiting for them. But Helen Patton, CISO at Cisco Security Business Group, writes in her book Navigating the Cybersecurity Career Path (which is required reading for anyone considering a career in information security) that there are very few truly entry-level jobs in cybersecurity.
She writes that most entry-level roles tend to be quite specific, focused on one part of the profession, and are not generalist roles. For example, hiring managers will want a network security engineer with knowledge of networks or an identity management analyst with experience in identity systems. They are not looking for someone interested in security.
In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical, before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.
That should be a wake-up call for those who think they can get a security certificate and expect to have the industry welcome them with open arms and a six-figure salary.
So how does someone break into information security?
Mitch Zahler has been in the cyber security field for over 20 years and is currently a CISO at a New York City financial technology firm. He says that he looks for highly technical people either internally or externally that have a passion for security and have a good work ethic.
Zahler said he was amazed at how many internal IT staff and coders have come to him saying they want to move into information security because they have a passion for it. He observed that most of his successful employees over the past 20+ years were those who moved from technical positions into information security, with two of them currently serving as CISOs at large firms.
Something is broken — but what is the fix?
First off, objective, verifiable data around information security jobs is sorely needed. The media often uses Cybersecurity Ventures as a single source, which is precarious. The figures from Cybersecurity Ventures have the potential to derail a person’s career path, as they will spend time and money on quick information security courses for a job that may never appear.
Second, realize that there are no quick fixes. Information security is a specialty within IT and the larger area of risk management. Much as in medicine, where a doctor can enter specialties such as cardiology and radiology only after completing a residency in internal medicine, information security builds on a broader foundation.
So too with information security — it requires a thorough understanding of risk management, generalized IT, networks, operating systems, and more. That simply can’t be obtained in a boot camp.
Human resources needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best.
Israel Bryski is a veteran CISO at an investment firm in New York City. He says that “firms should organically grow and cross-train their IT staff into security professionals. Many IT people are more than eager to enter information security. Creating an internal program to mentor and train them is a long-term, but highly effective approach.”
So is there really an information security jobs crisis? Yes, but not in the way most people portray it.