The continued fallacy of the information security skill shortage

Ben Rothke
Jun 23, 2022

You need to show security professionals the money

In March 2020, I wrote in The fallacy of the information security skill shortage that the notion of a critical shortage of information security professionals was partly due to firms that don’t pay market rates. Many security jobs go unfilled not because there is no one to fill them, but because the firm obstinately refuses to provide a salary commensurate with the position.

The problem has been exacerbated by the highest inflation levels in nearly half a century. Unfortunately, many firms have their heads in the sand and refuse to invest in information security by hiring qualified professionals.

Some of these positions are consulting spots, with rates of $60 — $70 per hour. But based on this recent article in the Wall Street Journal — Teen Babysitters Are Charging $30 an Hour Now, Because They Can — those rates are simply inadequate.

I get about 20 emails and LinkedIn messages weekly from recruiters about jobs (isn’t that what LinkedIn is all about?), and I see that not much has changed.

Here are 13 recent examples of firms that won’t offer salaries or rates appropriate for the job. I received these from recruiters over the past few months via email and LinkedIn, and they illustrate the overall hiring problem. The details are exactly as I received them, with the only editing being to anonymize the employer.

Note that most of these positions are in the New York City area, where salaries are typically higher.

1. Security Risk Assessment Manager

Required skills:

· Application Security experience in S-SDLC Threat Modeling, Code Review, Vulnerability Assessment, Penetration Testing. Web Service/API security testing, Firmware Assessment.

· Exposure on DevSecOps implementation/integration.

· Hands on experience into Mobile application Security Android/iOS — reverse engineering/memory analysis etc.

· Security tool experience

Rate: $60 per hour


