We've Been Fooled. There Is No Talent Shortage.
We've never had a cybersecurity talent shortage. We're being sold that story by certification vendors and companies not wanting to pay for talented security professionals. We believe there's a shortage because so many job postings for cybersecurity professionals go unfilled. But there are so many people who want cybersecurity jobs. What's going on?
Check out this post by Rachel Bicknell of Dell Technologies quoting Mic Merritt of Merritt Collective for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Jimmy S, CISSP, CRISC, CISM, president, (ISSA) International Sports Sciences Association. Joining them is Ngozi Eze, CISO, Levi Strauss & Co.
Thanks to our sponsor, ThreatLocker.
Stop the unicorn hunt
The cybersecurity talent shortage is often cited as a major industry challenge, but many security professionals argue that the problem isn’t a lack of skilled workers—it’s unrealistic hiring expectations and underwhelming compensation. "There is no shortage, never has been. And given that the colleges and 'boot camps' keep churning out diplomas into a massively glutted field, there never will be," said Leeland Heins of AMD. The real issue, he argues, is companies insisting on hiring only “unicorn” candidates. This sentiment is echoed across IT and cybersecurity. As Justin St Amour of Agio put it, "I don't think this is just cybersecurity but IT in general. I have been saying for a long time that companies just don’t want to pay good people what they are worth."
Job post inflation
The perceived cybersecurity talent shortage is driven by misaligned expectations and inflated job postings. "There is some disparity between what is allegedly being reported (cyber skills shortages) and what we in the industry are experiencing," said Jim Seaman of IS Centurion Consulting Ltd, noting that many roles list excessive requirements yet offer salaries that don’t reflect the investment needed to meet them. These hiring practices significantly distort the job market. “A company with just a few openings can make it appear as though there are hundreds by duplicating listings across locations and job boards,” said Christy B., BISO at Regions Bank.
Structural misalignment
Discussing this issue often focuses on entry-level roles. That’s where we get a lot of noise from people trying to break into the industry. But as Danny Hetzel of Accuray noted, “There really is a shortage in what is required. Most shops are short-handed and need individuals of mid-level skill.” Elias Avgoulas of Foodtastic raised the point that there are significant government subsidies available for cybersecurity education, which feeds the entry-level pipeline but doesn’t add to where there is the biggest need. We can see that there is no shortage in this entry-level space because of how organizations structure those positions. “If there were jobs demand, there would also be part-time jobs. There appear to be just about zero part-time cyber security jobs,” said Joseph Wyckoff.
We’ve got to do better
The cybersecurity talent shortage isn’t just misleading—it may be a convenient excuse for struggling security programs. "The whole thing is just devious, an excuse for why their security program stinks (or keeps getting hacked)," said Brandy Gordon, CSO at Gordon Digital Forensics. She envisions security leadership “rubbing their hands together” and whispering to the board, “Tell them there are no skilled workers so they can’t replace us. Just put an ad out and go through the motions.” If organizations are serious about hiring, they should focus less on blaming the talent pool and more on realistic job expectations, competitive pay, and meaningful workforce investment.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us TOMORROW, Friday [03-14-25], for "Hacking Competitive GRC"
Join us Friday, March 14, 2025, for “Hacking Competitive GRC: An hour of critical thinking about how to get ahead of your competition with a well-structured program.”
It all begins at 1 PM ET/10 AM PT on Friday, March 14, 2025 with guests Markindey Sineus, GRC SME, Vanta, and Quincy Castro, CISO, Redis.
We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Vanta
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, Host, The Deep Dive Radio Show. Thanks to our sponsor Vanta!
Jump in on these conversations
"Why do hackers sometimes target hospitals?" (More here)
"Majority of my team isn't doing any work and I have no chill." (More here)
"What are the myths about incident response teams that are less known?" (More here)
Coming up in the weeks ahead on Super Cyber Friday we have:
Save your spot and register for them all now!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
(5 days ago) David Spark, a recurrent topic. It will not go away, as good talent is always in demand. I felt the cohosts were more on the side that there is no shortage of cybersecurity professionals.