Thursday, December 04, 2014

Is There A Cyber Security Talent Shortage?

Why Do Cyber Security Jobs Not Get Filled?

Recently, I was invited to a panel discussion to address the topic of a talent shortage in information / cyber security.  My panel colleagues were “C” level security leaders from very large companies.

As the panel discussion got rolling, I heard a significant amount of dialogue focused on the lack of available talent to fill cyber security jobs.  While this is true and there are many reasons why there are not enough educated, skilled and prepared cyber security professionals, my mind went in a different direction.

As I listened to these two “C” level corporate panelists next to me, my wheels started turning.  While they were bringing up very legitimate reasons why their jobs were difficult to fill, I started thinking of some of the reasons that I’ve run into that cause jobs to not be filled.

A Large Insurance Company

A Senior Director of Information Security called me to discuss multiple hiring needs in his group.  I took notes to begin to understand this hiring decision maker’s needs.

At the end of our conversation, the Director told me he could not send job descriptions.  The Director told me that the job descriptions wouldn’t be very helpful anyway because they did not align with his actual hiring needs. 

I wanted to ask the Director why he didn’t work with his Human Resource department to get the jobs aligned with his actual hiring needs but I knew better than to ask. This is not the first time I’ve run into job descriptions that are not aligned with the actual hiring need. This happens more than you might believe.  This disconnect between the hiring manager’s needs and the job descriptions I had not yet seen was a red flag.

The Director stated that I would have to now work with his Human Resource department to get a contract signed before they could send job descriptions.  A few days later, I received an email from the HR department with an attached contract.  The contract was right up there with the worst contracts I’ve ever seen in 25 years of recruiting.  This was my second clue that I might be headed for a challenge. 

The contract had a clause in it stating that we would start with a 30 day trial relationship.  Okay, if that’s what they wanted, I didn’t need to argue.  I signed and returned the contract and then waited for the HR department to send job descriptions.

Days turned into weeks.  I let the hiring decision maker know that his HR department had not sent jobs on three different occasions over the course of several weeks.  The weeks added up to 30 days and our contract expired.  I still did not have job descriptions.  The red flag is definitely flying in this situation.

Another Big Insurance Company

A year or so ago, one of my career coaching clients sent a job description to me that he was thinking about responding to.  He sent the description mostly to get my opinion.  The description was what I’ll call a typical job description.  It asked for 3 years of this, 4 years of that, 2 years of something else, a college degree and any of the following certifications.

This particular job description was boxy and mechanically written.  It looked like a design diagram for assembling a motor. Nowhere in this job description did it even come close to addressing what might be in it for a gainfully employed, highly skilled cyber security leader to leave the comfort and security of their current job in order to join this company.

Anytime a person leaves the known situation that is their current job and they move on to an unknown situation that we’ll refer to as the “opportunity”, there is a certain amount of inherent risk.  I talked through this job with my coaching client.  He decided to not pursue the “opportunity”. 

Job descriptions are sales letters.  If the description is nothing more than a laundry list of we want, we need, we expect repeated three times, the description is not going to attract top-shelf talent.

Why Do Cyber Security Jobs Go Unfilled?

Yes, there is a shortage of talent in the cyber security profession.  However, in the two examples I shared above, the disconnect between a large insurance company’s human resource department and the CISO’s department caused this company’s jobs to go unfilled.

In the second example, allowing somebody to write a job description like a technical design diagram caused a viable candidate to step back and wonder if the company attached to the job description had a human element to it.  He determined that the human element he was looking for might not be present in the prospective company so he chose to not share his resume.

Final Thoughts

When a skill set is in high demand, the talent acquisition strategy required to get to potentially available talent must be strategic and well-thought-out.  Job descriptions written to attract gainfully employed talent must be compelling and they need to sell.

Compelling means that if the job description does not tell a prospective candidate what’s in it for them to take the risk of moving from company “A” to company “B”, company “B” may never get an opportunity to interview highly talented gainfully employed candidates.

In order to attract highly skilled, gainfully employed talent, a talent acquisition strategy needs to go beyond simply posting jobs to reach the small percentage of the talent pool that might be looking for a job at any given moment.  Recruiting is sales. If a talent acquisition strategy is not built around selling a company’s opportunities, it will seldom if ever attract and secure top talent.

When highly skilled, gainfully employed candidates are interviewed, everybody involved in a company’s interview process needs to be trained to conduct their part of the interview.  Top-shelf candidates can tell when a company has its act together and they can just as quickly tell when interviewers are unprepared and when they’re working from the seat of their pants.

Is there a talent shortage in the cyber security profession?  Yes, there is.  However, there are many things companies can do that they are frequently not doing to make themselves attractive to available cyber security talent.

Jeff Snyder, @SecurityRecruit, is the President of,, and  Jeff is a public speaker and a daily blog writer for the Security Recruiter Blog.