On the “shortage” of InfoSec professionals…

It was interesting that two podcasts I listen to – PVCSec and Down the Security RabbitHole – both covered the ‘shortage in InfoSec’ topic. Both discussed the nuances and uncertainty around it. This is my contribution to that debate, just looking at things from a different perspective.

Getting things out of the way: yes, I think there is a shortage, and the sooner we acknowledge it, the sooner we can work on addressing it. I don’t have the hard data I wished to have to back up this claim, unfortunately, and will have to make semantic and anecdotal arguments. Yes, “plural of anectode is not data“.

Semantically, the very definition of shortage (from Oxford Dictionary) is:

{noun} A state or situation in which something needed cannot be obtained in sufficient amounts:

shortage of hard cash

food shortages


Yes, I admit there might be confirmation bias in my perspective.

I really enjoyed @catalyst‘s position here (and Rafal had a brilliant description of why we’re failing at training Tier1-type resources in the podcast), but I wanted to approach the problem from a different angle.

Let’s drill down into this a bit more and explore what this ‘shortage’ really means. To me, when people refer to ‘InfoSec professional shortage’, they really mean that:

“the current hiring process is not finding a large enough supply of professionals with a particular skillset and/or experience, for these roles within these teams at these companies, at these levels of compensation.”
So, as we analyze each of these sections, we can inquire/debate things such as:
  • current hiring process – is it broken? is the flow between HR and hiring managers appropriate? Is the screening process contributing to this? Are responsibilities and incentives for each party in this process properly allocated?
  • not finding – are they looking in the right place? Just waiting for resumes to arrive? Actively engaging with communities?
  • large enough supply – is the number of people being required a true necessity, or a reflection of inefficiencies somewhere else in the environment?
  • with these skills – are the skills being required actually relevant? How much of asking for a particular skill is not ‘playing it safe’, as opposed to understanding that some skills are easily transferable (especially products in same space: FWs, IDS, …)?
  • this type of experience – same as with skills, are the experience requirements really required, or are they a byproduct of inefficiency somewhere else?
  • for these roles – are we looking at the right roles for these people? Is it something that should be done within InfoSec or another team? Internal or outsourced? Human-driven or automated?
  • these teams at these companies -is it a matter of leadership? are the teams structured in a way that encourages professionals to apply? is the reputation of the team, manager, company such that would attract qualified candidates?
  • at these levels of compensation – finally, “rubber meets the road”. Is the overall compensation acceptable? Is the package of benefits attractive to the professionals looking into these roles?

I think @catalyst is right in that any one of these areas present an opportunity for enlightened leadership. All of them can be ‘fixed’:

  • adjust the hiring process to not “throw baby out with bathwater” – collaborate with HR to screen candidates adequately at all stages, look for candidates in different ways.
  • take a good look at the skills and experience being required.
  • reconsider the role and looks for alternatives, but considering the ‘whole’ picture and not just the immediate need to fill a seat.
  • take a good look in the mirror and check to see if there’s anything in the structure, culture, or leadership approach that might be driving candidates away.
  • finally, understand that there may be a case of ‘surge pricing’ and adjust expectations on compensation.

In economics, the labour market is a perfect example of information asymmetry at play. George Akerlof, Michael Spence and Joseph Stiglitz were awarded the Noble prize for their work on this. They have incorporated two mechanisms of reducing that asymmetry – signalling & screening. Learn about them and consider how your process currently implements them (even if unconsciously).

Finally, there may be perverse incentives at play: is the hiring manager (or HR) evaluated on the short term of ‘stopping the pain’ (just get someone!) or are there broader considerations about the health of the business (Raf’s point is poignant here).

So many opportunities here for leadership, like @catalyst said… but still, IMHO, there is a shortage of information security professionals.

As I look at the breakdown of what the shortage really means, I’m reminded of that adage: “Good, Fast, and Cheap. Pick Two.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s