Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem

Summary: A small talent pool, an inflated wage bubble and high tension in a virulent attack landscape have made cybersecurity's hiring crisis "the billion dollar" problem.


At no time in history has there been a greater need to hire security professionals to protect and defend infrastructures from an inexhaustible onslaught of organized crime, industrial espionage, and nation-state attacks.

A small talent pool, an inflated wage bubble and the high tensions of a virulent attack landscape have made cybersecurity's hiring crisis the "billion dollar" problem.

Richard Bejtlich, the Chief Security Strategist at FireEye said, "The prevalence of breaches is driving the creation of incident response teams, often from the ground up."

With Cisco's 2014 Annual Security Report projecting a global shortfall of at least 500,000 cybersecurity jobs, and at least 30,000 in the US, the situation has become what James Arlen at Leviathan Security Group calls "literally the billion dollar question."

That's more truth than jest: the current state of infosec's tight talent pool means that its hiring challenges come with inflated price tags -- as well as all the problems that come with this singularly complex and specialized industry's "rockstar syndrome."

Bejtlich notes that in an acute shortage such as this, the top talent "make their own rules."

He cautions, "Do not expect to hire a top person and require them to relocate to your corporate HQ. Corporate culture can also be an obstacle. Top security people expect to be free to innovate, and do not tolerate bureaucracy."

Leviathan's Arlen says, "The reality of this is that in order to acquire new talent, companies are forced to go hunting and must be ready to put down the biggest pile of compensation." Arlen continued:

Too often, less-than-great people are demanding a price which was over-the-top for a 'rockstar' two years ago. As with all price bubbles, it’s going to pop at some point and the reset is going to be quite painful for some individuals.

Another challenge is the upward pressure on pricing that comes in part from what a great person can bring to the table but more from the overall lack of available people which permits less-than-great people to push the pricing higher as well.

Bejtlich agrees. "The simple answer is that reduced supply of security people plus increased demand for their services equals higher wages. Until supply and demand become more closely matched, expect higher-than-normal overall wage growth for security talent, plus increased tendencies for people to change jobs."

The churn at the top compounds the problem. Mr. Bejtlich explains, "It’s easier for a top security person to get a raise by changing jobs than it is to accept a 3 percent salary rise in the same job."

And then there's the problem that companies are well aware of, yet never speak about: top cybersecurity talent is being passed from company to company.

Companies are sharing secret-keepers

As one can imagine in an industry of secrets, exploits and espionage -- where trust is a looming shadow over every relationship, every exchange, the tight talent pool poses a multitude of problems for intellectual property, non-compete agreements, and every hacker's never-healing wound: hackers ripping each other off.

Vice President, Strategy and Technical Marketing Engineering – Security, Switching, and Solutions BU at Juniper Networks Chris Hoff tells ZDNet:

The security industry and community are reasonably small and well-connected, and the demand for skilled employees simply outweighs the supply.

This talent trade anecdotally points to a 2-3 year average tenure in security.

The problems this poses are inadvertent intellectual property leakage and loosely transferred tradecraft 'secrets,' a lack of institutionalized security and operational knowledge, and a general retraining problem for new employees which introduces gaps in expertise, coverage and skills transfer.

Hoff explained that the factors in this already hostile, competitive climate are constantly shifting.

He said, "There are many sub-disciplines within security and we’re subject to somewhat cyclical patterns of selling and buying behaviors that are often disrupted by technological, economic, political, cultural or legislative influences." Hoff continued:

As one technology approach dealing with a particular threat matures, a new variant emerges providing a new class of solutions to mitigate, and those often demand more specialization.

This is also made more difficult by the fact that many threat actors utilize tactics, techniques and procedures that many defenders cannot or do not know how to use.

In this small talent pool, according to Hoff, it means that even highly qualified hackers who specialize in one discipline or skill set "may not have the skills to expand or reinvent themselves as the talent pool shrinks."

The conditions of this labor shortage work against themselves, and more bodies may not even solve the problem.

A "pathetic" lack of investment

FireEye’s Bejtlich isn’t so sure that throwing more hackers at the crisis is going to lead to solutions. "I’m more concerned that the people in the industry spend their time effectively."

He explains, "A 10 person team administering an antivirus solution is probably a waste of 9 people. I would like to see IT assume more of the maintenance and deployment tasks of security and have security people spend more time on detection and response, as well as collaboration with the development community."

Mr. Hoff didn't mince words when ZDNet asked where infosec needs to go from here. "I think that the industry needs to grow up as much as it needs to grow out." Hoff continued:

While we need to ensure a trained and ready replacement workforce is prepared to supplement and succeed the current generation of security professionals, we should invest heavily in training those that already occupy the positions that protect our companies today.

The lack of investment in training, skills update and mentorship is really pathetic.

If companies don’t invest in the people they have today, it’s pretty clear they won’t in the future.

Photo credit: Image courtesy of Black Hat USA/UBM Tech, used with permission.

See also: Cybersecurity's hiring crisis: A troubling trajectory

Topics: Security, Tech Industry

  • Sigh

    I need to switch jobs. I'd rather make secure systems but no one wants to pay for that; they'd rather wait until there is a mess and pay someone 10x to clean it up. Hacking doesn't provide anywhere near the fulfillment that quality engineering does, but it's easier and people are paying more for it.
    • Sadly...

      There is a lot of truth in what you say.
    • Ya well....

      In a way it amuses me that suddenly we're talking about some sort of security talent crisis here.
      To me this is a problem of the sw industry as a whole, even though in the security area it's probably felt most.
      I'm coming from mechanical engineering, specialising in nuclear power stations, and moved to sw about 15 years ago because it was more fun and very innovative.
      Now it's a mess full of self-proclaimed 'best practices', funny interview questions, attempts to use security as an excuse to block access which is then monetised through a different 'secure' channel, and 'agile', which is a sw alias for 'trial and error' :)
      Don't get me wrong, I'm not complaining; I'm also making my buck out of this mess, as is everyone else involved :)
      I'm just simply saying that had engineers built nuclear power stations the same way as people execute any sw project today, there would probably be no one left living on the planet today. :)
      • Perhaps there needs to be an equivalent

        of the Nuclear Regulatory Commission (nee ERDA and nee AEC) for computer software. Along with professional registration for software engineers, including web developers. Not to mention companies being held liable for their defective software products (EULAs currently protect them from any liability). In short, there's lots of regulations involving commercial nuclear power plants and engineers (nuclear, mechanical, electrical, civil).

        P.S. Let's never forget Chernobyl (U.S.S.R.) and Fukushima (Japan). Three Mile Island (U.S.A.) was merely a close call compared to these.
        Rabid Howler Monkey
        • Yes, but....

          IMHO the problem is the non-existence of any physical laws in sw. E.g. in the mechanical industry there are no 'best practices', no funny interviews mostly designed to make interviewers feel superior, no agile. Why? Because all this is replaced by physics and its natural laws. Plain and simple.
          I'm guessing that, because of the above, any such body would inevitably result in yet another bureaucratic 'security and safety' enforcer mostly used by competitors to claw each other out of business or to prevent new companies entering it.
          We see this already happening when it comes to ridiculous patent trials and some government policies supporting the monopoly of some companies.
          When it comes to liability, when a bridge over a river breaks it's reasonably easy to pinpoint any liability. This is so because that bridge is a man-made 'application' running on an 'OS' called Nature. Whereas when man-made HW with a man-made OS corrupts one's precious files or allows one's bank account to be emptied while running a man-made application, then what? A buggy application, running on a buggy OS on buggy HW: how is one going to prove who's responsible? Based on what? The financially weakest link? Which is almost always the application developer?
          This is only possible if sw designed precisely for particular hw, with no OS or a proprietary 'OS' involved, controls a physical environment, like planes or the said power stations. Then and only then, again based on physics, can one determine liability, and companies creating such sw-hw packages are indeed responsible for the sw-hw functions.
          • spalda2: "in mechanical industry there are no 'best practices'"

            Were 'best practices' followed at Chernobyl? And at Fukushima?

            I'd say that there were 'best practices' for operating the nuclear power plant at Chernobyl and that they were ignored. And at Fukushima, were 'best practices' followed by siting the facility within reach of a tsunami? Tsunamis aren't exactly unknown in Japan nor are floods unknown in flood plains:

            "River Levels on the Rise – The NRC At The Ready"

            Interesting that the Fort Calhoun, Nebraska, nuclear power plant which sits in the Missouri River floodplain was shut down for "extensive flooding improvements and other safety upgrades".

            "UK firm admits nuclear plant was shut down due to flooding fears"

            Best practices also apply to siting a nuclear power plant.
            Rabid Howler Monkey
          • @Rabid Howler Monkey: misunderstanding perhaps

            No, there are not any 'best practices' in the sense of the sw domain. All this is fully given by natural laws. And yes, the disasters you mention are the result of us not fully understanding or perhaps underestimating/ignoring some aspects of these laws, as you point out in your example.
            To be precise, there are no self-proclaimed man-made 'best practices'; there are only natural laws and our level of understanding of/compliance with them.
          • Best practices do exist for secure software development

            There are a number of security development life-cycles (SDLC) out there that one can review and choose from (or build one's own). The open source OpenBSD project is a great example of secure software development (since 1996). Green Hills Integrity is another fine example of secure software development. QNX, now part of BlackBerry, is a great example of reliability. Last I heard, QNX was used by GE for its nuclear power plants.

            There are many other resources for best practices:

            o secure coding books/papers
            o software testing
            o penetration testing
            o lists, descriptions and mitigation of common coding errors books/papers

            Finally, just one example:

            "2011 CWE/SANS Top 25 Most Dangerous Software Errors"
            Rabid Howler Monkey
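One concrete instance of the "common coding errors" such lists catalogue, written as an added example for this page rather than taken from the comment above, from the CWE/SANS list itself, or from any of the projects it names: CWE-120 (classic buffer overflow), which sits near the top of the 2011 Top 25. The record format (one length byte followed by that many payload bytes), the `field_t` type, the function names and the sample records are all constructed here for illustration. The unchecked parser trusts the length byte; the hardened one validates it against both the destination capacity and the bytes actually present before copying, which also closes the matching over-read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size destination field (hypothetical format). */
#define FIELD_MAX 16

/* Parsed field: raw bytes plus how many of them are valid. */
typedef struct {
    uint8_t data[FIELD_MAX];
    size_t  len;
} field_t;

/*
 * Vulnerable pattern (CWE-120): the length byte at rec[0] is trusted and
 * used directly as the copy size. A record that declares more bytes than
 * FIELD_MAX overwrites past out->data; one that declares more bytes than
 * it carries makes memcpy read past the end of rec. Shown for contrast
 * only; this file never calls it with a malformed record.
 */
static bool parse_field_unchecked(const uint8_t *rec, size_t rec_len, field_t *out)
{
    if (rec_len < 1)
        return false;
    size_t n = rec[0];
    memcpy(out->data, rec + 1, n);   /* n is never compared with FIELD_MAX or rec_len */
    out->len = n;
    return true;
}

/*
 * Hardened version: the declared length is checked against both the
 * destination capacity and the bytes actually present in the record
 * before anything is copied, and a rejected record leaves *out untouched.
 */
static bool parse_field_checked(const uint8_t *rec, size_t rec_len, field_t *out)
{
    if (rec == NULL || out == NULL || rec_len < 1)
        return false;
    size_t n = rec[0];
    if (n > FIELD_MAX)          /* would overflow out->data */
        return false;
    if (n > rec_len - 1)        /* declared length exceeds the record: over-read */
        return false;
    memcpy(out->data, rec + 1, n);
    out->len = n;
    return true;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t REC_GOOD[]      = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t REC_EMPTY[]     = { 0 };                  /* zero-length payload is legal */
static const uint8_t REC_OVERSIZED[] = { 200, 'x' };           /* claims 200 bytes, carries 1 */
static const uint8_t REC_TRUNCATED[] = { 8, 'a', 'b', 'c' };   /* claims 8 bytes, carries 3 */

/* Returns the parsed length if the checked parser accepts the record, -1 if it rejects it. */
int checked_len(const uint8_t *rec, size_t rec_len)
{
    field_t f;
    memset(&f, 0, sizeof f);
    return parse_field_checked(rec, rec_len, &f) ? (int)f.len : -1;
}

int main(void)
{
    field_t f;
    /* The unchecked parser only ever sees a well-formed record here. */
    if (parse_field_unchecked(REC_GOOD, sizeof REC_GOOD, &f))
        printf("unchecked parser: %zu bytes\n", f.len);
    printf("good:      %d\n", checked_len(REC_GOOD, sizeof REC_GOOD));
    printf("empty:     %d\n", checked_len(REC_EMPTY, sizeof REC_EMPTY));
    printf("oversized: %d\n", checked_len(REC_OVERSIZED, sizeof REC_OVERSIZED));
    printf("truncated: %d\n", checked_len(REC_TRUNCATED, sizeof REC_TRUNCATED));
    return 0;
}
```

The two checks are deliberately separate: `n > FIELD_MAX` protects the destination, `n > rec_len - 1` protects the source, and a fix that adds only one of them leaves the other bug in place. Writing `rec_len - 1` is only safe because `rec_len < 1` was rejected first; with an unsigned length that subtraction would otherwise wrap.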
  • AHA!

    THERE'S the other shoe. I was wondering if you were going to continue the thought from yesterday's piece. Good show, VB
  • USA needs help

    As I have lived overseas for 15 years, and noticed the lack of security within the IT industry, when I returned to the USA it was my surprise that the situation was even worse over here. Companies seem not to be prepared to pay from the start to have proper security implemented within their companies. So they leave doors open, and I mean wide open, for the not-so-nice people to walk in. When the breaches happen they go, "Oh, what did I do wrong?" I see it every day. I agree with the lack of training within the IT industry; employers expect you to know everything and keep up with it at your own expense and time. Sorry, it is just not happening, as things are changing all the time. If we are not allowed to network with fellow workers within our fields of work, then how are we to understand what other folks are doing and how they are implementing things? Sorry, need to vent; have been working in this industry since the Com64 days, and still managers and companies only see the almighty Dollar. Some day they might wake up; I only hope and pray it will not be too late. There are so many doors open, and the people who you do not want are just waiting to walk in. The next nightmare in the US will be the one you least expect. I hope people wake up and smell the flowers before it is too late. As the gentleman stated, "I think that the industry needs to grow up as much as it needs to grow out." So true.
    thanks for letting me vent
    • "baldeagle30" - have you never heard of LinkedIn or Spiceworks?

      You said: "...If we are not allowed to network with fellow worker within our fields of work "

      Nobody is preventing you from "networking with like-minded individuals." Look at LinkedIn and Spiceworks - those are two user-based communities, self-supporting, and full of like-minded individuals in all types and flavors of groups: networking, security, etc. And LinkedIn is not just for "job searching & recruiting," as was its original purpose; I have found more technical problem resolutions there and at Spiceworks than at the actual technical vendors' sites!

      Now, if you are using the *incredibly lame* excuse of "Well, I *must* [travel] to a seminar/class," that's crap! These days, with on-line courseware, webinars, teleconferencing (Skype, LogMeIn, Join.Me, etc.), recorded sessions and so forth, there is precious little or zero need to actually "travel" to some far-away seminar. That was/is a HUGE waste of money! I found those seminars (and some classes, but not all) highly wasteful, with very little true "networking" results; instead, I came home with free t-shirts, coffee mugs and thumb drives.

      No, I hate to break it to you, but those days are over. In most companies, if they are medium to large, you still have to plead your case that you need training but, as stated, NO SINGLE TRAINING will suffice in today's security landscape; you have to kludge together what you need; think on your feet; and dig deeply into the technologies and methodologies being utilized to break networks and security. It can be as obscure as those "free thumb drives" from seminars; that you may think are so innocent; yet contain "signature-free, unknown, zero-day malware" that, as soon as you install the "new contact manager" (or whatever program they put on it), then you are "owned."

      Bottom line: Don't give up - but, don't forget to justify how integral security; and your position; are to maintaining the bottom-line integrity of the company; because one lawsuit can wipe out an entire company overnight!
  • Horrors!

    The techies are at risk of being paid more than befits their station (they might even end up making more than their bosses). What will the stockholders say?

    In reality, these sorts of problems tend to sort themselves out as more people are encouraged to enter in-demand fields; and if they don't then why is it that overpaid techies are more of a problem than (let's say) overpaid athletes or overpaid corporate executives?

    If people are going to plead the free market when defending executive salaries, then it behooves them to be consistent and defend the high salaries of underlings when they are similarly dictated by current market conditions.
    John L. Ries
    • John, you are so right!

      I couldn't agree more. There are cases where underlings make more than their supervisors or managers - rare, but not as rare as it used to be. Now, if you count salary [and] added perks, that's almost never the case; but if you mean just outright salary, then yes, it's more common now than in the days of old, when knights were bold, and the king's word was as good as gold. The article also is correct: Security defense involves a LOT more than just passing some "holier-than-thou" CISSP exam - you have to be able think "outside the modem."
  • Supply is low, Demand is high = wage bubble

    If you want to purchase something that is in short supply but in high demand - yes, you will pay a premium. That's the first law of economics.

    From the past these types of complaints come from upper management earning over $1M/yr. They don't like paying high salaries to anyone else who is not in the upper chain of command. Too bad.
  • Job security for those that produce crappy code...

    And then there are the people originally needed to manage the crappy code in the first place.

    And vendors that sell additional crappy code to cover up the original crappy code...

    and people to manage the crappy code that covers up the crappy code...

    Yess... a new management position to manage the....
  • Thank-you!

    The lack of investment in training, skills update and mentorship is really pathetic.
  • The Situation is Dire!

    The situation is dire:
    1. The increasing dependence of industry and government on an immature software profession whose promise exceeds its delivery has now become a source of risk that teeters at the tipping point.
    2. The convergence of software, national security, and global competitiveness interactions and their fragile dependencies are capable of unleashing a destructive synergy of propagating and cascading effects. They don't play well together, and together they heighten complexity.
    3. All this, while both industry and government continue to play the role of free rider as users of software lacking both the ability and will to act while insulated by stove pipes that are deeper and more narrow.
    Top ten reasons
    1. Industry and government continue to increase dependence on software produced by an immature profession that has stumbled in delivering trustworthy software components, systems, and systems of systems to the nation's critical infrastructure and defense industrial base.
    2. The result is Cyber Security weaknesses and vulnerabilities seeded by our best and brightest that are being exploited at will by persistent adversaries whose capabilities and motivation can only be guessed at by assessing the trace of consequences they inflict.
    3. Essential Cyber Security foundations are lacking, and so Cyber Security practice is ad hoc, not well understood, and ineffective.
    4. Premature Cyber Security training and certification programs do not yield the capability to secure large scale software intensive systems, research programs are misdirected, STEM initiatives promise what they cannot deliver, and executives and senior managers are disconnected from the realities they face.
    5. Citizen concerns about privacy, civil liberties, and liability serve as obstacles to deter effective information sharing, erecting barriers to achieving Cyber Security. Government, industry, and the public are not on the same page.
    6. The increasing dependence on software to boost productivity and achieve competitiveness is not being met with increasing domestic workforce capability and
    7. Instead, enterprises in search of value continue to choose offshore outsourcing for skills and cheap labor despite vigorous attempts to stigmatize this practice by politicians.
    8. Cyber Security shortfall threatens competitiveness by easy and continuing loss of intellectual capital to nation states who drive on an information highway without rules or
    9. Government tax policy, misguided regulations, and antitrust litigation offer additional impediments and uncertainty.
    10. Underlying all this, the nation's austerity and affordability challenge has the effect of tying our hands just when the starter's gun signals the start of the race for the twenty-first century. On top of all this, the will to act is lacking as the nation finds itself in a leadership crisis.
    Source: "Software 2015 - Situation Dire", Don O'Neill, Independent Consultant.
    • Not enough casualties yet

      Oneilldon: a thoughtful contribution and one with which I agree. But I think the situation is simpler than people suggest. We (as in we the programmers) simply haven't killed enough people yet for anyone to take notice and do something.

      In the early application of steam engines in the British industrial revolution, mechanical engineers killed a lot of people. Factory steam boilers tended to explode quite readily, destroying not only the factory and the people working in it at the time, but also all the workers' families. It was usual in those times for workers and their families to be housed in close proximity to the factory where they worked, hence families were often collateral damage, as we say today.

      When the social and economic impact was sufficiently high, government regulated the manufacture of steam boilers and licensed those who were allowed to carry out assembly tasks such as riveting and welding. In the UK, this gave birth to a specialism called Boiler Making, and one of the largest trade unions for many years was the Boiler Makers Union.

      When we programmers kill enough people with our incompetence and neglect and cause enough economic damage, regulators will step in and regulate. The industry will be forced to accept licensing for those practitioners in lead positions, and they in turn will be forced to accept liability, as will their employers. For programmers, improvement will then be a matter of personal survival.

      I am English so I hate instinctively all regulators but in reality, this is the only way to align the business interests of SW developers with the social and economic interests of society at large.

      I am saddened that neither the IEEE nor the ACM (I am a long standing member of both) support licensing and regulation; on the contrary, the ACM at least actively opposes it.

      In our business, we call ourselves professionals and what we do a profession. This is self delusion. It is still a craft; some craftsmen are very skilled and very talented and I have worked with many over the past 40 years or so. But a craft is still a craft and it is nothing on which to base the economic and social welfare of the nation and its citizens.