Cybersecurity hiring crisis: Rockstars, anger and the billion dollar problem

A small talent pool, an inflated wage bubble and high tension in a virulent attack landscape have made cybersecurity's hiring crisis "the billion dollar" problem.
Written by Violet Blue, Contributor

At no time in history has there been a greater need to hire security professionals to protect and defend infrastructures from an inexhaustible onslaught of organized crime, industrial espionage, and nation-state attacks.

A small talent pool, an inflated wage bubble and the high tensions of a virulent attack landscape have made cybersecurity's hiring crisis the "billion dollar" problem.

The tight talent pool poses a multitude of problems for intellectual property, non-compete agreements, and every hacker's never-healing wound: hackers ripping each other off.

Richard Bejtlich, the Chief Security Strategist at FireEye said, "The prevalence of breaches is driving the creation of incident response teams, often from the ground up."

With Cisco's 2014 Annual Security Report projecting a global cybersecurity jobs shortage starting at 500,000 and domestically at least 30,000, the situation has become what James Arlen at Leviathan Security Group calls "literally the billion dollar question."

That's more truth than jest: the current state of infosec's tight talent pool means that its hiring challenges come with inflated price tags -- as well as all the problems that come with this singularly complex and specialized industry's "rockstar syndrome."

Bejtlich notes that in an acute shortage such as this, the top talent "make their own rules."

He cautions, "Do not expect to hire a top person and require them to relocate to your corporate HQ. Corporate culture can also be an obstacle. Top security people expect free to innovate, and do not tolerate bureaucracy."

Leviathan's Arlen says, "The reality of this is that in order to acquire new talent, companies are forced to go hunting and must be ready to put down the biggest pile of compensation." Arlen continued:

Too often, less-than-great people are demanding a price which was over-the-top for a 'rockstar' two years ago. As with all price bubbles, it’s going to pop at some point and the reset is going to be quite painful for some individuals.

Another challenge is the upward pressure on pricing that comes in part from what a great person can bring to the table but more from the overall lack of available people which permits less-than-great people to push the pricing higher as well.

Bejtlich agrees. “The simple answer is that reduced supply of security people plus increased demand for their services equals higher wages. Until supply and demand become more closely matched, expected higher-than-normal overall wage growth for security talent, plus increased tendencies for people to change jobs.”

The churn at the top compounds the problem. Mr. Bejtlich explains, "It’s easier for a top security person to get a raise by changing jobs than it is to accept a 3 percent salary rise in the same job."

And then there's the problem that companies are well aware of, yet never speak about: That top cybersecurity talent are being passed from company to company.

Companies are sharing secret-keepers

As one can imagine in an industry of secrets, exploits and espionage -- where trust is a looming shadow over every relationship, every exchange, the tight talent pool poses a multitude of problems for intellectual property, non-compete agreements, and every hacker's never-healing wound: hackers ripping each other off.

Vice President, Strategy and Technical Marketing Engineering – Security, Switching, and Solutions BU at Juniper Networks Chris Hoff tells ZDNet:

The security industry and community are reasonably small and well-connected, and the demand for skilled employees simply outweighs the supply.

This talent trade anecdotally points to a 2-3 year average tenure in security.

The problems this poses is inadvertent intellectual property leakage and loosely transferred tradecraft 'secrets,' a lack of institutionalized security and operational knowledge and a general retraining problem for new employees which introduces gaps in expertise, coverage and skills transfer.

Hoff explained that the factors in this already hostile, competetive climate are constantly shifting.

He said, "There are many sub-disciplines within security and we’re subject to somewhat cyclical patterns of selling and buying behaviors that are often disrupted by technological, economic, political, cultural or legislative influences." Hoff continued:

As one technology approach dealing with a particular threat matures, a new variant emerges providing a new class of solutions to mitigate, and those often demand more specialization.

This is also made more difficult by the fact that many threat actors utilize tactics, techniques and procedures that many defenders cannot or do not know how to use.

In this small talent pool, according to Hoff, it means that even highly qualified hackers who specialize in one discipline or skill set "may not have the skills to expand or reinvent themselves as the talent pool shrinks."

The conditions of this labor shortage works against itself, and more bodies may not even solve the problem.

A "pathetic" lack of investment

FireEye’s Bejtlich isn’t so sure that throwing more hackers at the crisis is going to lead to solutions. "I’m more concerned that the people in the industry spend their time effectively."

He explains, "A 10 person team administering an antivirus solution is probably a waste of 9 people. I would like to see IT assume more of the maintenance and deployment tasks of security and have security people spend more time on detection and response, as well as collaboration with the development community."

Mr. Hoff didn't mince words when ZDNet asked where infosec needs to go from here. "I think that the industry needs to grow up as much as it needs to grow out." Hoff continued:

While we need to ensure a trained and ready replacement workforce is prepared to supplement and succeed the current generation of security professionals, we should invest heavily in training those that already occupy the positions that protect our companies today.

The lack of investment in training, skills update and mentorship is really pathetic.

If companies don’t invest in the people they have today, it’s pretty clear they won’t in the future.

Photo credit: Image courtesy of Black Hat USA/UBM Tech, used with permission.

See also: Cybersecurity's hiring crisis: A troubling trajectory

Editorial standards