"Save me, oh God, from people who have no sense of humor."
— Ludlow Porch

Cyber-Security Talent Shortage.

An article published in CSOOnline back in September of 2016, stated that unemployment in the Cyber-Security field was zero percent, and that there were over 1 million un-filled jobs with nobody chasing them. Now I may be a bit over-critical, but isn't that the textbook definition of something of a NEGATIVE unemployment rate?

Many experts are saying that we are currently sitting on a -5% unemployment rate in the Cyber-Security world and expect the shortage in qualified candidates to grow to upward of 3.5 million by 2020.

Some think that part of the problem is companies trying to "hire a unicorn" by writing job descriptions with cross-cutting requirements that no single person is ever going to have; hence recruiters are unable to find anyone who's qualified.

I keep getting calls from recruiters trying to place cyber-security experts in cubicles. Some are offering relocation packages and some are not. One client was willing to let a good candidate work remotely as long as they were willing to spend one week each month traveling to the client's offices in Northern Virginia... AT THE EMPLOYEE'S OWN EXPENSE.  :-/

Some employers are waking up and realizing that they must pay more than they are used to for cyber talent, AND allow them to work flexibly... meaning REMOTELY if possible. Whenever I hear of a hiring manager who says, "We need the best and are willing to pay $120k/yr. or $60/hr. W2 for the right person, and it is 100% onsite only!"

What they are really saying is,

"We want the best but aren't willing to pay for it, oh and limit your search to a 20-mile radius from our office. Be sure to tell the candidates how lucky they are to be considered by us, 'cause we're great. Oh... and we won't pay for relocation and it's a six-month contract, meaning the applicants get the pleasure of uprooting themselves from their current location at their expense for the privilege of working on a contract at a rate far below what they're worth and when we're done with them we're kicking them to the curb."

When you push back a little, the hiring managers say, "This is a technical resource, level 3 position and that's all our rate card pays for a position like this."  Um... You aren't in the driver's seat hiring manager. The ball isn't in your court. Your rate card is not calibrated with the reality of the services you seek.

A friend bought a new pickup recently and the dealer wanted $55,000 for it. The friend told them that this is only a pickup and not a Mercedes, and that his rate card only allows up to $28,000 for pickups; but they just wouldn't let him take it home until he gave them $55,000 for it.

Is it any wonder these positions are languishing with no viable applicants?

Current roadblocks are...

  1. There just aren't as many cyber-security experts as are desperately needed. Each reported cyber-attack or data-breach represents only a small percentage of the actual activity, and creates more demand for experts to help mitigate the issue.
  2. Universities can't graduate cyber-security experts fast enough and even if they could, a freshly-minted undergrad doesn't have the requisite experience.
  3. Existing hiring practices are woefully inadequate to address the problem.
  4. Managers are unwilling to pay cyber-security experts the salaries necessary to lure them away from their current positions. In many cases this will be an amount far above what the manager himself makes.
  5. Most people are unwilling to relocate in order to take a job that can very easily be done remotely. 
  6. We are living in a time of huge disruption. Hiring managers don't understand the need, or the talent necessary to service the need. The talent pool being mostly millennials, just won't accede to warming a cubicle in a client's building for eight to ten hours a day, on top of two hours of commute time. Those days are gone.

The rules aren't changing... they HAVE changed. Read The Year Without Pants and get with the program.