Why Are Some Cybersecurity Professionals Not Finding Jobs?

Last week, I posted a CNBC technology article on LinkedIn titled: ‘We are outnumbered’ — cybersecurity pros face a huge staffing shortage as attacks surge during the pandemic.

The article starts with this video claiming that there is a tremendous shortage of about 4 million skilled workers needed for cyber jobs. Here’s an excerpt:

“The group reported in late 2019 that 2.8 million professionals work in cybersecurity jobs globally, but the industry would need another 4 million trained workers in order to properly defend organizations and close the skills gap. That includes about half a million workers needed in the U.S. to meet demand. A separate survey of more than 300 cybersecurity professionals from ISSA shows that 70% of organizations report being impacted by the worker shortage and 45% of respondents say the cybersecurity skills shortage and its associated impacts have only gotten worse in recent years. …”

I suspect this story will not surprise most readers. In fact, this "cyber pro shortage" trend has existed for several years. I wrote about this issue in 2012 and in 2016 and spoke with my friend John McCumber from ISC2 about this topic in a BrightTalk webcast last year. Numerous other more recent stories provide a similar message. Consider these headlines:

• Center for Strategic & International Studies (CSIS) in January 2019: The Cybersecurity Workforce Gap
• Cybersecurity Ventures in February 2020: Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021
• Dark Reading in April 2020: Demand for Cybersecurity Jobs Declines But Still Outperforms Other Sectors
• CSO Magazine in August 2020: The cybersecurity skills shortage is getting worse
• Asia Insurance Review in September 2020: Cyber security skills gap continues to widen

“Not True” – Or - “Experts Can’t Find Jobs”  

When I posted these articles, most people agreed; however, a significant minority disagreed. Here are some quotes from LinkedIn comments, with the author names removed:

• “'Outnumbered', yet so many people like me with a B.S. in cybersecurity and we can't even get an interview for tier one help desk."
• “From the Asia insurance review, may be an issue, within local areas, but unfortunately here in the States seen 1) many cybersecurity staff unemployed (not due to the economy), 2) training in any silo has to be driven by the individual. This study is troubling “The participants in the study included 327 cyber security professionals and ISSA members from North America (92%), Europe (4%), Asia (3%), and about 1% from Central and South America.” Kinda a small sample. I have driven my own training based on needs and future vision of where the market will demand skills. While a CISO both in the commercial and Gov contracting sectors I always sliced off part of my budget to rotate staff every 6 months into a different Certificate training, and provide flex time to attend organizational meetings like the InfraGard. The skills are there, but are companies willing to pay for them?”
• “What a continuous pile of (horse manure). Plenty of certified cybersecurity staff out there, but to many companies are offering pay in line with the '80s, or have Position recs written by someone who failed their drug tests, or in many cases after 40, many companies practice ageism and boot the talent out the door - here’s a hint, a large pool of experience older staff available, but they do expect to be compensated....”
• “I have been off work basically since July 2019, focusing on school. With 20 years In IT, 14 in Security, certs, volunteering and working on my Masters’. I am spending 4-5 hours interviewing with one company only to find out no one is actually hiring, this is happening repeatedly. Job descriptions that are pages and pages long, they do realize I am a single person right? To say there is a lack of qualified individuals is a lie. In their magical world of what they are looking for, including lower pay than industry then sure but there are plenty of qualified ITSec people out there!”
• "I have said it before and I will say it again, the skills shortage is utter nonsense. The outmoded, outdated and idiotic hiring systems/requirements and failure to hire and train is the problem. In a field with supposedly 0 percent unemployment, I personally know a couple of certified (of some sort) experienced people recently laid off who are still looking 1 month later. This should not be happening. What do I do about it you are asking? Well, let's see. I prepare people for the CISSP, generally for free. I know and support people who train people for the CISSP. Again, primarily for free. I mentor colleagues and friends whenever they ask. I provide career path advice, again primarily for free. Are you doing what you can to support our colleagues and future colleagues?"

How Can We Reconcile These Two Different Perspectives?

In my experience, comments similar to those listed above, have been with us for at least the past decade, well before the current pandemic. However, the pandemic may have made things even worse as organizations curtail hiring due to budget constraints or other business difficulties. I am writing this blog after hearing more than a few respected industry colleagues argue that this abundance of cybersecurity jobs simply do not exist.

Simply stated, these good people cannot get hired in a cyber job. Going much further, they argue that select organizations (who discuss millions of unfilled jobs) are pushing their own training agendas, certifications offered, want to boost certain company stock prices or have other reasons to encourage this “abundance of cyber jobs remain vacant” narrative, even though it is not true, in their opinion.   

I want to be clear up front that, I disagree with this narrative. I do believe that many (perhaps millions but we can argue the numbers in another blog) global cybersecurity job vacancies do exist. Nevertheless, I truly sympathize with these people who disagree, and I want to try and help as many as I can find employment. I also want hiring managers to set proper expectations. 

In addition to my blogs and articles, I have personally mentored and helped dozens of people find cyber jobs, from high school students to new college graduates to CISOs and CSOs. (Note: this is not my "day job" but one way I try to give back to the security community – just like so many others are doing as well.) I also champion ways that government CISOs struggle in this area, and how tech leaders can find more cyber talent.  

I realize that it is very frustrating for anyone who is unemployed, and it doesn’t help if repeated narratives say that millions of cyber jobs exist that you cannot find. (Note: For others not in this situation, imagine the very different experience for a group of airline pilots, who may be unemployed due to COVID-19 and the drop-off in airline travel. Their family, friends and neighbors “understand” their situation and will likely be more sympathetic.)

So if the the shortage of qualified cyber pros is real, and the cyber jobs vacancies do exist, how can we bridge the gap of these different perspectives?

Here is a partial list of reasons that people are not getting hired or finding the right cyber job matches, in my personal experience:

1. People are living or looking in the wrong places. They want a local job, and do not want to move. (Note: More remote hiring is happening now with COVID-19, but it is still unclear if many of these jobs will go “back to the office” after the pandemic. This leads to hesitancy in taking a job in another part of the country.)
2. The pay scale is too low for their (perceived) skills.
3. Lack of experience – at least on their resume.
4. Timing. Or, that "perfect job" was just filled - after you learned about it yesterday.
5. Limiting their “desired” role or companies/governments considered.
6. Insistence on remote work. While this is easier during the pandemic, some people want 100% remote without travel, which can limit options. Also, some hiring managers are not clear if remote jobs will last after the pandemic restrictions are lifted - so they want to hire locally.  
7. Company discrimination due to older worker applicants. Yes, I agree with my colleagues that this is alive and well in 2020. Other forms of discrimination exist as well, such as race and gender.
8. Lack of professional networking – especially true during Covid-19. They don’t have personal connections and have a hard time meeting the right people who are hiring or can help them find the right job.
9. Attitude, Character, Work Ethic, Humility, etc. I have written several blogs just on this topic, but some people never get the job because they come across in interviews as entitled or too angry or with a bad attitude. They scare off hiring managers. For more on this topic, see: Why security pros fail (and what to do about it) and Problem #3 for Security Professionals: Not Enough Humble Pie and Problem 5: Are You An Insider Threat?
10. Putting this all together, I love my brother Steve’s perspective on individual career opportunities and selling your ideas (and yourself) to those both inside and outside your organization. “It’s all about the right product at the right place at the right time at the right price—with the right person delivering the message to the right decision maker.” See this blog for more details, whether you are a football fan or not, we can learn from Kirk Cousins.

Closing Thoughts & Tips For Jobseekers

I want to restate, that my heart goes out to those of you who are struggling in your cyber career. Perhaps you are in a cyber job, but want out of your organization or role, but feel trapped. Others can’t find any job right now – despite certifications and experience and trying for months or even years.

There are many people and organizations who want to help you. My blogs have many career articles and tips. Also, consider a career move in government cyber service. Here are some reasons why government is a good option.  

These blogs can help from ISC2. Also, perhaps consider switching to a security leadership role in another industry. Here are some expert friends who show their journey. 

Also, Dark Reading offers these 10 resume and interview tips.

If you are a student in high school or college, I urge you to get tech experience early with an internship or summer job in technology or cybersecurity. Many companies and governments hire those people first.

For everyone with a good cyber or technology job - all of us need to continue to grow in our knowledge and networking and try to help these colleagues and cyber pros in their careers. You will benefit personally and professionally when you do.

I want to close with these two quotes:

“Friendship ... is born at the moment when one man says to another "What! You too? I thought that no one but myself . . .” C.S. Lewis, The Four Loves

And, “He has a right to criticize, who has a heart to help.”  Abraham Lincoln

Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.