The Cyber Security Talent Shortage: Part I – The Law of Supply and Demand
Updated: Sep 12
The law of supply and demand is a fundamental economic principle that impacts all businesses. Simply put, the more an item is in demand, the greater the price that a seller can charge for that product. The more difficult it is to source the product, the more valuable manufacturers who can produce the product become. As supply becomes more constrained and demand increases, the price of that product will continue to escalate and manufacturers of the product will have increasing leverage and pricing power, leaving those in need with a difficult decision. They must either agree to pay the market price or accept the consequences of going without that product, absorbing the business impact of their decision.
Since the onset of the pandemic, the law of supply and demand has impacted our daily lives in many ways:
The shortage of toilet paper
Not being able to find hand sanitizer
The availability of ventilators and oxygen devices
The scarcity of hospital beds
The ability to get a vaccine or a booster shot
These items had a direct impact on our personal lives, some with greater consequences than others. However, depending on your financial means and your ability to gain access, acquiring these items was easier for some than others. For some, it meant a certain level of comfort; for others, it was the difference between living and dying.
Supply and Demand in Cyber Security
While Cyber Security does not have life or death consequences like healthcare, a company’s ability to protect itself and conduct its business securely and responsibly can be the difference in its ability to meet its business objectives and long-term sustainability.
The best way that a company can ensure that they are protected against threats and adversaries is to build a competent and effective cyber security program under the leadership of a capable Chief Information Security Officer. Hiring and retaining a qualified security team, with technical capabilities and relevant business acumen, is the most significant contributing factor in a successful security program that will both enable and protect the business.
While there is an infinite number of security products and services that are easy to acquire, the talented security professionals needed to operate and manage them are not nearly as easy to come by. There are about 1 million “Cyber Security Professionals” currently working in the United States and about 500,000 cyber security job openings, right now, in the United States. That means for every cyber security professional who is currently employed, there are two (2) open positions currently available in the market.
While these statistics alone are daunting, this is not necessarily “new news” and some of these headline-grabbing numbers can be misleading and manipulated to prove a point and gain attention.
Telling the Whole Story
What you don’t know is that the shortage in pure numbers does not tell the whole story. Not all cyber security jobs are created equal, and the shortage of people in the market as a data point alone is misleading.
The real shortage of cyber security talent is in quality and experienced cyber security professionals. These are the professionals who really can impact an organization. These are people who have technical foundations, are adaptive learners, and have kept themselves technically current. These are professionals who have made continual investments in their careers. These are people who have the ability to communicate and garner respect with technology and business leaders. These are people who have practical skills and domain expertise that can easily dissect problems and architect and implement solutions that make a difference in how securely and seamlessly business is conducted.
These are people who Google, Netflix, Amazon, Facebook, Microsoft, and Apple all want to hire. These are the people who the large global banks, payment companies, crypto exchanges, and hedge funds want to hire. These are the people that all of the “hot new start-ups” want to hire.
These are the people who the aforementioned companies can afford to pay, as they understand how valuable they are to their business. These are the people who are in the shortest supply and who are in the greatest demand.
For every one of these capable and qualified security professionals, there are 50-100 open positions.
The Talent Gap
This is the law of supply and demand in its truest form. What makes things more difficult is that the market is creating opportunities and needs for cyber security talent much more quickly than our universities can create Computer Scientists and Technologists. So, the problem is not going to dissipate for quite some time; in fact, it will likely get worse before it gets better.
While companies are attempting to figure out how to compete with these global giants in their core businesses, they also need to figure out how to compete with these companies for cyber security talent. And if they are lucky enough to hire some strong, capable cyber security talent, how do they retain them, keep them on “your team”, and prevent them from seeking greener pastures?
Yes, this problem is daunting, but it’s real. You can no longer plead ignorance. The board of directors, investors, and customers are all going to want to know how you are addressing cyber security, and you need to have a strategy.
The most important part of that strategy is the people. How do you attract them? How can you compete? What can you offer that goes beyond money? In a situation where Cyber Security professionals have a choice of employers – why will they choose your company?
These are questions that you need to be able to answer.