No InfoSec Talent for Open Positions? “Well, That Figures?”

June 11, 2009

I read a blog post by Meridith Levinson, on CSO Online, in response to the recent ISC2 survey which stated that 80% of hiring managers who are looking to fill IT security positions are having a hard time filling these openings. The report cited the following reasons for this situation: wrong skills, not enough qualified people in the local area, and security professionals commanding too much money.

It appears that Meridith was quite frustrated with the results of the survey. She titled her post with the dreaded “WTF,” which I know is not an abbreviation for “Well, That Figures.”

So, how could this be?  Are the reasons valid?  Can this be possible when so many talented information security professionals are looking for work?  

If you are listening, Meridith, I hope this helps to explain these findings and alleviate some of your fury:

1)  There is a Big Difference Between Shopping and Buying.  

Information Security Managers are short-staffed in general, and are always looking for talent to address the workload. However, looking for people and actually being able to hire them are two entirely different actions. Corporations are dealing with many more pressing business needs in this climate, and hiring full-time employees (Information Security professionals or others) is down on their list. Currently, hiring decisions are being scrutinized at every organizational level and business function.

The desire to hire is not in doubt.  The ability to hire definitely has some resistance.

2) Job Opening – Information Security Superhero

Employers are looking for Information Security Superheroes, when in many cases what they are able to afford is a one-trick pony (especially one that can perform a really cool trick). Often employers receive permission to add a single headcount. When this happens, they often try to cram all of the possible skill sets that they are searching for into one single position.

Throughout my time as a recruiter, I have seen many job descriptions that require skill matrices that rarely exist in the real world.   Due to the rarity of the skill combos, the candidate is able to command a higher salary.  This salary is often outside the compensation range that HR has allocated for the role. 

Remember, just like in the comics, Superheroes do not ever have to look for work; work finds them.

3) Employers Are Not Searching Correctly

Information Security leaders are only part-time recruiters and often cannot dedicate the necessary time to the talent acquisition process. They often rely on other resources to help locate the right candidates for their open positions. Due to the complex skills that these roles require, your recruiters need to be educated to properly filter candidates best suited for the roles. Many times, qualified candidates are overlooked for consideration during the early stages of the process. The more detailed the position, the more elaborate the search process needs to be. Whether employers are utilizing their shared internal recruitment resources or external search partners, this level of education is generally lacking.

4)  The “Right” Candidates are Happy with their Current Position.

This would make sense. Many talented information security professionals are gainfully employed and well thought of by their current employer. In these economic conditions, many Information Security professionals are not keen on jeopardizing the “security” of their current role for the potential opportunity that exists with another employer.

5) We are Information Security Professionals not Professional Resume Writers

First, we are generally guilty of producing generic resumes that are not geared to the specific positions that we are applying for. (See Mike’s last post.) Second, many people in the recruitment process only consider the resume, and never pick up the phone to discuss the candidate’s skills and the position requirements. Since they are currently inundated with so many resumes, it is nearly impossible for them to go into this level of depth. This fault is shared by both the candidates and the hiring entities.

6) Too Many Pre-Existing Notions About Candidates’ Individual Circumstances

We are always making judgments about others, especially in the hiring process. As security professionals we are skeptical by nature (it is why we are well suited for our profession). Throughout our careers, we have been preconditioned to think certain things when we learn about a candidate’s employment history. Here are a few that should sound familiar: “Overqualified,” “Short Term Job Durations,” “Big Company Person,” “A Consultant not an Operator,” and “If they are so good, why are they out of work?” When we think these things, we immediately create doubt in our mind about the person’s ability to be a valued employee. Sometimes these prejudices prohibit hiring managers from considering suitable applicants.

7) Employers Have a Right To Be Picky

Why shouldn’t they be? Don’t they have this right? Team building is one of the characteristics used to judge their effectiveness as an Information Security leader. When you create an information security culture, it is critical that a high level of scrutiny is used in all of your hiring decisions. If you relax these standards, for even one hire, it could have a negative impact on your existing team and the function as a whole.

Hiring managers also understand that there is a consequence for being too selective. If the hiring process takes too long, it will sometimes be determined that the position is not necessary, and the job opening will be eliminated. In that case, there are no winners.


I do believe that all of the items that ISC2 cited in their survey are valid and accurate.  I have a great respect for the organization and the professionals that hold their certifications.    As the report referenced, there is still a demand for Information Security professionals, who have a high level of skill and contribute fair value for their compensation. 

If you listen closely, you will hear what the industry is telling us. 

Keep investing in your career, keep current with your skills, develop new ones, and demonstrate your value.  

It should be comforting to know that 80% of the hiring managers are looking for someone just like you!

Posted by lee | Filed Under Security Industry 


One Response to “No InfoSec Talent for Open Positions? “Well, That Figures?””

  1. Rob Fuller on June 11th, 2009 10:46 am

    So my view is on the other end of the stick. I talk to a lot of upcoming infosec wiz kids, and junior IT/Security professionals, and 9 out of 10 are complaining that it’s hard to find a job “in this economy” and “I don’t have the skills to even be considered for a position yet”. A lot of 4th wall doubt, that I have a hard time answering because of my enlistment in the Marine Corps. How would you and Mike respond to people like this?

    Rob Fuller | Mubix