April 1, 2020

Last Updated on January 18, 2024

Beyond doubt, one of the biggest challenges we face in the information security industry is a shortage of skilled professionals for the roles we need them to fill. The numbers speak for themselves:

  • 500,000 unfilled jobs in the US and about 2 million globally.
  • It takes most companies 3 to 6 months to fill a vacant InfoSec position, and over 25% of companies fail to recruit the talent they need.
  • Average tenure of a newly hired CISO is about 18 months.
  • Security salaries are 25% higher on average than comparable IT and software development roles.
  • The actual cost to recruit cybersecurity professionals is an eye-popping 5 times the cost to fill comparable technical jobs in IT and software.

In a recent episode in Pivot Point Security’s The Virtual CISO Podcast, our CISO and Managing Partner, John Verry, spoke with industry staffing thought leader Deidre Diamond of CyberSN on what’s really behind these statistics, and what businesses need to do differently to successfully hire and retain InfoSec talent. This episode is a must-see/listen for anyone involved in hiring or managing information security professionals.

While Deidre is a highly successful entrepreneur and leader across multiple for-profit and nonprofit businesses, her deeply insightful perspective into what she calls “a massive national security issue” is guided by her deep, applied understanding of sociology. “Job is at the heart of happiness; it’s at the heart of stability,” Deidre points out.
She then goes on to say: “For us, no job is hard [to fill]. Why? Because most organizations have no idea how to treat their people. Which means most people don’t love where they work—so they’re recruitable if you understand what kind of role they’re really in and capable of. You’ve got to get the right role in front of them, which is why you’ve got to speak cyber and be cyber.”
Deidre explains that although CyberSN does not struggle to recruit, the talent shortage makes information security personnel far more costly than IT personnel of the same caliber: “staffing (InfoSec vs. IT) is 9.5 times more expensive.” This is due not just to salary escalation but also to several other critical, industry-wide factors:

  • InfoSec is still a relatively new industry, so it’s “super under-budgeted, with people doing two or three jobs in one. So how are you going to convince someone to take that job? You’re not! You’ll just keep talking to people until you can stretch the salary cap or change the job description or never fill it, which costs a lot of money regardless.”
  • Internal recruiters, and recruiters in general, don’t speak cybersecurity, which makes it hard to match people to roles.
  • Only 35% of cyber professionals are on LinkedIn, according to Deidre. “They see it as a privacy violation to put up a profile and talk about the technologies they use and what they’re doing…”

While nontechnical job categories, like risk and compliance, may be somewhat easier to fill, technology roles comprise the great majority of open jobs—and this situation isn’t likely to change overnight. “There’s a real timeframe that it takes to get that kind of skill set, of an attacker or a defender. Is it three years? Is it five years?” Deidre observes.
Deidre further notes that privacy and leadership (e.g., CISO) roles are among the hardest to fill. One reason she often sees is hiring teams undermining themselves. These higher-level roles “… have so many stakeholders tied to the decision-making around who is this person, who’s right for that job, what are they really going to be doing… And those jobs are so vast in strategy that there are so many stakeholders [involved] that it’s paralysis by analysis. We see it on a regular basis: [hiring organizations] regrouping and restarting because of [changing] opinions.”
Another way that many companies set themselves up to fail in the hiring arena is by “not budgeting appropriately” for either recruiting or hiring. “One of the biggest things I see is firms not filling their roles because they’re not budgeting to fill their roles with recruiting costs that make sense.”
But successful hiring is not a problem companies can just throw money at—if they even have it on tap. Deidre’s experience has unfailingly shown that the human side of the equation is what really matters. What does that mean for hiring firms? More will be revealed in a future post!
