Is there a skill shortage in infosec? Are we failing to bring new people in?
It may sound contradictory but I think the answers are "no" and "yes" in that order.

To be clear, in the last 10 years I've been in the private sector, I haven't seen a shortage. But... (1 of many ofc)
But before I continue, a quick side note. This thread was inspired by a tweet from @bettersafetynet who is genuinely one of the most awesome people I've met. His tweet about this was nuanced, which is why I've felt the need to have a massive thread in reply. Follow him right now.
(back to the thread)
But, the real problem is massively broken expectations, misunderstanding, gatekeeping, corporate ignorance and most importantly monumental misspending in the realm of cybers.
There isn't even a shortage of money, it just goes on tools rather than people.
First - skills. For example, right now I know many more skilled cybersecurity people looking for work than companies looking to hire new people. This has been true for the last 10 years.
We have good employment rates in the "Industry" but we still have lots of good people out of work at any given time. This "skill shortage" implies the reason they can't find work is down to a lack of skills and this is 100% not true.
The reason is that infosec jobs are, on the whole, insane. With very, very, few exceptions, hiring manager expectations are broken.
I'll come back to that.

We don't do ourselves any favours. We tend to criticise anyone who doesn't have full domain knowledge of every possible domain - and this is a million times worse for URMs. We think having CVEs makes you better at writing policies.
Then, because we are a bit weird, we spend half our lives criticising the certs and training people do get. We ridicule the certs people get to start in the industry and then wonder why they feel isolated and disillusioned.

If your first cert isn't OSCE, do you really cyber?
Now in some very specialised roles, there *may* be a lack of skills but, I still haven't seen it in practice. I have seen a related problem where people with good pentesting skills are hired as risk analysts and where people with skills in writing policies are moved into roles where they are expected to do technical deployments. This isn't a skill shortage, it's a confusion about what is needed in infosec roles in the first place.

This brings me back to the hiring point.

This is 100% where the problem exists.
First off, funding. Most infosec money is badly spent. Organisations will think nothing of spending £10m a year on a shiny new tool but go insane at the thought of paying £75k to hire someone to operate it. I've seen this at dozens of places and it astounds me.
Next, the money is reluctantly spent on consultancies to try and "shore up" the gap. This costs more than employees but gets slipped into different budgets. Then the hiring managers ask the consultancies to help them hire employees... Amazingly this ends badly.
If we ever solve this, we have another problem. No one really knows what skills are needed for a job. We just know that "we" can do it and other people can't. This is another issue I'll park for a minute and move onto the issue of bringing new people in.
Infosec has almost no actual "entry-level" roles. We have an assumption (incorrect but this is an argument for another day) that everyone has to have an IT/HelpDesk background to work in Infosec.
This means we eliminate people new into working life.
It kind of means we expect everyone to have worked for 2-3 years *somewhere else* before we allow them into our hallowed grounds.
The problem is, we also expect them to do "entry-level" jobs at entry-level salaries. It's hard to incentivise people to take a pay cut.
Alternatively, we have to pay them above-entry-level salaries (this is a good thing IMHO), but it creates the skill problem.

Side note: This is a self-imposed issue. We don't have to demand an IT background, but we seem to do it anyway.
Back to the skill problem. Pay grades in an organisation create an expectation that to be "Grade 2", you have to have something over and above "Grade 1" - you can't normally say "it's just to hire people." So HR pressure means hiring managers ask for skills.
But they are a mix of dumb/underskilled themselves/busy so they reach for defaults.

This is why you see entry-level roles which say "CISSP required" (min 5 years of work experience & management qual).

Or less obviously bad - demanding GCIH/GCIA for SOC analysts.
Now I love the certs. I really do. But no one who has a hard-to-get, expensive cert is "entry-level." If they've been sent on the course, they are already in a security role. It's literally that simple.
I've seen forensics roles which ask for CEH. I can't explain this.
The only solution seems unpalatable to hiring managers. We need to hire people and train them. We can't ask for skills on entry, because you only learn most of this *on entry*. Yes, some helpdesk experience will help if you do an infosec role which relates to that **BUT**
The uncomfortable truth is most roles don't relate to this, it's just the ones we like to talk about the most. No amount of help desk experience helps you do 3rd party risk assessments or review the legal framework for a supply chain agreement.
Alternatively, we say "all entry-level roles are basically security help desk" and then complain when the people doing the other stuff have no experience in doing it. Infosec is a super broad church. If every strand needs people to reset back to "entry-level" we are doomed.
We need to recognise you can lead a full, valuable, effective career in infosec without ever once using Metasploit or slinging nc shells across the internet. The problem is the lack of sane career paths. Instead, it's all about the TechSkillz.
This brings me to my last part of the rant. How we hire people.

Badly is the short answer.

Two things tend to cause this.
First, companies try to hire people with the skill/knowledge of the person they are replacing, not the skill/knowledge of the person when they started.
This is a massive mission creep and largely unrealistic.
It is nearly impossible to replace the knowledge you've lost. Don't try.
Lastly, we interview live sharks. We expect candidates to know everything about everything. We often try to show off by asking super hard questions that only we know the answer to.
This isn't a skill shortage, it's an ego problem.
If we really want to fix it, we will formalise the skills we expect and stop asking people to know things they don't really need to know, just because we know it.

We will also create *actual* entry-level roles rather than just have badly paid roles. (FIN)
And yeah, there are inevitable typos. Sorry.
You can follow @tazwake.