Why information security jobs go unfilled

In this 3-part series, Ben Rothke deals with the issue of a shortage of people in the information security sector.


Just last week, the U.S. Office of Personnel Management granted the Department of Homeland Security (DHS) permission to hire 1,000 cybersecurity specialists. Due to government hiring issues and the overall Washington bureaucracy, the approval for DHS was the easy part. Getting those 1,000 cybersecurity specialists to actually start working is an entirely different matter.

In the private sector, there is another challenge. While there may be budgets for hiring information security staff, where do you find these elusive professionals? The job boards may seem like a great avenue for finding people, but most who have used popular job boards find themselves inundated with huge numbers of highly unqualified applicants.

The waters of information security hiring are well charted; the key point is to find someone who can help you through those waters.

While there are a number of reasons why firms struggle to find good information security talent, there are two significant reasons exacerbating the problem.

Lee Kushner, president of LJ Kushner and Associates, has been recruiting information security professionals for almost 20 years and understands the nuances and complexities of the industry. Kushner notes that job descriptions are often created in a vacuum, without taking the availability of the specific information security skills into account.

[ PART 1: Prospective security employees see too many low-ball offers ]

Unlike other professions, information security has a number of sub-domains and niches that are not as plentiful as others. No different than other markets, the laws of supply and demand apply. When this is not factored into the initial equation, information security positions often go unfilled for quite some time.

Kushner notes that one of the bigger issues in the recruitment of information security professionals is standard job requirements like years of experience. Due to the speed of technology and the evolving threat landscape, years of experience is not as reliable an indicator of competency as it may be in other careers. In many organizations, years of experience is directly correlated with compensation, which often hamstrings these companies from making competitive offers.

He also observed that the effectiveness of an information security leader or CISO can often be directly tied to the caliber of talent that they can attract to their programs. It is essential that the CISO develops a strong relationship with their internal human resources professionals, so that they can work together to design a practical and flexible recruitment and compensation strategy which can attract the specific information security talent that they will require to keep their organization secure.

[ PART 2: Don’t use general recruiters in salary negotiations ]

Firms that are serious about finding information security talent would be better served by using a recruiter with a specific focus on information security. These recruiting firms often have a sizable pool of information security professionals, and are much better attuned to the nuances of the information security hiring space.


With some license, the famous line from the baseball movie Bull Durham can be used for information security: this is a very simple game. You throw the ball, you catch the ball, you hit the ball.

As to winning the information security hiring game: you define what you need for your information security staff, you set a reasonable salary, and you find someone to help you hire these people. This is not such a hard game.


Copyright © 2015 IDG Communications, Inc.
