Why information security jobs go unfilled

Nov 16, 2015 | 3 mins
Careers, IT Jobs

In this 3-part series, Ben Rothke deals with the issue of a shortage of people in the information security sector.

[Image: isolated people. Credit: Thinkstock]

Just last week, the U.S. Office of Personnel Management granted the Department of Homeland Security (DHS) permission to hire 1,000 cybersecurity specialists. Due to government hiring issues and the overall Washington bureaucracy, the approval for DHS was the easy part. Getting those 1,000 cybersecurity specialists to actually start working is entirely a different matter.

In the private sector, there is another challenge. While there may be budgets for hiring information security staff, where do you find these elusive professionals? The job boards may seem like a great avenue for finding people, but most who have used popular job boards find themselves inundated with huge numbers of highly unqualified applicants.

The waters of information security hiring are well charted; the key is to find someone who can guide you through them.

While there are a number of reasons why firms struggle to find good information security talent, there are two significant reasons exacerbating the problem.

Lee Kushner, president of LJ Kushner and Associates, has been recruiting information security professionals for almost 20 years and understands the nuances and complexities of the industry. Kushner notes that job descriptions are often created in a vacuum, without taking the availability of the specific information security skills into account.

[ PART 1: Prospective security employees see too many low-ball offers ]

Unlike other professions, information security has a number of sub-domains and niches that are not as plentiful as others. No different than other markets, the laws of supply and demand apply. When this is not factored into the initial equation, information security positions often go unfilled for quite some time.

Kushner notes that one of the bigger issues in the recruitment of information security professionals is standard job requirements such as years of experience. Given the speed of technology and the evolving threat landscape, years of experience is not as reliable an indicator of competency as it may be in other careers. In many organizations, years of experience is directly correlated with compensation, which often hamstrings these companies from making competitive offers.

He also observed that the effectiveness of an information security leader or CISO can often be directly tied to the caliber of talent that they can attract to their programs. It is essential that the CISO develops a strong relationship with their internal human resources professionals, so that they can work together to design a practical and flexible recruitment and compensation strategy which can attract the specific information security talent that they will require to keep their organization secure.

[ PART 2: Don’t use general recruiters in salary negotiations ]

Firms that are serious about finding information security talent would be better served by using a recruiter with a specific focus on information security. These firms often have a sizable pool of information security professionals and are much better attuned to the nuances of the information security hiring space.


With some license, the famous line from the baseball movie Bull Durham can be used for information security: this is a very simple game. You throw the ball, you catch the ball, you hit the ball.

As to winning the information security hiring game: you define what you need for your information security staff, you set a reasonable salary, and you find someone to help you hire these people. This is not such a hard game.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.