Solving the Cybersecurity Talent Shortage: Avoid These Common Pitfalls
Security professionals are not as inaccessible as the headlines claim. Toptal’s Information Security Practice Lead explains new ways to engage the professionals you need.
Michael is the Information Security Practice Lead at Toptal. He holds a bachelor’s degree in brain and cognitive sciences from the Massachusetts Institute of Technology and a master’s degree in high-tech crime investigations from George Washington University. Before joining Toptal, Michael served as executive director of the Advanced Cyber Security Center, and held other roles in the field, including consultant, principal investigator, advisor to government officials, and chief information security officer.
Security executives live life on repeat. Each year brings new evidence of a persistent shortage of qualified security talent and a hiring environment in which demand consistently outpaces supply. In its 2023 Cybersecurity Workforce Study, ISC2 reported that the cybersecurity talent gap grew by 12.6% year over year to 4 million professionals, while the available talent grew by only 8.7%. As a longtime information security professional who has worked amid that narrative for my entire career, I have watched that talent market asymmetry make adequate security practices broadly inaccessible.
As the Information Security Practice Lead at Toptal, I approach this problem knowing one thing is certain: There is no null hypothesis for exploiting weakness. No matter how effective we are at “shifting left” to proactively implement security measures, our defenses will always lag behind an attacker’s capabilities. This harsh truth makes quickly covering your cybersecurity workforce gaps all the more imperative. Doing so at modern speed and scale requires thinking outside the box of traditional hiring and adding global, on-demand talent acquisition capabilities to your resourcing toolbox.
The Current State of the Cybersecurity Skills Gap
Less than five years before I started college, the first major internet cyberattack was launched from my eventual alma mater. After hacking into a Massachusetts Institute of Technology computer, a young Cornell student unleashed a virus, the Morris worm, on November 2, 1988—and the modern information security profession was born. The collective efforts of the world’s top computer experts were insufficient for defending against a single attack. There were too few people who understood how the internet could be misused to spread malicious code. Their systems were defenseless.
Since then, the exponential expansion of the internet and the rapid advancement of the technologies that utilize it consistently outpace the ability to train subsequent generations of information security professionals.
Technology advances, such as generative artificial intelligence (Gen AI), are expanding the threat landscape and outmoding traditional resourcing strategies, leaving hiring managers exposed and waiting months to acquire the specialists they need to secure new deployments.
Other advancements, however, provide new solutions to address the talent acquisition struggle. The rise and acceptance of remote work fueled by COVID-19 has disrupted the cybersecurity talent shortage. Companies are now open to innovative approaches for delivering highly experienced specialists beyond the traditional hiring model.
In my role at Toptal, I help clients apply new strategies to navigate the talent shortage. Companies that capitalize on these new talent acquisition approaches are better positioned to accelerate their initiatives without compromising security.
To further support your organization’s ability to meet the current moment, hiring managers and security leaders should avoid the following common mistakes.
Prioritizing Skills Over Potential
One of the first mistakes I see clients make is focusing their attention on candidates with a specific skill set instead of those with experiential potential. In one recent example, a client sought talent with current experience deploying an AI security assistant that a major productivity software and cloud services company had released in beta only one week prior. There are many things wrong with this approach, the most critical being that the desired skill set is:
- Immaterial. Any professional who has evaluated software tools will attest that one week is barely enough time to install and gain familiarity with a given technology.
- Inconsequential. Under the most practical conditions, even gained knowledge in the targeted skill set will be fractional, likely no more than five to 10 hours. As such, training will be a lower priority than fulfilling daily work duties. That limited exposure would substantially impact the ability to employ the skill set in a real environment, especially one based on a disruptive technology like Gen AI.
- Inaccessible. Under the beta distribution terms, the tool was only available to existing enterprise customers who met a series of conditions and constraints. That fact alone reduces an already constrained talent pool to near zero, almost guaranteeing failure.
These errors in the skill-based approach represent the flawed logic in the idea that acquired skills solve exploratory problems. Skills may be important for routine tasks, such as coding a security monitoring interface, configuring cloud platform security features, or administering an endpoint protection tool, but they are tactical commodities generally ill-suited for discovery.
Instead, I advise clients to focus on the prerequisite experience that will best serve their business objectives. In the AI assistant case, experience evaluating a competing product or integrating a Gen AI solution into other business workflows would be valuable. More generally, a track record of evaluating and integrating new solutions in a similar operational environment establishes a common baseline against which any new tool can be assessed.
Having a partner with the expertise to assess and validate these kinds of qualitative characteristics in potential talent can be the difference between leading and falling behind the competition. Waiting for specific talent to enter an already severely constrained talent pool is a waste of valuable time.
Hoarding Employees Versus Resourcing Needs
In the early years of internet commercialization, security professionals excelled at solving previously unforeseen problems by employing “hacker” troubleshooting mindsets. However, today’s commercialized internet is a landscape of distinct cloud platforms and software-as-a-service (SaaS) applications—a fractionalized operating environment that requires highly specialized talent to properly secure it.
Despite this evolution, most legacy-minded organizations continue to resource their information security needs with a handful of reliable generalists, seeking full-time talent capable of supporting an expanding list of specializations. Hiring managers with that mindset usually make one of the following missteps, seeking to find candidates who are:
- The Everything Specialists. We have all seen job descriptions that ask for just about every qualification a hiring manager can imagine. One client I often work with started looking for talent with solution architecture; security certifications for two separate cloud platforms; and specific expertise with their chosen products for endpoint protection, vulnerability assessment, containers, and testing. They also wanted several years of scripting experience in a security operations environment. Someone who checks all of those boxes would have to be a specialist in running that organization’s specific environment: They could only be found already working on that client’s team. That organization-centric approach is why jobs remain open for months with hundreds or thousands of applicants being dismissed while the hiring manager seeks the perfect match.
- The Part-time Specialists. Some security executives choose to hoard talent with strongly specialized expertise that the company will only utilize for a fraction of time, simply so they are ready to respond when needs arise. One common example of this behavior is when organizations hire ethical hackers to conduct occasional red team vulnerability assessments. Another trend is hiring security engineers with recent experience testing Gen AI solutions. In those cases, expected utilization of the specialized expertise is much less than full time. The result is a lose-lose scenario that causes friction on both sides. Companies lose productivity by paying talent a premium for limited benefit. The talent quickly becomes dissatisfied when asked to fulfill lower-skilled commodity roles, like policy compliance assessment or security operations support, instead of expanding expertise.
The organizations that succeed at accelerating their enhanced security control investments—defending against emergent threats and complying with new industry regulations—address their talent needs with an agile approach that optimizes what is needed to accomplish their goals, instead of who should be hired. Implementing a more efficient resourcing strategy empowers organizations to respond to emerging threats faster than competitors that wait to hire. Once my clients shift to embracing an on-demand engagement model that identifies the right specialists at the right time, they begin to appreciate the productivity potential.
Restricting the Talent Pool to Local Options
Legacy organizations often fixate on sourcing talent locally. Specific justifications vary, but they tend to revolve around the notion that physical presence has benefit because their business has been built around that presence. Some may argue that ideation and whiteboarding is only effective when done in person. Others suggest that in-person work fosters a sense of community that improves productivity. Still others point to the importance of a strong local ecosystem to empower a network effect that benefits all of the participating organizations. Regardless of the validity of those arguments, we cannot rationally assess the benefits of in-person work without also addressing the related costs. Those include:
- Overhead. Maintaining the facilities to persistently support sporadic in-person work can be a drain on financial resources for seemingly little tangible benefit. For example, large capital investments to build centralized security operations centers (SOCs), historically considered an essential facility need, are no longer tenable considering that all modern SOC solutions are distributed to support remote monitoring and administration. When discussing the advantages of looking beyond the local talent ecosystem, my colleague Erik Stettler argues that “the tools and techniques exist today to replicate the very best of what we mentally associate with all of us being in the same room together.” Outside of the rare exceptions where functions may require physical presence, such as managing physical data center security infrastructure, I find that companies realize significant productivity and efficiency benefits when they can draw on a global, remote workforce and use sporadic in-person engagements much more intentionally and purposefully.
- Location Bias. Effectively responding to evolving cyber threats requires creative thinking and alternative approaches. Organizations that constrain their workforces geographically risk reinforcing biases and missing out on diverse viewpoints accessible through global hiring and remote work. Localization naturally promotes homogeneous thinking, which can blind legacy enterprises to innovative competitors that emerge outside of their local workforce bubbles. Security incidents often result from failures of imagination that stem from that kind of bias.
- Wage Inflation. The security talent market is already subject to elevated hiring costs because of unfavorable supply-and-demand dynamics. When companies collectively reinforce those conditions with localized isolation, they pay a cost for attracting security talent to keep the ecosystem healthy. When discussing how global talent will shape the future of venture capital, Stettler correctly noted that “the very strength of local ecosystems makes them brutally competitive places to staff a team.” That competition for limited resources accelerates security workforce costs locally and ultimately may drive the cost of effective cyber defenses beyond the value of the assets under protection.
Modern organizations understand that optimizing productivity and staying current in a dynamic operating environment requires a resourcing strategy that balances the real costs with the benefits. There will always be scenarios where localization makes sense, but proactively identifying ways to gain access to global talent provides a sensible alternative for those looking to quickly gain specialized security expertise without overinvesting or being limited by the local talent pool.
Defending against sophisticated attackers is already a daunting challenge for overworked, and often under-resourced, security teams. Rather than continue making the same old mistakes, accomplish more by augmenting your talent strategy with new, innovative approaches for navigating the cybersecurity talent shortage.