The Cybersecurity Skills Shortage That Isn’t There

Key Takeaways

  • The widely reported cybersecurity skills shortage is largely artificial, self-inflicted by the industry’s unrealistic hiring practices.
  • Companies are overlooking a pool of capable and non-traditional talent and underinvesting in training and development.
  • The solution lies in workforce development, not continued talent hoarding.

For years, the cybersecurity industry has perpetuated a tale of desperate skills shortages. Hackers wreak havoc, the story goes, while companies scramble to fill millions of vacant positions. Industry reports paint a picture of struggling firms desperately competing for scarce talent in an increasingly dangerous online world.

This narrative is misleading. The industry has inflicted this shortage on itself. While specific skills may genuinely be scarce (advanced threat hunting, certain compliance specialties, etc.), unrealistic hiring practices, tunnel vision about qualifications and experience, and a stubborn refusal to train available talent have created an artificial crisis.

Phantom jobs and real problems

The figures for millions of unfilled positions come from employer and industry-body surveys and from job postings, not from real hiring data. ISC2, a global member association for cybersecurity professionals, reported a global deficit of 4.8 million workers based on surveys of 15,852 practitioners. This methodology (surveying existing workers about theoretical staffing needs) likely inflates the actual shortage. Many reported vacancies represent phantom positions: openings that companies list indefinitely while rejecting capable candidates who fail to meet unreasonable requirements.

Were the shortage genuine, market forces would drive predictable responses: aggressive poaching, higher wages, accelerated hiring. Instead, the opposite occurs. New graduates with cybersecurity degrees struggle to find entry-level positions, while companies subject experienced workers to complex interview processes. This indicates companies are chasing perfect candidates rather than addressing genuine staffing needs.

Overreaching Requirements and Overlooked Talent

Today’s entry-level cybersecurity postings routinely demand five to ten years’ experience, multiple certifications and expertise ranging from penetration testing to regulatory compliance. In reality, most cybersecurity roles are specialised: a SOC analyst needs vastly different skills from a compliance officer. By insisting on an impossibly broad skill set, companies shut out otherwise qualified candidates (e.g. university and boot-camp graduates, career-changers, and military veterans) whose demonstrable abilities could serve focused positions well.

The Training Paradox: A Crisis of Investment

If there were a genuine talent shortage, organisations would develop pipelines through apprenticeships, university partnerships and clear career paths, as seen in other sectors such as retail or manufacturing. Instead, many cybersecurity employers are reluctant to develop junior staff, preferring to poach experienced professionals. This approach perpetuates the myth of scarcity. Companies that commit to structured mentorship and on-the-job development would not only fill their own needs but also help stabilise the broader market.

Specialisation, not stagnation

Part of the confusion comes from treating ‘cybersecurity professional’ as one job. In fact, the field has many specialisations requiring different skills. Penetration testers need different capabilities from compliance officers, who differ again from incident responders or security architects.

When companies combine demand across all specialisations and declare a general shortage, they hide what is really going on. There may indeed be a lack of workers in highly specialised, advanced areas. However, there are people who could handle many security jobs if they had foundational technical skills and companies provided specific training.

Where next?

Solving hiring challenges requires abandoning false assumptions about shortages and focusing on real workforce development. Serious companies must identify candidates with strong foundations and learning ability, then invest in their growth.

A good foundation will include:

  • Recognising that cybersecurity skills grow from experience, not just natural talent.
  • Writing clear, realistic job descriptions that specify essential skills rather than impossible wish lists.
  • Creating onboarding programs that transform capable candidates into productive team members.
  • Considering non-traditional candidates: military veterans bring incident response experience and process discipline, technical professionals from related fields can offer transferable skills and fresh perspectives, and career-changers from unrelated fields may provide communication abilities and business context that complement technical training.

The cybersecurity industry faces a choice: continue spreading shortage myths that justify current practices or acknowledge that talent exists but requires different approaches to development. The latter offers better outcomes for companies seeking effective security and individuals wanting meaningful careers.

The skills shortage narrative will persist only as long as the industry finds it more convenient than confronting the need for change. The talent exists. The question is whether the industry has the wisdom to recognise and nurture it.
