We’ve Been Fooled. There Is No Talent Shortage.

We’ve never had a cybersecurity talent shortage. Turns out we’re being sold that story from certification vendors and companies not wanting to pay for talented security professionals. We believe there’s a shortage because there are so many job postings for cybersecurity professionals that go unfilled. But there are so many people who want cybersecurity jobs. What’s going on?

Check out this post from Rachel Bicknell for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Ngozi Eze, CISO, Levi Strauss. Joining us is Jimmy Sanders, president, ISSA International.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Intro

0:00.000

[David Spark] We’ve never had a cybersecurity talent shortage. Turns out we’re being sold that story from certification vendors and companies not wanting to pay for talented security professionals. We believe there’s a shortage because there are so many job postings for cybersecurity professionals that go unfilled, but there are so many people who want cybersecurity jobs.

What’s going on?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series, and joining me as my guest co-host for this episode is none other than Jimmy Sanders, who’s the president of ISSA International. Jimmy, he’s waving by the way, and only people are listening to this.

Jimmy does not understand how this is working, but Jimmy, say hello to our audience.

[Jimmy Sanders] Hello, it’s great to be here, David.

[David Spark] Our sponsor for today’s episode is ThreatLocker, Zero Trust Endpoint Protection Platform. More on just that a little bit later in the show. Our sponsor for today’s episode is ThreatLocker. Huge thanks to ThreatLocker, a phenomenal sponsor of the CISO Series. We greatly appreciate their support.

If you’re not familiar with them, Zero Trust Endpoint Protection Platform, that’s what they’re all about. More about that later in the show.

But first, let me talk about today’s topic, and it really is all launched from one quote. It’s a pretty spectacular quote that caused a lot of response, and it’s from Mic Merritt, a cybersecurity executive, who penned this statement about the lack of a cybersecurity shortage, and kudos to Rachel Bicknell of Dell for reposting this.

So, I’m going to read this in full, “There is no talent shortage, never was. You can check to see the first place that rumor started, and it was in industry certification vendors in schools. But companies don’t want skilled candidates either because they don’t want to pay for them. What we’re seeing in the industry today are companies pretending they’re security-focused and advertising roles they never plan to fill, so they can convince their current overworked employees they’re trying, while telling their board they can’t find the right skills.

Any company that is actually interested in addressing the risks and securing their company is having no difficulty at all finding the people to do it.”

Now, there are a lot of people that will agree and strongly disagree with that statement. It’s pretty incendiary, but it has a lot of sort of interesting takes in it, I will say that. Jimmy, I want your first response to it. What do you think?

[Jimmy Sanders] If anyone has read the latest CISO salary report, you see that not paying talent is the last thing that’s been happening. CISOs are making better salaries than ever. So, I don’t understand how they can say the companies don’t want to pay.

[David Spark] But it’s not just CISOs that are getting higher. It’s all levels of security professionals, too.

[Jimmy Sanders] Of course. But when you make a statement that says companies don’t want to pay, and then you see CISOs making $2 million and a security architect making $300,000, then that’s kind of hard to swallow that they don’t want to pay people.

[David Spark] Although what Mic’s comment is at the end is those companies in addressing their risks, so it might be the ones that are addressing the risks, are having no problem finding talent or difficulty hiring. So, they’re the ones that appear to fall into that category.

[Jimmy Sanders] Yes, but my main contention with the statement is that the last sentence, any company, you can’t make blanket statements. It’s like saying any employee or anything. There are niche cases in almost any instance, but to say that people don’t want good security is to say people don’t want to do a good job.

[David Spark] All right. Now, there’s many takes all through this episode on this quote, and the person who’s going to be joining us in this conversation is the CISO over at Levi Strauss, none other than Ngozi Eze. Ngozi, thank you so much for joining us.

[Ngozi Eze] Thanks so much for having me, David.

What are they looking for?

3:58.236

[David Spark] Leeland Heins of AMD said, “Looks nearly identical to what I’ve written about software engineering multiple times. There is no shortage, never has been, and given that the colleges and boot camps keep turning out diplomas into a massively glutted field, there never will be. Yes. If you have a job description with 40-plus bullet points and only hire a 110% perfect match purple unicorn that farts rose-scented rainbow magic fairy pixie dust,” love that, by the way, I would love to hire that person, “And you want to pay them 40% below market for 100% on-site, you will probably have trouble hiring and retaining.

Anyone with realistic requirements and expectations on salary and working conditions has never had any trouble finding as many highly talented techies of any kind as they need.”

And lastly, Justin St. Amour of Agio said, “I don’t think this is just cybersecurity, but IT in general. I’ve been saying for a long time that companies just don’t want to pay good people what they’re worth.” So, I’m going to just double down on that very last line, which also speaks to what Leeland says.

Do you think companies are willing to pay for what they’re worth? And you said the salaries are pretty high, Jimmy.

[Jimmy Sanders] It’s not if companies are willing to pay what somebody’s worth, it’s are the employees willing to take what they can negotiate and show that their value is.

[David Spark] So, when we’re seeing $2 million for a CISO and 300K for a security architect, I’ll go straight to you, Ngozi. I mean, is that the going rate? Because I mean, that does seem high. By the way, if it’s that expensive to build a security team, that doesn’t seem sustainable for a company that’s working with smaller margins, I guess.

[Ngozi Eze] In general, I think the quote is a little negative. I tend to look at things a little bit more positive. I think in general, most organizations want to pay people what they’re worth. They want really great talent, and they want to be able to deliver that talent and pay what they want. They want people to be able to stay in role for a good amount of time.

And if you’re undercutting your employees, you’re going to develop a little bit of a rap sheet as a company that wants to not pay their employees and you’re not going to get great talent. I actually don’t believe that. I think in general, most companies do want to pay their talent the best they can.

[Jimmy Sanders] One of the things that I know is that we keep a list. It may not be a formal list, but we keep a list of the cheap companies that always undercut their employees. They have the worst benefits. They have the worst kitchens. They don’t give any fringe benefits. The employees know that.

So, we intentionally don’t go to those companies. It’s the employees who have no other choice, who have no other options. They end up at those bottom feeder companies.

[Ngozi Eze] And they’re not there for long.

[David Spark] Well, that’s very interesting because I talked to Jesse Whaley, who’s the CISO over at Amtrak, and I’m pretty sure they don’t pay the top dollar. And don’t quote me on that, but I believe that’s the case. But I will say this, one thing that he does do, and I hear it from a lot of security professionals, is they have a very involved training program throughout their company.

And I used to work for Dice.com a long time ago. Believe it or not, salary was not the first thing that came up a lot of times when people talked about when they looked for jobs. So, going back to your benefits questions, what are other ways to attract these kind of talents, Jimmy?

[Jimmy Sanders] Engagement of openness to remote work, hybrid work, of being understanding. If you’re a male and you want to take a PTO or a time off to take care of your child, you shouldn’t be looked down upon that. Same thing for females. And so being open and engaging and listening to what somebody’s really talking about because most employees, they’re not there directly for a paycheck, as you were mentioning, and obviously Ngozi had some great ideas as well.

[David Spark] Ngozi?

[Ngozi Eze] Yeah, so I can’t really speak to other companies. I can tell you what we do, right? I think from my perspective, there’s a total compensation package that we put together. The actual salary is just one part of that, benefits is another part of that, options from a stock perspective is one.

But then also the culture that we provide. Are we able to allow you to come into the organization, and we think you’re going to be able to work on cool things, cool products, cool technologies? We’re going to stretch you and allow you to challenge yourself in other areas and disciplines that you may want to get into, things that other companies may or may not be able to offer?

We will also talk about the work/life balance. We talk about the values of our organization. It’s very important for us to find not only highly qualified and skilled talent, but those who fit our overall culture. So, I think there’s a myriad of dynamics that you want to put into play as it relates to looking for talent.

What are the complaints?

8:55.908

[David Spark] Jim Seaman of IS Centurion Consulting said, “Clearly there is some disparity between what is allegedly being reported, cyber skills shortages, and what we in the industry are experiencing. Perhaps there’s a misunderstanding between skills and experience and what businesses are expecting to pay.

I’m seeing lots of roles being advertised that have requirements lists as long as your arm, but the salaries do not relate to the time and investment it would take to fulfill even a third of the list.”

And Christy Fallin, a BSO over at Regions Bank, said, “A big consulting company has three new roles. They want people close to the office. They post a job with only three spots for every city 80-plus on five different job boards. Now three open jobs look like 240, then do that for 300 jobs. The certificate and education industry makes it appear as though there are hundreds of thousands of jobs.” So, yeah, if you search these job boards, it can look like a lot.

Jimmy, you were nodding your head.

[Jimmy Sanders] Yes, because I saw that perfect example of the same job is posted in a different city, the same job requirements, and it’s saying from Austin or from Cupertino. So, yes, I understand that. But there is a shortage. Just because the job boards show 3,000 jobs, we in the industry and as leaders understand when we’re trying to hire people what we’re looking for, and sometimes those people are hard to find.

I remember it used to be hard to find somebody who’s really good at a SIEM or something like that. So, there are certain things. Especially now with the advent of AI, there are so few people who are true AI experts.

[David Spark] And looking for that talent is very, very tough. So, do you think there is a confusion of what is actually available, Ngozi? Being that people can play games with the job boards and also sometimes they just put these things out and they just let them languish.

[Ngozi Eze] That’s one of the things I was just going to point to is that the cash isn’t always necessarily clear when the role is filled. Perhaps if it’s filled internally, the organizations don’t always do a great job of pulling those job requests down and then pulling them across sites as well. So, I think it’s just a nuanced question, right?

You have job boards, you have certification organizations, you have companies all looking for talent. That’s kind of confusing the market a bit.

[David Spark] What could give a little bit more clarity, Ngozi?

[Ngozi Eze] Yeah, I think from my perspective, I think companies could just be better about saying, “Hey, we’re looking for this particular role,” and then once it’s filled, take it down. I think it’s also important to address an issue of sometimes you have to post roles as an HR requirement, and the team may have no intentions of hiring externally.

That’s a positive thing for growing your internal talent, but it really reflects negatively to the market when you’re posting a role only just to fulfill a compliance requirement internally. I think that is something that we should probably think about addressing.

[David Spark] Well, it becomes like a legal compliant thing, like you said that they have to do, but it’s really hard to know if that’s going on at all. Anything to add to that, like in terms of adding clarity, Jimmy?

[Jimmy Sanders] In terms of adding clarity, I think the industry doesn’t want clarity.

[David Spark] Good point.

[Jimmy Sanders] You don’t want to always know when the company is doing nefarious things. They’re never going to tell you their company sucks or they’re horrible. So, they want to intentionally keep you cloudy.

[David Spark] Yeah, I mean, actually a company that has a dozen job posts for security positions makes it look like they’re filling security positions, and they have a sort of a vibrant security program. Just because you put it out doesn’t mean you’re going to fill it, for that matter.

Sponsor – ThreatLocker

12:35.886

[David Spark] Before I go on any further, let me tell you about our sponsor, and that is ThreatLocker. Let me ask you a question. Do zero-day exploits and supply chain attacks keep you up at night? If they’re not, they are worrisome regardless. Nobody likes them. But worry no more. You can actually harden your security so you don’t have these nightmares with ThreatLocker.

Imagine the following. You’re taking a proactive, deny-by-default approach to cybersecurity. You’re blocking every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance.

Onboarding and operation is fully supported by their US-based support team.

So, stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware. Worldwide, companies like JetBlue, they trust ThreatLocker to secure their data and keep their business operations flying high. To learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, just go to their website.

It’s threatlocker.com. Go check it out.

What else are we missing?

13:52.655

[David Spark] Danny Hetzel of Accuray said, “There really is a shortage in what is required. Most shops are shorthanded and need individuals who are mid-level skill. Entry level will never have a shortage because it’s every level.” Now, Joseph Wyckoff said, “If there were jobs demand, there would also be part-time jobs, and there appear to be just about zero part-time cybersecurity jobs.” Interested on your take on that.

But let me also read Elias Avgoulas’ comment of Foodtastic, who said, “I’m not saying I disagree, but if that’s the case, why are governments subsidizing tuitions for students to get into cybersecurity-specific education?”

All right. Ngozi, good comments all around saying, “Well, I don’t see any part-time cybersecurity jobs, and the government’s really eager for more cybersecurity talent, so there must be a lot of demand still for it.” I mean, we’re being told again and again, I mean, where does this lie? But I should also mention, before you jump in, I find this show to be a barometer because when we started out the first three years, every CISO was hiring every single time, and they mentioned at the end of the show, they were hiring.

It’s not so much the case now. Where do you think we stand? And these barometers of government and part-time jobs, what do you think they tell us?

[Ngozi Eze] Well, kind of speaking to what you mentioned earlier as it relates to what’s missing, and I think just clarity around the subject, we’re not talking about the impact of globalization and how that is impacting entry-level roles. A lot of the entry-level roles do exist for organizations, but many of these organizations are in fact global and can find really top talent across the world for entry-level roles.

So, these comments typically are US-based, US-centric. And so, you have a ton of US talent looking for entry-level roles that just may not be in this particular market. So, I do think organizations are looking for skilled cybersecurity talent, and I think just what entry level looks like in the US and what that looks like from a global perspective, that delta is not really being communicated.

[David Spark] Is there something, Jimmy, that you can put in a job posting that makes it clear, “This is a real job. We’re not messing around. We really need this.”

[Jimmy Sanders] No, there’s nothing because we’ve seen all the amazing job postings from all the amazing companies. I remember during COVID when all the big tech companies were over hiring and promising these incredible salaries, and six months later, they fire everybody. So, I don’t trust almost anything that’s in a job posting until I actually talk to somebody.

[David Spark] That is a good point. Let me ask you, is there something unique to a Levi job posting, you think, that sort of sets your postings apart?

[Ngozi Eze] Well, I’m biased. It’s real, right? Because it comes from us. And associates and our people, we really, really mean that, right? We really care about the people that we’re able to hire and the folks that work on our team. We don’t get a ton of roles that we can hire for, so we have to make every role count.

So, when we post the role, it’s a real role, and we’re looking for real talent that really meets the culture that we have at LS & Co.

[David Spark] Do you find it hard to find the talent? Like if you put something out, does it take you months to find somebody? Or can you see people in weeks you like, and you start interviewing right away?

[Ngozi Eze] It takes us months to sift through the amount of qualified talent that is out there. The challenge is really the other end. We put a role out, and I think it was about 600 really qualified resumes almost in the first three days.

[David Spark] Wow.

[Ngozi Eze] And we were just overwhelmed. We found great culture fits, great integrity, great talent, great experience. As an organization, we do look for experience, but we absolutely look for transferable skills. So, we saw a lot of folks with what we like to look for, with the intellectual curiosity that fit the bill.

And then out of nowhere, we had tons of unicorns, from our perspective. So, really getting into who’s the right person for the role was important.

[David Spark] Let me double down and ask this question for everyone listening, who’s one of those 600 that wants to shine. Think about, whatever, the five candidates you chose to interview, I don’t know what it was, what was it about what you saw that made you go, “Okay, these are the 5 out of the 600 we want to look at”?

What was it?

[Ngozi Eze] Typically, it comes just down to energy and culture fit.

[David Spark] But how do you see that in a resume or a cover letter? How is that conveyed to you?

[Ngozi Eze] I think it’s just in how the resume is written. A lot of times, we have our recruiting team that’ll do the first pass and that’ll give us a point of view. That’s one. Two, we also get a lot of internal referrals. So, folks that have worked with other people before.

[David Spark] I’m sure that helps a lot.

[Ngozi Eze] Yeah. That really helps move people along and faster to the top of the heap.

[David Spark] Anything to add to that, Jimmy, of how you sort of set yourself apart from the 600?

[Jimmy Sanders] What do you do that you can bring value to the company that you know is a unique quality? Like makes you like a unicorn with two horns almost. Where you do X really good, and you do Y really good as well, and you show how you are the best at that in your field.

[David Spark] By the way, you’re no longer a unicorn if you’ve got two horns.

[Laughter]

[Ngozi Eze] You’re a bicorn.

[David Spark] Yeah, it’s a bicorn. And by the way, I’m going to quote Chris Sacca here, the investor. He used a line, and I’ve quoted this many times, and in fact, there’s a book written on this, but I love this. What is your unfair advantage? That’s the thing you need to double down on. What makes me sort of stand out from everybody else because I have this special background, skill, talent, whatever it is.

What do most people think it is, and what’s the reality?

19:55.924

[David Spark] Brandy Gordon, the CSO over at Gordon Digital Forensics, said, “The whole thing is just devious. An excuse for why their security program stinks or getting hacked. I’m imagining hands rubbing together saying, ‘Mawwaaa,’ security leadership whispering, ‘Tell the board there are no skilled workers shortage so they can’t replace us.

Just put an ad out there and we’ll just go through the motions.'” All right, obviously Brandy is playing into Mic Merritt’s first statement here. This is, I think, a little extreme, Jimmy. Yes?

[Jimmy Sanders] Yes, of course. First of all, you’re assuming that the board is made up of dumb idiots to begin with.

[David Spark] Yeah, there you go. [Laughter]

[Jimmy Sanders] The board is comprised of people who run businesses of their own and they already have security friends in the field, so they have that as a reference. Secondly, I have yet to meet a security leader who wakes up every day and says, “I want to do a bad job, and I want to get hacked.”

[David Spark] [Laughter] That is a good point. You don’t hear that ever. Not often, just never. You don’t hear that. I can see why people may feel the way that Mic Merritt feels and Brandy’s sort of silly joking comment on it. But let me ask, are there levels of truth to this, Ngozi, that we need to sort of unpack a little bit?

What do you think?

[Ngozi Eze] Again, I will tell you, being in the cybersecurity industry for over 20 years, right, technology, I’ve never met a group of individuals with such high integrity. And so, the last thing I think is cybersecurity professionals and practitioners are sitting around rubbing their hands saying that, “Hey, we’re doing something and we’re not actually doing it.” These are folks who, when there’s a fire, when there’s a challenge, they run to the fire.

So, they’re certainly some of the most caring, integral, and selfless people that I know. There’s just a challenge in the marketing. Cyber folks will shoot it to you straight, “We got a problem, and we need to fix it.” I don’t think it’s cyber people who are creating the confusion as it relates to hiring.

I think there’s other actors that are playing.

[David Spark] They’re arguing that the educating companies are sort of the initiators of this. That’s what Mic claims. Jimmy?

[Jimmy Sanders] So, I’m with Ngozi on this one. I think it’s, to me, a lot of these quotes are from non-security leaders who are watching what security leaders do and throwing sticks at them saying, “Oh, I could have done that better.” You can always do something better when you’re sitting on the sideline complaining about Tom Brady, the quarterback, and why he threw that interception.

But it’s a totally different thing when you’re actually in the seat, when you actually are going through seeing the attacks. We get attacked so much, and when we win in the attacks, we can’t say we won because we get attacked all the time. But we lose one time, we make the news, and all of a sudden, we’re inept at our job.

[David Spark] And I love this situation of, well, they do the posthumous look back, well, that information was there. Why didn’t they see it? Well, it’s easy to say that now.

[Jimmy Sanders] Yeah, you can’t stop everything.

[David Spark] It’s very, very difficult.

Closing

23:08.564

[David Spark] All right, we’ve come to the portion of the show where I want to ask each of you your favorite quote and why. And it could be something you disagreed with, but it brought up a good issue that you like to challenge. And I will start with you, Ngozi, which quote was your favorite and why?

[Ngozi Eze] Well, there are many different quotes that I really appreciated. I think Christy’s quote around three roles being posted and propagated on different job boards across 80 different cities, which really kind of add to an overall sense of confusion. And I think the part that we kind of appended to it was organizations not doing a great job of pulling roles down as necessary, which continues to contribute to that overall confusion.

[David Spark] That is a very, very good point. All right, Jimmy, your favorite quote and why?

[Jimmy Sanders] My favorite quote was Joseph Wyckoff’s. If there were job demand, there would be also part-time jobs. There are part-time jobs. We just call them contractors, you know? So, to think that there’s no part-time jobs, that’s why you do three to six months contract jobs. Those are part-time.

[David Spark] Yeah, and also when they need contractors, they also look at MSSPs, too, as well.

[Jimmy Sanders] Yes, exactly.

[David Spark] There’s a huge market for vCISOs and security consultants. Many of the people listening fall into these categories. I know they do, for that matter. Well, that brings us to the end of the show. Huge thanks to our sponsor, and that would be ThreatLocker. Remember, they are the Zero Trust Endpoint Protection Platform.

Commit that to memory and their web address, that would be threatlocker.com. Go check them out. Their customers love them, and we love them as a sponsor. Thank you so much for supporting the CISO Series. We love you too, ThreatLocker. Ngozi, thank you so much for joining us today. We greatly appreciate you being on board.

And also, Jimmy, we greatly appreciate you being on board as well. I believe there’s a big event coming up in April, yes?

[Jimmy Sanders] Yes, ISSA International will be having our 40th anniversary celebration in Houston, Texas in April 2025. Look forward to the details.

[David Spark] And the CISO Series Podcast is planning on being there, so you should be there as well. Thank you, audience. We greatly appreciate your contributions. And by the way, for those of you who don’t know, if you see a great conversation online that has lots and lots of comments, we turn that into an episode of Defense in Depth.

Please send those to us. Even if you wrote it. If you wrote it, we could be quoting you. The key thing is lots and lots and lots of good quality comments, like what we’ve just read today. Thank you for contributing. And thank you for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.