by iamAy0 1857 days ago
I've been reading about this "security professionals shortage" for quite some years, yet the reality is that there is no such shortage.

And I think this is even expandable now to any IT field. People keep talking about a shortage, but what I do see is an exhausting hiring process most people just don't want to deal with.

3 comments

"Shortage" is a synonym for "costs more than I'd like to pay for it".
Competing harder for the limited pool of competent security people might redistribute breaches away from your company onto others. From a local perspective this could be rational but as a society we want to be less vulnerable in aggregate.

(Although there I think the IT operations side is vastly overblown and not nearly enough attention is paid to quality control on the most popular software packages. Want to make every business substantially more secure at once? Take a hard look at Windows Server, Exchange, etc).

The pool is never truly limited though. Every industry was at one time tiny and had to train people to do the job.

But, training costs money, so they hope some other company will do it for them.

I'd say "costs more than the median income" is closer. Adjust for legitimate training costs that are incurred by the workers, and it might be a pretty good definition.
Paying more just means you fill your vacancy at the expense of another firm who has their employee poached. The net effect is that one company is still vulnerable.
They are all in this together? Paying more means you fill your vacancy.

Edit: The cheapskate can follow suit and maybe that convinces one person to undertake the 8-week cert. No more shortage. Or maybe they don't pay more and are DDoS'd out of business. Again, no more shortage.

There are at least one million people in the US who have more than enough experience for an entry-level cybersecurity position; all they need is a few weeks of training (to start) and an employer that isn't demanding twenty years of experience and a CISSP for $50k with crap healthcare and inadequate PTO.

Also, employees are not some company's property. At-will employment goes two ways, and if you want to treat them as if they were property you may as well just turn off the lights now because it will not end well.

>There are at least one million people in the US who have more than enough experience for an entry-level cybersecurity position

What's the base requirement for these people?

It also creates supply, e.g. software developers in a related field deciding to switch careers.
Or another country or another industry or encourages others to join the field.
The security industry is unique in how much and how quickly it changes. There are two kinds of companies that hire infosec professionals in my experience: Those that understand that change and the resulting need to plug their employees into the industry training pipeline, invest in their active learning and those that don't. Those that don't more often than not have laughable or terribly unbalanced job descriptions where they're willing to pay decently well but demand a golden platypus riding a unicorn, and those types of hires might have a shortage indeed.
The hiring process is definitely an issue. Cybersecurity is new enough that HR has no idea what they want, so they require useless certifications like CEH, and a college degree in CS. There's also a wide variation in what Cybersecurity even means. Some college cybersecurity programs are all about policy and compliance, while some focus on offensive security and vulnerability analysis.
Often it's not HR that writes these job adverts, it's the managers. HR is just a middleman.