What are your thoughts on this?
I think there are a couple of things leading to the conclusion that we lack cybersecurity professionals. A large one is the government surge in this discipline over the past several years. Here in the U.S., this is at the federal and state level, and we are even beginning to see it at the local level. We create these agencies and positions rather than modifying existing ones to be better. For example, we don't have a perceived lack of "HR coordinators" even though the area of human resources has expanded exponentially over the years thanks to various tax, insurance, and legal requirements. Maybe these departments have grown, but by and large we take existing positions (in HR and management) and we train them to be on top of this. But security we think of as a commodity. I used to give a talk, "Security is not butter." You can't just buy more and spread it on where it is lacking. It has to be integral to be effective; it's really a measure of quality. That is what we haven't figured out.
The other thing that is going on is that our technology products have expanded geometrically. 25 years ago, maybe there was a computer per home. Now, we're talking dozens of devices per home connected to the Internet. Here's the absurdity in the U.S.: we have all these devices regulated by the FCC in terms of the radio frequencies used, but no one is paying attention to the quality of the software/firmware being used. Now, I loathe government regulation, but my point is, imagine the auto industry where auto safety amounted to a test of the volume of the horn or maybe the depth of the tire tread, and no one was looking at brakes, seatbelts, steering, etc. As has been established, crappy software (actually the same software that the government tends to buy) can shut down hospitals when attacked. I'm not advocating for a computing version of the FDA, but I think we have to ask: are we going about this the wrong way? We are essentially trying to fix a problem at the worst end of it, and this naturally is a more resource-intensive approach. At the least, if federal, state, county, and municipal agencies raised the bar for the quality of their own software, maybe we would see the marketplace address the issue (again, I loathe regulation).
My last point is we experience the same phenomenon with our schooling and professional training. We don't teach how to purchase and use these things securely. In my experience, despite all the lip service we pay to security awareness, most schools and organizations aren't interested in real training. At best they want to check a box. Like buying crappy software, it is not even an issue of price. A CISSP will offer to do Safe and Secure for free, but they prefer to stick with some presentation they pay for.
So if we are experiencing a shortage of cybersecurity professionals, it's for the same reason that the town that has experienced a season of drought but has bonfires every night and hands out matches to kindergarteners finds itself with a shortage of firefighters.
Don't think I could have said it better than Rob or JoePete.
I recently came across someone who is claiming to be a security professional and, after closer review, found their only experience was generating reports out of ServiceNow for audits... but they did get hired by someone to practice security... so those folks doing the hiring (whether it be HR or the department or whoever) are not educated.
We had almost a dozen students out at our last SIG meeting. I also know one who's been working for two years now and still hasn't been able to get a serious security job. (She's still looking.) We've got lots of talent. What we don't have is people who will realistically take "trained, experienced, and willing to work" rather than wait for "absolutely perfect for our specific hole."
This is more of what I am seeing, which is due to a broken hiring system rather than a lack of talent.
I will accept that in some markets, for some skills, there may not be enough. But I don't believe it's true across the board everywhere. And I think a lot of this is due to very superficial surveys that don't dig into the problem.
Instead you have a lot of companies (including their recruiters, both internal and external) who don't understand security, so they don't understand what they should be looking for. This leads to unrealistic expectations (the "looking for a unicorn" nonsense) with ridiculous job postings (wanting senior-level skills for junior positions, wanting a long laundry list of "must have skills") and treating people like porridge (don't want you because you are 'too much' this or 'not enough' that).
I see this in my area with people who have worked hard to get skills and knowledge, but can't get their foot in the door. Companies which flounder with filling roles for months where I KNOW they had several qualified candidates apply (and hopefully interview). I've experienced it with companies either ignoring me for roles I'm clearly qualified for, or giving me ridiculous excuses not to continue the process with me (too much/not enough, etc.).
Not to mention the insulting behavior I've had to deal with. Being put down by peers for not having certs (really???). Being put down by some recruiter for not having hands-on experience when it's a management role (really???).
Problem is you'd have to really dig in. Like, say, have qualified people to review job descriptions and show that they were poor. More interesting would be to ask for the resumes of the people these companies were rejecting for interviews. You might get results like: "We found that 80% of job descriptions were poorly constructed and not in line with realistic roles. Titles were inflated, such that what should really be a lead security engineer role was called a security manager or ISO. Further, we found that the vast majority of the resumes received should have been interviewed for the roles they applied for, but were rejected due to those reviewing not having a good understanding of information security." or something similar.