Is the “skills gap” a real thing?

So you’ve heard about the cybersecurity “skills gap”? I’m sure you have. There’s been quite a bit of attention recently paid to it in all kinds of venues: surveys devoted to it, analysis, debates about its reality, and so forth. It’s garnered quite a bit of attention.

But is it really the truth?

We know a few things for a fact:

  1. If you ask an organization if they have the right skills in place to appropriately defend their environment (at least given the budget they currently have available and the tool-set they currently employ), they’ll say they don’t.
  2. If you ask an organization if they are able to find security personnel in a reasonable amount of time, they’ll say they can’t.
  3. On average, it takes a long time to fill open security positions — and the evidence suggests that there are quite a few open positions in the field.

All of these things are true – at least insofar as our ability to measure extends. What sticks in my craw, though, is that these three data points are the base upon which much of the discussion about the skills gap is founded — and they’re not really super objective (other than the last one). Meaning, employees in security are highly incented to answer a certain way to points 1 and 2. Can you adequately defend the environment? When will the answer to that ever be yes? Can they find the staff they need quickly? Probably not – but when is that ever true?

The third one is more tangible. But couldn’t that also be reflective of how folks are hiring rather than a lack of skilled talent? I see very few well-run hiring processes out there – and disorganization and shoddy hiring (lack of organization, etc.) could just as easily account for that issue vs. lack of skills.

Note that I’m not saying that there isn’t a skills shortage necessarily… I think I’m just looking for better data points.