So you’ve probably heard that security (cybersecurity if you must) has a skills gap, right?  Today’s headlines, for example, have no fewer than three separate articles about it (the best of which is this one over at The Register).

I’ve heard this too. In fact, I’ve been one of the folks actively reporting on it: both in the trade media and also at my (ahem) “day job.”  I’ve done studies about it, written reports and articles about it, blogged and spoken about it, and otherwise been discussing it ad nauseam.   But I’ve started to question the premise a little bit – or maybe not the premise but the implications?  I’m questioning something.

Now, I get it that what I’m about to say is not “the traditional wisdom.”  So I’m sure people will come out of the woodwork to fight me on it.  But let me walk you through my musings and you can draw your own conclusions.  First, from the get-go, let me be clear that I’m not disputing that the data says what it says.  There is absolutely a challenge filling positions – we know that from the data.  There are also open positions out there: they are increasing, there are more of them, and organizations aren’t getting what they need skill-wise.  Truth – I know because data.

I think that the conclusions that folks draw from these points are a little skewed though.  Here’s what I mean.  When looking at the data points above, most people tend to picture in their minds something like this:

The size of the circle represents, as you might imagine, the number of open positions.  People tend to assume a universal distribution of jobs across all experience levels.  For simplicity’s sake, let’s say the market is broken down into two groups of jobs: “experienced people jobs” and “entry level” jobs.  The natural assumption leads people to think that the “skills gap” and “resource shortage” mean that both the demand for experienced people and the demand for entry level would increase near equivalently.

This is the part that I’m starting to think isn’t true.   Instead, I think what we’re seeing is something like this:

In this, the overall size of the position “inventory” is increasing, but it is not happening homogeneously across all areas.  Instead, it’s happening at a certain place: the bottom of the triangle.  Say the market is striated in such a way that you have bands like:

  • Industry leaders – people who lead the industry beyond their particular organization
  • Organizational leaders – people who lead a particular organization
  • Managers – people who manage other people
  • Experienced contributors – experienced, high-value individual contributors
  • Technical staff – somewhat experienced individual contributors
  • Entry level – folks just starting out

I get it that there are probably huge nuances that I’m not accounting for in that, but you get my drift.  Anyway, expanding the above to reflect the various strata, you get something like this:

The growth at the bottom of the pyramid is huge (for entry level people), while the growth at the top is there, but percentage-wise is fairly static relative to the growth at the bottom.  This is akin to what I think is happening in the security job market: huge demand at the lowest part of the pyramid, relatively little change at the top.

The analogy I’d use is Starbucks.  Let’s be real, I have no clue what it takes to staff a Starbucks, but I can probably make some guesses to make the point.  Say Starbucks opens 100 new shops in the time it takes you to read this sentence.  How many new baristas do they need now compared to right before you read it?  Based on the highly unscientific observation that there seem to be about 6-7 baristas at any given time at my local buckies, let’s assume (given shift requirements) that they need like 20 baristas per shop.  So, to staff 100 new shops, they need 2000 new people behind the counter.  Now how many new managers do they need?  If there are 2 managers per shop (who knows), they need like 200 – one tenth of the new baristas.  How many new regional executives or folks at HQ?  1 or 2 maybe (a tenth again)?  How many additional CEOs?  None.

See? Pyramid.

If that’s true, what are the implications for the security market?  For one, good luck to you long term if you’re anywhere other than entry level.  I say this including myself in that group.  Why?  Because droves of people are coming into the profession.  The hype is real, and people are responding as you’d expect them to (i.e. following the money).  There’s room for them in the short term of course (because pyramid), but there will be increasing competition as they grow and move up the ladder.   Competition will increase at each tier they move through along the way.  Likewise, the bottom of the pyramid has a shelf life.  Why?  Because automation.  It’s only a matter of time before we can automate things like log review, SOC operations, intelligence analysis, etc. etc.  That will increase competitive pressure upwards as well as folks move to reposition as the lower tiers contract.  With competition comes downward pressure on salaries.  So, near term boom, but long term demand will be down as will salaries.

All this is, of course, rampant speculation on my part.  I’m not basing this on data, but rather on feedback from folks that I know in the field and “reading between the lines” of the data.  But I’m starting to think that there is some real truth to it.  More to come on this.