The great security worker shortage myth

In the year 1900 Americans spent 43% of their income on food. Almost half of all Americans worked on farms. Today, we spend less than 10% of our income on food and less than 2% of the population are employed in farming. Over the same period, the US population went up tenfold. Technological innovations including better seed yields and improving productivity through automation such as the tractor (see figure below) have led to the dramatic shift. If agricultural productivity had not changed since 1900, we would have around 170 million farmers. Instead, today we have just over 2 million.


Hardly a week goes by that you don’t hear dire reports about a cybersecurity worker shortage. It has become a mantra that nobody disputes. Some even go so far as to make the mathematically impossible claim that there is a zero or even negative unemployment rate for cyber workers.

The truth is, we don’t have a staffing shortage, we have a productivity problem.

A good metric to look at is IT security spending as a percentage of the overall IT budget, because it is a better indicator of productivity than growth in absolute terms. Optimally, you would want that percentage to be constant or even decreasing as the total IT budget grows. Instead, we have this:

Percentage of total IT budgets spent on IT security from FY2005 to FY2017

That level of cyber spending increase is in the league of healthcare spending, which most everyone says is unsustainable.

One big hurdle for the industry is the “do it yourself” approach to security. The tide toward public cloud services is growing, but the appetite for outsourcing security functions is still not there for many organizations. Let’s do some rough math. In order to staff an in-house 24×7 Security Operations Center (SOC), you need at bare minimum 12-16 security staff. Like firefighters, they won’t be particularly busy, except for times there is a serious incident to deal with.

I talk to a lot of Managed Security Service Provider (MSSP) executives. There is a large amount of excess capacity in security outsourcing. There is no waiting list to sign up for services like Managed Detection and Response (MDR). The same 12-16 security staff in an MSSP can comfortably support multiple customers. Plus, they can take full advantage of automation capabilities such as Security Orchestration, Automation and Response (SOAR), which further enhances their productivity. Going back to our farming metaphor, companies have built their own security gardens. They may prefer homegrown organic/artisan/non-GMO/heirloom security, but the better economic choice for most organizations is the off-the-shelf crops from the big-time professional “farmers.” A tractor is probably a bad investment for your garden, but great if you are farming to feed hundreds of people.

Further, cyber staff and consultants are the modern-day horses and mules of the security industry. Not only are they expensive, they are unproductive. Doubling the volume of security projects generally means doubling the number of security staff. Cyber staff don’t follow Moore’s Law. There is also no incentive to improve productivity in a cyber consulting industry based on selling billable hours. Finally, we have too many security tools – when is the last time you heard of a security tool being retired?

Automation is just starting to make inroads in cyber, and it will dramatically change the cost structure of the industry, including reducing labor requirements. The economic impact of the Coronavirus pandemic has accelerated this transformation. We are already seeing studies that show a slowdown in cyber spending and a movement toward outsourcing cyber functions. The perceived shortage of cyber talent is going away quickly.