01Jul

A few weeks ago, a conversation with a hiring manager highlighted a cybersecurity role that had been notoriously difficult to fill. The role was not new. In fact, the team had been talking about hiring for it for nearly a year.

The need was obvious. The workload was growing, existing team members were stretched, and everyone agreed another person was needed. Yet somehow, the chair was still empty. Budget discussions got pushed back, other priorities took over, and the role was approved, then paused, then reviewed all over again.

Sound familiar?

If you spend any time around cybersecurity teams, you have probably seen a version of this story: an empty chair that everyone knows needs filling, a vacancy that appears on an organisational chart but never quite becomes a person. Whilst the role remains open, the work does not magically disappear. It simply gets absorbed by everyone else.

For years, the cybersecurity skills shortage has been discussed as if the problem was simply a lack of talent. There is certainly truth in that, as finding experienced professionals is rarely easy. But from what is being seen in the market, the conversation has changed. The challenge is not always finding talent; sometimes it is getting the approval to hire it.

Everyone Knows Security Matters. So Why Are Teams Still Understaffed?

This is the fascinating part. It is rare to meet a business leader who thinks cybersecurity is unimportant. Nobody is arguing that threats are decreasing, that breaches are becoming less costly, or that security teams have too much spare time on their hands.

Yet, many organisations are still operating with fewer people than they know they need.

The reasons are understandable. Budgets are tighter, economic uncertainty makes businesses cautious, and every department is competing for investment. But cybersecurity often finds itself in a difficult position. When security is working properly, nothing happens. There is no breach, no crisis, and no headlines. Consequently, it can be difficult to demonstrate the value of additional headcount until the consequences of not having it become painfully obvious.

The Cost Nobody Sees

One of the challenges with an unfilled cybersecurity role is that the impact rarely arrives all at once. Instead, it creeps in.

  • The analyst who was already busy takes on another responsibility.
  • Projects get delayed because nobody has capacity.
  • Threat hunting gets pushed back until next month.
  • Training gets postponed because there are more urgent priorities.

Individually, these decisions seem manageable. Collectively, they create pressure. And pressure has a habit of showing up when organisations can least afford it.

The Good News? Talent Still Exists

Sometimes when people read headlines about skills shortages, they assume there simply are no candidates available. That is not the reality in the current market.

There are talented cybersecurity professionals looking for their next opportunity. There are people who want more responsibility, better leadership, or more interesting projects. Many have reached a ceiling where they are and are ready for something new.

The challenge is not always availability; quite often, it is alignment. The organisations attracting great people are usually clear about what they need, realistic about their expectations, and willing to move at a sensible pace. That sounds obvious, but you would be surprised how often it does not happen.

Building Talent Instead of Buying It

One of the most encouraging shifts seen recently is a greater willingness to look beyond traditional routes into cybersecurity. Some of the strongest professionals in the field did not start their careers in security at all. Instead, they came from adjacent backgrounds:

  • Infrastructure and networking
  • Software development
  • Risk and compliance
  • Technical support

Someone gave them an opportunity to learn, and they built a career from there. The organisations making long-term progress are often the ones investing in future talent rather than waiting for the perfect candidate to appear. If everyone is looking for the same fully qualified professional, eventually somebody has to ask where the next generation is coming from.

The Reality of Today’s Market

Cybersecurity hiring is not easy. Candidates report that the market feels more competitive than it did a few years ago, hiring managers struggle to secure headcount, and security leaders report that their teams are carrying more responsibility than ever.

All of those things can be true at the same time.

What gives confidence is that the organisations succeeding are not necessarily the ones with the biggest budgets. They are the ones making deliberate decisions. They are investing in people, creating environments where talented professionals want to stay, and recognising that every empty chair represents more than a vacancy. It is a decision and one that eventually needs to be made.

What is your perspective?

What are you seeing in the market right now?

  • Are you a hiring manager struggling to secure headcount?
  • Or are you a cybersecurity professional looking for your next move?

At Keen People, these are the conversations taking place every day.