That's right. Anyone who's really good in cybersecurity already has a job. So, most of the time when somebody is looking to hire a security expert, they are actually trying to poach someone from an existing job, which is not easy. Even if you succeed, you still live with the thought in your head that this person might take off in one or two years. So, the alternative from a talent perspective is to work with a traditional consulting firm. But unfortunately, consultants are very expensive and are subject to availability. At Cobalt.io, we've managed to hack the talent shortage. We work with heavily vetted, certified freelance penetration testers who do the testing for us after their office hours or over the weekends.
In my experience it's key to have a stable leader in InfoSec, so that as staff leave or are promoted to new opportunities, the leader still has the overall vision, processes, goals, culture, and support in place. This allows for a wider range of talent (entry level to senior) to be plugged into the "system". That said, keeping that leader may still be a challenge, as is finding the leader who can do this effectively.
The challenge is real: so many candidates post fake CVs with no real experience and overrated salary expectations. It's hard, and you must verify the relevant technical skills on real-life examples.
In my humble experience, as people to be chosen for any cyber or security position, we should be honest more than the experience or knowledge we put in the resume or CV. One thing is sure: if anyone takes a call and hears about a challenge but also an attractive offer (benefits and flexibility in a global world, and a career path if it exists), I am pretty sure there is a potential deal to be closed. Otherwise, we might be open to work as freelancers or by project if the need from another external client (company) fits with all the conditions to be addressed.
It starts with a cultural shift: first embed security awareness into the entire organization. The next step is to augment your existing security team with automation and orchestration solutions, often referred to as #DevSecOps.