There is no shortage of Infosec professionals.

There is no shortage of Infosec professionals, as recently bandied about in various news circles and blogs.  But there is a shortage of companies willing to pay for the talent.

Number wise, how many people attend Blackhat?  5,000?  How many people attend the two big US SANS events? 10,000?  And a lot of folks can’t make it every year, so the rough number is a lot larger.   Admittedly, most of them have jobs, or limited talents, but that’s the glory of a free market.  Pay them enough and they’ll come work for you.  It’s a good system, because the talent gets drawn to where the most demand is, and then lower position jobs come open, for personnel with lower skill sets.

The problem is, some people want the talent they get in a 10 year veteran, in a middle to low salary range.  Not going to happen.  It takes years to train people up in security.  There’s no magic certificate.  Security talent is less numerous than some professions because it’s *hard*.  Infosec folks never stop going to school.  Worse, school’s expensive.  It takes a lot of personal time to pick up the general skillset.  You can make a firewall technician fairly easily, but they won’t know how to spot a lot of attacks; you’ll be on the growth curve.

But there is no shortage of talent, just a shortage of cheap talent.