Another thought on the shortage of information security professionals
When I was teaching computer science at Brigham Young University in 1985-87, the number of students enrolled as computer science majors had increased dramatically – by a factor of five or so – from when I had been a student there a decade earlier. One of the professors, who had been around since the early 70s, observed to me that the number of really good students in the department was still pretty much the same; the five-fold growth of enrollment hadn't brought a five-fold, or even a two-fold, increase in excellent CS majors. Why? Because those students with interest, aptitude, and native talent had been signing up all along; the surge in enrollment had come from students who saw computers as a way to get a great paying job, much as my friends during my undergraduate days had signed up for pre-law or pre-med.
Bruce Webster, The Art Of Ware
In a previous post I noted that some people think there will soon be a critical shortage of skilled information security professionals. One solution to the problem is to let market forces handle it, which should result in dramatically higher salaries for information security professionals.
But will offering higher salaries really attract the sort of talent that businesses need?
As Bruce Webster observed in The Art of Ware, in many career fields there seems to be a fixed number of people with the right aptitude to succeed. When this is the case, offering more money to people may not actually give them this necessary aptitude, and I'd guess that this is definitely the case for information security. The work can be difficult, and it often doesn't get the same level of recognition that other IT career fields get, so it definitely takes a non-typical person to do well at it.
Let's suppose that the shortage of information security professionals is real. I'm not convinced that it really is, but let's suppose that it is for now.
If that's the case, and we can't get more of the right people by offering more money, then a reasonable Plan B is to find a way to leverage the base of people with the right aptitude. That seems to be something that the government think-tanks that are talking about the possible shortage of information security professionals haven't thought about much. So maybe what we really need is better management, not more people working in the field.