The real cause of the talent shortage in the information security field isn't a lack of new people entering the profession, but retention and churn at the highest levels, according to a new report by IDC.
"It's a fairly common theme to suggest that we have better training in colleges, certificate courses, and all that sort of thing for entry-level folks," said IDC analyst and report author Pete Lindstrom.
But in fact, at the entry level, expectations are basic and companies are willing to be flexible, are open to diverse backgrounds, and can train new hires.
Jobs that require less than five years of experience are filled within just three months 85 percent of the time, and 99 percent are filled within six months, according to the IDC survey of senior infosec executives.
"But we seem to hit this tipping point when we look for more experienced security professionals," he said.
Jobs that require more than ten years of experience take longer to fill -- 21 percent take a year or more. And when it comes to jobs that require 20 or more years of experience, nearly half take more than a year to fill.
"My hypothesis is that it's because people bail," said Lindstrom. "They leave the security space after they get a taste of what security is all about."
Information security breeds a culture of paranoia, performance is measured based on whether there's been a breach, and the salaries aren't high enough to compensate for the stress.
"You get sick of it," said Lindstrom.
Paranoia, the destroyer
People who work in other technology fields get to grow systems, improve productivity, and create technology to bring in new business.
That's not the case in infosec.
"Inside the profession, we often have a tendency to promote paranoia," said Lindstrom.
There's also a culture of antagonism between security requirements and what everyone else at the company wants to have.
"That drives people further and further away from what businesses need," he said. "And everything we do is in the negative frame."
There are other stressful jobs out there, but people switching into information security often find the stress to be even higher, said Andy Ellis, CSO at Cambridge, Mass.-based Akamai Technologies Inc.
In most high-stress careers, like hostage rescue or firefighting, the stress is there but focused in narrow scenarios with clear endpoints, he said.
Plus, firefighters, doctors, trial lawyers, middle-school teachers and others in stressful careers do occasionally get clear wins -- they save lives, win cases, or reach difficult students.
There are no clear wins in information security.
In addition, infosec professionals are responsible for areas where they don't have any control, Ellis added. "And that difference leads to unmanaged stress."