Michael is the Information Security Practice Lead at Toptal. He holds a bachelor’s degree in brain and cognitive sciences from the Massachusetts Institute of Technology and a master’s degree in high-tech crime investigations from George Washington University. Before joining Toptal, Michael served as executive director of the Advanced Cyber Security Center, and held other roles in the field, including consultant, principal investigator, advisor to government officials, and chief information security officer.
Security executives live life on repeat. Each year brings new evidence of a persistent shortage of qualified security talent and a hiring environment in which demand consistently outpaces supply. In its 2023 Cybersecurity Workflow Study, ISC2 reported that the cybersecurity talent gap grew by 12.6% year over year to 4 million professionals while the available talent only grew by 8.7%. As a longtime information security professional who has worked amid that narrative for my entire career, I have watched that talent market asymmetry make adequate security practices broadly inaccessible.
As the Information Security Practice Lead at Toptal, I approach this problem knowing one thing is certain: There is no null hypothesis for exploiting weakness. No matter how effective we are at “shifting left” to proactively implement security measures, our defenses will always lag behind those of an attacker. This harsh truth makes quickly covering your cybersecurity workforce gaps all the more imperative. To do so at modern speed and scale requires thinking outside the box of traditional hiring and adding global, on-demand talent acquisition capabilities to your resourcing toolbox.
Less than five years before I started college, the first major internet cyberattack was launched from my eventual alma mater. After hacking into a Massachusetts Institute of Technology computer, a young Cornell student unleashed a virus, the Morris worm, on November 2, 1988—and the modern information security profession was born. The collective efforts of the world’s top computer experts were insufficient for defending against a single attack. There were too few people who understood how the internet could be misused to spread malicious code. Their systems were defenseless.
Since then, the exponential expansion of the internet and the rapid advancement of the technologies that utilize it consistently outpace the ability to train subsequent generations of information security professionals.
Technology advances, such as generative artificial intelligence (Gen AI), are expanding the threat landscape and outmoding traditional resourcing strategies, leaving hiring managers exposed and waiting months to acquire the specialists they need to secure new deployments.
Other advancements, however, provide new solutions to address the talent acquisition struggle. The rise and acceptance of remote work fueled by COVID-19 has disrupted the cybersecurity talent shortage. Companies are now open to innovative approaches for delivering highly experienced specialists beyond the traditional hiring model.
In my role at Toptal, I help clients apply new strategies to navigate the talent shortage. Companies that capitalize on these new talent acquisition approaches are better positioned to accelerate their initiatives without compromising security.
To further support your organization’s ability to meet the current moment, hiring managers and security leaders should avoid the following common mistakes.
One of the first mistakes I see clients make is focusing their attention on candidates with a specific skill set instead of those with experiential potential. In one recent example, a client sought talent with current experience deploying an AI security assistant that a major productivity software and cloud services company had released in beta only one week prior. There are many things wrong with this approach, the most critical being that the desired skill set is:
These errors in the skill-based approach represent the flawed logic in the idea that acquired skills solve exploratory problems. Skills may be important for routine tasks, such as coding a security monitoring interface, configuring cloud platform security features, or administering an endpoint protection tool, but they are tactical commodities generally ill-suited for discovery.
Instead, I advise clients to focus on the prerequisite experience that will best serve their business objectives. In the AI assistant case, experience evaluating a competing product or integrating a Gen AI solution into other business workflows would be valuable. Prior experience evaluating and integrating new solutions in a similar operational environment establishes a common baseline from which to assess the next one.
Having a partner with the expertise to assess and validate these kinds of qualitative characteristics in potential talent can be the difference between leading and falling behind the competition. Waiting for specific talent to enter an already severely constrained talent pool is a waste of valuable time.
In the early years of internet commercialization, security professionals excelled at solving previously unforeseen problems by employing “hacker” troubleshooting mindsets. However, today’s commercialized internet is a landscape of distinct cloud platforms and software-as-a-service (SaaS) applications—a fractionalized operating environment that requires highly specialized talent to properly secure it.
Despite this evolution, most legacy-minded organizations continue to resource their information security needs with a handful of reliable generalists, seeking full-time talent capable of supporting an expanding list of specializations. Hiring managers with that mindset usually make one of the following missteps, seeking to find candidates who are:
The organizations that succeed at accelerating their enhanced security control investments—defending against emergent threats and complying with new industry regulations—address their talent needs with an agile approach that optimizes what is needed to accomplish their goals, instead of who should be hired. Implementing a more efficient resourcing strategy empowers organizations to respond to emerging threats faster than competitors that wait to hire. Once my clients shift to embracing an on-demand engagement model that identifies the right specialists at the right time, they begin to appreciate the productivity potential.
Legacy organizations often fixate on sourcing talent locally. Specific justifications vary, but they tend to revolve around the notion that physical presence has benefit because their business has been built around that presence. Some may argue that ideation and whiteboarding are only effective when done in person. Others suggest that in-person work fosters a sense of community that improves productivity. Still others point to the importance of a strong local ecosystem to empower a network effect that benefits all of the participating organizations. Regardless of the validity of those arguments, we cannot rationally assess the benefits of in-person work without also addressing the related costs. Those include:
Modern organizations understand that optimizing productivity and staying current in a dynamic operating environment requires a resourcing strategy that balances the real costs with the benefits. There will always be scenarios where localization makes sense, but proactively identifying ways to gain access to global talent provides a sensible alternative for those looking to quickly gain specialized security expertise without overinvesting or being limited by the local talent pool.
Defending against sophisticated attackers is already a daunting challenge for overworked, and often under-resourced, security teams. Rather than continue making the same old mistakes, accomplish more by augmenting your talent strategy with new, innovative approaches for navigating the cybersecurity talent shortage.