Shortage of skilled security engineers
Imagine the city of Ankh-Morpork suddenly decided it needed Watch officers who could spot a Klatchian spy, break up a troll bar fight, mediate a guild dispute, and understand dwarf mining law before breakfast. Now imagine there are twelve such people in the whole city, and everyone from The Patrician to Mrs Cake’s boarding house wants to hire them. Welcome to the world of security engineering.
In Europe, roughly 500.000 cybersecurity professionals are needed. Only about 100.000 exist. Universities graduate maybe 10.000 a year, most immediately poached by banks or tech companies. Training an existing IT person takes two or three years. Every organisation that digitises suddenly wants a security person. The arithmetic does not add up. You cannot hire five people when only one exists. You cannot train faster than demand grows. You cannot pay charity-level wages and expect private-sector talent to show up. And yet the city expects miracles.
Vimes and the great talent squeeze
The Watch has Sam Vimes, Carrot, Angua, Nobby, Colon, Detritus, Cheery, and dozens of others. Each has a specialisation. Each can take a holiday while the city continues to function. Now imagine the Watch is just Vimes. One man to patrol the streets, investigate crimes, train recruits, liaise with The Patrician, manage the budget, write reports, break up bar fights, catch thieves, solve murders, and prevent wars. He would do his best. He would prioritise ruthlessly. He would delegate to civilian volunteers. He would make tough calls. But inevitably, something would go wrong, and everyone would ask why Vimes did not stop it.
This is the life of the sole security engineer in most organisations. Their days are a juggling act of firewalls, suspicious emails, audit questions, patch management, policy updates, and meetings that should never have existed in the first place. Calendars overflow. Email inboxes swell. Sleep becomes optional. Proactive work is squeezed to a fraction of what is needed, and by the time something is implemented, the attackers are already three steps ahead.
How the city spends
Financial incentives, naturally, skew everything. Banks can offer €90.000–170.000 for mid-level engineers and pick first. Big tech companies offer €110.000–220.000 plus stock options and free lunches. Central government muddles through at €50.000–80.000 after three years of procurement wrangling. Local councils scrape together €40.000–55.000 if the budget committee is merciful. NGOs and charities mutter about €30.000–45.000 and hope that moral fervour will do what money cannot.
The result is obvious. Organisations protecting vulnerable people cannot afford talent. Organisations protecting capital snap it up. The market has efficiently allocated security expertise to money rather than human lives. Well done, market.
The training bottleneck
Universities cannot magically produce experts on demand. Lecturers who could teach security earn €45.000–70.000 in academia but could take €90.000–130.000 in industry. Lab equipment costs tens of thousands per cohort. Security evolves faster than curriculum approvals. Students graduate knowing technologies that are already quaint relics. Bootcamps produce eager novices ready for supervised work, but not ready to protect hospitals or councils. Apprenticeships require multi-year commitments that few organisations can or will make.
Certifications, of course, are another layer of absurdity. CISSP, OSCP, vendor certs, cloud certifications, each with fees of hundreds to a few thousand euros, all recurring and time-consuming. Brilliant self-taught individuals who built home labs and contributed to open source are often overlooked, while mediocre staff sent on company-funded courses appear qualified and are promptly snapped up.
Entry-level positions, absurdly, demand three to five years’ experience. Graduates are bounced from helpdesk to IT support to another dead-end role, gaining the “wrong type” of experience, until either they leave for a development job or the organisation grudgingly hires someone barely qualified and proceeds to overwork them.
One-person armies
Consider a mid-sized charity with a €1,200,000 annual budget, forty-five staff, ten thousand vulnerable people’s records, and two IT generalists. Security expertise: zero. Sarah, the IT manager, competent enough in networking and helpdesk, suddenly becomes responsible for security. Budget minimal. Tools scarce. Knowledge patchy. She Googles “how to secure small business,” implements the free basics, faces resistance from staff, gets denied essential tools, spends evenings reading about security, and slowly burns out.
A phishing email hits. Passwords are stolen. Consultants are called at €1,200 a day. Recommendations pile up. Sarah leaves for a development role paying €70.000 a year with evenings and weekends intact. Her replacement knows less. The cycle repeats.
Small and medium businesses face similar hells. They are too small to hire dedicated security staff, too big to ignore regulation, too visible to escape ransomware, and too broke to pay consultants. NGOs and charities add a moral twist. Attackers know they are soft targets holding sensitive data. Those charged with defending the people work heroically but are destined to be overwhelmed.
Consultants, when brought in, create a carousel of expensive, temporary advice. Reports gather dust. Patches lag. Configurations accumulate into mountains of debt. Every day without proper coverage is a day with vulnerabilities exposed, waiting for the first opportunistic exploit.
What must happen
The obvious fixes remain largely ignored. Fund training at scale, pay realistic salaries, create clear career pathways that allow technical specialists to thrive, mandate staffing ratios, subsidise certifications, and build cultures that value security. The reality is that politicians prefer ribbon-cutting ceremonies to slow, patient investment, and organisations favour short-term savings over long-term resilience. Something bad will happen before lessons are learned.
Individuals survive by documenting everything, setting boundaries, automating ruthlessly, building networks, learning selectively, and always having an exit plan. Organisations must prioritise ruthlessly, accept limitations, leverage free tools, partner with peers, and formally acknowledge risks they cannot address.
The reality nobody wants to admit
Digital systems have been built faster than they can be secured, dependencies outpace understanding, and the people capable of protecting them are too few, too expensive, and too burnt out. Organisations most in need of protection can afford it least. Individual brilliance cannot compensate for systemic under-resourcing.
It appears as if something bad is always happening somewhere. Hospital records are encrypted. Charity donor lists are stolen. School systems are held to ransom. The shortage of skilled security engineers is not a skills problem. It is a funding problem. It is a structural problem. Until it is treated as such, the limp carrot will remain limp, the hockey stick will climb, and one overworked Vimes-like figure will be expected to secure everything for everyone.