The Talent Pipeline Nobody Wants To Fund

Imagine planting a tree. Not one of those fast-growing decorative trees, but a real tree. The kind that will one day provide shade, withstand storms, support wildlife, and outlive the person who planted it.

In the beginning, it's not much to look at. A small sapling. Literally a small stick in the ground. It needs water, protection and time. Someone has to make sure it survives the winter. Someone has to protect it from disease. And someone has to accept that for years, it will consume resources without providing any obvious return.

No sane person stands next to a newly planted oak tree and complains that it isn't already producing shade. The ROI is long-term, and still it's worth to invest. Yet in cybersecurity, that's exactly what we do.

Every year, we hear about the cybersecurity skills shortage. The big gap when it comes to diversity. Reports warn about talent gaps. Recruiters struggle to find experienced professionals. Organizations compete fiercely for senior engineers, threat hunters, malware analysts, incident responders, security architects and leaders.

At the same time, many of those same organizations reduce training budgets, cut support for community events, eliminate internship programs or don't offer them publicly, and reject junior candidates because they require too much support or don't have enough experience.

Everyone wants the shade, but no one invests in planting and growing a tree. There are two perspectives on this. One causes problems, the other one solves them. A junior analyst requires mentoring. An intern consumes valuable time from experienced staff. Training courses are expensive. Hosting or sponsoring events is expensive, and travel expenses and days away from work add up quickly. Viewed through the lens of a quarterly budget review, the costs are obvious. The benefits are not. Nobody can prove that a conference conversation will introduce an engineer to new knowledge that prevents the next cyber attack. Nobody can calculate the exact value of a mentorship session. And nobody knows which intern will eventually become the security architect protecting the critical systems ten years from now on. The investment is measurable, but the return isn't. At least not immediately.

And that's the raw reality of growing anything valuable. Trees operate on years. Forests operate on decades. And talent works much the same way. Every senior professional in cybersecurity was once somebody's investment. And somehow we've unlearned how to invest in somebody.

The experienced incident responder who can now calmly coordinate a big breach was once a confused junior trying to understand some cryptic log files. And so did the threat hunter not ask stupid questions about obvious false positives, and now they uncover advanced attacks in the infrastructure.

Nobody starts as an expert. They are grown. And growth takes time. Time, we don't have today it seems, since modern business culture is not particularly patient. Many organizations have become exceptionally good at optimizing for short-term ROI. Every expenditure must justify itself. Every project needs a measurable return. Every investment is expected to produce visible results within months.

But trees do not care about quarterly earnings reports. And neither does human development. The problem isn't new, but AI is a multiplier.

AI is rapidly changing cybersecurity. It summarizes incidents, enriches alerts, writes reports, generates detections and automates repetitive tasks. That's great. But when it comes to talent, I think we're asking the wrong question. Most discussions focus on what AI will replace. The more important question is what AI will replace before people have a chance to learn it.

Traditionally, a cybersecurity career started with repetition. Reviewing phishing emails, investigating false positives, reading endless documentation, writing small scripts, breaking things, fixing things, breaking them again. Making mistakes and then making fewer of them. None of that is glamorous, but that's how expertise is built.

Many of these entry-level tasks are exactly the kind of work AI is becoming increasingly capable of performing. Fantastic for short-term efficiency. Potentially terrible for long-term talent development. Because if nobody spends years learning, struggling and building intuition, where exactly are tomorrow's experts supposed to come from? Expertise is not downloaded. It is grown.

And that brings us back to our tree. Juniors are seedlings. Mentorship is irrigation. Communities are fertiliser. Experience is growth. And yet many organizations look at saplings and ask why they aren't already providing shade.

We expect entry-level candidates to have experience. We expect graduates to arrive job-ready. We complain about the lack of diversity in cybersecurity while reducing the opportunities that help new people enter the field. We talk about the skills shortage as if it were some natural disaster that appeared out of nowhere, whilst it's largely a problem of our own making.

Forests don't disappear because there weren't enough trees. They disappear because nobody planted them, watered them or gave them the right conditions to grow.

The cybersecurity skills shortage, the diversity gap and the lack of experienced professionals are often treated as different problems. They are just different symptoms of the same disease: an industry addicted to short-term ROI.

There is no shortage of seeds. Universities are full of students. Communities are full of passionate people. Every year, thousands of people try to enter this industry, and yet we're still hesitating to invest because we're looking for shade before planting the tree and because the environment is not made for everyone.

And even when we do invest, there are no guarantees. The junior we mentor today might leave tomorrow. The intern we support might build their career somewhere else. So what? Cybersecurity is an ecosystem, not a collection of isolated companies. The person who leaves today may one day secure your supply chain, respond to your breach, protect a partner you depend on or help defend critical infrastructure. Strong professionals strengthen the entire ecosystem. Everybody wants experts. Everybody wants seniors. Everybody wants the shade.

But somebody has to plant the damn trees.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.

Next
Next

Flags, Packets and False Identities: The Same Game Everywhere