The Truth Behind the InfoSec & GRC Talent Gap
Almost every week, I hear companies say the same thing:
“We just can’t find qualified information security, governance, risk and compliance professionals.”
But very often, the problem doesn’t start with the talent market. It starts with something much simpler: the job ad itself.
Recently, I was contacted by a recruiter about a position titled Information Security Project Manager.
The title sounded interesting, so I asked for more details. As the recruiter explained what they were looking for, it became clear that something did not add up.
They wanted someone with strong knowledge of ISO 27001, NIS2, and DORA, and experience in building governance frameworks and conducting risk assessments.
After listening for a few minutes, I realized this was not really a traditional project management role. What they truly needed was a specialist in information security and GRC who could advise and lead the company towards compliance with the NIS2 directive, not simply manage timelines, tasks and milestones.
When I pointed this out, the recruiter paused and said, “You are right, that’s actually what we are looking for.”
That single conversation revealed the bigger issue behind so many unfilled information security/cybersecurity and compliance roles.
A professional project manager brings excellent coordination, leadership, and communication skills, but usually only a basic understanding of security. Someone with deep information security and GRC expertise, on the other hand, may not be a top-tier project manager.
When these two profiles are blended into one unclear description, both groups lose interest.
Project managers skip the ad because it sounds too technical. Security professionals skip it because the title does not fit their background.
The result is predictable: few relevant applications, long hiring cycles, and growing frustration on all sides.
The Hidden Cost of Vague Job Ads
When a job description is not aligned with real business needs, three things usually happen:
- Time, money and effort are wasted screening candidates who are not a good match.
- The company’s credibility suffers because the ad displays their low maturity.
- The right candidates never apply, even though they exist in the market.
A job description is often the first message your organization sends to potential candidates. If it lacks clarity, it can easily signal internal misalignment. Skilled professionals (like me!) notice this immediately.
How to Get It Right
- Start with the goal. Before posting the job ad, ask what problem this person is supposed to solve. Do you need a project coordinator or a GRC advisor? The answer defines the direction.
- Collaborate with experts. Involve your CISO, compliance lead, or an external consultant to ensure the ad reflects real technical and strategic needs.
- Be clear about priorities. If it is a hybrid position that combines project management and GRC responsibilities, say it directly. Clear communication attracts the right candidates.
The talent is out there. But clarity is what helps it find you.
My recent conversation with the recruiter was a perfect reminder that even a small mismatch in understanding can derail an entire hiring process.
How often have you come across job ads where the title and expectations simply did not match? I would love to hear your experiences.