Published: May 2026 · 5 min read
For two decades the cyber security industry has told itself the same bedtime story. The talent is rare. The threat is accelerating. The good people are already taken. Hire now, hire fast, or fall behind.
It is a compelling story. It justifies premium fees, urgent timelines, and the frantic CV-flinging scramble that passes for recruitment in this sector. There is only one problem with it.
It isn't true.
The shortage that pays for itself
Start with an uncomfortable question the industry never asks out loud: why do people leave cyber roles?
Recruitment messaging almost never addresses it. It talks endlessly about scarcity and urgency, and says nothing about retention. That silence is not an accident. If a candidate churns out of a badly matched role within a year, the recruiter who placed them wins twice ... once on the first fee, again on the replacement.
When churn is a revenue stream, nobody in the business is motivated to fix it. So the "shortage" persists, decade after decade, not because talented people don't exist, but because the model is quietly built to keep them moving. A retention failure gets dressed up as a supply failure, and the bill goes to the client.
A logistics answer to a human question
The trade speaks in the language of a warehouse. Pipelines. Funnel optimisation. Time-to-fill. Cost-per-hire. Every one of those metrics measures the recruiter's speed, and not one of them asks whether the person hired stayed, grew, or solved the problem the business thought it had.
Meanwhile the people being hired have moved on. Candidates, especially those under thirty-five, no longer decide on salary alone. They weigh flexibility, mission, the quality of the work, whether the role will develop them, whether there is anywhere to go next. The category measures none of this, because it has decided hiring is a logistics problem when it has always been a human one.
Speed is a recruiter's metric. Organisations care about time-to-productivity, role fit, and whether the person is still there in twelve months. Those are not the same thing, and pretending they are is how the industry keeps optimising for itself while telling clients it is optimising for them.
The narrow profile that manufactures its own scarcity
Here is the part that should stop everyone in their tracks. The category has a fixed mental picture of what a cyber professional looks like ... a computer science graduate, a particular set of certifications, a particular career path. Anyone who doesn't match the picture gets filtered out before they are ever considered.
That filter screens out career switchers, military leavers, career returners, the self-taught, and the AI-native builders who are reshaping how software gets made. In other words, it screens out exactly the people the modern workforce is increasingly made of.
You cannot credibly complain about a shortage while you are filtering out the supply. The industry is manufacturing the very scarcity it sells against.
Selling fear to the people you are trying to recruit
The dominant register in this sector is military. Threat. Defence. Attack. Siege. It is effective at one thing: selling to a nervous buyer who wants reassurance that someone is standing guard.
But that same language repels the people worth recruiting. The strongest technical minds are drawn to building, creating, and solving, not to a permanent state of alarm. A brand optimised to frighten the client ends up filtering out the candidate. The industry is fluent in a language that works on one side of the table and works against it on the other.
The middleman whose secret is now public
"Privileged access to rare talent" used to mean something. Today it is a LinkedIn search and an AI match that anyone can run in an afternoon. The information asymmetry that justified the recruiter's cut has collapsed.
Large organisations have noticed. They are building recruitment and development in-house and leaving the agencies behind, because if the only thing on offer is access to information that is now free, that is not a business. It is a countdown.
So we built the opposite
TriTech exists because we read the diagnosis and decided not to repeat it. Everything above describes how the category works. Here is how we don't.
We treat hiring as a matching and retention problem, not a supply problem.
Talent is not rare. Good matches are. We measure success at twelve months, not at offer, because a placement that doesn't hold is a placement that failed ... whatever the invoice said.
We start with the human question on both sides.
What does this person actually want, and what does this role actually need? When the two don't meet, we say so, and we don't place against the clock to hit someone else's deadline. Speed that produces churn is not a service. It is a liability with a fast turnaround.
We widen the lens.
Cyber security and AI vibe coding are being remade by people who didn't arrive by the traditional route ... self-taught builders, career switchers, military leavers, AI-native engineers. We assess capability, not credentials. The talent pool is bigger than the industry's imagination, and we recruit from the real one.
We work as partners, not gatekeepers.
As organisations build internal capability, our job is to help them do it well, not to hoard the keys and bill them for the privilege. We would rather have a long relationship with a client who needs us occasionally than a dependent one we have to keep manufacturing.
We tell the truth.
About why people leave. About what a role is really like before someone signs for it. About when a hire is the wrong hire. A match that is corrected early and openly costs everyone far less than one that fails slowly and quietly twelve months down the line.
We go deep, not wide.
Cyber security and AI building. Not everything for everyone. Depth is the only defensible position left in a market where breadth has been commoditised.
The point
The shortage was never the real problem. The way the industry responds to it is.
Recruitment, done properly, is not a hunt for rare people. It is the work of understanding people ... on both sides of the table ... well enough that the match holds. That is harder than running a search and quoting a fee. It is also the only version of this work worth doing, and the only version with a future.
That is the modern way. It is why we built TriTech.