If you spend any time around cyber hiring, you’ll hear the same frustration on repeat.

“We just can’t find senior people.” “There’s a real shortage at the top end.” “Everyone good is already taken.”

On the surface, it sounds like a talent problem. But the more time you spend looking at how senior cyber roles are actually defined, scoped, and hired for, the harder it is to blame the people.

In many cases, the issue isn’t that senior cyber talent doesn’t exist. It’s that we’re asking for something that’s unrealistic, inconsistent, or poorly designed.

The Shape of the “Senior” Role Has Changed

A decade ago, being senior in cyber often meant experience and judgement . You had seen incidents, understood trade-offs, and could make sensible decisions under pressure.

Today, “senior” often means something else entirely.

Many roles labelled as senior expect deep hands-on expertise across multiple domains at once. Cloud security, application security, IAM, detection, incident response, risk, stakeholder management, and sometimes even people leadership as well. All wrapped into a single job description.

Individually, each of those areas can be a full-time role. Together, they describe a team, not a person.

When companies say they cannot find senior talent, what they often mean is they cannot find someone who ticks every box on an inflated wish list.

Experience vs Exposure Gets Blurred

Another quiet issue is how experience is interpreted.

A candidate with ten years in security might have gone very deep in one area. Cloud, for example. Or detection engineering. Or GRC. That depth is usually what makes them effective.

But many hiring processes still reward breadth over relevance. Candidates get screened out because they haven’t touched one specific tool, framework, or domain, even if their underlying skills are strong and transferable.

The result is a strange paradox. We say we want senior people with judgement, but we filter for surface-level exposure across as many areas as possible.

That doesn’t produce better hires. It just narrows the pool.

Job Design Is Often the Real Constraint

If you look closely at roles that stay open for months, a common pattern emerges.

The scope is unclear. The expectations are contradictory. The role mixes strategy and execution with no prioritisation.

In some cases, the organisation is hiring for the problems it wishes it had already solved. In others, the role is trying to compensate for gaps elsewhere in the team or business.

That makes it hard for even very experienced candidates to see themselves succeeding in the role. Senior professionals are often cautious. They have learned to recognise when a job is under-resourced, poorly supported, or set up to fail.

Not applying can be a rational decision.

Market Reality vs Internal Expectations

There is also a disconnect between how the market works and how some organisations still hire.

Senior cyber professionals are in demand. They tend to be selective, not just about salary, but about scope, autonomy, leadership support, and risk appetite.

At the same time, some hiring processes are slow, rigid, and overly conservative. Multiple interview rounds. Narrow definitions of what “good” looks like. Little flexibility around background or career path.

By the time an offer is made, the candidate has often moved on.

This isn’t a lack of talent. It’s a mismatch between how organisations operate and how the senior market behaves.

Why This Feels Like a Shortage

All of this feeds into the narrative of scarcity.

Roles stay open. Pipelines look thin. Interviews feel repetitive. It becomes easy to conclude that there simply aren’t enough senior people out there.

But when job requirements are unrealistic, titles are vague, and roles are poorly scoped, the market response is exactly what you would expect. Fewer suitable applicants. More drop-outs. Longer hiring cycles.

The signal sent to candidates matters. If it suggests chaos, overload, or unclear ownership, senior talent will quietly opt out.

What Works Better in Practice

The organisations that do seem to attract senior cyber talent tend to do a few things differently.

They are clear about what the role owns and what it does not. They prioritise outcomes over exhaustive skill lists. They acknowledge trade-offs and constraints openly.

Instead of searching for someone who can do everything, they design roles that allow people to be effective, supported, and credible in front of the business.

That does not eliminate hiring challenges, but it makes them solvable.

Reframing the Question

So maybe the real question is not “where has all the senior cyber talent gone?”

A better one might be: are we designing senior roles that experienced professionals actually want to step into?

Cybersecurity has matured quickly, but many hiring models have not caught up. Until expectations, role design, and market realities align a little better, senior talent will continue to feel scarce.

Not because people are missing. But because the ask doesn’t quite make sense yet.