Cybersecurity specialists in DACH: Why the shortage is no coincidence - and what can help now

The cybersecurity gap in Germany, Austria and Switzerland is not a temporary bottleneck - it is structural. According to (ISC)² There is a shortage of over 350,000 specialists in Europe, with many vacancies in DACH coming from security-critical areas such as energy supply, the financial sector or public authorities. The roles are not only highly specialised, but are often security-relevant in the legal sense - and are therefore subject to additional hurdles such as security checks in accordance with the German Data Protection Act (SÜG) or industry-specific audits (KRITIS, ISO 27001, PCI DSS).
If you want to fill positions here, you have to be able to do more than just google job titles.

Why the talent gap in the security sector is widening

In the last five years, the number of security positions in DACH has grown by 9-12 % annually, while the output of specialised training courses has remained almost constant. Traditional IT degree programmes teach the basics, but do not provide in-depth specialisation in topics such as OT security, cloud security architectures or incident response playbooks.
However, companies need precisely this specialised knowledge - often combined with regulatory expertise: a cloud security engineer for the financial sector must not only be proficient in AWS Security Hub and IAM guidelines, but must also be able to interpret and implement BaFin requirements.

To make matters worse, experienced professionals are extremely mobile. Many switch to international remote jobs that are not tied to DACH salaries or to consulting firms that carry out exciting project-based attacks and penetration tests. This leaves only a fraction of the already scarce market for local employers.

Where you can really find security talent - and where you can't

Anyone who believes that security experts actively search on StepStone or LinkedIn has never seen the market from the inside. The scene is decentralised, often isolated and operates in spaces that are invisible to traditional recruiters.
Examples:

• Technical platforms: HackTheBox and TryHackMe for practical labs, GitHub repositories with security tools such as nmap, Burp Suite or Metasploit.

• Communities: OWASP channels, closed Slack groups for incident response, forums such as "Exploit.in" (partly by invitation only).

• Events: DEF CON, Troopers, BSides, it-sa - this is where contacts and recommendations are made.

You rarely recognise a security profile by its CV, but rather by the sum of its traces: Git commits for CVE fixes, presentations on reverse engineering, rankings in capture-the-flag events. The key is OSINT-based cross-matching - linking pseudonyms and handles with public posts to identify the real person behind them.

Skill-based sourcing: How to make invisible experts visible

Job title are deceptive in the security sector. Many senior specialists have generic titles such as "IT consultant" or "system engineer", even though they have managed high-calibre Red Team projects. The ability to semantically recognise skills and project tracks is crucial.

One practical approach is to work with Vector Search and semantic matching:

• Instead of title: "Security Engineer" the system searches for technical signatures: skills: [Burp Suite, SIEM, CloudTrail, Threat Modelling].

• Semantic vectors can be used to find profiles that have similar patterns in projects, even if they do not match a single keyword.

• For example, incident response specialists can be identified who have contributed to log parsing tools in several GitHub repos without ever writing "Incident Response".

A DACH example: conventional tools found nothing for an OT security role in energy supply. It was only when we analysed GitHub commits for SCADA projects that we found a candidate who was then hired by our customer.

Retention: Why keeping security talent is the real supreme discipline

Replacement is more expensive in the security sector than almost anywhere else. A senior security architect with industry expertise costs months to train - and every gap weakens the defence.
Retention starts with the framework conditions:

• Scope for technical development instead of pure operational labour.

• Continuous certifications such as OSCP, OSWE or Cloud Security Alliance training courses.

• Rotation models between Red Team, Threat Hunting and Governance to create variety.

• Visibility and community engagementfor example by sponsoring a CTF team or giving specialist presentations at conferences.

Companies that offer a clear training and career architecture reduce their turnover rate in the security sector by up to 40 % - a figure that translates directly into a reduced recruiting burden.

Action levers for the DACH market - immediately realisable

Anyone looking for a security role in DACH today needs to adapt three things immediately:

1. Community presence: At least one person in recruiting must have an understanding of technical security and be active in specialist forums.

2. Skill mapping: CVs are secondary - current tools, frameworks and CVEs are decisive.

3. Technical authenticity: Disqualify interviews without specialised questions. Candidates realise within seconds whether their counterpart is just repeating buzzwords or knows what he/she is talking about.

It is also worth establishing strategic partnerships with universities and technical colleges specialising in security, such as St. Pölten University of Applied Sciences, Offenburg University of Applied Sciences or ETH Zurich. Relationships can be established here before talent comes onto the market.

When security positions remain unfilled for months, it is rarely due to a lack of talent - but rather to how and where the search is conducted. indivHR combines technological search methods, OSINT strategies and in-depth industry knowledge to close precisely this gap - and le delivers pre-qualified profiles in Ø 14 days.

➡ Contact us