Reality Check: AI, Staffing, and the "Boring" Truth of Cyber Risk with Peter Schawacker
- Juan Allan
- Dec 16, 2025
Peter Schawacker dismantles the hype around cyber threats, explaining why hiring has slowed, how AI changes the game, and the real reason behind the return-to-office push.

While headlines often paint a picture of a cybersecurity industry in a frantic race against expanding threats, the reality on the ground is far more nuanced. Business leaders are no longer swayed by simple scare stories, and the "unlimited budget" era of cyber hiring has given way to a stricter focus on risk management and cost control.
To understand the disconnect between the hype and the market reality, we spoke with Peter Schawacker, CEO of Nearshore Cyber and a seasoned strategist. He provides a candid look at the stagnation in recruiting, the lack of standardization in the industry, and why the current technological explosion is actually a massive opportunity for security professionals who can catch up.
Interview with Peter Schawacker
How is the rapid growth of cyber threats in the US influencing specialized cybersecurity staffing?
The growth in cyber threats has actually been steady for a long time; it is not especially fast right now. It is important to separate hype from reality. Business leaders are no longer impressed with the scare stories that used to come from the cybersecurity business, so they have moderated their approach. They have other things to worry about. Cybersecurity risk is now weighed against various other risks that have taken the lead recently, such as geopolitical risk or the short-term business risks of controlling costs/tariffs, for example.
In terms of how people staff, there is always a drive to keep headcount low. The market for cyber talent has been pretty slow since roughly April, though it seems to be coming back. However, the market is not what it once was. At one time, demand was so high and supply was so tight that it was very easy for anyone looking for a cybersecurity job to get one. Employers would invest heavily in training and take risks on hiring. That is not happening now.
We currently have a market where hiring managers are very slow to make decisions and authorize budgets. It is surprisingly hard to find people who have the necessary skills, yet at the same time, you have a lot of people who entered cybersecurity back when it was easy to get a job who now can't find work because they lack the deep experience needed today. This is all happening against a backdrop of incredible technological advancement that is being held back simply by the need for people to catch up and understand it.
Is the cybersecurity industry catching up with these developments, particularly with AI?
I think it is important to understand that, like business and IT, cybersecurity is not monolithic. To answer that, you have to ask what cyber risk we are talking about. If we are talking about pre-AI cyber threats, it is mostly the same: patch management, staying up on vulnerabilities, inventories, documentation, and maintaining security controls in ways we have understood for decades. AI increases the intensity of the activity, and there are technical challenges, but in the end, it is a matter of keeping up.
The limiting factor on AI is the business. Security tends to lag behind everyone because the business has to exist for you to be able to protect it. New business models are being invented now thanks to AI, and it takes time for the business to mature enough to be defendable.
However, cybersecurity professionals have a lot of opportunity right now. Lots of code is being generated by people who don't know how to secure it, and they know it isn't secure; they need help. There is a really good business opportunity for application security and an enormous opportunity around compliance. You can look at this and say, "There is a gigantic security problem, we are all doomed," or you can say, "This is cybersecurity's opportunity to help businesses accelerate under the power of AI."
What are the biggest challenges companies face regarding qualified talent, and how are staffing firms overcoming the skills shortage?
The problem security has is that, while the field is mature, it lacks a set of standards for defining the work. Therefore, people don't know how to hire or what to hire. If you are looking for a lawyer, they need a law degree and bar membership. Accountants have the CPA. If you hire a CPA, you know they are good. Cybersecurity has no standard like that. The roles people play are not well-formed and vary from organization to organization; titles mean different things in different places.
What we do to address this is use a third-party standard from the National Institute of Standards and Technology (NIST) called NICE (National Initiative for Cybersecurity Education). It offers a taxonomy that people can use to define job roles, and job seekers can use to define their capabilities, allowing us to find the gap between them. The lack of clarity on both sides, job seekers and employers, causes terrible problems with recruiting.
Which emerging technologies are reshaping cybersecurity staffing requirements?
AI is the one getting the most attention, as it should, but it isn't the only one that matters. There are a fair number of companies that have not completed their cloud migration, and some are even talking about moving back into data centers for various reasons. It is important for IT and business leaders to remember that despite the opportunities and threats of AI, regular IT still exists. People still have physical hardware, they still need basic tools, and they still rely on SaaS products that have been around for years.
Because AI tends to be stochastic, or non-deterministic, and traditional models like Salesforce or SAP are more predictable, they have different purposes and cannot be ignored. Adapting to this takes money and time. Everyone has to be patient because organizations need time to change and learn. AI is not going to change everything overnight. We also have systems like RPA (Robotic Process Automation) that have been around for a long time and automate things in ways similar to what people talk about with "agentic AI." There are still gains to be had there.
How is the push for remote work vs. Return-to-Office impacting competition for cybersecurity talent?
In cybersecurity, there is a very strong push for people to work in the office, at least part of the time. Some of that is due to deepfakes and news about foreign threat actors, which is a real problem, though solvable with cryptographic tools.
However, one of the reasons people are banning remote work is to reform business cultures, to make them more "agile" or "collegial." It turns out when you force people into one place, they don't necessarily get more collegial, and your culture often gets worse. Remote work policies are often really about controlling the employee's time and attention. But it breaks cultures; it doesn't help them. People sit in offices on Zoom or Teams meetings, having virtual conversations they could have had from anywhere.
For us, the strategy is staffing hybrid work where we find it. I think remote is better for experienced people, but for those who are not experienced, you have to be in an office. You need to be in meetings where you aren't essential so you can learn. So, we look for clusters of people. If we see a cluster in Guadalajara, we will put an office there. It allows us to capture that rapid growth while balancing the need for junior development with the efficiency of senior remote work.


