Senior cybersecurity roles now routinely take 90 days or more to fill, and for some specialist positions, the process can take considerably longer. Ask any hiring manager who has recently tried to appoint a Security Architect, Head of Cyber or senior DevSecOps engineer, and you will hear a familiar story. The role was signed off months ago, the job description has been live for weeks, and the shortlist remains thin.
This reflects a set of structural cybersecurity hiring challenges that have been building for years: a genuine shortage of senior talent, rising demand from every sector, and hiring processes designed for a market that no longer exists.
At Lorien, we have helped companies recruit cybersecurity professionals across permanent and contract markets. While every organisation faces different challenges, we consistently see the same factors extending hiring timelines. The good news is that with the right approach, employers can significantly reduce time-to-hire without compromising on quality.
The cybersecurity hiring challenges behind the 90-Days problem
Talent scarcity at the senior end:
The cybersecurity skills shortageis well documented, but the pressure is sharpest at senior level. The UK cybersecurity workforce stands at roughly 143,000 professionals according to DSIT's Cyber Security Skills in the UK Labour Market 2025 report, yet growth is driven largely by graduates entering the field. Professionals with ten or more years of hands-on experience remain a small pool, and most of them are already employed, well paid and not actively looking. Nearly every senior search becomes a passive candidate search, and passive candidates take time to engage, persuade and move.
Across the roles we recruit many senior cybersecurity professionals who aren’t actively applying for jobs. Instead, they’re responding to trusted recruitment partners who understand their career aspirations, meaning proactive search and relationship-building are essential for successful hiring.
Niche expertise is now the baseline:
A decade ago, a strong generalist could cover most of an organisation's security needs. Today, employers are hiring for specific cybersecurity roles, each with its own shallow talent pool:
- Cloud Security across AWS, Azure and GCP environments
- Security Architecture and secure-by-design leadership Identity & Access Management (IAM)
- DevSecOps and secure software delivery
- Governance, Risk & Compliance (GRC)
- Threat Intelligence and Incident Response
- Application Security
- OT / ICS Security in manufacturing, energy and critical infrastructure
DSIT's research highlights that employers increasingly want unusual combinations of skills, such as cloud engineering paired with security leadership, which makes the qualified pool even smaller. When a role requires deep expertise in one of these areas plus stakeholder credibility at board level, the number of genuine matches in the UK market can drop to double figures.
This is why broad job board advertising alone rarely delivers strong shortlists for senior cyber appointments. Successful searches increasingly rely on targeted headhunting and established talent networks.
Hiring processes that work against employer:
Many organisations approach senior cybersecurity recruitment with the same process they use for any other hire: five or six interview stages, panel sessions that take weeks to schedule, and a search for the mythical candidate who ticks every box.
Risk aversion is understandable when the hire will hold the keys to your infrastructure. In practice, though, insisting on a perfect candidate usually means losing a very good one. In a market where strong professionals receive multiple approaches each week, a four-week gap between interview stages is an invitation to look elsewhere.
Compensation misalignment and counteroffers:
Salary benchmarks in cybersecurity move faster than most annual pay reviews. Offers built on last year's data land below candidate expectations, and negotiations stall. Even when the offer is right, counteroffers are now standard practice. Employers who know how scarce senior security talent is will fight hard to keep it, and it is common for a search to collapse at day 70 when a preferred candidate accepts a retention package. Without a strong pipeline behind the front-runner, the process effectively restarts.
Clearance and vetting requirements:
For roles in defence, government and critical national infrastructure, security clearance adds a further layer. SC and DV cleared professionals command a premium and are heavily contested, while sponsoring clearance for an uncleared hire can add months to onboarding. Thorough vetting, referencing and background checks are non-negotiable for senior security appointments, but they extend timelines in ways many hiring plans fail to account for.
Why cybersecurity recruitment is becoming even more competitive
Several wider shifts are compounding these cybersecurity hiring challenges:
AI is changing the skills employers need. ISC2's 2025 Cybersecurity Workforce Study, based on responses from more than 16,000 professionals, found that skills needs now outweigh headcount as the dominant concern, with AI capability rising quickly up the list. DSIT reports that around two thirds of cyber businesses expect their need for AI skills to grow. Employers are writing job specs for hybrid skill sets that barely existed two years ago.
Regulation is increasing demand for senior leadership. Frameworks such as DORA, NIS2 and the UK's evolving cyber resilience legislation are pushing boards to invest in senior GRC and security leadership, adding new buyers to an already competitive market.
The contract market is pulling talent away. Many experienced professionals have moved to interim and contract work, attracted by day rates and variety. This shrinks the permanent pool further, even as it offers employers a useful bridge option.
Competition is now global. Remote and hybrid working means a Security Architect in Manchester may be fielding offers from firms in London, Dublin, Amsterdam and New York. UK employers are no longer competing only with local rivals for cybersecurity talent.
What does a realistic hiring timeline look like?
While every organisation is different, employers hiring senior cybersecurity professionals should typically expect:
- Weeks 1–2: Market mapping, candidate outreach and shortlisting
- Weeks 2–4: First and second stage interviews
- Weeks 4–6: Offer, negotiation and acceptance
- Weeks 6–18:Candidate notice period (often the longest stage)
Delays usually occur because of interview scheduling, internal approvals and lengthy decision-making. Employers who streamline these stages are often able to secure stronger talent much faster.
The real cost of a vacant senior role
ISC2 found that 88% of professionals have seen at least one significant security consequence in their organisation linked to skills shortages. Prolonged vacancies typically mean:
- Increased exposure to threats while leadership and coverage gaps persist
- Compliance and audit risk where accountability sits unfilled
- Delayed transformation and cloud programmes that depend on security sign-off
- Burnout across existing teams absorbing the extra workload, a factor ISC2 links directly to attrition
- Growing dependency on contractors at premium rates
- Reduced operational resilience when incidents occur
Each month a senior role stays open, these costs compound, and the team you are trying to hire into becomes harder to sell.
How Lorien can help
The 90-day benchmark does not have to be the norm. As a specialist technology and digital recruitment partner, Lorien works with employers across the UK to remove the friction points described above, drawing on first-hand experience of senior cybersecurity recruitment across permanent, interim and contract markets. In practice, that means:
- Defining must-have versus nice-to-have early. We work with hiring managers before the role goes live to agree the three or four capabilities the position genuinely cannot succeed without. Perfect-candidate specs are the single biggest cause of stalled searches, and tightening the brief upfront widens the qualified pool.
- Streamlining interview stages to a maximum of two or three. We help clients design a shorter, sharper process that still tests technical depth and leadership credibility, scheduled within a fortnight rather than spread across two months.
- Aligning compensation with real-time market data. Because we place cybersecurity professionals every week, our benchmarks reflect what candidates are actually accepting now, not what last year's salary survey reported.
- Building talent pipelines before the need arises. We maintain ongoing relationships with passive senior cybersecurity talent across Cloud Security, Security Architecture, IAM, DevSecOps, GRC and beyond, which turns a 90-day search into a 30-day one and provides a credible second option if a counteroffer lands.
- Providing interim and contract solutions.Where a permanent search needs time, an experienced contractor can hold critical coverage and keep programmes moving, so hiring decisions are made on quality rather than urgency.
- Moving faster at offer stage. The gap between final interview and formal offer is where counteroffers win. We help clients prepare approvals in advance and manage candidate expectations through to signature.
Cybersecurity hiring challenges?
Senior cybersecurity roles will always require careful assessment, but they shouldn’t take longer to fill than necessary. With realistic role scoping, a sharper process and access to engaged senior talent, hiring timelines can be reduced significantly, without compromising quality or trust.
If a senior security role is sitting open, or you can see one coming, talk to Lorien's cybersecurity recruitment specialists about building a stronger talent pipeline and improving your hiring outcomes.
