Historically, penetration testing has been an area where demand has outweighed supply and 2010 has seen this gap increase. CHECK Team Leaders are where the gap is at its widest, followed by CHECK Team Members, and then expert penetration testers.With the introduction of the CREST scheme in 2008 it was anticipated the gap between supply and demand for CHECK Team Leaders would reduce, but it did not. CREST, which is the commercial equivalent to CESG’s CHECK scheme, renders CHECK Team Leader status to those who pass their Certified Tester exam. Since 2010, when CESG ceased running the CHECK Assault Course, the only routes to achieve CHECK credentials are through either CREST or the TIGER Scheme’s Senior Security Tester exam.The level of skill and talent required to pass these kinds of stringent exams is a contributing factor to the significant skills shortage, and it may become more challenging in the future; as an instance with CREST’s anticipated 2011 introduction of a two element test for CHECK Team Members.Whilst the multinational and boutique consultancies work hard identify qualified candidates to undertake CHECK work in addition to unqualified but very skilled penetration testers to undertake industrial sector work, end users such as ecommerce and financial sector businesses face the same candidate shortage issues for the unqualified but highly talented penetration testers.While generally there are a good number of penetration testers actively available on the market, these kinds of candidates are definitely more often than not unqualified for CHECK work, and most often are less experienced and/or less skilled. Specialist penetration testers at mid to senior levels, both qualified for CHECK work and unqualified, will always be in most demand and in shortest supply.The shortage at the very top end of the scale is somewhat due to penetration testers at the lower end moving out of penetration testing before they reach a senior level, some preferring to diversify into other areas of information security, gaining new skills and operating as generalists or specialists in different niches. This kind of movement is not exclusive to the penetration testing market, or indeed information security.In addition, it may be that not enough persons prefer to enter penetration testing early in their careers, not leaving sufficiently penetration testers remaining in the sector who will in that case eventually meet the market demand at the top end of the scale later in their careers.It should also be pointed out that to move across to penetration testing from a different area of information security is tougher further along in a career, and may mean beginning over in a junior or entry level position, which is why more experienced security professionals do not regularly make this transition.Another reason for this shortfall in candidates at more senior levels is the fact that as persons proceed in their jobs, they often choose to take on more responsibility. While there have been more penetration test team manager functions available in latest years, the number of managerial functions is far fewer compared to the number of senior penetration testers who like to take a step up. This has concluded in a number of the more experienced penetration testers diversifying in other areas of information security as a way to persist in a career path to management, as opposed to subject matter expert.Penetration testers working at mid and senior levels are generally very ingenious individuals, as their roles require a high level of intelligence. This might explicate their ambitiousness, and due to the lack of managerial roles in the niche, or after undertaking a managerial penetration testing post, why some then look outside to the wider security market when seeking to further their careers.Today, while there are more penetration testers than a decade ago, there are much more penetration testing positions. And while roles have increased year on year, the candidate pool has not grown at the same rate.