It may sound contradictory but I think the answers are "no" and "yes" in that order.
To be clear, in the last 10 years I've been in the private sector, I haven't seen a shortage. But....(1 of many ofc)
But, the real problem is massively broken expectations, misunderstanding, gatekeeping, corporate ignorance and most importantly monumental misspending in the realm of cybers.
There isn't even a shortage of money, it just goes on tools rather than people.
We have good employment rates in the "Industry" but we still have lots of good people
The reason is that infosec jobs are, on the whole, insane. With very, very, few exceptions, hiring manager expectations are broken.
We don't do ourselves any favours. We tend to criticise anyone who doesn't have full domain knowledge of every possible domain - and this is a million times worse for URMs. We think having CVEs makes you better at writing policies.
If your first cert isn't OSCE, do you really cyber?
This brings me back to the hiring point.
This is 100% where the problem exists.
This means we eliminate people new into working life.
The problem is, we also expect them to do "entry-level" jobs at entry-level salaries. It's hard to incentivise people to take a pay cut.
Sidenote: This is a self-imposed issue. We don't have to demand an IT background, but we seem to do it anyway.
This is why you see entry-level roles which say "CISSP required" (min 5 years of work experience & management qual).
Or less obviously bad - demanding GCIH/GCIA for SOC analysts.
I've seen forensics roles which ask for CEH. I can't explain this.
Badly is the short answer.
Two things tend to cause this.
This is a massive mission creep and largely unrealistic.
It is nearly impossible to replace the knowledge you've lost. Don't try.
This isn't a skill shortage, it's an ego problem.
We will also create *actual* entry-level roles rather than just have badly paid roles. (FIN)