The short answer is that we didn't find enough; we were perpetually understaffed. However: most of that was just because of industry-wide talent shortage in information security.

Generally, you fill in the void with people who recently left competitors (who have the same attrition rates).