There's plenty without the "required education" or professional experience, that are good, even better than the common professional, that just needs the right chance to prove they already are good at what they do, or can be in a short amount of time. 

The traditional methods of finding talent are not quite working.  Big companies want to hire the paper certs to make HR happy.  If they want true talent, they need to check out the security conferences, the OWASP groups and other similar tech groups.  The talent is out there but either they are happy with their current situation or they don't have the degrees or certifications to get them on the radar. 

In this day an age when college grads with masters degrees are working at Subway, well kinda deters the high school student from wasting the money on a college education if the ROI won't be there when they get out. 

Granted I saw the writing on the wall in college and went into MIS.  You need to learn to predict where the job focus will be when you get out.  But I digress.  Basing your hiring on certs such as CEH or CISSP might get you some qualified applicants, but anyone worth there salt with those certs is probably hired and happy.  The relative experience should support the cert as well.  Another item to consider is the material the certs cover.  CISSP is not a technical cert so to require that for a technical job is a but wasteful.  CEH material is older and not always up-to-date.  Educate HR on what technical certs you want from applicants.  If you want a real savvy pen tester or blue team type, look for those OSCPs, GPEN or other GIAC related pen testing certs.  Only problem is some of the courses are a bit expensive for the individual to go for and the cert tests aren't cheap either compared to say an MCSE related test. 

So there are talented people out there but they may lack the big corporate dollars to get them up to snuff on paper.

You'll also find that "youthful indiscretions" hinder being hired in a lot of security positions.