Cybersecurity hiring managers need a reality check when it comes to hiring junior staff, with job adverts littered with unfair expectations that are hampering recruitment efforts, says industry training and cert issuer ISC2.

According to the organization’s latest hiring trends study, entry-level and junior job descriptions contain requirements that “are often difficult or impossible for these professionals to meet.”

“This can create a catch-22 – where employers struggle to find qualified candidates and early-career talent is locked out of opportunities that could help them build that very experience,” it added. 

“Hiring managers should consider reevaluating their job descriptions and other hiring mechanisms to reflect the true nature of the role, making the distinction between ‘nice-to-have’ and ‘must-have’ qualifications clear.”

The study showed that more than a third of hiring managers expected early-stage hires to already have advanced certifications such as a CISSP, CISA, or CISM – achievements Dan Houser, a former ISC2 chair now at Oracle, said were unlikely or unfeasible at this level. “This has been a problem for some time, and it seems the battle continues.”

The report also stated that the most pressing skills gaps in the workforce can be filled by early-career cyber professionals who are simply given some on-the-job training coupled with clear development support from their employer.

Aside from employers with unrealistic expectations, job seekers should also be prepared to demonstrate their skills in teamwork, problem-solving, and analytical thinking – the three most in-demand (technical and non-technical) skills in all job descriptions.

Only in India are employers valuing technical know-how more highly than interpersonal skills at this level, with cloud security and data security seen as the two most in-demand specialisms in the country, and generally across the world, too.

A lot has been said about the value of diversity in cybersecurity, both in terms of neurology and education, and those with backgrounds outside of technology or science should not give up hope of entering the industry.

ISC2 said around a quarter of hiring managers who recruit from education programs were able to find valuable cyber talent in those who studied fields outside of cybersecurity, computer science, and IT.

It’s true that technical education, previous experiences, and/or the expected basic certs will give candidates a leg-up on the competition for entry-level roles.

According to the research, 90 percent of hiring managers would only consider candidates with previous IT work experience, and 89 percent said the same about holding entry-level certs.

However, the study noted that successful recruits were also sourced internally from departments such as finance and even non-STEM fields like communications, HR, customer service, and marketing to bring fresh ideas to the table.

So, if a candidate in the comms team starts thinking about a career switch, the way to maximize the chances of securing a job would be to work toward a Security+ cert, which is generally one of the first qualifications, if not the first, that an aspiring IT pro should pursue.

It’s also one of the most in-demand certs employers are looking out for when assessing entry-level or junior candidates, second only to the CASP+, which is a far more advanced qualification.

“This trend indicates the value that professionals from non-IT backgrounds can bring to the field, offering fresh perspectives, business acumen, technical and non-technical (soft) skills, and innovative thinking to the cybersecurity team,” the report stated.

“Hiring strategies that include sourcing candidates from alternative pathways – such as internships, apprenticeships, and non-traditional educational or training backgrounds – can also help strengthen talent pipelines and foster a new generation of cybersecurity professionals from which hiring managers can draw.

“It is more important than ever for organizations to have these tools in place to stay ahead in a profession that demands continuous learning and adaptation.”

Job market

Once considered an empty chasm of talent waiting to be filled, cybersecurity now has very little demand for generalists, some experts say.

Industry hiring has been in flux for some years now. From the COVID-19 days of mass recruitment to the economic pressures of the past 18 months making many positions redundant, what used to be a sure-fire bet for a stable career suddenly doesn’t seem so safe.

Mary McHale, a careers advisor for UC Berkeley’s Master’s in Cybersecurity, told The Register that industry players are now looking for specialists in certain sub-fields of cybersecurity.

Recent layoffs have left the job market oversaturated, and with AI products now easily handling basic security tasks like event monitoring, employers are increasingly seeking unique talent, especially in oversight and governance.

While the private sector may not have many problems with hiring top cyber talent at the moment, the same can’t be said for the public sector, at least in the UK, where robust pension packages don’t make up for the comparatively lackluster salaries. ®