

Security hiring managers are now emphasizing hands-on experience when making hiring decisions for entry-level positions.
While relevant educational qualifications, such as computer science degrees, remain important, they are no longer the only path to an entry-level cybersecurity role.
ISC2’s 2025 Cybersecurity Hiring Trends report found that 90% of managers would consider candidates with only previous IT work experience and no educational qualifications.
Additionally, 89% would consider those with only entry-level cybersecurity certifications and not necessarily a relevant degree.
However, 81% of security managers would still consider candidates who only have an education in IT, cybersecurity or computer science.
A quarter of respondents who recruit from education programs (55% of participants) revealed they have sourced candidates from subjects outside of computer science, IT or cybersecurity.
Around half highlighted internships (55%) and apprenticeships (46%) as effective methods for identifying early-career talent.
Cybersecurity hiring managers are also focusing on non-technical skills in their decision making, with three of the top five skills they value in candidates being teamwork, problem-solving and analytical thinking.
Speaking to Infosecurity, Jon France, CISO at ISC2, said the findings show that there is a broader range of pathways into the sector, including for career changers.
“Employers are recognizing the value of entry-level certifications where previously they would have demanded a degree,” he commented.
France added: “We’re seeing a propensity to favor traits over knowledge, which can be taught. Recruit for attitude and train for aptitude.”
France acknowledged that cybersecurity jobs are currently hard to come by, but said this is more a result of economic and geopolitical issues than of hiring practices.
Professional Development of Entry-Level Staff
Encouragingly, the research found that training of entry- and junior-level employees is often fast and cost-effective.
The majority (56%) of hiring managers said that training entry-level cybersecurity team members to handle tasks independently typically takes four to nine months.
Around half (45%) reported spending between $1000-$4999 to ensure these staff can handle tasks independently.
Encouragingly, 91% of hiring managers reported providing professional development opportunities for these team members during work hours.
France explained that the trade-off of hiring entry- and junior-level staff is that organizations must commit to their training and development from the start.
“The quid pro quo is that you’ve got to give them the opportunity and commit to training them, which is relatively low cost in relation to recruitment,” he noted.
The research also looked at the types of tasks typically undertaken by entry-level and junior-level cybersecurity professionals.
The top tasks for entry-level staff were:
- Documentation, such as processes (43%)
- Alert and event management (35%)
- Reporting (32%)
- Physical access controls (30%)
- User awareness training (29%)
The top tasks for junior-level staff were:
- Backup, recovery and business continuity (53%)
- Intrusion detection (53%)
- Alert and event management (51%)
- Relevant frameworks (50%)
- Penetration testing (50%)
France noted that most of these tasks relate to information discernment, which provides good opportunities for gaining experience for more technical tasks.
The ISC2 study surveyed a total of 929 cybersecurity hiring managers from Canada, Germany, India, Japan, the UK and US.