Cybersecurity Career

The Urban Legend of the Cybersecurity Skills Gap

According to the Information Systems Security Association (ISSA), we’re facing a cybersecurity skills crisis. Their recent report calls the gap in qualified individuals a “rapidly widening business problem,” claiming businesses are investing their resources in the wrong places when it comes to cybersecurity.

ISSA partnered with Enterprise Strategy Group (ESG) to look at the state of qualified cybersecurity professionals in the workforce. Around 70% of respondents to their survey said they felt a lack of cybersecurity skills within their organization was affecting their company. According to the cybersecurity organization (ISC)², almost three million cybersecurity jobs needed to be filled globally as of 2018.

Most people agree that this is a serious problem. The lack of qualified professionals at major businesses with knowledge in cybersecurity is exacerbating data breaches, and has been called an “existential threat to our national security.” What there doesn’t seem to be a consensus on is how that problem should be solved.

Are There Really Not Enough Qualified People to Fill the Cybersecurity Skills Gap?

The short answer seems to be no. Rather, the problem seems to lie with the paths made available to talent looking to get into the cybersecurity industry.

For a long time, the university path has been the main place students get recruited into cybersecurity jobs. Organizations recruit from universities, and many require a college degree as part of their job descriptions for cybersecurity roles. But there are thousands of talented people who miss out on these job opportunities simply because they don’t choose to go to college.

In an article for Forbes, cybersecurity contributor and CEO of Immersive Labs James Hadley argues that the cybersecurity skills gap won’t be mitigated through the classroom. He argues that self-taught, talented people should be recruited and trained by organizations before they take their talents to the wrong side. He writes:

“The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more-complex threats, the need for a diverse pool of cybersecurity experts to learn in real-time, rather than a classroom, strengthens.”

Hadley cites 22-year-old Daniel Kelley, who hacked the telecom company TalkTalk, stole the data of thousands of users, and used it for blackmail, as an example of what could happen when people who feel snubbed by the system use their talents for ill. Kelley didn’t make the grade required for a computer course and attacked TalkTalk out of a desire for revenge. He could’ve ended up using his skills to help instead of hurt, Hadley argues, had that path not been closed off to him.

Companies don’t want to train employees, preferring that they come to the job with the skills they need already, but the nature of cybersecurity work demands constant retraining and maintenance of those skills. There are qualified people ready to help stop the next cybersecurity threat if companies are willing to adapt to them.

How Can Companies Fill The Gap?

The threat of cyberattacks and hacking isn’t going away. In fact, they’re likely to increase as time goes on and the technology both companies and hackers use becomes more sophisticated. That’s why businesses should do everything they can to make themselves resilient to cyber threats. How can they do that?

First, hire and train the right people. Provide them with the time and resources they need to continually develop their skills to match the changing threat and technological landscape. Devote more of the company budget to cybersecurity. Currently, 49% of companies say that cybersecurity is a budget priority, but pros say that figure should be closer to 60%.

A shift away from the traditional job requirement of a university degree would allow for the scouting, hiring, and training of the right people. Hiring managers in the cybersecurity field would be better served by looking at a candidate’s skill set rather than their academic background. Do they have the skills needed for the job, even if they don’t have the degree? If they do, invest in that talent.

A few of the skills necessary for cybersecurity jobs:

  • Relevant past work experience
  • Ability to understand advanced cybersecurity concepts
  • Cybersecurity certifications
  • Strength in non-technical soft skill areas

University education can help, but it shouldn’t be the only factor in determining whether a potentially promising candidate in the cybersecurity field gets turned away, especially if that candidate could broaden the diversity of the field. Women represent only 23% of the cybersecurity workforce, according to (ISC)², and that number is after they broadened the definition of who works in cybersecurity.

It isn’t just companies that can help close the gap and guide more capable people into a cybersecurity career. Government initiatives like the UK’s Cyber Discovery free training program can help people explore their interest in IT, and ultimately decide that it’s a good career for them. State and federal governments in the U.S. should implement their own programs to seek out and support talent in a similar fashion.

Part of solving this problem will be getting the word out. Careers in IT and cybersecurity aren’t talked about as widely as more traditional paths like medicine or nursing, or trendier digital careers like YouTuber or Instagram influencer. But the fact is that people who have these jobs hold them a long time, are satisfied with the work they do, and are compensated very well for their efforts. If more people knew that, starting at a younger age, they might find a place for their skills where they didn’t think one existed.

Companies can put themselves at the front of the pack by taking the initiative to find and recruit top talent outside the conventional pipeline. And they can do it by being willing to invest the time and money in proper, ongoing training. The cybersecurity skills shortage isn’t all that frightening if you know where to look to close the gap and are willing to take action.

LinkedIn Tips for a Better Cybersecurity Job

Land a new and better cybersecurity job with these LinkedIn tips.

It is a fact that employers, recruiters, and headhunters use LinkedIn to search for people with a cybersecurity certification, such as the CISSP or Security+. We can use this fact to our advantage!

In this article, I focus on a tactic that advertises your credentials to all LinkedIn users. Rather than actively working to find a job and seek out opportunities, this method brings opportunities to you!

In the screenshots in this article, we use the CISSP credential as an example, but you can easily replace “CISSP” with “Security+”, “CEH”, “PMP”, or whatever you want. All we are really doing is adding searchable data to our profile that may be of interest to a prospective employer.

For example, listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP”, as shown below.

LinkedIn search for CISSP, sorted by People.


In the screenshot above, I searched for CISSP, then switched the results to “People”. There are two methods you can use to show up in these searches – (1) change your LinkedIn Headline and (2) change your LinkedIn name. If you want to be really proud (loud) about your credentials, you can even change both your headline and name.


Where to change your LinkedIn Headline, which shows up beneath your name in search results.

LinkedIn Headline

The first person in the results example above doesn’t even have a CISSP certification. He listed “Studying for CISSP Exam” in his headline. The LinkedIn Headline is what shows up beneath your name.

Listing “Studying for…” might pique the interest of some desperate headhunters. The fact of the matter is “Studying for the CISSP Exam” doesn’t mean anything, though, other than that you don’t have the CISSP certification. I personally think it is silly when people list “Studying for…” or “In Pursuit of…”, but that’s me.

The third person listed the CISSP certification as their LinkedIn Headline.

LinkedIn Name change – BEFORE

LinkedIn Name

The second person put CISSP after their name, like “John Smith, CISSP”. This is effective. Some people even list multiple certifications after their name, such as “John Smith, CISSP, CEH, Hacker, Cat-Lover, Ninja”. It’s up to you. Some creativity may generate more interest.

How to add the title to your LinkedIn name. I suggest using something other than “Dude” 🙂

What the LinkedIn profile looks like after “Dude” is added to the name.

Any of these approaches work to get the attention of employers, recruiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests, even ones that don’t make sense, based on your current role, like the sample I received today:

Sample headhunter LinkedIn message.

It’s apparent many recruiters take a shotgun approach and don’t bother to look at the prospect’s current role. I don’t have any credentials listed in my profile headline or name either, but I still get a couple of these per week.

I hope you find these strategies useful in your hunt for your ideal career.

Check out my book “The Smartest Person in the Room” to pick up some much-needed EQ skills for cybersecurity. People skills are actually more important than technical skills.

How to Hire Cybersecurity Professionals to Ensure Success for the Organization and the Employee

Hiring practices are different for every field, and for cybersecurity professionals, there are many opinions. In a growing and evolving industry, some standardization exists, including a significant focus on certifications. But do certifications equal talent? Not always. As a cybersecurity leader with years of experience building teams, I want to teach you how to hire cybersecurity professionals so they and your organization can be successful.

The Failures in the Hiring Process

The number one failure by cybersecurity hiring managers is the blindness around certifications. Certifications should illustrate skillsets and experience; however, as I write about in my book, The Smartest Person in the Room, that over-dependence leads to retaining paper tigers. Paper tigers are the folks that look great on paper but aren’t ready for the real world of cybersecurity.

Why Certifications Don’t Hold Too Much Weight

The problem with cybersecurity certifications is that their structure isn’t conducive to training people to be job-ready. Many are designed around a quick multiple-choice test, which anyone can memorize. It’s not like a skilled trade, which requires hours of training or apprenticeships.

The rush to earn certifications accelerated because of the constant refrain that the industry lacks talent. That is certainly true, but many saw it as an opportunity to obtain a piece of paper that would lead them to a lucrative career.

Most certifications don’t test for practical, real-life skills in cybersecurity. Some are credible and mix hands-on experience with testing, such as CompTIA and EC-Council. So, if you’re going to look at certifications, investigate what they really mean about that candidate’s acumen.

Hard and Soft Skills Matter

Another area to discuss in hiring cybersecurity professionals is seeking a broad skillset. Cybersecurity is a technical field, so the person you’re interviewing should certainly understand:

  • Penetration testing
  • Ethical hacking
  • Incident response
  • SIEM (security information and event management) tools
  • Audit and compliance rules
  • Malware
  • Device management
  • IAM (Identity and Access Management)

These are all essential hard skills. Certifications and job experience can offer evidence of these. The questions you ask can as well (more on this in the best practices section).

However, don’t focus solely on hard skills. There are lots of great candidates out there who might fall short on an exhaustive list of technical prowess. If they have soft skills and an open mindset, they could be an excellent hire.

These soft skills should be on your radar when hiring cybersecurity professionals:

  • Leadership qualities: Gauge their ability to lead, no matter their career level. Cybersecurity is an intense field and having leaders on your team means they look at the big picture strategically.
  • Passion: One of the things most lacking in cybersecurity teams is passion. I firmly believe that the enemy — hackers — are deeply passionate about what they do, and that’s why they win a lot of the time. If you can find people that have a fire in their gut to learn and grow, they will care very much about keeping your data safe and secure.
  • Collaborative: Cybersecurity professionals shouldn’t work in silos. There are many specialist roles within the field, so it takes a team to execute a strategy and remain vigilant. Lean toward those applicants that appreciate collaboration and want to work in that kind of culture.
  • Communicative: Communication can be challenging for technical professionals. It’s a bit of a stereotype but also true. Being a good communicator isn’t about being articulate or having a large vocabulary. Rather, it means someone is a good listener and that they use communication to understand, show empathy, and work together. There are many ways to foster communication skills for tech folks, and I talk about this a lot in my book.
  • Curious and inquisitive: Cybersecurity professionals should not be afraid to ask questions. Only through these can they determine the organization’s needs and challenges around security. Some people don’t ask questions; they make assumptions. It doesn’t mean they aren’t talented. In fact, much of the time, those in this situation learn this from life experience. Having a curious nature is a great trait for cybersecurity candidates, and you can assess it by the way they interact and whether they actually ask you questions during the interview.
  • Empathy: Empathy is an attribute that’s an asset in every job. I find it’s constructive in cybersecurity because it enables people to be in the shoes of another and see their perspective. People who can do this can go far in their careers. There’s no substitute for empathy in professional or personal relationships. You can evaluate this characteristic by how the candidate talks and frames situations.

These are outlines of hard and soft skills and not an exhaustive list, but they are good points to consider as you rethink how to hire cybersecurity professionals. Next, I’ll share some best practices for hiring managers.

Best Practices for Cybersecurity Hiring

Whether you’ve been a cybersecurity manager for years or are just starting, this advice can support your recruiting efforts and help you avoid hiring unqualified people. Because once you do, it can become a bad cycle. Ultimately, you want to hire people that have the right skills and fit your culture. Success for all should always be the goal.

Recognize Past Mistakes

If you’ve been recruiting for some time, I would first recommend recognizing past mistakes. We’re all human and make mistakes. What’s important is we learn from them and do better the next time. The reality is that bad hiring hurts everybody. Turnover costs your company real money, and the effect of hiring candidates that are lacking could lead to expensive errors. So, face your past gaffes and go forward without those dragging you down.

Have Real Conversations with Candidates

An interview is a chance for the candidate to sell him or herself. Most interviews are very rigid with detailed questions or checklists. I’m not saying you should toss that out, but this is your chance to get to know the person and vice versa.

Having a natural conversation that touches on who they are and what they know will allow them to feel less nervous and be vulnerable. They may be more honest and introspective, and you can learn a lot about somebody when this happens. You’ll never find that on a resume.

Use an Assessment Tool

In my company, I use the TriMetrix HD. Such a tool allows you to discover important things about an applicant:

  • How they behave and communicate
  • What moves them into action
  • What personal talents they have
  • Which competencies they have mastered, and to what degree

These aren’t technical tests. They give you insights into soft skills. It’s a good next step in the process after you determine they have technical acumen.

Screen Out Job Hoppers

I typically eliminate job hoppers from the applicant pile. This is not a hard-and-fast rule; some people with multiple shorter job histories may have been the victims of layoffs or acquisitions. However, in this field, job hopping is rampant. Most of the time, if somebody is changing jobs every six to 18 months, it’s a red flag. If that looks to be the case, you should probably move on to others.

Don’t Rush Hiring

In many cases, the need to hire cybersecurity professionals is urgent. You needed somebody yesterday, but don’t let that guide you. You’ll make rash decisions that may not pan out just to have a body in a chair. Instead, have a strategic plan that will lead you to the right people. It will take longer, but it’s worth it in the long run.

Ensure Candidates Align with Organizational Values

Most companies, big and small, have a set of company values. Hopefully, these are more than in name only. Your values create your culture. The expectation is that your employees live and respect these.

You can ask candidates questions about your values. Talking about your culture and its attributes with the person should also give you insight into if they believe in them. You can find someone with amazing tech skills, but the employment will likely not last if they aren’t a good culture fit.

Seek Out Those with Great Focus

Monotasking is a pillar of my Secure Methodology, a framework for nurturing and fostering cybersecurity professionals to have better habits and behaviors. Monotasking is the opposite of multitasking and requires focus, which is very important in cybersecurity. You can tell a lot in body language about focus. Another way to assess for it is to ask them how they work. Those who see the value in monotasking could be great team members.

Cybersecurity Hiring: Get It Right So It’s Mutually Beneficial

Cybersecurity hiring can be challenging. There are many considerations — things to do and not to do. Focusing on hard and soft skills, deprioritizing certifications, and implementing these best practices can help. You can learn more about my hiring advice and the Secure Methodology by reading The Smartest Person in the Room.

Cybersecurity Paper Tigers are Killing Us


A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can’t perform any other tiger duties.

Wikipedia defines a paper tiger as this:

“Paper tiger” is a literal English translation of the Chinese phrase zhilaohu (纸老虎/紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.


CompTIA has made the Security+ exam more difficult by adding “performance-based questions” to help with the paper tiger issue.

How do paper tigers relate to cybersecurity?

In my mind, the “paper” is often a cybersecurity certification and the “tiger” is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn’t learn any material, and passed the CompTIA Security+ certification exam, they are a cybersecurity paper tiger though.

My company, Blue Goat Cyber, gets routine inquiries about our cybersecurity training. Many people assume we will just “teach the test”. Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam “open book” and “as a group”, even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?

Cybersecurity Paper Tigers are Killing Us

Cybersecurity paper tigers are killing us for a number of reasons:

  • They don’t know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don’t actually know much, though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5-year-old if he can drive your car. He says “yes”, so you let him drive to the grocery store. The outcome will not end up well.
  • They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being “found out”.
  • They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone certified that doesn’t really know anything. I’ve interviewed people with penetration testing certifications that couldn’t tell me what nmap was…
  • They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their careers, the chance is they are dabblers in everything in their life.

Cybersecurity criminals are masters of their trade – not dabblers. A dabbler will always lose to a master.


The CEH Master requires a practical. Paper tigers need not apply.

What can we do about the cybersecurity paper tiger issue?

There are two areas to focus on to get rid of paper tigers:

  1. Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components. The CEH, for example, has two programs. The first is “Certified Ethical Hacker”, where you have to pass a multiple-choice exam. The second is “Certified Ethical Hacker Master”, where you have to pass both the CEH multiple-choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple-choice exam, but they will likely fail a practical exam, unless they actually learn some stuff. Learning some stuff may strip them of their paper tiger status!

  2. Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications doesn’t mean they know the material. It’s an employer’s duty to screen applicants appropriately. The people doing the interview need to know about the certifications, or be certified in those areas themselves, in order to discern the paperness of the tiger. For instance, if I’m interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.

Let’s do the cybersecurity industry a favor and work to get rid of the paper tigers.