
Cybersecurity Skills-Based Hiring: Why Tech Leaders Need to Shift Their Idea of ‘Qualified’

It’s no secret that the cybersecurity field has a talent shortage. Experts project that over 3.4 million jobs in the industry remain unfilled. The reasons behind this are numerous—burnout is churning people out, younger generations aren’t entering cybersecurity, and qualified candidates aren’t plentiful. The last one is worthy of discussion. As the industry evolves, so should the idea of “qualified.” To do this, organizations need to shift to cybersecurity skills-based hiring.

The Current Consensus on ‘Qualified’

So, what does being qualified mean to those hiring cyber professionals? In the State of Cybersecurity 2022 Report from ISACA, 55% of cyber leaders said applicants aren’t well qualified. They find people lacking in key areas, including prior hands-on experience, credentials, hands-on training, employer recommendations, degrees, and association memberships.

So, the question is—do these things demonstrate that someone will excel and thrive in cybersecurity? If you look further at the data from the study, the importance of what hiring managers seek doesn’t necessarily align with the skills they believe are most valuable. The most sought-after skills include hard and soft ones:

  • Soft skills of communication, flexibility, and leadership
  • Cloud computing
  • Security controls regarding endpoints, networks, applications, and implementations
  • Coding skills
  • Software development-related topics, such as languages, machine code, testing, and deployment
  • Data-related topics
  • Network-related topics
  • Pattern analysis
  • System hardening
  • Computing devices, including hardware, software, and file systems

Soft skills were at the top of the skills gap list. Technical aptitude is also vital, but just because someone has a degree or credential doesn’t mean they know how to apply it. Narrow-mindedness on this can actually lead to hiring “paper tigers,” who look great on paper but don’t have the aptitudes or abilities to be successful.

In an environment where hiring is competitive and challenging, it’s time to readjust your definition of qualified with skills-based hiring in cybersecurity.

What Is Skills-Based Hiring?

Skills-based hiring is an approach to recruitment that focuses on someone having specific competencies and aptitudes. It’s a new method that shifts the emphasis from traditional screening using education, credentials, and previous experience.

It seeks to look at someone holistically, considering their abilities, attitudes, and adaptability. Hiring based on skills makes a lot of sense for cybersecurity. A good example of this would be that an individual has proficiency in programming languages but doesn’t have a degree in computer science. Another example would be that a person has immense knowledge of cloud computing but not a certification.

Skills-based hiring also looks at potential candidates beyond their technical prowess. Since it looks at someone’s complete profile, you can also evaluate their soft skills, which are desperately needed!

Experts Are Adamant About Skills-Based Hiring in Cybersecurity

The push to hire based on skills is something that experts are recommending and urging. At a recent House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing, many were there to discuss the workforce shortages. Their advice—stop requiring college degrees. The group said that to strengthen the cyber pipeline, the Federal government needs to take the lead in skills-based cybersecurity hiring.

Companies that are sounding the alarm on cybersecurity deficits can take on this new way of hiring. They could even fund skill development when they see someone with potential. Those people could come from many different places—military veterans, people seeking to change careers, new high school graduates, and even internal folks interested in the field. If there’s passion, curiosity, and appeal, you can nurture that to develop the person.

Why Is Skills-Based Hiring the Future of Cybersecurity?

The future of cybersecurity looks a little stark for the good guys. If you don’t have enough skilled employees, you’re automatically more at risk. While you can close some gaps with automation, human-in-the-loop will always be a strong component of all cyber operations. If the field makes this needed progression toward skills-based hiring, the future looks more manageable and optimistic.

Skills-based hiring finds those you may overlook or discount. It also has much to do with cultural fit and someone’s ability to be agile and flexible. A college degree, experience, or credentials don’t necessarily demonstrate any of these things. Further, if you hire based on skills—hard and soft—you are more likely to retain that person long-term.

By using cybersecurity skills-based hiring, you can:

  • Discover people with talent and a growth mindset: When you focus on what someone can do and their range of attributes, you’re likely to find great candidates. They don’t fit the familiar mold, but that can be a good thing. If they have technical knowledge and possess a growth mindset, they could become superstars with some skill development and coaching.
  • Attract younger generations: Currently, only 12% of the cyber workforce is 34 or younger. It’s not sustainable, so the urgency to get Gen Z to give cybersecurity a chance is huge. This generation and those even younger have different expectations about work and may avoid cybersecurity because they believe it to be rigid, stale, stuffy, and unchanged. Skills-based hiring allows you to change this false narrative by emphasizing the importance of soft and hard skills. If you’re creating a culture around skills, it should also be one of transparent communication, collaboration, and continuous improvement. Gen Z will find this much more attractive.
  • Create equity in hiring practices: If you’re following the skills when you recruit, you’ll be able to streamline the process and ensure that candidates get the same treatment regardless of their resumes. It makes it more equitable as well. The cyber field has not always been accessible or friendly to all demographics. For example, women represent a small number of cyber professionals. If you reimagine how you hire based on specific skills, you may see more female candidates.
  • Develop people over time: Skills-based hiring is also an investment in your people. You make them part of your team with expectations and requirements. This could include technical courses, hands-on training, and soft skill development. With this approach, you are making it clear that you want the person to be successful, and you will give them the resources they need to do so. Such a strategy improves employee satisfaction and retention.

With all this to gain, the next step is implementing skills-based hiring.

How Do You Shift to Skills-Based Hiring in Cybersecurity?

If you want to go in this direction, you’ll need to work on a few areas so you can recruit and hire smarter. It’s not a massive change if you’ve already been assessing skills over diplomas and certifications. It will, however, require you to eliminate old ways of thinking about cybersecurity.

It’s a cultural shift where you want to banish all the stereotypes associated with technical folks—they’re bad communicators and collaborators who only see the world of ones and zeros. Yes, people in technical fields tend to be more pragmatic and logical, but they often don’t deserve the other labels. Your job is finding people outside the box who want to evolve cybersecurity with you.

Here are some tips:

  • Redefine your job descriptions and requirements: Start by eliminating the need for a four-year degree and specific certifications. Instead, focus on core competencies, soft skills, personality, communication capabilities, and drive. If there are specific things the person needs to be proficient in, emphasize those, but don’t limit this expertise to having a degree or certification.
  • Look for internal talent: Internally posting new jobs is a typical step, but if you do, add some context about whom you’re looking for beyond technical skills. There could be some smart and capable people who want to move into cybersecurity but don’t know how to start. Create relationships with those folks and work out a plan to upskill and reskill them.
  • Use assessments to evaluate technical and personal skills: You need people to demonstrate they have the abilities you desire. You can assess them with different tests to understand how they’ll perform. Don’t limit this to only technical skills. You also want to know about their ability to communicate, lead, problem-solve, and think critically.
  • Get to know people during the interview process: This part of hiring can be challenging for you and candidates. They’re nervous, and you’re cautious. I urge you to get to know the person and their philosophy on cybersecurity and why they want to be in the industry. You can learn so much from someone when you ask their opinion and perspective. You’ll be able to recognize genuine interest and desire from these discussions.

Skills-Based Hiring in Cybersecurity: Keep Developing Your People

Hiring based on skills fits the field of cybersecurity well. After all, you want employees to be able to deal with a dynamic environment. When you hire this way, you’re likely to find people with the right mix of abilities who want to be there for all the right reasons. Once they are on staff, keep developing them with an emphasis on soft skills. It’s not an easy journey, but you can find lots of advice on how to do this in my book, The Smartest Person in the Room, which features the Secure Methodology™. It’s a seven-step framework for improving and building these capabilities in technical folks. Check it out by getting your copy today.

Reskilling and Upskilling Talent Can Help Shrink the Cybersecurity Skills Gap

One of the most important topics in cybersecurity is the talent shortage. Reports and data back up the consensus that we don’t have enough people for all the jobs and that new generations aren’t entering the field. Further, CISOs and other cyber leaders have noted it’s one of their biggest challenges. Finding qualified people has become a barrier to building and evolving cyber resilience. The cybersecurity skills gap runs parallel with this, as many cyber professionals or aspiring ones don’t have the qualities employers want.

This cycle of shortages and gaps will continue, leaving organizations facing greater risk in cyber operations. So, what’s the answer? There is no quick fix to this dilemma. However, there may be something we’re all overlooking — reskilling and upskilling talent. Making this investment in people develops them into capable cybersecurity specialists who possess both the soft and technical skills a company needs to survive and thrive in the modern age of business.

What Are the Cybersecurity Skills Gaps?

Overall, we can look at the industry and see it’s woefully understaffed. The (ISC)² 2022 Cybersecurity Workforce Study made headlines with its findings that over 3.4 million jobs in the industry remain unfilled. As a result, organizations feel the consequences: strained existing resources, an inability to conduct risk assessments, and greater risk.

It doesn’t necessarily mean there aren’t people who want to work in cybersecurity. However, it’s hard to be too optimistic about younger generations joining the field, as millennials and Gen Z aren’t flocking to be cyber experts. In fact, less than 12% of the workforce is 34 or younger!

The bigger problem is the gap in hiring people who can hit the ground running. They aren’t meeting the expectations of those employing them, with 55% of cyber leaders stating applicants aren’t well qualified. So, what qualifications do they think candidates need? Here’s what they said, in order of importance:

  • Prior hands-on cybersecurity experience
  • Credentials
  • Hands-on training
  • Employer recommendations
  • University degree
  • Association membership

But how well do these things determine if someone can do the job? It’s hard to get hands-on experience or training without a starting point. Credentials don’t always equate to someone with the right skills. We’ve previously discussed the term “paper tigers” and how they don’t represent “quality.” Rather, paper tigers have all the right credentials on paper but don’t have the aptitude or ability to be successful cyber professionals.

A university degree can be the same as credentials. A four-year degree doesn’t make someone qualified, either. I would argue that expecting a college education is a problem in cybersecurity recruitment, which 52% of organizations require. There are many bright and capable people out there that you’re dismissing.

The Biggest Skills Gaps: Soft and Hard Skills

In the same research, cyber leaders also noted the biggest skills gaps:

  • Soft skills (e.g., communication, flexibility, leadership)
  • Cloud computing
  • Security controls (e.g., endpoint, network, application, implementation)
  • Coding skills
  • Software development-related topics (e.g., languages, machine code, testing, deployment)
  • Data-related topics (e.g., characteristics, classification, collection, processing, structure)
  • Network-related topics (e.g., architecture, addressing, networking components)
  • Pattern analysis
  • System hardening
  • Computing devices (e.g., hardware, software, file systems)

That soft skills are the number one cybersecurity skills gap isn’t surprising. Without these capabilities, it doesn’t matter how technically gifted someone is; they’ll flounder and actually cause problems in the organization. When asked specifically what soft skills they find attractive, leaders said communication, critical thinking, problem-solving, collaboration, and attention to detail.

Developing these isn’t a priority for most credentialing or educational institutions. I suppose they think the working world will figure this out and help workers cultivate it. Except most aren’t, so the cycle of bad hiring continues.

All this data emphasizes that we’re at a crossroads in the industry. You do have control here to break the cycle with upskilling and reskilling, focusing on hard and soft skills.

Upskilling and Reskilling to Build a Better Pipeline of Cybersecurity Talent

The strategies and decisions you make today regarding recruitment and hiring impact the short and long-term. If you’re going to keep a pipeline running, you will have to look outside the normal parameters. Finding people passionate about cybersecurity and helping them become adept at it will serve you well. Here are some tips on how to implement this into your hiring plan.

Look for internal talent.

There may be people within your organization now wanting to pursue cybersecurity. They may be in a non-technical position now, but they have potential. Creating a mentorship program within your company could build this bridge. Encourage those interested in the field to express their interest and join the community. Assess them based on their soft skills and capacity to learn technical knowledge. If you find some great people to develop, the business could pay for specific courses to help them level up their hard skills. Once they have the basics, continue to support them through learning and training.

Evaluate your current entry-level staff and their gaps.

You’ve likely hired some entry-level positions as of late. You saw their potential and recognized their abilities, but you also knew things were missing. Those can include soft and hard skills. Building a relationship with them and understanding their motivations and career goals can inform whom to invest in with upskilling and reskilling opportunities. If you invest in them, they’ll feel valued and appreciated, which will go a long way toward cybersecurity retention.

Stop looking at only a resume.

A resume is a piece of paper with a quick summary of what someone has accomplished. It’s not their whole story. It’s too easy to reject resumes based on if they have the right keywords or phrases. Pay more attention to their abilities, aptitudes, and attitudes. How can you do this? Consider a short questionnaire that peels back the layers and gives you more insight. You may be passing up great candidates otherwise.

Develop every team member’s people skills.

The last piece of advice is to focus on people skills development. You may think it’s an impossible task, and getting people to change and grow is hard. I found it to be such a deficit in the field that I created the Secure Methodology™. It’s a seven-step guide that helps cyber leaders transform technical folks into excellent communicators, problem solvers, and collaborators. Here’s a preview of what each step entails and why it supports upskilling and reskilling.


We start with Awareness, which includes being cognizant of the self and others. When it’s absent, people don’t realize the impact of their behaviors, which can cause conflict and resentment. If you can move people into a state of awareness, they’ll have greater respect for others and think more intentionally about how they act.


fixed mindset does no one any good. Encouraging people to shift to one of growth is good for everyone. In this step, I recommend the 7 Levels Deep exercise. From this, you can understand motivations and why people act as they do, which can break the fixed mindset.


Acknowledgment starts with you and is an act of appreciation. When you create a culture where this exists, it will strengthen trust and confidence. It’s also about redefining cybersecurity culture from one where the expectation is that technical people know everything and can do everything. All that does is create burnout. People need grace and also need to know you can give it to them.


Communication is the number one soft skill for a reason — it’s the core of everything in life. If communication is poor, rude, non-inclusive, or nonexistent, you have breakdowns that elevate risk and animosity. In this step, you’ll be using activities to get to the root of communication, which is just as much about listening as talking. Creating a space where communication is expected, transparent, and honest could be the greatest upskilling you provide to someone.


Monotasking focuses on the details, another soft skill missing in candidates. If you’ll recall, in acknowledgment, we discussed how cyber professionals couldn’t do everything. So, with this step, you will introduce monotasking and blocking off time on their schedules to complete one thing without distractions. The result will likely be greater productivity.


In the Secure Methodology, cognitive empathy is the learning. It’s understanding someone’s feelings and perspectives and is key to communication and collaboration. Once people grasp how important this is in work and life, they often have “aha” moments and finally realize how critical it is to be open to the views of others.


Kaizen is a Japanese term that translates to “continuous improvement.” So, this step continues forever and can teach people how to be adaptable and flexible. They can continually improve soft and technical skills throughout their career.

Reskill and Upskill With the Secure Methodology

If you want to reimagine how you recruit, hire, and retain, the Secure Methodology is a vital resource. Reskilling and upskilling are possible with this framework. Learn more by checking out the Secure Methodology course today.

The Urban Legend of the Cybersecurity Skills Gap

According to the Information Systems Security Association (ISSA), we’re facing a cybersecurity skills crisis. Their recent report calls the gap in qualified individuals a “rapidly widening business problem,” claiming businesses are investing their resources in the wrong places when it comes to cybersecurity.

ISSA partnered with Enterprise Strategy Group (ESG) to look at the state of qualified cybersecurity professionals in the workforce. Around 70% of respondents to their survey said they felt a lack of cybersecurity skills within their organization was affecting their company. According to the cybersecurity organization (ISC)², almost three million cybersecurity jobs needed to be filled globally as of 2018.

Most people agree that this is a serious problem. The lack of qualified professionals at major businesses with knowledge in cybersecurity is exacerbating data breaches, and has been called an “existential threat to our national security.” What there doesn’t seem to be a consensus on is how that problem should be solved.

Are There Really Not Enough Qualified People to Fill the Cybersecurity Skills Gap?

The short answer seems to be no. Rather, the problem seems to lie with the paths made available to talent looking to get into the cybersecurity industry.

For a long time, the university path has been the main place students get recruited into cybersecurity jobs. Organizations recruit from universities, and many require a college degree as part of their job descriptions for cybersecurity roles. But there are thousands of talented people who miss out on these job opportunities simply because they don’t choose to go to college.

In an article for Forbes, cybersecurity contributor and CEO of Immersive Labs James Hadley argues that the cybersecurity skills gap won’t be mitigated through the classroom. He argues that self-taught, talented people should be recruited and trained by organizations before they take their talents to the wrong side. He writes:

“The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more-complex threats, the need for a diverse pool of cybersecurity experts to learn in real-time, rather than a classroom, strengthens.”

Hadley cites 22-year-old Daniel Kelley, who hacked the telecom company TalkTalk, stole the data of thousands of users, and used it for blackmail, as an example of what could happen when people who feel snubbed by the system use their talents for ill. Kelley didn’t make the grade required for a computer course and attacked TalkTalk out of a desire for revenge. He could’ve ended up using his skills to help instead of hurt, Hadley argues, had that path not been closed off to him.

Companies don’t want to train employees, preferring that they come to the job with the skills they need already, but the nature of cybersecurity work demands constant retraining and maintenance of those skills. There are qualified people ready to help stop the next cybersecurity threat if companies are willing to adapt to them.

How Can Companies Fill The Gap?

The threat of cyberattacks and hacking isn’t going away. In fact, they’re likely to increase as time goes on and the technology both companies and hackers use becomes more sophisticated. That’s why businesses should do everything they can to make themselves resilient to cyber threats. How can they do that?

First, hire and train the right people. Provide them with the time and resources they need to continually develop their skills to match the changing threat and technological landscape. Devote more of the company budget to cybersecurity. Currently, 49% of companies say that cybersecurity is a budget priority, but pros say that figure should be closer to 60%.

A shift away from the traditional job requirements of a university degree path would allow for the scouting, hiring, and training of the right people. Instead of academic background, those in the cybersecurity field would be better served by looking at a candidate’s skill sets. Do they have the skills needed for the job, even if they don’t have the degree? If they do, invest in that talent.

A few of the skills necessary for cybersecurity jobs:

  • Relevant past work experience
  • Ability to understand advanced cybersecurity concepts
  • Cybersecurity certifications
  • Strength in non-technical soft skill areas

University education can help, but it shouldn’t be the only factor in determining whether a potentially promising candidate in the cybersecurity field gets turned away, especially if that candidate could broaden the diversity of the field. Women represent only 23% of the cybersecurity workforce, according to (ISC)², and that number is after they broadened the definition of who works in cybersecurity.

It isn’t just companies that can help close the gap and guide more capable people into a cybersecurity career. Government initiatives like the UK’s Cyber Discovery free training program can help people explore their interest in IT, and ultimately decide that it’s a good career for them. State and federal governments in the U.S. should implement their own programs to seek out and support talent in a similar fashion.

Part of solving this problem will be getting the word out. Careers in IT and cybersecurity aren’t talked about as widely as more traditional paths like becoming a doctor or nurse, or trendier digital careers like YouTuber or Instagram influencer. But the fact is that people who have these jobs hold them a long time, are satisfied with the work they do, and are compensated very well for their efforts. If more people knew that, starting at a younger age, they might find a place for their skills where they didn’t think one existed.

Companies can put themselves at the front of the pack by taking the initiative to find and recruit top talent outside the conventional pipeline. And they can do it by being willing to invest the time and money in proper, ongoing training. The cybersecurity skills shortage isn’t all that frightening if you know where to look to close the gap and are willing to take action.