Organizations are scrambling to build robust security teams capable of defending against relentless attacks—threats that are becoming more sophisticated and robust. Yet filling those critical cybersecurity roles remains an immense challenge fueling an intense labor shortage debate.
Some experts assert the Great Cybersecurity Workforce Shortage is very real, with an estimated 700,000 open positions in the U.S. alone according to ISC2 research. Job postings for roles like cloud security engineers, penetration testers, and cybersecurity analysts often attract a dearth of qualified applicants.
However, others in the industry question whether the "shortage" narrative fails to capture the full picture. Instead, they argue that systematic hiring issues are the bigger culprit behind cybersecurity's staffing woes.
Derek Fisher, Executive Director of Product Security at JPMorgan Chase & Co., broke the issue down in a May 22nd LinkedIn post: "High Barriers to Entry: The industry's reliance on certifications and degrees as entry requirements artificially limits the number of eligible candidates; Recruiter Limitations: Non-expert recruiters often use degrees and certifications as shorthand for capability, overlooking many capable candidates; and Misplaced Trust in Credentials: Hiring managers seek the 'perfect' candidate with numerous credentials, who often isn't interested in entry-level roles."
"A significant part of the problem lies in the way organizations and recruiters narrow down candidate pools," Fisher said. "Recruiters, who may not be cybersecurity experts, often rely on easily measurable factors like degrees and certifications to evaluate candidates. This practice excludes many capable individuals who possess the necessary analytical and technical skills but lack formal qualifications. Consequently, organizations miss out on a vast pool of talent ready to deliver value, as they prioritize credentials over actual potential and dedication."
A common complaint is that employers set unrealistic, gatekeeping criteria that arbitrarily shrink applicant pools. Job postings demanding five-plus years of experience for entry-level roles (when even a two-year requirement weeds out a chunk of the talent pool), excessive certification requirements, and exhaustive technology skill checklists put off many viable candidates.
Colleen Lennox, Founder & CEO of Cyber Job Central, commented on Fisher's LinkedIn post, adding:
"In my opinion, every cybersecurity opening is like finding a unicorn. Companies need applicants who can hit the ground running, often seeking very specific, product-based experience. To be fair, corporations are willing to let these 'unicorns' work remotely. However, many highly-talented individuals are still out of work due to the 2023 reductions, and their opportunities are limited based on the products they have used in previous roles."
"Breaking into the field was easier before COVID-19 when in-office support and hands-on training were more accessible," Lennox continued. "Now, it's challenging to train new hires who are left to fend for themselves, leading to entry-level positions requiring years of experience. Something needs to change."
Cybersecurity also suffers from a diversity and inclusion challenge. Many companies still recruit from the same insular talent pools, missing out on candidates from non-traditional backgrounds such as career pivots and self-taught prospects.
[RELATED: Groundbreaking Report Exposes Stark Exclusion of Women in Cybersecurity]
Even when strong candidates are found, some companies fail to provide proper training and enablement. CISOs often lament budget constraints that force new hires into production roles before they're ready.
Some CISOs say without structured onboarding, mentorship, and continuous skills development programs, employers will keep facing high churn rates and perpetual staffing holes. It's not wise to simply hire for cybersecurity, they say; organizations have to be committed to training.
Jeffrey Burkhardt, Director of Business Development, IT, at firstPRO Inc., added on to Fisher's LinkedIn string with these comments:
"From where I sit, the challenges are several.
1. Unrealistic JDs (job descriptions) calling for experiences that in themselves are challenging. Add demands for certifications and degrees and the pool of talent for these JDs shrinks. (We know this.)
2. An unwillingness of companies to invest. Warren Buffett famously references in business to play 'the long game.' When seeking candidates for cyber roles, companies have a genuine opportunity to invest in grads, etc., who are looking to grow their careers. They should consider making the investment in these resources. It fosters incredible good will and will make these same employers feel proud someday.
3. False advertising. I see grads all the time ready to jump into their first cyber role with the promise of a nice salary and future job security. Not true. Colleges and universities (IMO) need to be more dutiful in sharing with grads the 'real world' they might face when they graduate. Like how they will encounter MANY equally talented, good looking candidates who can all start Monday.
I have dozens and dozens of cyber candidates I cannot find homes for. It's upsetting."
The cybersecurity community's fixation on certifications and credentials is, as is evident above, also hotly debated. Some feel the certification craze focuses on acronym chasing rather than assessing true skills exacerbates staffing gaps.
While the "Is there a shortage?" debate rages on, industry consensus is emerging around the need for smarter hiring approaches, skills-based candidate evaluation, robust training programs, and diverse talent pipeline development to close the cybersecurity staffing gap.
Fisher concluded his LinkedIn post with the following:
"Organizations must reevaluate their hiring practices. Instead of focusing on formal qualifications, they should recognize the potential of candidates from diverse backgrounds and invest in their development. This approach not only helps fill critical cybersecurity roles but also fosters a more inclusive and effective workforce."
Some solutions he offers:
- "Broader Talent Pool: There are many capable individuals with the right skills and traits who are excluded due to arbitrary qualifications.
- Unrecognized Potential: By broadening the criteria for entry-level positions and focusing on skills rather than credentials, the so-called shortage can be mitigated.
- Training and Development: Organizations need to invest in training programs to develop talent internally, similar to practices in other industries."
