TL;DR
Let’s get one thing straight: the cybersecurity field isn’t struggling because skilled professionals are lacking. It is struggling because the industry’s hiring practices are misaligned, rigid, and out of touch with reality.
There’s no shortage of people eager to break into cybersecurity. They’re out there, and I’ve met them: they’re earning certifications, attending boot camps, and grinding through labs. But they hit a wall when they realize the industry's hiring process is its own worst enemy.
The Real Problem
So, what’s really going on here?
- Companies lack loyalty to their employees, so professionals move jobs frequently, seeking better opportunities.
- Entry-level roles require experience, but how do you get experience if no one gives you a shot?
- Job descriptions are often created without clear alignment between hiring managers and recruiters, leading to mismatched expectations where the listed qualifications and certifications don’t reflect the actual skills needed for the role.
- Many roles are hyper-focused on narrowly defined technical skills, overlooking the importance of curiosity, adaptability, and diverse problem-solving abilities that professionals with broader or non-traditional backgrounds can bring to cybersecurity challenges.
- In my own hiring experience, I prioritize candidates who are hungry to learn and not afraid to fail. This is especially true in fields like offensive security, where thinking outside the box is essential.
Let’s dig into why this "skills gap" narrative misses the mark.
The Myth of the Skills Gap
Year after year, we hear about the cybersecurity “skills gap,” with reports citing millions of unfilled jobs. But the truth is more nuanced. The industry isn’t suffering from a lack of potential talent. No, it’s suffering from rigid hiring practices and unrealistic expectations.
Aspiring cybersecurity professionals are earning certs, completing boot camps, and honing their skills in labs, yet they’re struggling to land that first role. Why? Because too many job listings demand 3-5 years of experience for positions labeled entry-level. It’s the classic “need experience to get experience” paradox, derailing careers before they even start.
The ISC² Cybersecurity Workforce Study estimates that 3.4 million cybersecurity workers are needed globally. However, this figure doesn’t account for the systemic hiring issues that prevent qualified candidates from filling these roles.
Here’s a stat that says it all: According to CyberSeek, there are about 460,000 cybersecurity job openings in the U.S., yet thousands of certified professionals are still struggling to land roles due to unrealistic hiring practices.
The Experience Paradox: Breaking into Cybersecurity
I’ve been there.
When I transitioned from law enforcement to cybersecurity, I faced the same roadblocks many aspiring professionals encountered. I had years of investigative experience, which translated directly to threat hunting and penetration testing skills. But on paper, I didn’t meet the arbitrary "years of experience" requirement most companies were looking for.
It wasn’t until I met a hiring manager who valued my law enforcement and investigative background that I got my foot in the door. They recognized that my ability to analyze complex cases, connect dots, and approach problems methodically was needed in cybersecurity. That opportunity was a game-changer, and it showed me firsthand how unconventional backgrounds can bring immense value to this field.
Now, when I’m hiring, I look for that same potential in candidates: people who are passionate about learning and bring diverse perspectives, even if they don’t check every box on a job description.
Contributing Factors to the Perceived Skills Gap
Lack of Company Loyalty
The traditional model of long-term employment within a single company has shifted. Organizations often do not invest in their employees' professional development, leading to high turnover rates. Cybersecurity professionals, aware of the demand for their skills, frequently move between jobs seeking better compensation, benefits, and growth opportunities. This constant movement contributes to the perception of a skills gap, as positions remain unfilled due to retention challenges.
A Centum Search study highlights that tech professionals, including those in cybersecurity, tend to stay in roles for 2-3 years, shorter than the 4.1 year average across all U.S. industries. This high turnover rate exacerbates the issue of frequent job vacancies and contributes to the false narrative of a skills shortage.
Experience Paradox
A significant barrier for aspiring cybersecurity professionals is the requirement that they have prior experience for entry-level roles. As I said before, I can relate to this as someone who came from another profession before cybersecurity.
This paradox creates a cycle in which individuals cannot gain experience without first securing a job, yet they cannot obtain a job without experience. This issue is evident in job descriptions that demand multiple years of experience for entry-level positions.
An article from Bootstrap Cyber emphasizes the need for companies to invest in training new talent rather than waiting for perfect candidates. This shift would help break the cycle and allow fresh talent to enter the industry.
Disconnect Between Hiring Managers and Recruiters
Have you ever seen a job listing that asks for 15 years of Kubernetes experience when Kubernetes has only existed for 11 years? Job descriptions in cybersecurity often contain extensive requirements, including numerous certifications and years of experience, which may not align with the role's actual needs. This disconnect can deter qualified candidates who may feel they do not meet all the listed criteria.
CSO Online emphasizes the importance of focusing on relevant cybersecurity skills rather than rigid industry experience. It advocates diversifying hiring practices to address the “experience shortage,” suggesting that individuals from various professional backgrounds can bring valuable and transferable skills to cybersecurity roles.
The Need to Embrace Diversity
Many cybersecurity roles are narrowly defined, focusing on specific technical skills while overlooking the value of adaptability and a willingness to learn. This over-specialization can limit the talent pool, as candidates who may not meet every specific requirement but possess strong foundational knowledge and the ability to learn are overlooked.
Embracing diversity in professional backgrounds, experiences, and thought processes can lead to more innovative and resilient cybersecurity teams.
An article from AuditBoard discusses the need for organizations to build balanced and diverse teams with complementary skills rather than searching for individuals who meet every specific requirement.
Emphasis on Hunger for Learning
In my experience, candidates who demonstrate a passion for continuous learning and are unafraid of failure often excel in cybersecurity roles. This passion is evident in their engagement with the broader cybersecurity community.
Do they attend industry conferences, or better yet, volunteer or organize them? Are they contributing to GitHub projects, experimenting in a home lab, or building tools that showcase their curiosity? Participation in Capture The Flag (CTF) events and collaborative projects sharpens technical skills and fosters critical thinking and teamwork. This mindset is invaluable in penetration testing and other cybersecurity roles where outside-the-box problem-solving is key.
Organizations can cultivate resilient, creative, and high-performing teams by hiring for potential and a genuine willingness to learn.
These factors suggest that the industry's unrealistic hiring practices contribute significantly to the challenges of building a robust cybersecurity workforce.
Fixing the Hiring Problem: What Needs to Change?
To effectively build a robust cybersecurity workforce, organizations should consider the following strategies:
Revise Job Requirements
Stop demanding 3-5 years of experience for entry-level roles. Focus on problem-solving skills, adaptability, and foundational knowledge. This approach can attract a broader range of candidates and provide opportunities for diverse individuals entering the field.
The CyberSeek project highlights how many cybersecurity roles can be filled by individuals with transferable skills from IT, networking, or software development.
Invest in Employee Development
Organizations should invest in their employees' growth and development through mentorship programs, on-the-job training, and clear career advancement pathways. This investment can increase employee satisfaction and retention, reducing turnover and the associated perception of a skills gap.
A Harvard Business Review article demonstrates that companies prioritizing employee development enjoy higher retention rates and a more engaged workforce.
- Align Hiring Practices: Improve collaboration between hiring managers and recruiters to ensure job descriptions align with the role's needs. This alignment can attract qualified candidates who have been deterred by unrealistic requirements.
- Value Adaptability and Learning Potential: Recognize the importance of adaptability and a willingness to learn in cybersecurity roles. By valuing these traits over a rigid set of technical skills, organizations can build more versatile and effective teams capable of responding to the rapidly evolving cybersecurity landscape.
- Foster a Culture of Continuous Learning: Encourage a culture that supports continuous learning and accepts failure as a part of the learning process. This environment can foster innovation and resilience, essential qualities in cybersecurity. Companies like Google and Meta have built cultures encouraging experimentation and learning from mistakes, leading to more innovative solutions and stronger teams.
- The Role of Hands-On Learning: Cybrary bridges the skills gap by offering hands-on training that equips learners with real-world, actionable skills.
My own experience developing courses for Cybrary has shown the impact of practical learning. For example, my course on Offensive Penetration Testing has received positive feedback for providing actionable skills that professionals can immediately apply in their roles.
One reviewer, Joel Lim, shared how the course helped him develop technical skills and think outside the box. This kind of feedback highlights the value of experiential learning in preparing professionals for the real-world challenges of cybersecurity.
Courses like this teach technical skills and cultivate the problem-solving mindset essential in cybersecurity. Learning through labs, simulations, and real-world scenarios allows learners to experiment, fail, and learn in a controlled environment, preparing them for the dynamic challenges they will face in the field.
Conclusion: Investing in Potential Over Perfection
The perceived cybersecurity skills gap is often a reflection of poor hiring practices and unrealistic expectations rather than a genuine talent shortage. The industry needs to shift from a rigid, checklist-based hiring approach to one that values curiosity, adaptability, and a hunger for continuous learning.
Addressing the disconnect between recruiters and hiring managers, investing in employee development and mentorship, and fostering a culture of learning will not only fill vacancies but also create a more engaged and loyal workforce. High turnover rates, often mistaken for a skills shortage, can be mitigated by building supportive environments where employees feel valued and see clear paths to advancement.
In cybersecurity, the ability to adapt and learn new skills is far more critical than checking off every requirement in a job description. Organizations that recognize and embrace this will close the perceived skills gap and position themselves at the forefront of innovation and security.
Ultimately, it’s time for the industry to stop chasing the perfect candidate on paper and start investing in the potential already knocking at their doors. By doing so, we can build a diverse cybersecurity workforce prepared to meet the challenges of today and tomorrow, ensuring vigilant protection for organizations across the globe.
Hiring managers should seek candidates who actively use platforms like Cybrary, as it shows a commitment to continuous learning and practical skill development. Cybrary prepares aspiring professionals with real-world training and helps organizations retain top talent by offering ongoing growth opportunities.
The talent is out there. The question is: Are you ready to lead the change and fix the broken hiring system?





