How to bridge the cybersecurity skills gap — Take a risk



The cybersecurity industry is ripe with opportunity, boasting nearly 500,000 job postings in February. From bright-eyed high school and college graduates with no strings holding them down to seasoned professionals seeking a career change, there is an incredible talent pool just waiting to be tapped. 

But here’s the catch: companies must be willing to put in some additional effort and take a little risk to reap some major benefits. 

To close the skills gap, companies need to be willing to hire and train new security professionals or upskill current professionals missing the niche capabilities necessary for their cyberinfrastructure. Unfortunately, many current job listings require prior experience or certifications, and many cybersecurity training programs and certifications are quite expensive and time-consuming. This becomes an impasse too large to bridge for many individuals who are already employed or are caregivers. 

Many of those folks trying to break into the industry bring a particular passion and drive; they want to be in the industry. Instead of filtering candidates by checkboxes, organizations should focus on hiring the right people — those who bring curiosity, problem-solving skills, and a willingness to learn. Cybersecurity is a team effort and requires a lot of hard, mentally exhausting work. Hiring for the right culture fit, adaptability and passion will result in a stronger and more resilient team in the long run.

Cybersecurity would also stand to benefit from the perspectives of individuals from different professional backgrounds. A journalist or marketer’s experience can transfer to cyber threat intelligence; an educator can cross-train to technical writing or security awareness training; an accountant can work in cyber fraud; someone who is multi-lingual can become a threat researcher; and mechanics and engineers can learn hardware, Supervisory Control and Data Acquisition (SCADA), or Internet of Things (IoT) security — the list goes on. Professionals from non-traditional roles, when transferred into cybersecurity roles, will also bring fresh, valuable, and unique perspectives to the industry. 

The presumed concern and hesitancy to hire individuals with little-to-no cyber experience likely comes from the time and cost necessary to train a new hire, in addition to the risk of losing them following training completion. Fortunately, GenAI tools are now available and can be leveraged to upskill and support junior cybersecurity professionals as they work alongside senior mentors.

I recently came across a job posting for an organization valued at $700M doing exactly what I hope to see more companies do. This post advertised an opening for a Tier One SOC position, in-person, on third shift, and there were no special requirements — just the standard high school diploma, an understanding of basic computer programs, and a willingness to learn new skill sets. The job duties entailed everything from physical security of the building, like a security guard, to, more importantly, watching for and escalating cyber detection alerts. This is the kind of entry-level, bare-requirement position that helps folks break into the industry. 

One week later, I came across a similar position for a different organization. It, too, was third shift and on-site, but did not include physical security duties. This listing required 1-3 years of experience and preferred applicants with certifications and prior knowledge of various tools and applications. I would argue that experience could be taught on the job in a position at this level. Someone with a military, law enforcement, or IT background would understand processes and could be trained on tools, whereas folks with existing certifications but no experience may know the tools and quickly be able to learn the processes. All it takes is some additional on-the-job training.

Hands-on training is essential in any field, but it’s especially valuable in cybersecurity. Cybersecurity concepts are often complex and difficult to grasp through textbook or lecture-based education alone. The best way to learn how to secure an environment or application, analyze threats, and pentest existing defenses is through direct experience with a real cloud environment, analysis of a known attack path, and practice evading detection tools. HackTheBox and TryHackMe are incredibly valuable hands-on learning programs, but newcomers to the cybersecurity industry learn more — and learn faster — from mentors and with the support of GenAI tools on the job. 

At the end of the day, we don’t have a shortage of talent — we have a skills gap. Take me for example: I never had a formal education in cybersecurity and didn’t receive any certifications prior to holding a cyber position. I’m living proof that on-the-job training works, and I’m not alone. Plenty of passionate, capable people are eager to join this industry, but they’re being blocked by checklists and rigid hiring mindsets. 

To fill the nearly half million open roles, I encourage organizations to take a chance on non-traditional candidates and invest in training. Cyber threats don’t wait for an opportune moment, so why are you?


