Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Is there really a cybersecurity skills shortage?

By Tom Kranz
The 'People' Part of Enterprise Cybersecurity Strategies
July 9, 2020

Companies are struggling to find cybersecurity talent, and roles remain unfilled for months at a time. But is there really a lack of qualified candidates on the market? Is the problem with the lack of skills - or are we inadvertently limiting the talent pool before we even post the job spec?

Over the last few years, I've helped several companies grow their cybersecurity teams. There is a huge pool of untapped talent out there: the key is working out the right approach to get these people hired. Let’s look at five simple ways we can expand our pool of candidates, and increase our ability to hire the right people.

Requiring a degree

I keep seeing this as the biggest barrier companies face when trying to hire cybersecurity talent. This is an attitude that belongs firmly in the last century. "Must have a BSc or advanced degree" goes hand in hand with "Why can't we find the candidates we need?" The best security people I have worked with had no degrees. The great ones never finished high school.

Someone who has spent four years teaching themselves security, or has earned that experience on a job, will always be more motivated, skilled, and valuable to your company, than someone who has spent four years attending lectures. There are more of the former out there, too.

By looking for provable skills and real-world experience over that University parchment, we instantly get an increase in quality candidates who have the security skills our company needs.

Hire for ability, not certificates

Cybersecurity, as an industry, is facing familiar challenges on how to formalize recognition as a profession. There is an acronym soup of vendor certifications that has sprung up, which makes it very difficult to work out what real skills someone has.

Instead of focusing on certifications, ask applicants for a portfolio of their work. What code have they shared on GitHub? What tools have they built? Have they presented at any conferences? Are they active in any open source projects?

Good security people work in the industry because it's interesting and fun, so give them a chance to show that off. Get them talking about the conference talk they did, or the neat tool they built. This is real world, applicable experience that is vastly more valuable than answering 40 multiple choice questions in an hour.

Interview with a case study, not a list of questions

Building on the previous point, it is time to retire the “question and answer” interview. We all carry smartphones and we can all use Google. No one needs to know the difference between a virus and a Trojan off the top of their head.

Instead, take a leaf out of the big consultancies' books. Give candidates a case study -- a problem to solve on a whiteboard, in real time, as their interview. Regardless of skill or experience level, it gives them a chance to showcase their abilities and thought processes. As interviewers, we get a much better idea of how candidates approach real world problems, whether they will be a good cultural fit and where their strengths and weaknesses lie.

When I introduced case study interviews at one organization, I saw a 160-percent growth in the team in 12 months, with retention rates at 100 percent. Cast study interviews don't just land the right candidates -- they land candidates who want to stay.

Expand location expectations

COVID-19 has made it painfully clear that not only are companies able to support remote working, but that remote working actually increases the productivity and mental health of employees. Whether lockdown or travel restrictions ease or not, all companies should be embracing remote working and geographically diverse teams.

The moment a role is advertised that must be within commuting distance of a specific city, the pool of suitable candidates has been shrunk. If the goal is to attract the top skills to our company, expecting employees to be local is going to limit our options and weed out some great candidates.

Cross-train and cross-hire from other IT disciplines

Cybersecurity in particular touches not just all aspects of IT, but also finance, and business processes. Many companies fall into the trap of looking for unicorn candidates who already have all of this experience -- and then find themselves frustrated: there aren't that many people out there with the full skillset and the market is paying top money for them.

Instead, look to internal teams. A network engineer who has been working on firewalls and DDoS protection is a prime candidate for cross-training into a security engineering role. A finance person who has been auditing processes could be a good fit to train up into a governance role.

There is plenty of talent out there: by taking a different approach to the hiring process, we can ensure we attract the candidates with the skills and attitudes we need.

KEYWORDS: cyber security cybersecurity skills gap information security remote work

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Tom kranz

Tom Kranz's career has spanned almost 30 years, as a Cybersecurity and IT consultant.  After a successful career helping UK Government departments and private sector clients (including Betfair, Accenture, Sainsburys, Fidelity International, and Toyota), Tom now advises and supports organizations on their Cybersecurity strategy and challenges.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity Education & Training
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • It's Time to Change Your Perception of the Cybersecurity Professional

    76% of Cybersecurity Leaders Face Skills Shortage

    See More
  • skills-freepik1170x658.jpg

    90% of security leaders face internal cybersecurity skills shortage

    See More
  • cybersecurity900px

    Addressing the Cybersecurity Skills Shortage Through Upskilling and Retention

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing