Cybersecurity not the hiring-'em-like-hotcakes role it once was

Ghost positions, HR AI no help – biz should talk to infosec staff and create 'realistic' job outline, say experts

Analysis It's a familiar refrain in the security industry that there is a massive skills gap in the sector. And while it's true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists.

It seems every year there's another warning about a shortage for security talent – the first warning we found on The Register is from 2009 – yet lately this reporter has run into more and more people in the field who are recounting that even getting an interview can be tough.

Speaking to The Reg, Mary McHale, who works as a careers advisor for UC Berkeley Master's in Cybersecurity, said: "I kind of joke with my students that when I started, I felt like if you could spell cybersecurity you would get an interview. Now a lot of things have changed.

"During COVID, there was huge hiring. Then after that, the companies said 'Oh my gosh, we have too many people. We need to do some downsizing.' And what happened then was a lot of very talented tech people were laid off and began flooding the market in all sorts of areas and began trying to reposition themselves."

The problem is also exacerbated by the latest generation of AI products coming onto the market, McHale explained, and not just in security. AI agents now routinely make decisions about a person's resume and many applicants lack the skills to game such software and bag an interview.

There's also the problem of ghost jobs bedeviling recruitment websites, she added. The majority of HR people surveyed in multiple studies report posting job adverts for positions that don't exist. Reasons range from giving both insiders and onlookers the impression that a business is growing, to motivating staff to work harder because "they think they are replaceable."

According to data on the market from Cyber Seek, a partnership between the National Institute of Standards and Technology, Computing Technology Industry Association, and recruitment consultant Lightspeed, the number of security vacancies peaked in 2022 and the number of people working in the sector has plateaued.

The most in-demand skills are oversight and governance, which is mostly suited to more experienced practitioners. Florida, California, and Texas remain key job markets, although Virginia is also high on the list, as are Maryland and New York.

To cert or not to cert, that is the question

Experience in the field is by far the most attractive thing for employers, McHale told us. Yet qualifications are useful in both demonstrating knowledge and getting around automatic HR filtering systems.

A CompTIA Security+ certificate is de rigueur these days, and being a Certified Information Systems Security Professional (CISSP) doesn't hurt either - without them, HR software will bin an application for a cybersecurity role almost without fail, she said. But once you actually get an interview, a collection of certificates matters less than practical experience and a more formal education.

"Our research indicates that cybersecurity professionals are finding other educational and experience opportunities more valuable when landing a job in cybersecurity," said Andy Woolnough, executive vice president of corporate affairs at International Information System Security Certification Consortium (ISC2).

"Our 2024 research found that 19 percent of professionals entering the field for the first time first prioritized a bachelor's or post-bachelor degree in cybersecurity or other related field, 16 percent received a cybersecurity certification, and 4 percent got a cyber internship, and surprisingly zero of the 7,000+ respondents got an apprenticeship before landing a job in cybersecurity."

Woolnough told The Reg there has been a tendency for those recruiting security professionals to ask for a lot of experience and offer not much in the way of compensation, which turns off many applicants. He recommended that when recruiting new team members HR should sit down with existing security staff and work out realistic requirements.

Overall Woolnough still sees demand for more cybersecurity staff, but budget cuts have led to shifting patterns of hiring and many potential employers are betting on AI as a low-cost way to plug the gaps among generalist security staff. Nine out of ten companies ISC2 surveyed said they had an incomplete security team with skill holes in some areas.

"While the full impact of AI is still unknown, we are hearing that hiring managers are not rushing to hire specialized workers, instead preferring generalists who can cover a range of areas while managers figure out what skills will be most beneficial to meet future demand," he said.

"It's also worth noting that most of the skills needed for entry-level jobs aren't technical. Problem-solving, communication, analytical thinking and critical thinking are all skills that come from fields outside of just cybersecurity. For junior-level staff, it is more important to find those with the aptitude to succeed in cyber (rather than focus on unrealistic experiential requirements) and train them up to take on the lower-level tasks to free up senior staff for advanced work."

He noted that there are some notable skills gaps by industry segment, in part driven by attack trends. For example, manufacturing and critical infrastructure firms are currently facing a shortage of specialists in operational technology after a spate of attacks. And government and education sectors need more zero-trust experts, he opined.

One area where McHale and Woolnough definitely agreed was that networking is absolutely key in the security field. Succeeding in the job market is increasingly about who you know as much as what you know. ®
