Security Experts:

Connect with us

Hi, what are you looking for?


Training & Awareness

How to Attract Hard-to-Find Cybersecurity Talent

It’s tempting to view cybersecurity through the lens that new and better technology will knock down threats and deliver all the protection an organization needs. While the right tools, applications and systems are essential, the problem for most organizations is managing a security framework. 

It’s tempting to view cybersecurity through the lens that new and better technology will knock down threats and deliver all the protection an organization needs. While the right tools, applications and systems are essential, the problem for most organizations is managing a security framework. 

Currently, nearly 600,000 cybersecurity positions remain unfilled in the US or put another way about 46% of all cyber positions. Globally, the shortage is approximately 2.7 million. What’s more, the problem is accelerating

This talent shortage has real world repercussions. It makes it more difficult to use tools and technologies effectively, but it also overburdens existing staff and results in protection gaps that increase risks. Yet, snagging cybersecurity talent is an increasingly daunting task. It often seems as though people with the right background and qualifications simply don’t exist.

The upshot? Security leaders must approach staffing in broader and deeper ways. These days, it isn’t enough to rely only on those with degrees, certifications and past experience. By expanding the labor pool to those who are self-taught or have a knack for cybersecurity—and training them for specific roles—the universe of candidates expands exponentially.

Taking a Position

It’s tempting to rely on all the usual suspects for attracting talent. This may involve posting job listings on LinkedIn and on conventional job boards. Or posting openings at a company’s website or using computer programs to scan résumés and look for talent by searching on keywords.

A starting point for spotting cybersecurity talent is to think more broadly. For example, college job fairs, gaming conventions, hackathons and various other events can serve as valuable resources. A booth or even an informal presence at industry events can pay enormous dividends. It may also be possible to sponsor programs or participate in learning partnerships at universities and technical institutes—and thus establish connections with professors and students.

Yet, it’s also critical to rethink the fundamental way an organization approaches hiring. Unfortunately, many companies are entirely out of sync with the marketplace. For example, it isn’t uncommon on LinkedIn to see “entry level” job postings that require multiple certifications and several years of experience. The idea that an entry level position requires this type of background is unrealistic and counterproductive.

In fact, Gartner and other consulting firms point out that security leaders and human resources departments habitually undermine recruiting efforts by writing job postings that contain too narrow or overly vague qualifications. Not surprisingly, onerous or unclear requirements intimidate and scare off qualified candidates. Buzzwords only serve to complicate things—especially when algorithms are doing much of the initial screening.

Instead, it’s better to focus on broadening the net…and requirements. For instance, only about 25% of all cybersecurity positions are currently held by women. But it also means looking beyond computer science majors to fill cybersecurity positions. Many jobs in the field do not require a formal computer science education and technical certifications. Oftentimes, it’s possible to get a bright and motivated person up to speed quickly, with minimal training.

In other words, it’s the underlying attitude and qualities that matter. The ability and desire to solve puzzles is the cornerstone of a good cybersecurity pro. So too is working with others. With the right training, certifications and a mentoring program, candidates with minimal practical experience who are motivated to learn will ultimately perform well. 

The bottom line? Instead of forcing applicants to conform to the unrealistic expectations of the company, itt pays to bend a bit to accommodate the candidate. In the end, everyone wins.

Risks and Rewards

Of course, attracting talent is only part of the picture. There’s also a need to retain expertise—and avoid other firms poaching staff. While salary is certainly a starting point for all work, it’s vital to look beyond the flat earth of thinking that money is the primary factor for winning the talent wars. 

In reality, successful organizations strive for an engaged culture—and work hard to establish a framework where people fully trust each other. This means creating meaningful work and providing opportunities to advance in the organization and within the field. Not surprisingly, many younger workers, particularly Millennials, thrive in environments where they have a chance to continually learn, advance and have fun. 

And, yes, cybersecurity can be incredibly fun and engaging—even if it’s serious and at times frustrating work. A few ways to make work interesting, while ratcheting up protections, is through red and blue team events, internal hackathons, and various contests—which may include modest prizes and rewards. It’s also possible to tap cyber-skill-building and development tools that emulate real-world events and allow staff to test and develop their skills in realistic scenarios.

When organizations adopt a broader yet more focused framework for cybersecurity staffing, they’re suddenly positioned to gain a clear competitive advantage in the labor market. Instead of constantly scrambling for talent, they can organically attract new candidates.

Written By

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

UK-based cybersecurity training solutions provider Immersive Labs announced on Wednesday that it has raised $66 million in new capital.

Management & Strategy

750 cyber specialists have participated in Defence Cyber Marvel 2 (DCM2), the biggest military cyberwarfare exercise in Western Europe.


Series A funding brings the total amount raised by cybersecurity training company to $15 million.

Management & Strategy

Tips for making a presentation that will help improve the state of security programs and reflect favorably on the presenters and their companies

Application Security

Hack The Box Raises $55 Million in Funding Round Led by Carlyle

Management & Strategy

Neurodivergence, by its name, implies a different way of thinking. The question we wish to examine is whether the inclusion of this neurodiversity can...

Management & Strategy

The US government’s 120-day Cybersecurity Apprenticeship Sprint has come to an end. The initiative has resulted in more than 190 new cybersecurity programs and...