Cybersecurity Talent Shortage or Outdated Hiring Practices

Everyone’s talking about a cybersecurity talent shortage, but here’s the truth: it’s not a lack of talent that is the problem, it’s how companies fail to find and nurture it. Headlines about hundreds of thousands of unfilled jobs tell only half the story.

The real bottleneck is what companies are willing to pay, what they expect, and how little they are willing to invest. They demand unicorns, professionals with deep expertise in multiple domains, years of experience in emerging technologies, and a laundry list of certifications—and then wonder why they can’t fill roles. The problem isn’t talent scarcity; it’s a scarcity of perspective. But the solution doesn’t lie in chasing these mythical hires. It starts with deep self-reflection and a mindset shift: redefining what cybersecurity talent really looks like.

Talent isn’t missing, it’s being overlooked. It’s time to change that.

The Growing Complexity of Cybersecurity Roles: Why Generalists Come First

Over the past decade, cybersecurity has undergone a profound transformation. The accelerated digital adoption spurred by global events, particularly the COVID-19 pandemic, has brought an explosion of new attack surfaces and, with it, increasingly sophisticated cyber threats. To combat these challenges, new cybersecurity roles and disciplines have emerged across a wide range of domains: cloud security, Identity and Access Management (IAM), DevSecOps, application security, vulnerability management, incident response, penetration testing, forensics, Security Operations Center (SOC) analysts, data privacy, fraud detection, revenue assurance, threat intelligence and so on. The field is vast and shows no signs of slowing down.

Here’s where many organizations stumble: they fail to understand which roles they actually need and when. Smaller businesses, especially those with limited resources, benefit from hiring generalists who can manage diverse security responsibilities. These professionals are like Swiss Army knives—able to secure endpoints, monitor network traffic, respond to incidents, and assist with compliance. Generalists are ideal for companies just beginning to establish their security operations.

Larger, more mature enterprises, by contrast, typically require specialists who focus deeply on specific areas such as cloud security or threat intelligence. But hiring a specialist too early, without a solid security foundation, often leads to problems. Why? Because specialists rely on well-defined infrastructure, which encompasses people, processes, and technology. When this infrastructure is underdeveloped, specialists face broken or missing processes, poorly integrated tools, and unclear responsibilities—factors that can seriously hinder their ability to do their job. This leads to mounting frustration and, ultimately, burnout.

Imagine hiring a cloud security architect to build a Zero Trust model in a company that doesn’t even have a working incident response plan or Configuration Management Database (CMDB). They’ll end up wasting their time on manual workarounds instead of strategy. This frustration is amplified when teams are stretched thin due to poor process management, a lack of support, or inadequate staffing.

Compounding the issue is a dangerous but persistent misconception: that cybersecurity is simple and solvable with a few tools, like firewalls and strong passwords. Many business leaders believe that once basic defenses are in place, security runs itself. This mindset underestimates the evolving nature of threats and the proactive measures required to stay ahead. Skilled security professionals recognize this disconnect quickly. It’s demoralizing to work for organizations that fail to grasp the complexity of security operations, leading to further attrition.

Hiring security professionals is only half the battle. Retaining them is an entirely different challenge—and one that too many companies overlook. Cybersecurity is a close-knit, highly connected industry. Thanks to platforms like LinkedIn, Glassdoor, and other social media networks, word about a company’s culture spreads fast. When organizations develop a reputation for toxic environments or for failing to support security initiatives, their ability to attract and retain top talent evaporates.

Corporate culture is a critical factor here. Companies that neglect accountability or de-prioritize work quality are breeding grounds for burnout. Imagine working long hours to patch vulnerabilities, only to have the business dismiss your concerns and fall behind again in the next cycle. In environments like this, even highly motivated professionals will eventually leave.

Burnout doesn’t just come from workload, it comes from the futility of doing high-stakes work in an organization that doesn’t care about security outcomes.

Security professionals want to be part of environments that understand the risks, provide resources to do the job well, and promote long-term career growth.

Experience Levels: The Myth of Entry-Level Security Roles

Ask any cybersecurity recruiter about “entry-level” positions, and you’ll hear the same story: the job descriptions are anything but entry-level. Candidates are often expected to have three to five years of experience, familiarity with Active Directory, and hands-on exposure to network security or email systems. So, what’s going on here?

The problem is rooted in how cybersecurity professionals traditionally entered the field. Many started in IT roles, like system administration or network engineering, before specializing in security. Hiring managers, consciously or not, often expect new hires to follow that same path. As a result, positions labeled “entry-level” require extensive IT experience, creating confusion and frustration for job seekers who are new to the field.

There are no true entry-level positions in cybersecurity.

So, is there any such thing as a real entry-level security role? I’d argue that, in most cases, no. Security Operations Centers (SOCs) may hire junior analysts with minimal experience, but even these roles require a solid understanding of core IT concepts. In my view, an “entry-level” cybersecurity professional should ideally have three to five years of prior IT experience. I know—I’m endorsing the very thing I’m criticizing. Not entirely. I’m making the case that many so-called entry-level roles are misclassified.

Think about it: would you want someone who has never worked in IT, who has never logged into Active Directory or managed systems and Exchange servers, interacting with high-sensitivity, mission-critical systems? Of course not.

This isn’t a hard rule; some highly driven individuals do break into the field without prior IT experience. But for most, having that foundational experience makes the transition to security much smoother.

Companies need to be honest about this reality. If a role truly requires no prior experience, it should be framed as an associate or intern-to-hire position. Defining clear experience levels—associate, mid-level, senior, architect, engineer—helps both hiring managers and candidates align expectations. And by the way, let’s stop calling every senior position “architect.” Security architects are a rare breed, and not every senior hire will fit that mold.

Traits and Skills That Really Matter

When hiring for cybersecurity, technical expertise tends to dominate the conversation. But here’s the thing—tools change constantly. What works today may be obsolete tomorrow, and in the age of ChatGPT, technical expertise is difficult to determine. What doesn’t change is the need for critical thinking, problem-solving, and communication skills.

Think about incident response. A security analyst can’t just rely on automated alerts; they need to analyze logs, correlate data, and ask the right questions to get to the root cause of an incident. Similarly, collaboration is crucial. Cybersecurity touches every part of an organization, from IT to legal to executive leadership. Professionals who can build bridges across these functions are far more effective than those who operate in isolation.

That said, there is one technical skill I always recommend testing: scripting. Whether it’s Python or PowerShell, knowing how to automate tasks can significantly improve efficiency in any security role. Beyond that, hiring managers should avoid being overly technology-specific. I’ve seen teams paralyzed because their “expert” only knew one tool or platform. In cybersecurity, adaptability is survival.

The Complex Value of Certifications

Certifications are often treated as gatekeepers in cybersecurity hiring, but their value is more nuanced than that. Certifications like CISSP, CISA, and CISM are well-known, yet they’re not created equal. Unfortunately, the certification industry has become increasingly greedy. Organizations like (ISC)², which maintains the CISSP, have raised prices and marketed their certs as tickets to six-figure salaries. I reviewed the CISSP material in 2024 and found it outdated, particularly in areas related to modern principles like Zero Trust Architecture (ZTA). Some chapters even contradicted ZTA concepts entirely.

Despite these issues, certifications do offer value, especially at different stages of a career. For beginners, certifications like CCNA, Network+, Security+, and entry-level cloud certs provide a well-rounded foundation. They demonstrate not just subject knowledge but also a methodical approach—something hiring managers should pay attention to.

Still, certifications should never be the sole hiring criterion. I’ve seen highly capable candidates rejected simply because they lacked formal certs. Organizations need to strike a balance here: recognize the value of certifications but also assess candidates on their practical skills and critical thinking.

Biases That Block Strong Candidates

Hiring manager bias is a subtle but powerful barrier to building high-performing cybersecurity teams. Many managers feel intimidated by candidates with strong credentials—those holding traditional degrees, certifications, and a habit of questioning the status quo. These candidates often approach problems systematically, referencing best practices or established industry frameworks. For some managers, this represents a challenge to their authority and decision-making, or worse, exposure. Rather than seeing such candidates as assets, they see them as potential disruptors who may demand higher standards and call out poor practices.

As a result, these managers often gravitate toward candidates who feel “comfortable,” in a field where complacency is the killer. They favor those who won’t challenge their strategies—perhaps candidates with less formal education, fewer certifications, or a mindset that aligns with internal subcultures. This is particularly common in environments where IT teams develop an insular, us-vs-them dynamic, viewing end users and other departments as obstacles rather than partners.

This bias doesn’t just limit diversity of thought; it weakens the organization’s ability to innovate and stay resilient. Cybersecurity threats evolve quickly, and teams that rely solely on like-minded hires risk stagnating. Companies need hiring managers who can recognize the value of individuals with strong credentials and collaborative skills—those who might challenge flawed assumptions but ultimately strengthen the organization.

Addressing this bias requires leadership intervention. Structured interview processes, clearer evaluation criteria, and cultural shifts toward accountability and openness are essential. Without these changes, organizations will continue losing out on the very candidates who could transform their security posture for the better.

Hiring Strategies That Work

Modern cybersecurity hiring requires precision and flexibility. Job descriptions should be realistic and tailored to the role—not laundry lists of every possible security skill. If you’re hiring for cloud security, focus on cloud-specific tasks and avoid cramming in unrelated requirements.

Interviews should go beyond talk. Have candidates demonstrate skills through scripting exercises or cloud platform scenarios. Let them log into a sandboxed AWS or Azure environment and solve a problem. And be aware of AI’s growing role—tools like ChatGPT can help candidates draft answers but can’t fake deep problem-solving ability in real-time challenges.

Finally, remember that long-term retention depends on more than salary. Remote work flexibility, professional development opportunities, and a supportive culture are key to keeping cybersecurity talent engaged.

There’s no shortage of cybersecurity talent—it’s there if you know where to look and how to hire. By modernizing your approach, you’ll not only fill roles faster but also build a team that can adapt to an ever-changing threat landscape. The future of your security depends on it.


Mani Masood

A seasoned professional in IT, Cybersecurity, and Applied AI, with a distinguished career spanning more than 20 years. Mr. Masood is highly regarded for his contributions to the field, holding esteemed affiliations with notable organizations such as the New York Academy of Sciences and the IEEE – Computer and Information Theory Society. His career and contributions underscore his commitment to advancing research and development in technology.
