Recruiters must look beyond IT for cybersecurity roles, says (ISC)²

Fewer entrants into cybersecurity are coming from IT, while military veterans and those with law enforcement experience make up almost a third of cybersecurity professionals in North America

Posted 28 April 2021 by Christine Horton

Recruiters and hiring managers may need to change how they identify candidates for cybersecurity roles, according to new research by cybersecurity association (ISC)².

The 2021 Cybersecurity Career Pursuers Study of cybersecurity professionals and jobseekers indicates that the path to jobs is shifting. Half of those newer to the field (with less than three years of experience) came from an IT background, compared to 63 percent of those with between three and seven years of experience in the field.

By a wide margin, fewer professionals who are relatively new to the field (less than three years) consider IT experience to be critical (46 percent) than their more senior colleagues (69 percent).

Military veterans and those with law enforcement experience make up 31 percent of the cybersecurity professional respondents, indicating these backgrounds are areas for recruitment.

While cybersecurity professionals tend to be highly educated, just 51 percent have degrees in computer and information services. Less than half (42 percent) of the professionals who responded said a dedicated security education is critical for a role in cybersecurity.

Cloud security was rated by professionals as the most important technical skill new entrants to the field should learn, while problem solving was the top-rated “soft skill” they should have. Both were also the top-rated responses among career pursuers.

Don’t rely on cybersecurity ‘all-stars’

“One of the biggest challenges we have in cybersecurity is an acute lack of market awareness about what cybersecurity jobs entail,” said Clar Rosso, CEO of (ISC)². “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organisations and their cybersecurity leadership need to adopt more mature strategies for building teams.

“Many organisations still default to job descriptions that rely on cybersecurity ‘all-stars’ who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come.”

(ISC)² believes that organisations must adopt more pragmatic approaches to team building. This starts by relying less on the recruitment of cybersecurity ‘unicorns’ with many years of experience, advanced certifications and deep technical acumen, or sourcing new talent exclusively from IT.

Instead, it says “organisations must take broader approaches: curate role-specific requirements; invest in their cybersecurity team’s training and professional development, as well as commit to upskilling and reskilling home-grown talent to help team members translate tangential skills into valuable risk management and security know-how.”