
New report reveals major shift in cybersecurity talent crisis


A new SANS report reveals that the cybersecurity talent crisis is shifting: the problem is no longer a lack of applicants, but rather a lack of job-ready skills. Technical capability now outweighs experience and degrees in hiring decisions.

Steven Lafortune

Hello! I'm Steven Lafortune—Devolutions' communication maestro by day, riff-slaying guitarist by night, and the ultimate hockey play-by-play guy in between. When I'm not rescuing Hyrule in The Legend of Zelda or watching the extended Lord of the Rings trilogy for the 235,476th time, you’ll probably find me rocking out at a show. Quick-witted, always up for a laugh, and full of fresh ideas, I bring the same energy to my work as I do to the stage!


Announcing that there is a massive shortage of cybersecurity professionals is not “breaking news.” The talent crisis has been ongoing for several years. Today, an estimated 4.8 million cybersecurity positions are vacant worldwide — and that number is increasing about 19% each year.

However, what is certainly worth paying attention to is the unexpected revelation in the new 2025 Cybersecurity Workforce Research Report from SANS. For the first time, a majority of hiring managers say that the core problem they face when it comes to cybersecurity recruiting is not a lack of interest from applicants. Rather, they are struggling to find people who have the right mix of job-ready skills that will make them, their team, and their organization as a whole successful.

Technical capability emerges as top hiring qualification

The SANS report surveyed nearly 3,400 cybersecurity and HR managers from around the world, and found that for 52% of respondents technical capability has now overtaken work experience and academic credentials as the most valued hiring qualification.

It should be added that technical capability in this sense is not limited to competencies such as coding, risk analysis, network security control, and other so-called “hard skills.” It also includes factors such as adaptability, eagerness to learn, and the ability to work well in a team environment.

This is a significant departure from conventional thinking among organizations, which prioritized increasing headcount. In other words: for many years, the mandate for hiring managers was to get people with strong cybersecurity knowledge — but not necessarily proven abilities — into the organization. Now, many hiring managers are saying that approach isn’t optimal. Instead, they are focusing on candidates with the right mix of job-ready skills, and balking at candidates who only have impressive resumes.

The end of the cybersecurity talent crisis?

The paradigm shift revealed in the SANS report is convincing some experts to conclude that the cybersecurity talent crisis — at least as it has been conventionally described and discussed — is over. Instead, it has been replaced by a directive for organizations to target skilled workers outside traditional cybersecurity talent pools in areas like accounting, education, HR, and other unexpected spaces, and actively cultivate those new hires into effective cybersecurity professionals.

Commented Helen Patton, former CISO and cybersecurity leader at Cisco: “My personal perspective is that we don’t actually have a talent shortage in cybersecurity. The real issue lies in understanding the skill sets that are needed for the kinds of roles you have, and finding the people who have those skill sets.”

Advice for companies and job seekers

The optimal framework for finding, hiring, and keeping cybersecurity talent may be shifting. But what isn’t changing is that this will remain a major challenge for years to come.

To shed some light on this situation and point the way forward, we asked Devolutions’ CIO Simon Chalifoux to share some advice for companies facing a cybersecurity skills shortage. We also asked Simon to provide some suggestions for job seekers who may have strong knowledge and credentials, but lack the job-ready skills that would make them a top candidate.

  • Advice for companies: It just makes sense that after years of skill shortages, the current wave of newcomers lacks extensive hands-on experience. It's time to be part of the solution. We need to welcome these individuals into our sector — otherwise, the situation will only continue. While it is ideal to find candidates who have both technical and non-technical skills, in many labor markets this expectation is unrealistic. Companies should therefore be flexible and hire based on attitude and willingness to learn, and then grow together with their new people.

  • Advice for employees: Given the current state of the sector, if you can't find your first job in cybersecurity, one of the best ways forward is to strengthen your network. Attend cybersecurity conferences or capture-the-flag events, build relationships or get involved in bug bounty programs. You could also volunteer your time and skills with community organizations, or take a more active role in professional associations. And don’t feel that a lack of deep cybersecurity knowledge or experience will eliminate you from consideration. Skills and competencies such as communication, teamwork, adaptability, and critical thinking are extremely important and valued. Highlight and demonstrate these abilities, as they are competitive advantages.

What’s your view?

Are you seeing any recent changes in cybersecurity hiring practices? If so, what is your view of these shifts? Do you think they are positive or negative?

Also, what advice do you have for companies that are facing cybersecurity recruiting challenges? What are they overlooking or doing wrong?

And what advice do you have for individuals who want to enter the cybersecurity field? What should they be doing to strengthen their candidacy both in the recruiting process, and also when they start their new job? What strategies should they adopt, and what mistakes should they avoid?

Please share your insights, experiences, advice, and warnings by commenting below.
