Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

There just aren't enough certified cybersecurity pros to go around -- and there likely never will be enough. So how do you fill out your cybersecurity team? Executives and hiring managers share their top tips on recognizing solid candidates.

There's a general acknowledgement that there aren't enough trained cybersecurity professionals to go around. Conversations at cybersecurity conferences are often centered on where to find top pros, how much to pay them, and what string of letters behind their names means the most.

Even the organizations that provide cybersecurity certification admit that there aren't enough certified pros to meet the need — and that there never will be enough. So what's a manager charged with finding cybersecurity talent to do?

Many executives and hiring managers say the key to finding solid talent is flexibility in the search. "The process is very much like drafting professional athletes," says Mike Jordan, vice president of research with Shared Assessments. When you can't find a position player that you need, you look for individuals who have the skill sets relevant to the position. Find ones that are smart and hardworking and they should be able to fill the position nicely."

Heather Paunet, vice president of product management at Untangle, says that it's important to get it right. "Searching for candidates to fill cybersecurity positions beyond certifications and years of experience can seem counterintuitive, but there are many other interests and logical business skills that are just as important to consider," she explains.

We asked executives what they would look for in filling cybersecurity positions. What they provided was less a checklist of specific skills than an indication of the broad skills, experiences, and personality traits that make someone a great candidate for the cybersecurity team. What they didn't provide was a simple way to look for those on a resumé — but no one said that solving the hiring problem was going to be easy.

Of course, not everyone agrees that there is, in fact, a shortage of cybersecurity professionals.

"The premise that we are short of cybersec pros is BS spread by businesses with a vested interest in importing HB-1 workers," says Colin Bastable, CEO of Lucy Security. "There is no shortage of cybersec pros — just a shortage of good ones, and that is a good thing. The market decides. Certification is a scam — it just gets us a load of talentless credentialed people who make the world less secure. You want to hire someone who understands how the enemy thinks but without the moral baggage of being a cybercrook. Most employers with a four-year degree will hire someone with a four-year degree, but zero talent." All you have to do is find that elusive thinker.

What do you think — is it possible to hire a great cybersecurity professional in the absence of security certification? If it is, what do you look for in a great candidate? We'd like to know your thoughts; please talk to us in the Comments section, below.

Read on to see what other security hiring managers had to say.

(Image: chokniti VIA Adobe Stock)

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights