According to the United States Bureau of Labor Statistics, the demand for cybersecurity jobs is expected to grow significantly – as it has already increased 32% from 2022 to 2023, higher than the average 3% growth rate of all U.S. jobs.
There are several important trends to consider, which ClearanceJobs explored with several experts.
The Focus on Certifications
It has been said for years that the cybersecurity talent shortage isn’t a lack of people. It is a lack of the right people, and that includes those at the entry level as well as those with more experience. There has also been a lot of focus put on certifications, but experts are divided on their importance.
“Enterprises that require professional certifications before interviews are hurting their ability to both attract and develop top talent in the market,” warned Jim Routh, chief trust officer at cloud identity provider Saviynt.
“Practical experience in cybersecurity is far more valuable than professional certifications for candidates,” Routh told ClearanceJobs. “The most effective approach is to reduce/eliminate professional prerequisites/certifications and expand the number of exploratory interviews with a focus on determining what professional skills candidates wish to invest in.”
He further suggested that the pursuit of professional certifications for employees should be positioned within the context of education/learning rather than as a badge of honor for future employment opportunities.
Yet that could be easier said than done, given the state of the industry, and the past emphasis on certifications.
“The industry has always been a mix of needing a degree and/or certification, or many places simply caring that you have the proven experience and expertise,” added Roger Grimes, data-driven defense evangelist at KnowBe4, who told ClearanceJobs, “It’s never great when you have the right person with the needed experience and skillset and all that is missing is a certification.”
Will a Certification Help You Stand Out?
Despite the strong demand for workers, the “right job” could have multiple candidates, and that is where certification could help an individual stand out.
“The value of a ‘cyber certification’ is that it may help the applicant stand out in a sea of fellow applicants where the first line screener often doesn’t understand what the job entails,” suggested Evan Dornbush, a former NSA cybersecurity expert.
“Those certs don’t imply the candidate has any experience,” Dornbush told ClearanceJobs. “They don’t indicate whether the candidate has a particular work ethic. As a business owner, when I hire, my bias is toward seeing research projects, hobbies, and references from people I know and trust. My advice to job seekers is that engaging in the community is a better investment of your time and energy than sitting for a multiple choice exam.”
The Foot in the Door
Those who are seeking entry-level positions may need to truly go above and beyond and show that they’re fast learners, but it is also important that those seeking their first job apply for the positions they are best suited for.
“Entry-level folks should be hired to work on the fundamentals that are often neglected by busy security teams – patching, web filtering, security awareness training, access control, asset management, and change management. Folks hired to do this work require very little hand-holding and can provide a return on investment to their companies within weeks if not days,” emphasized Naomi Buckwalter, senior director of product security at Contrast Security.
At the same time, it is up to the employers to make clear what they expect.
There needs to be a “clear definition of what qualifies as ‘entry-level,’” Buckwalter explained, and told ClearanceJobs that companies should only post “entry-level” cybersecurity jobs that do not require previous work experience.
Cybersecurity Worker Shortage
A strong growth forecast in the cybersecurity sector doesn’t mean that candidates should expect an offer upon walking in the door, and the hiring process can still be prolonged.
That may not be an applicant problem, however.
“The problem is not with the applicants, it’s with the employers,” said Dornbush. “We cannot have 3.5m open roles and simultaneously have massive numbers of people seeking these roles for the extended periods we are seeing presently. Hiring practices are broken in so many places.”
Setting Goals With Clear Responsibilities
Likewise, all too often job postings may not match the actual daily responsibilities, while employers’ expectations are often too high.
“Employers are reluctant to hire people that aren’t senior even though all positions will require training, as each organization uses different tech stacks,” Dornbush continued. “On the other side, organizations haven’t yet figured out how to give security careers a progression path/ladder the way they have with other roles within tech, leading to burnout and retention challenges.”
Another problem is that almost every cybersecurity job requires years of experience, and the industry needs to accept that “newbies” should be given a chance.
“We need to get our new people with zero to low experience a shot at these jobs,” said Grimes. “What you want to hire is someone that has an intense interest in the field that you know will be able to learn quickly, like the job, and be good at it. All the other stuff shouldn’t matter as much as it does. I can train anyone to do anything. It’s mindset and future ability that matters the most.”
Career Transition – Now is the Time
Employers are starting to realize that they may need to look at candidates who will need some training, and that could make now the best time for those thinking about making a career transition.
“I came from being a CPA,” Grimes added. “What matters more is that someone has an intense interest in the field and someone you know with a little training will do the rest to become one of the best employees you ever hired. I think more and more organizations care that the cybersecurity person they hire has good communications skills and understands the business.”
Dornbush concurred with that assessment and told ClearanceJobs, “The best practitioners were at one point system administrators, or software developers, or mathematicians, or accountants/forensic auditors. People who have demonstrated the commitment to solving problems in professional settings.”
Thus the right motivation and a healthy desire to learn could go further than being certified or having years of experience under the belt. Fresh and eager talent may be more attractive than someone who has spent too many years in the trenches, could be burned out, and is looking for an “easier gig.”
“The key is to determine the level of interest in learning new skills during the interview process. Leaps in expertise originate from personal commitment,” noted Routh. “Determining the level of commitment during the interview process will increase the probability of success in a transition to a new discipline.”
Cybersecurity and IT
Employers should make sure that cybersecurity isn’t treated as an extension of IT or made to report to it, and candidates should understand this as well.
“Security should at least be peers with IT, but should ideally report directly to the CEO or Board of Directors, and have its headcount and budget,” said Buckwalter, adding, “Cybersecurity ‘thought leaders’ and ‘influencers’ should use their platforms to showcase the companies and leaders that are investing in the next generation of cybersecurity professionals. The more security leaders see it’s okay to ‘hire someone with no experience,’ the more security leaders will do the same. We simply need to change what ‘normal’ looks like in our industry.”