Hiring For Cybersecurity Roles
At a time of heightened cybersecurity and amidst the “Great Resignation,” how are decision makers navigating hiring for cybersecurity roles?
One minute insights:
Hiring for cybersecurity roles is described as challenging by most
The most in-demand cybersecurity areas are cloud, IAM, and DevSecOps
Security engineer is the most in-demand cybersecurity role
Most decision makers are interviewing 4 - 6 candidates at the final stage
The average candidate application is satisfactory with 4 - 6 years of relevant experience
Eagerness to learn is the quality most decision makers look for in cybersecurity candidates
The increased demands of remote work are the most cited challenge for filling cybersecurity roles
Almost all agree the cybersecurity talent shortage will get worse
Decision makers are finding it challenging to hire for cybersecurity roles
At the time of answering, 70% of decision makers reported that their organization was hiring for cybersecurity roles.
Is your organization currently hiring for cybersecurity roles?

91% of those who were hiring for cybersecurity roles described the process as challenging.
Has hiring for cybersecurity roles been a challenge?

n = 181
Of those whose organization wasn’t currently hiring, 82% had plans in place to hire for cybersecurity roles in the future.
Are there plans to hire for cybersecurity roles within your organization?

n = 88
Staffing cyber security roles has been extremely difficult.
We have been having a hard time with the talent pool. There is much demand in the market for these roles.
Cloud security is the most in-demand area of expertise, while most are looking for security engineers
Most respondents actively hiring were looking for cybersecurity roles in cloud security (56%), identity and access management (IAM) (52%), and DevSecOps (51%).
Do you have adequate budget in place to hire the desired level of cybersecurity talent?

Information security governance and risk management 39%, Operations/operational security 31%, Pen testing 29%, Legal, regulations, investigations, and compliance 27%, Endpoint security 24%, Data security 22%, Privileged access management (PAM) 22%, Business continuity and disaster recovery planning 10%, Internet of Things (IoT) security 7%, None of these 0%, Other 0%
n = 181
Security engineer (76%) was the most sought-after cybersecurity role, followed by security analyst (64%).
What cybersecurity roles have you been hiring for?

None of these 2%, Other 2%
n = 181
Quality of candidates is a concern, there is a flood on the market of jr analysts, but there is a distinct lack [of] tenured experience.
Most are interviewing 4 - 6 “satisfactory” candidates in the final round, and report that the average candidate has 4 - 6 years of relevant experience
Most (49%) decision makers interview between 4 and 6 candidates in the final round of interviews for a single cybersecurity role.
How many candidates do you interview (in the final round of interviews) per cybersecurity role?

Most (53%) describe the average quality of cybersecurity candidate applications as satisfactory. Only 5% describe the average application as high quality.
How would you describe the average quality of cybersecurity candidate applications?

n = 181
On average, cybersecurity candidates have 4 - 6 years of relevant experience, according to most (49%) decision makers.
What is the average number of years of relevant experience for each cybersecurity candidate?

[It is] very hard to winnow the chaff from the wheat before the actual interview stage.
It is challenging to determine cybersecurity skills during interview.
Most decision makers are hiring with a competitive budget and feel satisfied with their hiring process
When it comes to hiring the right talent, most decision makers describe their budget as competitive (39%).
Do you have adequate budget in place to hire the desired level of cybersecurity talent?

59% are satisfied with their hiring process for cybersecurity roles, compared to 17% who are dissatisfied.
Are you satisfied with your hiring process for cybersecurity roles?

n = 181
It is hard to meet financial demands of good specialists.
It is worth [it] to offer [a] good salary to the proper person. It will pay back.
The most sought-after quality for cybersecurity roles is an eagerness to learn
The top 3 qualities decision makers look for in cybersecurity roles are eagerness to learn (66%), relevant experience (64%), and core technical skills (48%).
What are the top 3 qualities you look for in a candidate for a cybersecurity role?

Ability to speak the language of the business (e.g., convey cybersecurity risk to business leaders) 44%, Experience working for top companies 37%, They have a strong peer network 22%, Computer science background 11%, Persona (do they have an online brand/are known for speaking roles/thought leadership?) 10%, Business degree 6%, None of these 1%, Other 0%
n = 259
HR and hiring managers need to have realistic expectations of entry level positions. Asking for a CISSP and years of experience for entry-level pay isn’t a sign of a skills shortage, just clueless management.
Certifications are a must. Employers should sponsor certification.
Remote work demands are the most cited challenges to filling cybersecurity roles, while almost all agree the cybersecurity talent shortage will get worse
The increased demands of remote work (50%) are the most commonly cited challenge for filling cybersecurity roles, followed by burnout among cybersecurity professionals (44%) and lack of cloud computing skills (38%).
Do you see any of the following as challenges to filling cybersecurity roles?

Cybersecurity professionals fear blame for cybersecurity breaches 25%, Current cybersecurity climate too challenging 22%, Lack of business support for cybersecurity (cybersecurity viewed as a cost) 22%, Cybercrime is more lucrative 19%, Lack of quality training programs/schools 19%, Current cybersecurity tools insufficient 16%, None of these 1%, Other 1%
n = 259
92% of decision makers agree that the cybersecurity talent shortage will get worse.
To what extent do you agree with the following: “The cybersecurity talent shortage is only going to get worse.”

Volume of candidates seems to be not sufficient right now.
This will probably get worse before it gets better.
Companies need to start internal recruitment and commit to training. A long time ago you could take an employee who was strong in programming and invest in their training to work in other areas. Our company no longer offers that type of career path. They want to hire & fire as needed. It’s not working and now employees are leaving since they know the career path can be short. Hopefully other companies invest more in the talent they already have.
Instead of looking outward, companies should focus on adding cybersecurity training and responsibilities onto existing employees who are already familiar with the landscape of operations.

Respondent Breakdown
