Teamwork, problem-solving, and analytical thinking outrank core technical skills such as data security and cloud security as criteria for hiring entry-level cybersecurity staff today, according to a report from ISC2.
The cybersecurity training and certification organization’s Cybersecurity Hiring Trends study also found that AI’s growing role in cybersecurity is shifting hiring priorities, with managers placing greater value on human skills that artificial intelligence can’t replicate.
The study — based on a survey of 929 hiring managers from enterprises in Canada, Germany, India, Japan, the UK, and US — looked at what skills, attributes, and responsibilities cybersecurity hiring managers expect from early-career and entry-level security staff, as these roles, undergoing AI disruption, continue to be vital for developing long-term cybersecurity defense strategies and plugging skills gaps.
Hiring criteria in flux
Experts quizzed by CSO agreed that teamwork, communication, and problem-solving should be a priority for hiring managers while arguing that the industry needs to broaded its search for potential entrants to have any chance of closing the growing skills gap.
Mo Gaibee, associate consultant at technology recruitment firm Harvey Nash, told CSO that employers are looking for a combination of technical aptitude combined with people skills.
“As security is no longer confined to the IT team, cyber professionals need to work closely with legal operations, HR, and even marketing, which makes soft skills essential,” Gaibee said. “They want strategic thinkers who can embed security into every part of the organization.”
Gaibee continued: “Greater priority is also now given to strong communication skills — especially with non-technical stakeholders, problem-solving in fast moving environments, collaboration across departments, adaptability and strategic thinking are also high on the list.”
Gregory Rouvelin, marketing director at employers.io, a platform that provides insights into industry hiring trends, added that “technical skills still matter, but with AI now handling a lot of routine monitoring and detection, employers are placing greater value on human capabilities.”
While CISOs have been increasingly rethinking hiring to emphasize skills over degrees, early-career professionals should expand their learning beyond mere certifications, Rouvelin advised.
“Demonstrating analytical thinking and teamwork in practical settings is now just as valuable as listing cloud security modules on a CV,” Rouvelin said. “Employers are actively looking for that balance because it’s where AI can’t compete.”
The certification trap and broken pipelines
Other experts argued that an over reliance on CVs and certifications is one of the biggest barriers to hiring success in cybersecurity because it acts to shut out otherwise qualified candidates.
“Despite bringing valuable experience and perspectives, people with 10 years of work experience are put off because there is a persisting emphasis on certifications,” said Kieran Rowley, director of community at cyber skills training firm Immersive Labs. “It’s absurd that an industry facing a skills shortage overlooks talent simply because candidates lack the ‘right’ exams.”
Rowley added: “A cybersecurity degree doesn’t guarantee the best fit.”
Raghu Nandakumara, VP of industry strategy at cybersecurity vendor Illumio, said the lack of a clear pathway from education to employment is acting as a barrier to entry into the profession and therefore contributing to the cyber skills gap.
“Currently, talented individuals drift into other, more accessible fields as they struggle to find a clear pathway into cybersecurity,” Nandakumara told CSO. “We lack the necessary follow-up support to guide individuals into the workforce.”
While apprenticeships and internships are valuable, there simply aren’t enough of them, according to Nandakumara.
“Smaller organizations lack the resources to offer such schemes, and the government needs to step in more to support these initiatives or to encourage more larger organizations to adopt them,” Nandakumara added.
Chris Wysopal, chief security evangelist at Veracode, argued that the “entry-level pipeline in cyber security is broken.”
“Many of the best potential practitioners aren’t university types, but unconventional talent like gamers, builders, and deep thinkers found in online communities,” Wysopal said.
Criminalizing hacker behavior is a shortsighted move that’s costing the industry an opportunity to recruit more than viable candidates, according to Wysopal.
“When it comes to hacking, not every teenager who tricked someone into handing over a password should be branded a criminal for life,” Wysopal argued. “We need to distinguish between genuine cybercrime and youthful curiosity, the latter of which should be sought after in cyber recruitment.”
The AI effect
Cyber talent has always been in high demand but this has intensified with threats increasing in both frequency and severity. The global cyber security skills gap is estimated at 4.8 million, a 19% increase from 2024.
“Addressing these skills shortages, we are seeing more organizations turning to AI to do some of the heavy lifting, for example, in early threat detection and summarization,” says Harvey Nash’s Gaibee. “This is not replacing the need for cyber talent, just providing an effective way to manage the ever-increasing threats.”
Increased use of AI is changing the profile of candidates in demand, according to both Harvey Nash and other industry experts.
IT skills will change, rather than be replaced, as AI takes over more repetitive tasks, according to a recent survey by IT management software vendor ManageEngine.
But Richard Watson, global cybersecurity consulting leader at EY, recently told CSO that he believes the level-one SOC analyst role “is going to be eradicated” by AI eventually. As a result, CISOs and cyber pros need to emphasize skills such as business literacy and communication.
“The role is shifting to be one of partnering and advising because a lot of the technology is doing the monitoring, triaging, quarantining, and so on,” Watson told CSO’s Christine Wong.
So, while technical skills will always be a key issue for cyber skills gaps, as AI takes on more technical tasks, the mix of skills CISOs are short on will increasingly include problem-solving, analytical thinking, and the range of people skills necessary to ensure a robust cybersecurity culture across the enterprise.
Broadening talent pools
Rob Demain, CEO of managed detection and response firm e2e-assure, said the vendor has amended its hiring process to make it more inclusive. As a result, one in 10 of e2e-assure’s workforce identify as neurodiverse — an often overlooked talent pool for cybersecurity.
“Their strengths in pattern recognition, creative logic, and attention to detail directly map to the capabilities ISC2 highlights as most in demand and make us a stronger partner for our customers,” Demain explained.
Hannah Roome, talent acquisition manager at cybersecurity services firm Bridewell, said the vendor is actively trying to increase diversity and expand its hiring scope by reaching out to universities, industry groups, and those seeking a change of career.
“We deliver workshops, presentations, and Q&As to schools, colleges, universities and professional membership organizations such as SANS, WiCyS [Women in Cyber Security], TechVets, and the Career Transition Partnership, both of which support those leaving the military,” said Roome. “Many of these schools and colleges support underprivileged communities from a diverse set of backgrounds.”
Illumio’s Nandakumara argued that rather than concentrating on pre-existing technical knowledge in candidates, cybersecurity hiring should focus on creativity, critical thinking, and willingness to learn.
“These skills are much harder to teach than technical ones,” Nandakumara argued. “By valuing aptitude and diverse experiences, the industry can attract non-traditional talent and build a more inclusive workforce.”
No Responses