{"id":2770,"date":"2025-04-16T10:01:00","date_gmt":"2025-04-16T10:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2770"},"modified":"2025-04-16T10:01:00","modified_gmt":"2025-04-16T10:01:00","slug":"cisos-rethink-hiring-to-emphasize-skills-over-degrees-and-experience","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2770","title":{"rendered":"CISOs rethink hiring to emphasize skills over degrees and experience"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For decades security chiefs have trained their sights on job applicants with university degrees.<\/p>\n<p>But ongoing skills shortages and experiences with highly talented security pros who do not hold college degrees are spurring some CISOs to rethink their hiring strategies, favoring a skills-based approach to filling cybersecurity roles.<\/p>\n<p>It\u2019s a big shift in how professionals get hired, says Jon France, who, when he became CISO at ISC2 in early 2022, inherited a security team that had a mix of workers with and without college degrees.<\/p>\n<p>That mix of talent produced a valuable range of experiences and skills, France found. Seeking to build on that dynamic, France decided to remove the requirement for a college degree for jobs in his department, and removed certification requirements for some positions as well.<\/p>\n<p>\u201cPreviously a college degree was what we used as an indicator of quality, but now we\u2019re accepting many more indicators of quality, not just a degree. 
Because while a degree is an indicator, it is not the only indicator and, arguably, it is not the best indicator,\u201d France says.<\/p>\n<p>Under France, ISC2\u2019s security department looks for candidates who can solve problems, demonstrate good communication capabilities, and show curiosity. It also asks candidates to prove they\u2019re up to snuff on the specific technical tasks they\u2019ll be performing if they land the job.<\/p>\n<p>\u201cThose are the things I\u2019d look for in someone over a degree and even certifications,\u201d France adds.<\/p>\n<h2 class=\"wp-block-heading\">Skills-based hiring: Hard work, mixed results<\/h2>\n<p>France is part of a growing movement to implement skills-based hiring, which, as the name suggests, awards job offers to candidates who can demonstrate they have a good percentage of the skills required to do the work required in the role, regardless of educational background or experience.<\/p>\n<p>Like others, France believes a skills-first focus is the best way to bring together diverse talents to create a cohesive, high-performing team. He also recognizes that many talented workers don\u2019t have degrees, having <a href=\"https:\/\/www.csoonline.com\/article\/3853771\/veterans-are-an-obvious-fit-for-cybersecurity-but-some-tailored-support-helps-ensure-they-succeed.html\">opted for military service<\/a> or other opportunities before seeking a career in cybersecurity. Moreover, he knows there just <a href=\"https:\/\/www.csoonline.com\/article\/3810857\/the-cybersecurity-skills-gap-reality-we-need-to-face-the-challenge-of-emerging-tech.html\">aren\u2019t enough existing cybersecurity professionals<\/a> to fill open positions.<\/p>\n<p>But shifting to skills-based hiring takes a lot more work than dropping \u201cdegree required\u201d from job postings to be successful. 
Many organizations, in fact, are failing in their attempts.<\/p>\n<p>According to a <a href=\"https:\/\/www.hbs.edu\/managing-the-future-of-work\/Documents\/research\/Skills-Based%20Hiring.pdf\">2024 report<\/a> from Burning Glass Institute and Harvard Business School, skills-based hiring is gaining momentum, but, \u201cfor all its fanfare,\u201d the report authors write, \u201cthe increased opportunity promised by Skills-Based Hiring has borne out in not even 1 in 700 hires last year.\u201d<\/p>\n<p>Some 45% of organizations studied as part of the report are implementing skills-based hiring in name only, having made no substantial changes to how they recruit and screen for talent. Another 20% or so made progress toward a skills-based approach but their efforts didn\u2019t stick, despite short-term gains.<\/p>\n<p>\u201cSuccessful adoption of Skills-Based Hiring involves more than simply stripping language from job postings,\u201d according to the report. \u201cTo hire for skills, firms will need to implement robust and intentional changes in their hiring practices \u2014 and change is hard.\u201d<\/p>\n<h2 class=\"wp-block-heading\">\u2018Hire differently\u2019<\/h2>\n<p>France and ISC2 are among the 37% of leaders and organizations who have put in the work to make skills-based hiring an effective strategy, not just an empty promise.<\/p>\n<p>To improve outcomes, France works with the HR team to review job descriptions for open positions and then crafts them based on the organization\u2019s current needs, detailing the tasks that the position would handle when filled and the skills required to tackle those tasks.<\/p>\n<p>In some cases France lists <a href=\"https:\/\/www.csoonline.com\/article\/575395\/upskilling-the-non-technical-finding-cyber-certification-and-training-for-internal-hires.html\">nontechnical skills and attributes<\/a> such as \u201cmust be able to solve complex problems\u201d first in job postings. 
\u201cWe favor more trait-based things rather than the hard skilling\u201d in such cases, he says.<\/p>\n<p>Such work helps hiring teams know how to evaluate resumes without falling back on degrees as the default indicator of needed capabilities, he explains.<\/p>\n<p>He also has tweaked the interview process, so candidates are asked to work through scenarios to test their technical, personal, and intellectual skills.<\/p>\n<p>\u201cYou test facets of a person,\u201d he says.<\/p>\n<p>Such moves, France says, do not preclude him from asking candidates about their education. Nor do they preclude him from requiring certifications for some jobs; France, like others, says certifications can indicate specific skills and aptitudes \u2014 often better than a degree.<\/p>\n<p>In fact, France will also require some new hires to earn specific certifications within a specified time period after being hired, which he believes shows the new hire\u2019s willingness and ability to learn.<\/p>\n<p>All this, he says, has helped him \u201chire differently.\u201d<\/p>\n<p>\u201cI\u2019ve gotten candidates I wouldn\u2019t have had before by doing this, and I\u2019ve gotten a better group of candidates as well. It\u2019s given me diversity in its truest sense, and that diversity gives you the best candidate pool,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Matching the work that needs to be done\u2019<\/h2>\n<p>The principle of skills-based hiring does have a whiff of everything-old-is-new-again, as employers have always sought workers with demonstrable skills. Moreover, the technology ranks have long been populated with highly accomplished professionals without college degrees.<\/p>\n<p>Still, more employers are making the shift, and by emphasizing skills in their job listings and assessments, many are improving the hiring process. 
According to <a href=\"https:\/\/business.linkedin.com\/talent-solutions\/resources\/future-of-recruiting\">LinkedIn\u2019s The Future of Recruiting 2025 report<\/a>, \u201ccompanies with the most skills-based searches are +12% more likely to make a quality hire.\u201d<\/p>\n<p>CyberSN founder and CEO Deidre Diamond has found that to be the case.<\/p>\n<p>Diamond adopted a skills-first approach at her staffing solutions firm, which places full-time permanent hires and uses a taxonomy created by her firm to write candidate requirements that \u201creflects what the person will do day to day.\u201d<\/p>\n<p>This helps her team and their clients move away from ambiguous job titles such as <a href=\"https:\/\/www.csoonline.com\/article\/571233\/security-engineer-requirements-certifications-and-salary.html\">security engineer<\/a> and correspondingly vague job descriptions \u2014 both of which can force hiring managers to fall back to searching for candidates with relevant degrees as badges of professional competency.<\/p>\n<p>In addition to looking for candidates with well-regarded certifications that demonstrate they have desired skills, Diamond also uses written and verbal tests to determine whether candidates, particularly ones new to the profession, have the skills needed for posted positions.<\/p>\n<p>\u201cIt\u2019s all about matching the work that needs to be done to the work [a candidate has] done recently,\u201d explains Diamond, who is also a board member at Cyversity, a nonprofit promoting diversity in the cybersecurity field.<\/p>\n<p>Executives at Immersive are likewise having a good run with a skills-based approach for hiring cyber talent, overcoming challenges along the way.<\/p>\n<p>The company, which makes a cybersecurity training and exercise platform, doesn\u2019t mandate degrees or certifications but evaluates candidates on competencies, says Dan Potter, Immersive\u2019s senior director of resilience.<\/p>\n<p>It uses its own platform for recruiting, 
advancing candidates for some cyber jobs through specific learning content. The company considers each candidate\u2019s performance, including their problem-solving accuracy and processing time, to identify \u201cpeople [who can] make quick but well-informed decisions,\u201d Potter says.<\/p>\n<p>Candidates brought in for interviews are presented challenges to assess their problem-solving and collaboration skills, he adds.<\/p>\n<p>\u201cCybersecurity is fast paced, with new challenges every day, so we want to know if [candidates] have a drive, have that mindset where they want to solve problems,\u201d he says.<\/p>\n<p>Like ISC2\u2019s France, Potter says succeeding with this approach means working with HR, in part to ensure pay scales don\u2019t favor workers with degrees over others. He also says it requires changing the typical enterprise mindset that degrees automatically signal competency.<\/p>\n<p>Immersive\u2019s process has yielded hires who might not stand out in more traditional recruiting settings but are nonetheless valuable employees, Potter says.<\/p>\n<p>\u201cIndividuals might not look the best on paper, but they\u2019re showing they\u2019re excellent at what they do,\u201d he adds.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For decades security chiefs have trained their sights on job applicants with university degrees. But ongoing skills shortages and experiences with highly talented security pros who do not hold college degrees are spurring some CISOs to rethink their hiring strategies, favoring a skills-based approach to filling cybersecurity roles. 
It\u2019s a big shift in how professionals [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2771,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2770"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2770"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2771"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}