Industry gatherings are replete with anecdotes from would-be employers on the trouble they face when searching for qualified candidates to fill cybersecurity positions. Even as the cybersecurity workforce grows, industry reports describe a widening gap between supply and demand. At the same time, despite purported workforce needs in the tens of thousands, candidates often describe their inability to even secure an interview. The challenge is particularly acute for entry-level work roles in the Workforce Framework for Cybersecurity1. For these roles (e.g. security analyst), job seekers regularly complain about “entry-level” positions requiring lists of “advanced” capabilities and employers lament the pool of underprepared candidates without necessary experience.
HR professionals play a critical role in the hiring process, yet most examinations of cybersecurity workforce gaps do not directly engage these team members. Annual workforce surveys gather insights from cybersecurity professionals and offer recommendations on how to address the workforce gaps. These reports often include guidance for HR professionals to use report findings in augmented workforce strategies. However, given their importance in the process, understanding the perspectives of HR professionals on cybersecurity hiring may take us one step further toward addressing frustrations and ultimately closing the workforce gap. Thus, this phase of the Search for the Cyber Unicorn study aimed to capture the perspectives of HR professionals to better understand their role and experience in the cybersecurity hiring process, as well as their perceptions on the gap between organizational expectations and candidate qualifications.
Through a series of interviews, twenty-two county and local HR professionals across the state of Florida described how they approach and progress through the hiring cycle for entry-level cybersecurity positions. The synthesis of these interviews revealed several major themes. These themes, and their associated recommendations, are summarized on the subsequent pages:
Collaboration. Collaboration between HR professionals and subject matter experts throughout the hiring cycle is critical to implementing an efficient process. The collaboration results in position descriptions that reflect work role requirements, state-level experience and education standards, and internal resource constraints. Collaboration between hiring officials and education and training providers helps to clarify expectations, priorities, and operational constraints that shape the recruitment efforts. These relationships also help to expedite the development of trust with new employees.
Recommendation C1 – Establish collaboration opportunities for HR professionals and subject matter experts early and throughout the hiring cycle to strategically integrate position needs and compliance requirements in the context of resource and other operational constraints.
Recommendation C2 – Expand opportunities for hiring officials and academic and training providers to share the expectations and constraints that shape workforce needs and to use these insights to strengthen educational programs.
1 Workforce Framework for Cybersecurity (NICE Framework) is available at: https://niccs.cisa.gov/workforce-development/nice-framework
Recommendation C3 – Develop ongoing education and awareness programs for HR team members to improve their understanding of cybersecurity roles, including distinctions from general IT positions, cybersecurity career pathways, and typical feeder roles.
Recommendation C4 – Implement strategies to foster continuous dialogue between managers, hiring organizations, and HR departments to reinforce collaboration and maintain internal alignment on critical cybersecurity hiring needs.
Internal Labor Market. The internal labor market, as opposed to external recruitment, serves as the primary source for entry-level cybersecurity candidates in the organizations represented by the study participants. By leveraging the internal labor market to fill positions, employers hasten the development of trust and lower recruitment costs. Because internal hiring provides career pathways with advancement opportunities for current employees, it also helps to strengthen employee morale and may reduce employee burnout and unwelcome turnover. A months-long hiring process that disenfranchises applicants, particularly highly desirable candidates, is not uncommon. Leveraging the internal labor market can shorten lengthy recruitment timelines by reducing the time needed for extensive candidate screening. Not only does the shorter timeline appeal to candidates, but it also supports a more dynamic and flexible team structure that can more rapidly adapt to the evolving environment.
Recommendation L1 – Use the internal labor market to address challenges to employee morale, trust, budget constraints, and workforce shortages in specific roles.
Recommendation L2 – Strategically build career training programs for the existing workforce that support both professional development for employees and flexibility for teams to align with dynamic environmental conditions.
Recommendation L3 – Use the internal labor market to establish a standardized screening approach for internal and external candidates.
Recommendation L4 – Clarify workforce needs and clearly communicate the approach to filling positions. If, for instance, entry-level cybersecurity positions are filled primarily through the internal labor market, communicate the typical career pathway with internal and external candidates, and with education and training providers.
Experience. Study participants indicated that hiring managers tend to favor experience over education and certifications when filling entry-level cybersecurity roles. Team size is a principal driver for prioritizing experience over these other factors. Respondents stated that smaller teams, along with those working under resource constraints, have limited time available to integrate new and inexperienced members.
Recommendation E1 – Clarify the definition of entry-level cybersecurity positions and outline experience expectations based on regulatory requirements or hiring preferences.
Recommendation E2 – Explain how the combination of experience, education, and credentials are considered in the hiring process and provide transparent information on how the criteria are prioritized.
At the outset of this study, the search for the cyber unicorn focused on the challenge of finding candidates who meet an often-unattainable combination of education, certifications, and experience (the proverbial cyber unicorn). The insights gathered here suggest that perhaps the cyber unicorn is not a candidate, but rather an entry-level cybersecurity position.
Overview
Industry gatherings are replete with anecdotes from would-be employers on the trouble they face when searching for qualified candidates to fill cybersecurity positions. Even as the cybersecurity workforce grows, industry reports describe a widening gap between supply and demand.2 At the same time, despite purported workforce needs in the tens of thousands, candidates often describe their inability to even secure an interview. The challenge is particularly acute for entry-level work roles in the Workforce Framework for Cybersecurity.3 For these roles (e.g. security analyst), job seekers regularly complain about “entry-level” positions requiring lists of “advanced” capabilities and employers lament the pool of underprepared candidates without necessary experience. Despite the attention paid to the workforce challenge, the mismatch between what candidates have and what employers want persists.
Phase I of the Search for the Cyber Unicorn4 study sought to explore why by surveying Florida-based hiring managers seeking to fill entry-level cybersecurity positions as defined by the Workforce Framework for Cybersecurity. In that study, survey respondents revealed that experience requirements are often “wish-lists” and include more requirements than necessary to begin in a particular role. Wish-lists were especially pronounced for experience requirements as respondents also reported that experience outweighed education and certifications in hiring decisions for these entry-level positions. In follow-up discussions with the hiring managers surveyed, respondents explained that in their view experience, more so than education and certifications, reduced the need for on-the-job training and oversight, while also accelerating the timeline for seeing contributions from their new hires.
The tendency toward including experience-driven wish-lists in position descriptions provides some insight on why the mismatch between candidate qualifications and position requirements continues to challenge the field. The very nature of a wish-list suggests that the capability is not required but rather desired. Even when these lists of qualifications are separated into optional or preferred sections of position descriptions, respondents to this survey either implied or explicitly stated that the wish-lists of experience requirements play a prominent role in the hiring decision. If this is in fact the case, then insight on how the list is created, and by whom, deserves investigation.
Phase I survey results affirmed that both hiring managers and human resources (HR) professionals play a role in preparing position descriptions. Respondents attributed the specification of position requirements primarily to hiring managers. However, they also highlighted the importance of HR professionals in the process. HR partners, according to respondents, provide a broad understanding of organizational needs and the larger environment, offering valuable information on internal human resource guidelines, external employment regulations, and general hiring trends.
2 See, for example, the 2024 (ISC)2 Cybersecurity Workforce Report at: https://www.isc2.org/Insights/2024/09/Employers-Must-Act-Cybersecurity-Workforce-Growth-Stalls-as-Skills-Gaps-Widen
3 Workforce Framework for Cybersecurity (NICE Framework) is available at: https://niccs.cisa.gov/workforce-development/nice-framework
4 See, for example, https://www.rsaconference.com/Library/presentation/usa/2024/searching%20for%20a%20cyber%20unicorn%20is%20it%20possible%20to%20find%20a%20perfect%20candidate
HR professionals play a critical role in the hiring process, yet most examinations of cybersecurity workforce gaps do not directly engage these team members. Annual workforce surveys gather insights from cybersecurity professionals and offer recommendations on how to address the workforce gaps, often including guidance for HR professionals to use report findings in augmented workforce strategies.5 However, given their importance in the process, understanding the perspectives of HR professionals on cybersecurity hiring may take us one step further toward addressing frustrations and ultimately closing the workforce gap. Thus, this phase of the Search for the Cyber Unicorn study aimed to capture the perspectives of HR professionals to better understand their role and experience in the cybersecurity hiring process, as well as their perceptions on the gap between organizational expectations and candidate qualifications.
Background
Despite the wide array of educational and training programs launched in the last two decades to prepare future cybersecurity professionals to enter the workforce, employment gaps persist. According to the ISC2 2024 Cybersecurity Workforce report, job growth has stalled, and skills gaps are widening. Aspiring workers gather credentials from degree programs, boot camps and training programs yet often still find themselves unable to even receive an interview, while would-be employers lament the lack of experience in the candidate pool, asserting that the list of credentials included on candidate resumes is often insufficient preparation. Unmet expectations on both sides of the equation leave candidates and employers frustrated and raise questions about how workforce planners fill entry-level cybersecurity positions.
In a field that markets itself by enumerating the thousands of open entry-level positions, candidates are regularly left wondering how they get in and employers are asking why they aren’t better prepared. This is not a new problem, and workforce experts have been sounding the alarm of a broken system for many years.6 Thus, this study sought to gather insight on the drivers of the workforce mismatch by exploring the role of HR professionals in the hiring process for entry-level cybersecurity positions.
6 See, for example, https://danielmiessler.com/p/the-problem-with-cybersecurity-hiring/
About the Participants
While private sector firms and public sector agencies face similar workforce challenges, differences do exist. Most notably, pay scales in the public sector typically lag behind private sector firms. As a first step toward exploring the views of human resource professionals on the hiring process, this study focused specifically on these public sector officials. Cyber Florida provided the list of interview subjects. Study participants worked as state and local government HR professionals across the state of Florida. The counties represented in this study are located across the wealth spectrum and the geographical diversity of the state. In total, twenty-two county officials from 13 agencies across four Florida counties took part in this study. Respondents participated in semi-structured Zoom interviews across three lines of inquiry. Questions covered (1) the relative balance of hands-on experience, education and credentials in candidate review, (2) considerations and the role of trends in the position description development process, and (3) a deep dive into the rationale for experience requirements for entry-level positions. The qualitative analysis of these interviews provides emergent themes to support a critical discussion of the role of HR in the hiring process and suggests that a future quantitative study of a cross-section of HR officials – to systematically explore the role of HR professionals in closing cybersecurity workforce gaps – could provide valuable information toward addressing cybersecurity workforce challenges.
5 See, for example, Fortinet Cybersecurity Skills Gap Report at https://www.fortinet.com/content/dam/fortinet/assets/reports/2023-cybersecurity-skills-gap-report.pdf, (ISC)2 2023 Cybersecurity Workforce Report at https://edge.sitecorecloud.io/internationf173-xmc4e73-prodbc0f-9660/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf
Insights from HR
HR professionals use a structured hiring cycle to organize their work, with each phase of the cycle focusing on a different task: workforce planning, creating position descriptions, recruiting, application, screening, interviewing, hiring, and onboarding. Interview insights on HR’s role in the hiring process for entry-level cybersecurity positions are presented in the table on page eight.
Insights from HR
Hiring Cycle Phase: Workforce Planning
• The ideal workforce planning process involves HR in planning and implementation from start to finish, from defining requirements to participating in interviews and assisting with candidate selection.
• Workforce planning can involve external resources like specialized recruitment companies when HR does not have the capacity or resources alone to implement planning activities.
Hiring Cycle Phase: Position Description
• HR collaborates with department heads to define job descriptions. Hiring managers identify specific technical requirements and ensure job descriptions align with department needs, while HR professionals ensure that requirements align with the class specifications that define the combination of education and experience needed to fill entry-level positions in the state. The classes specify that entry-level positions require a bachelor’s degree plus two years of experience, or an associate’s degree plus four years of experience, or six years of relevant experience without a post-secondary degree. The specifications do allow for consideration of alternative credentials and certifications.
• Collaboration involves various stakeholders to ensure job descriptions are accurate and updated to reflect industry standards. Detailed position descriptions are essential and often updated to reflect current industry standards.
• Preferred versus required qualifications are not always separated into different lists.
Hiring Cycle Phase: Recruiting
• Positions are posted internally and advertised externally using platforms like LinkedIn and job fairs. Internal postings are typically open for a week; external postings are typically listed for at least two weeks.
• Internal recruitment boosts morale and retention. Internal recruitment often occurs through recommendations and promotions.
• Internships and cooperative education programs are common pathways for new graduates to gain practical experience and transition into full-time roles.
Hiring Cycle Phase: Application
• Preferred qualifications frequently include specific certifications (e.g., CompTIA Security+, CISSP) and relevant education, but hiring managers tend to value candidates with practical experience, problem-solving skills, and teamwork abilities.
• It is challenging to find candidates with both technical skills and practical experience. However, respondents noted that practical experience can be gained through labs, hackathons, or similar activities.
• Education and certifications are both important; candidates with degrees in cybersecurity and certifications like CompTIA are preferred. Workforce development programs, including short-term training courses and certifications, prepare candidates for entry-level positions.
Hiring Cycle Phase: Screening
• Initial screening is conducted by HR or staffing firms and can involve automated “knockout” questions to ensure candidates meet minimum requirements.
• Candidates are evaluated based on educational background, certifications, relevant experience, and demonstrated skills, with a particular emphasis on practical experience and ability to apply knowledge in real-world scenarios.
Hiring Cycle Phase: Interview Process
• Interviews include multiple rounds, including technical assessments and practical tests. Interview processes can take 4 to 8 weeks and often involve a committee evaluation to move from round to round.
• Interview assessments also place an emphasis on soft skills such as communication and teamwork. Respondents recognize the importance of cultural fit with the team for long-term retention.
Hiring Cycle Phase: Hiring Decision/Compensation Package
• Final decisions are typically made by senior leaders with input from department managers and team leads. The goal is typically to complete the hiring process within 70 days. Managers are encouraged to act quickly to secure top candidates and discuss salary expectations early to avoid misalignment.
• Competitive salaries and remote work opportunities are crucial to attract top talent.
• Organizations face challenges attracting candidates due to salary constraints and competition with the private sector.
Hiring Cycle Phase: Onboarding/Acclimation
• New employees undergo a combination of formal training programs and on-the-job training. Onboarding involves background checks and additional training to ensure security standards are met.
• Continuous training and certifications are necessary to keep up with the evolving cybersecurity landscape. Mentorship programs and individual development plans (IDPs) are used to provide continuous feedback and development opportunities.
Major Themes
Collaboration. Collaboration between HR and subject matter experts throughout the hiring cycle is critical to implementing an efficient process. Early collaboration between HR and security offices incorporates strategic insight and context for addressing workforce needs and enables more effective workforce planning. Moreover, ongoing stakeholder engagement is important for maintaining the accuracy of position needs and to ensure that the position descriptions reflect current industry standards.
HR actively collaborates with department managers and existing employees to formulate comprehensive job descriptions and establish qualifications for open positions. Yet credentialing requirements, and the combinations of experience and education that meet those requirements, are driven by state regulations. While officials cited some level of flexibility in how the requirements are applied, several respondents referenced the state guidelines and asserted, “[We] cannot deviate from the standard framework” when discussing the various combinations of education and experience. Despite the examples of collaboration, several managers also highlighted that a disconnect between cybersecurity managers and HR still exists. In the larger workforce context, cybersecurity is a relatively new field, and HR professionals often lack the specialized knowledge to distinguish between IT and cybersecurity. This suggests a need for targeted HR education and awareness focused on cybersecurity. Additionally, the HR process is often slower compared to the rapidly evolving cybersecurity landscape, which can hinder the hiring process. The traditional HR system may act as a barrier for managers, contributing to this disconnection. However, HR is also concerned about compliance with organizational policies, which further complicates the situation.
Respondents also noted that when creating job descriptions, they tend to look at what other companies are doing rather than using the Workforce Framework for Cybersecurity as a foundation. Instead, they prioritize aligning with the requirements and practices of competitors.
Internal Labor Market. The internal labor market, as opposed to external recruitment, serves as the primary source for entry-level cybersecurity candidates in the organizations represented by the interview participants. By leveraging the internal labor market to fill positions, employers hasten the development of trust and lower recruitment costs. Because internal hiring provides career pathways with advancement opportunities for current employees, it also helps to strengthen employee morale and may reduce employee burnout and unwelcome turnover. A months-long hiring process that disenfranchises applicants, particularly highly desirable candidates, is not uncommon. Leveraging the internal labor market can shorten lengthy recruitment timelines by reducing the time needed for extensive candidate screening. Not only does the shorter timeline appeal to sought-after candidates, but it also supports a more dynamic and flexible team structure that can more rapidly adapt to the evolving environment.
Internal postings are the heavily favored strategy used to recruit for entry-level positions. “For the security positions, … they tend to promote from within and train on those security related positions.” One official estimated that “the percentage of internal versus external postings is maybe 75% [to 25%].” The individual went on to reveal that external postings were used for higher-level positions, stating, “if we do have external [postings], I maybe have had a couple of the higher-level ones.”
Respondents outlined several reasons for their expressed preference for hiring internal candidates. Internal hires can save the time and money needed for the recruitment process. Respondents highlighted the significant impact of insufficient state and local cybersecurity funding. This lack of financial support, combined with limited time and resources, leaves managers feeling overwhelmed and without adequate support from state and local leadership. “I can’t afford that time…you’ve got to hit the ground running.”
Internal candidates have often already developed a trusted relationship (is the candidate trustworthy, and can the candidate perform?); they understand the environment and culture and have shown a commitment to the mission. “They [internal candidates] didn’t just walk in off the street. However, we realize that there’s a huge gap between a student and getting the experience and getting trusted to becoming productive in your environment.” Another respondent said, “We have a huge element of trust and background checking. … How do we know who that person [is]… their background?”
Further, internal recruitment strategies prioritize employee recommendations and promote existing personnel, fostering heightened morale and retention among staff. Using entry-level cybersecurity positions as a step in the career ladder for the IT workforce was commonly cited as a motivator for hiring internally. “They usually do post that for promotional opportunities within and then they’ll send them to get the training.”
Experience. Respondents expressed a clear preference for experienced candidates. Experience is critical even for entry-level positions. The amount of experience required, however, was unclear and was not necessarily associated with specific cybersecurity positions. “There’s what CIOs want, what IT Directors want, and because government likes to can positions, you have… [state hiring standards that outline how education and experience requirements are considered in concert (e.g. bachelor’s degree plus 2 years of experience, associate’s degree plus 4 years of experience, or high school diploma plus 6 years of experience)].” State hiring standards play a major role in hiring decisions even when the standards do not align with requirements outlined by subject matter experts.
Hiring managers exhibit a preference for candidates demonstrating practical experience complemented by problem-solving skills and teamwork capabilities. “There is a problem with people that apply to our positions that lack experience, … we don’t want somebody coming with a paper or certification not knowing that they got that they went through a cram session and got the certificate that they have to have experience behind it.”
Even when candidates come directly from academic and training programs, experience is important. Florida hiring guidelines drive the combination of experience and education requirements outlined in position descriptions. Respondents noted that students in these programs should participate in experiential learning opportunities including labs, hackathons, or comparable activities. Internships and cooperative education programs are common pathways for new graduates to gain practical experience and transition into full-time roles. They also asserted that candidates who enter the workforce from academic programs with vetted curricula and hands-on components are more quickly able to gain trust in their capabilities. “I would trust anybody coming out of the Cyber Florida program [because their curriculum has been vetted].”
The state and local county officials interviewed in this study all described their cybersecurity team as small, and they indicated that their teams were similarly sized to those of most other county and local offices around the state. Many officials reported having only 2-3 cybersecurity employees who were part of a larger IT department. With these small numbers, it is difficult for department heads to support the training needs of entry-level employees who do not have sufficient experience to contribute immediately. As one respondent put it, “I don’t have time to train and cannot afford the mistakes.” In these environments, department heads must make a choice to either do the work with their limited staff or take the time to train a larger staff but not have time to do the work. They choose to do the work. And while respondents acknowledged the value of mentorship, several noted that while mentors were committed to supporting newer team members, “it takes them off their job” and mentoring must take a back seat when the department needs “all hands on deck” for incident response and other significant tasks.
Small team size also highlights the importance of workforce planning: fit and the strategic alignment of complementary skill sets are particularly important because small teams do not have the luxury of maintaining staff with overlapping skill sets.
Conclusions & Recommendations
Collaboration. Collaboration between HR and subject matter experts throughout the hiring cycle is critical to implementing an efficient process. The collaboration supports full position descriptions that reflect position requirements, state-level experience and education standards, and internal resource constraints. Collaboration between hiring officials and education and training providers helps to clarify expectations, priorities, and operational constraints that shape the recruitment efforts. These relationships also help to expedite the development of trust with new employees.
Recommendation C1 – Establish collaboration opportunities for HR professionals and subject matter experts early and throughout the hiring cycle to strategically integrate position needs and compliance requirements in the context of resource and other operational constraints.
Recommendation C2 – Expand opportunities for hiring officials and academic and training providers to share the expectations and constraints that shape workforce needs and to use these insights to strengthen educational programs.
Recommendation C3 – Develop ongoing education and awareness programs for HR team members to improve their understanding of cybersecurity roles, including distinctions from general IT positions, cybersecurity career pathways, and typical feeder roles.
Recommendation C4 – Implement strategies to foster continuous dialogue between managers, hiring organizations, and HR departments to reinforce collaboration and maintain internal alignment on critical cybersecurity hiring needs.
Internal Labor Market. The internal labor market, as opposed to external recruitment, serves as the primary source for entry-level cybersecurity candidates in the organizations represented by the interview participants. By leveraging the internal labor market to fill positions, employers hasten the development of trust and lower recruitment costs. Because internal hiring provides career pathways with advancement opportunities for current employees, it also helps to strengthen employee morale and may reduce employee burnout and unwelcome turnover. A months-long hiring process that disenfranchises applicants, particularly highly desirable candidates, is not uncommon. Leveraging the internal labor market can shorten lengthy recruitment timelines by reducing the time needed for extensive candidate screening. Not only does the shorter timeline appeal to sought-after candidates, but it also supports a more dynamic and flexible team structure that can more rapidly adapt to the evolving environment.
Recommendation L1 – Use the internal labor market to address challenges to employee morale, trust, budget constraints, and workforce shortages in specific roles.
Recommendation L2 – Strategically build career training programs for the existing workforce that support both professional development for employees and flexibility for teams to align with dynamic environmental conditions.
Recommendation L3 – Use the internal labor market to establish a standardized screening approach for internal and external candidates.
Recommendation L4 – Clarify workforce needs and clearly communicate the approach to filling positions. If, for instance, entry-level cybersecurity positions are filled primarily through the internal labor market, communicate the typical career pathway with internal and external candidates, and with education and training providers.
Experience. Hiring managers favor experience over education and certifications, although all indicators of knowledge, skills, and ability are important in the hiring process. Team size is a principal driver for prioritizing experience over other factors. Respondents stated that smaller teams, along with those working under resource constraints, have limited time available to integrate new and inexperienced members.
Recommendation E1 – Clarify the definition of entry-level cybersecurity positions and outline experience expectations based on regulatory requirements or hiring preferences.
Recommendation E2 – Explain how the combination of experience, education, and credentials are considered in the hiring process and provide transparent information on how the criteria are prioritized.
At the outset of this study, the search for the cyber unicorn focused on the challenge of finding candidates who meet the desired combination of education, certifications, and experience (the proverbial cyber unicorn). The insights gathered here suggest that perhaps the cyber unicorn is not a candidate, but rather an entry-level cybersecurity position.