A pendulum swing is underway across the cybersecurity hiring landscape, with traditional four-year college degree requirements increasingly becoming a thing of the past. The U.S. House Oversight Committee advanced the Modernizing the Acquisition of Cybersecurity Experts Act this summer, a new bill that would prohibit mandatory college degree requirements for federal cybersecurity jobs unless there are specific legal requirements. In addition, the Biden Administration’s National Cyber Workforce Strategy called for more organizations to adopt skills-based approaches to recruitment and development.
Why? Well, for starters, national enrollment rates are declining. From 2019 to 2022, undergraduate enrollment dropped by a record-high 8% according to data from the National Student Clearinghouse and the U.S. Bureau of Labor Statistics. This, in large part, is causing more major players across the private sector to embrace skill development, with Booz Allen Hamilton recently revealing over 58% of its workforce was upskilled by certification training and IBM planning to upskill 30 million external people by 2030.
There’s also a heightened urgency to hire, stemming from cybersecurity’s ongoing talent shortage. More than 700,000 U.S. cyber jobs are vacant today. On a larger scale, the ISC2 2022 Cybersecurity Workforce Study found that the global skills gap increased by 26 percent from 2021 to 2022, with 3.4 million additional employees needed to secure business-critical assets. Fewer than 15% of IT leaders believed they had fully resourced teams to execute C-Suite cybersecurity priorities.
Meanwhile, the cyber threat landscape isn’t slowing down. The World Economic Forum’s 2023 Cybersecurity Outlook report found that 86% of business leaders and 93% of security leaders believe that global geopolitical instability will likely lead to a catastrophic cyber event in the next two years. It’s clear that more action is needed. And while there isn’t a quick-fix solution, real sustainable progress will require more than just higher wages and streamlined workflows. Adopting innovative approaches to how we educate, hire, and retain talent is equally critical.
This is where a skill-based hiring culture comes in. It deprioritizes traditional education and experience during the recruiting process, instead determining candidacy on high-value technical skills obtained via cybersecurity certification training programs. The benefits of this model are two-fold. It enables organizations to fill hiring needs faster by tapping into a wider variety of well-positioned candidates ready to enter the field. In addition, it empowers a myriad of diverse working professionals to forge new, sustainable career paths. Compounded at scale, both can help offset cybersecurity’s labor challenges to foster a brighter future for the sector.
Reskilling and upskilling working professionals
A skill-based hiring culture enforces the premise that anyone can become a cyber professional with the right training and techniques. Certification training programs are tailored for inclusivity, allowing non-traditional candidates to align their soft skills with impactful cyber roles. Former athletes with competitive drive can become SOC threat hunters. Physical therapists who gravitate to strategic outcomes can master cloud security. Extroverted customer service reps can become social media security analysts. Focused on cybersecurity aptitude rather than prior experience and expertise, certification training programs offer these non-STEM professionals a robust foundation of practical cybersecurity knowledge to build around. They can also be utilized to reskill IT professionals who already have a background in technology, but still need a more detailed understanding of cybersecurity concepts, technical terms, and application techniques.
From a holistic perspective, leveraging certification training allows CISOs to upskill internally, amplifying their existing cyber workforce with actionable guidance from expert instructors leading tailored courses. The continuous training helps security teams remain aligned with evolving threat actor tactics, techniques, and procedures (TTPs) to enhance operational efficiency across critical workflows. It also provides much-needed support for employee retention. A Society of Human Resource Management (SHRM) Research Institute survey found that 86% of HR managers are confident that ongoing training increases employee retention. By empowering employees to succeed in their roles, organizations can better position themselves to keep top cyber talent on staff.
Fostering opportunities for underrepresented groups
Improving diversity, equity, and inclusion across cybersecurity is another key benefit of a skill-based hiring culture. Certification training programs foster more affordable and accessible education opportunities for underrepresented groups like minorities, women, and veterans. The model aligns with this excerpt from the Biden Cyber Workforce Strategy: “Education and training ecosystems should expand the availability of competency-based cyber education opportunities that accelerate knowledge acquisition and allow learners to demonstrate mastery at their own pace.”
Take the SANS Diversity Cyber Academy for example, a free all-inclusive program that offers cybersecurity training and scholarships for women and minorities from Latinx, Native American, Native Hawaiian, Asian Pacific, Asian Indian, and sub-Saharan backgrounds. On average, 90% of graduates from the accelerated program secure a cybersecurity job within six months of completion. The SANS Veterans Cyber Academy follows a similar model, offering 100% scholarship-based accelerated training programs that arm veterans with GIAC certifications to launch mission-oriented cyber careers. These programs level the playing field for people who are traditionally overlooked, but just as capable of succeeding in cyber as higher-ed alums.
Softening Generative AI Displacement
The future of skill-based hiring invites an interesting discussion around the rise of Generative AI. It’s no secret that Generative AI will likely replace millions of full-time jobs in the years to come. From coders and computer programmers to writers and paralegals, a wide variety of working professionals could be forced to transition into new fields that render their previous education and experience irrelevant. Reskilling them into well-paying cybersecurity jobs could help soften the impact of displacement. Furthermore, it immerses a new class of talent in the workforce to help alleviate shortages.
Generative AI will undoubtedly have a place in cyber; however, it’s not going to outright replace human roles like it could in other sectors. It will augment human performance by allowing security analysts to automate the tedious aspects of their job and instead focus on overarching frameworks that have a more direct impact on security posture. Since certification training can be scaled to high-level security concepts, it’s an educational model that aligns with a future of humans and AI working in tandem.
With labor shortages looming, the time is now for cybersecurity to redefine its approach to educating, hiring, and retaining talent. Progress cannot be accomplished with an eye for legacy practices. A skill-based hiring culture driven by certification training at scale could be the shot in the arm our industry needs.