With thousands of job openings and more tech professionals focused on a security career than ever before, cybersecurity hiring managers and executives would appear to have an easy time picking the talent they need to help defend their organizations from attacks and threats.

The reality, however, is more complex. A study published by ISACA (which included answers from more than 2,100 of the association’s members) found that, while cybersecurity hiring managers and executives now have better relations with their HR departments, 71 percent report that their organization has open positions regardless of the type of job.

The report also found that hiring managers continue to have low confidence in candidates’ qualifications, with only 26 percent reporting that they believe at least half of applicants are well qualified for the position they are applying to. When it comes to hiring, 72 percent of survey participants noted that previous experience remains a primary factor in making a decision—but the most significant skill gap relates to so-called soft skills such as communication, writing and adapting to company culture.

The push-and-pull between needing experienced tech professionals with particular certifications and skills and also having numerous open positions that create critical gaps in security coverage can further complicate the hiring process, which affects job seekers.

“Organizations continue to have a hiring problem—an estimated 3.5 million unfilled cybersecurity jobs—that is not projected to get any better through 2025,” Dave Gerry, CEO of  Bugcrowd, recently told Dice. “The cause of that is somewhat self-inflicted. By focusing too much on certifications, experience and background, employers are significantly limiting the talent pool that they can go after. The impact of this is unfilled jobs, losing out on high-potential talent and a lack of diversity of candidates from under-represented and non-traditional backgrounds.”

For tech professionals looking for a cybersecurity position or those interested in moving up the career security ladder, knowing what a hiring manager or executive is looking for is crucial. To better understand what these hiring managers are looking for, Dice asked several experts about their current thinking as part of the hiring process and what skills—technical and non-technical—might come into play when making a final decision.

Tech Skills Matter… But Remember the Bigger Picture

As the ISACA report makes clear, hiring managers are looking for tech and cybersecurity pros with certain skill sets depending on an organization’s needs. John Pirc, vice president at security firm Netenrich, noted recently that candidates who understand issues centered on SaaS and cloud applications are a must for his company.

Beyond the technical know-how, however, Pirc focuses on experience and how a particular candidate can fit into the larger culture. That experience doesn’t necessarily have to include a long tenure at previous employers, but it must demonstrate some breadth of experience and adaptability.

“In writing job descriptions for my team, I’m looking for a particular set of skills that are a must and some that are nice to have. Lastly, I look for culture fit and a great EQ,” Pirc said. “The hardest thing about hiring for me is great cybersecurity talent—they are very expensive and generally not located near headquarters.”

Another technical skill frequently mentioned and increasingly important for hiring managers is knowledge and mastery of artificial intelligence, including generative A.I., machine learning and augmented intelligence.

“Additional opportunities for growth exist for candidates by learning about leveraging A.I. for security use cases, A.I. security, A.I. safety and A.I. bias training,” Bugcrowd’s Gerry added.

For many hiring managers, budgets limit or expand the ability to hire talent. For organizations that must adhere to the bottom line, hiring managers look for tech pros who have diverse backgrounds to help fill multiple roles and stretch budget dollars.

“There is a need to find people who can cover multiple roles and fill the gaps, which can be hard to find in the competitive market,” said Satyam Tyagi, vice president at ColorTokens. “In addition to existing technical skills, cybersecurity professionals that have a learning mindset and an ability to adapt are critical in the field. Cybersecurity is a dynamic field that requires constant updating of knowledge, tools, and skill sets.”

Cultural Fit

For many hiring managers, candidates who show promise, ambition and the ability to blend into the larger culture of the security organization can learn specific tech concepts. It’s the cultural fit that matters more in the long term. 

“For many hiring managers in cybersecurity, it's finding the culture fit for their team and organization,” said Guy Rosenthal, vice president for product at DoControl. “Another big challenge is getting enough perspectives on a candidate while not making the hiring process too long or burdensome on the candidate. Panel interviews can be a good option to solve the latter problem, and they also help with the former—especially evaluating culture fit.”

If the cultural fit is there, Rosenthal noted, there are three criteria hiring managers need to understand when looking further at a candidate:
 

• First, does the candidate demonstrate a willingness to learn and an understanding of how best they learn? New skills will be required, and learning has to start with self-motivation. If the role does not have a budget for formal training, but that's how the candidate best learns, it might not be a fit. The same is true for people who learn by lab or hands-on if there is no time or equipment available for learning. 
• Second, does the candidate fit with the culture of the team and the organization? Great skills and role fit cannot compensate for creating an unproductive or even toxic environment.
• Third, how are the candidate's soft skills, such as written and verbal communication, as well as interacting with people? Most roles do not exist in a vacuum or isolation. There will be interaction with their team, cross-teams in security, and with the larger organization. Everyone needs to be able to communicate and interact well with others.

“Hiring managers have an objective set of qualification criteria and a fair evaluation process for soft and subjective skills so that as much personal bias as possible is removed from the process,” Rosenthal added. “The goal should be to find the best possible candidate for the role based on the pool of candidates, leaving aside all other considerations.”

Looking for Candidates Outside the Box

As Bugcrowd’s Gerry noted, finding candidates outside the normal channels helps organizations discover talent that they did not know existed. This also holds true for candidates who do not have some of the more sought-after certifications and skills that cybersecurity managers and HR require for employment. The federal government has likewise made it a point to expand the available pool of cyber talent. 

At the Conversant Group, which provides infrastructure and cybersecurity services for clients, founder and CSO John A. Smith noted that his company recently had success in promoting an intern into full-time work. This particular young worker fit the needs and could be trusted to learn while on the job.

“One of our employees came to us from a small college and he’s been our most successful intern. Why? He had a technical acumen. He could take instruction and was willing to put in the time. He had a hunger, a desire to learn,” Smith said.

“Most importantly, he was and is a good, genuinely kind person. He has a cyber degree, and we got connected with him because his school requires placement and working in the field as part of degree completion,” Smith added. “He did not come to us with much technical knowledge, but he learned it here and had the capacity and willingness to commit the time.”