The Skills Gap Fallacy – 10 Things I Hate About Cybersecurity: A Love Story

Hi! I am Nick Gipson, the Director of Cyber Operations here at Pareto Cyber. This is Part 10 of my 10-Part series on “10 Things I Hate About Cybersecurity: A Love Story” where I dissect the problems within this industry and my personal encounters with them. You can find the other parts of this series here.

The Issue

Many reports and publications in cybersecurity complain about a mismatch between the vacancies available and the potential candidates to fill them.

Supposedly, while the demand for positions in security operations (SecOps) is skyrocketing, there aren’t many people with the technical skills necessary to work those jobs. 

I think that this notion of a “skill gap” is a complete misunderstanding.

There are people that could fill those jobs. There are candidates with the skills required to do them. Cybersecurity is a highly technical field, but there are many talented specialists seeking employment.

So… what’s the issue?

There’s a communication breakdown between the SecOps departments needing to hire and the HR people actually doing the hiring. 

Most positions are filled by company HR departments. 

So in the case of a cybersecurity job, the process could look like this:

  1. The CISO decides that the company needs to hire more analysts.
  2. The CISO puts in a request for candidates with the HR team, providing them information such as the number of people required, job titles, and a brief explanation.
  3. The HR department then writes up a formal job description for the vacancy and uploads it onto some hiring portal.
  4. Candidates fill out the standardized application form, upload their CV and perhaps a cover letter.
  5. Some hiring software looks through these applications, matching submissions by keywords from the job description.
  6. The HR team then shortlists candidates from the applications approved by that automated process.
  7. The CISO or some other member of the security team interviews shortlisted candidates.

Does anything seem off about this process?

Why It Matters

Whenever I look through job descriptions posted for positions in SecOps, I’m genuinely flabbergasted. 

The “requirements” section is often just nonsensical. I’ve seen jobs requiring 30 years’ experience for an entry-level position. Some companies require obscure tools (bonus points if they want 5+ years’ experience in a piece of software that’s only 2 years old!). Occasionally, the skills required don’t even exist.

I think you see the problem.

These listings end up completely out of touch with what the position actually requires. The keywords that both the automated scan and the HR person’s pass-through are looking for… have nothing to do with the job that they are trying to fill.

So qualified candidates don’t even get a single interview.

At the same time, the CISO or any actual technical recruiter on the other end may see a shortlist that doesn’t have much in common with what they were looking for in the first place.

What Can We Do?

I want to avoid blaming any individual HR professionals. They are trying to do the best job they can despite limited information. 

The difficulty here is that this process expects the impossible. So, the solution isn’t to look for “better” recruiting agencies or to restructure HR departments.

Instead, I think we need to reimagine the tech hiring process itself.

We can train non-technical hiring managers better. We should help them understand the actual responsibilities and requirements for security professionals. That way, HR teams can actually identify qualified candidates.

But this process can’t be left up to chance.

When I am hiring analysts, I tend to rely heavily on my intuition. I’ve been working in cybersecurity long enough that I can tell when someone is actually passionate about this field. Good candidates can clearly articulate their technical expertise even in a brief interview. Yet, the concept of “passion” has little in common with the internships or degrees on a CV.

A recruitment manager won’t have my intuition. 

But I can help them learn what underlying skills I’m actually looking for. I can show them that specific software or programming languages don’t really matter. I can run through examples of CVs that stood out to me and explain why.

To reiterate, I don’t think there’s a real skills gap in cybersecurity. There is a skill gap, but it’s not with the candidates. Instead, the people that need to develop new skills are those involved in recruiting for cybersecurity positions in the first place.