Cybersecurity Hiring is Broken – Here’s How We Fix It

For years, cybersecurity job descriptions have looked something like this:

  • 5+ years of experience
  • CISSP, CEH, or OSCP certification required
  • Expert in [insert long list of tools]

Sounds reasonable, right? Wrong.

The reality?
❌ Some of the best cybersecurity professionals don’t have traditional degrees.
❌ Many qualified candidates lack certifications but have real-world skills.
❌ Cyber threats evolve faster than experience requirements can keep up.

Yet, companies still use years of experience as a primary hiring filter—eliminating incredible talent before they even apply.

It’s Time to Rethink Cybersecurity Hiring Metrics

Instead of fixating on the past (years of experience), hiring managers should focus on:

  • Problem-Solving Ability – Can they think like an attacker? Can they break, fix, and defend?
  • Hands-on Skills – Have they worked on real-world challenges? Capture-the-Flag (CTF) competitions, home labs, or bug bounty programs can be better indicators than a résumé.
  • Adaptability & Continuous Learning – The cyber landscape evolves daily. Is the candidate proactive in learning?
  • Critical Thinking Under Pressure – Cyber threats don’t wait. Can they make the right call in a crisis?

Companies Already Doing This Are Winning

  • Google’s cybersecurity team considers self-taught hackers and unconventional backgrounds.
  • IBM launched an apprenticeship program to train cybersecurity talent, removing degree requirements.
  • Some leading firms now conduct skills-based hiring challenges instead of résumé screening.

How Can Organizations Make This Shift?

  • Rewrite Job Descriptions – Focus on skills, not just years. Ask for “proficiency” rather than “X years of experience.”
  • Incorporate Practical Assessments – Use real-world simulations or CTF-style tests instead of relying on résumés.
  • Consider Non-Traditional Talent – Military veterans, career switchers, and self-taught professionals bring unique strengths.
  • Invest in Upskilling – Sometimes, the right hire is already in your IT team—just needing cybersecurity training.

Final Thought: Experience ≠ Expertise

Cybersecurity is about mindset, adaptability, and skills—not just time served.

What’s your take? Should we move away from “years of experience” as a hiring filter? Or is it still a necessary benchmark?

Drop your thoughts below! 👇