Kevin Garvey

Skilling the Gap: Creative Ways to Recruit Top Cyber Talent

Many want to come to our field, but just do not know how. Open the door for them.

March 22, 2021

Recruiting top cyber talent has been a challenge since the dawn of the cyber security industry. As the requirements for organizations to secure themselves against a myriad of security concerns continue to grow, so do the requirements to fill new and existing cyber roles. This worldwide problem is exacerbated by a dearth of “perceived” worldwide cyber security talent. However, many within the industry, and many recruiting for roles in it, can use this unique challenge to turn the problem into creative and successful solutions for bridging the cyber talent gap. Luckily, those who are hiring for cyber security roles have the individual power to help turn the tide and bring uniquely qualified candidates to organizations.

Understanding what is causing candidates not to present themselves to an organization starts from the very beginning of recruitment. Four main problems creating an artificial blockade to potential candidates include:

  • Steppingstone hands-on experience is lacking for many trying to get into the industry
  • Job descriptions over-exaggerate the requirements for the role
  • Interviews can be too much of an art than a science
  • Tech teams and HR have not forged on bridging the talent gap together

Steppingstone Hands-on Experience is Lacking for Many Trying to Get into the Industry

Many individuals trying to get a head start in the cyber security industry hit a major headwind the minute they start applying for a role. They look back at their resume and say to themselves, “I do not have the required hands-on experience for this role.”

Unfortunately, while that candidate may have the right ingredients to be successful at the role they are applying to, they will pause on applying to the role due to a perceived lack of experience for the position. This dilemma stops so many qualified candidates from ever stepping foot into this amazing industry. There are a few different ways one could tackle this barrier to enlarge the pipeline of qualified candidates into stepping-stone roles to flourish into something special in the industry:

  • Develop a rotation for candidates to sit with technical teams that are not focused on cyber security, such as network operations, Windows and Linux operations, and IT help desk, at the beginning of their tenure to gain hands-on experience. This allows candidates to build key foundational knowledge of functional units they may be responsible for protecting and responding to throughout their career.
  • Follow Google’s 80/20 policy, which allows an individual to spend 20% of their time on creative side projects. Not only does that allow the candidate to flex their creative muscles, but it also gives them a wonderful opportunity to partner with other functional areas and gain experience they would never have had the chance to even think about before. It will also afford them the chance to network with those outside of cyber security and build contacts throughout the company that could help them be successful in the organization throughout their tenure.
  • Allow employees to work on stretch goals. For example, let someone work on an automation solution so they can grow a small amount of programming skills. Employees will appreciate senior management’s backing on their endeavors to be a better version of themselves too.

Job Descriptions Over-Exaggerate the Requirements for the Role

When organizations know they have an open requisition to fill, some make the mistake of using a canned job description from the past or taking one from the internet and copying and pasting much of the detail. However, those trying to enter the industry see job descriptions and get scared off from even applying in the first place. An example of an entry level job description I found through a quick search:

“A minimum of three years of experience in the field of Cyber Security and Information Risk Management

Bachelor's degree in an appropriate field from an accredited college/university

Cybersecurity related certification (e.g., CISSP, CISM, CISA, GCIH, GPEN) a plus

Working knowledge of NIST 800-171 and the Cybersecurity Maturity Model Certification

Familiarity with other compliance frameworks such as FedRAMP, FISMA, SOC, ISO, HIPAA, HITRUST, etc.

Working knowledge of database technologies such as SQL

3 years of working and hands on networking knowledge”

In fact, many with experience in the industry may not have all the “requirements” for this entry-level role. Does that mean an entry-level applicant would be unsuccessful at this role? Maybe instead of analyzing that question, we should ask whether the job description for the role is appropriate. Next time you are charged with reviewing a job description for a role, think about:

  • Could a large list of certificates scare off qualified candidates?
  • Look closely at the “years of experience” required for each line item
  • Differentiate between a “required skill” and a “nice to have”
  • What soft skills can make an entry level candidate shine?

Unfortunately, stringent job descriptions like the example above may be good for Applicant Tracking Systems, but they may not be the best way to bring in your best future cyber talent. They may inadvertently stop top candidates from ever applying to your organization because those candidates automatically assume they are not qualified enough. Sadly, if they do not apply, you will not be able to interview them and really get to know a hidden, well-qualified candidate. Some of the key hard skills needed to be successful at a role have the potential to be taught while on the job.

Interviews Can Be Too Much of an Art Than a Science

Ask 100 people how they interview a candidate, and you will get 100 different answers. Everyone has their own style of interviewing, but when it comes to entry-level positions or those trying to forge their path in the cyber security industry, trying to figure out the right mixture of questions to assess a candidate can be tricky. After interviewing hundreds of candidates for roles, including entry-level roles, honing in on the candidate’s soft skills can be a huge win to find someone who will quickly excel in the industry. Some high-level soft skills to assess an entry-level candidate on can include:

[Figure: high-level soft skills to assess in an entry-level candidate]

I always enjoy interviewing a candidate to find out how they were able to get through a sticky situation, either at school or in the office. Hearing the way they tell the story can say a lot about a candidate, as it showcases their communication skills without it being a direct soft-skill-based question. Additionally, understanding the thought process of how the candidate was able to win over the situation will likely translate well into how they will get past complex situations at the office. A key tenet to remember:

“Cyber security is filled with the complex, but many times the crux of the answer is found by asking the best directed questions to best directed people or systems and not taking what is on the surface as the final answer.”

In addition, someone who has taken steps to practice their craft outside of normal working hours can turn into a superstar on your cyber team. They continually dig for the best answers when those answers are not transparent. Also, the tools in their toolbox are constantly being sharpened by being exposed to a diverse set of problems and an even more diverse set of solutions.

Tech Teams and HR Have Not Forged on Bridging the Talent Gap Together

What is enjoyable about trying to close the talent gap is that no one is alone on this journey. Cyber security teams and HR teams have a unique opportunity to work together and be creative on future roles. Many affinity groups are working tirelessly to help fill the gap. Both candidates and cyber professionals can partner with them to help build the future pipeline and also to find candidates who are making every effort to make a positive splash in the industry. In addition, utilize the free resources SANS has created to help in your cyber security and HR partnered journey:

Cyberaces.org


Developed by SANS, Cyber Aces is a free, online course that teaches the core concepts needed to assess and protect information security systems.

sans.org/FREE

SANS instructors produce thousands of free content-rich resources for the information security community annually. These resources are aimed to provide the latest in research and technology available to help support awareness and growth across a wide range of IT and OT security considerations.

SANS Summits

Summits bring together cyber security practitioners and leading experts to share and discuss case studies, lessons learned, new tools, and innovative strategies to improve cyber security and overcome challenges in a particular focus area or industry. Many SANS Summits are now FREE!

Tech Tuesdays

Dive into the material and get hands-on experience with tools and techniques that you can apply immediately.

SANS Reading Room

The SANS Reading Room features over 3,120 original computer security white papers in 111 different categories as of March 2021, and is added to regularly.

While the cyber security industry has experienced incredible growth both in requirements and expertise over the years, talent development is still playing catch-up. Luckily, those in the cyber security field historically thrive in situations where the answer to a problem is not always clear. Answering the problem by developing talent beyond the standard approaches will pay dividends to both your organization and the growth of the whole industry.

Many want to come to our field, but just do not know how to. Open the door for them.

Rest of the HR + Cybersecurity Series

1. Listen to the corresponding webcast here.

2. Read the rest of the Blog series here:

  • Knowing Your Applicants: How to Stay Current to Best Assess Your Cyber Applicants
  • Not in Cyber Security? No Problem! Creative Ways to Gain Experience With No Experience
  • Slow the Revolving Door of Talent: Creative Ways to Keep Your Cybersecurity Talent in Your Organization
  • Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Impress to Land Your Dream Cyber Role
About the Author

Kevin Garvey is the US IT Security Manager for an international bank responsible for overseeing incident response, vulnerability management, cyber threat intelligence, as well as the security operations center (SOC). Previously, he worked at New York Power Authority, JP Morgan and WarnerMedia (formerly Time Warner). Kevin has always had a passion to hunt down the adversary and has loved tackling the risk and threat challenges his responsibilities have thrown at him. Kevin teaches SANS MGT512: Security Leadership Essentials for Managers. Read Kevin's full profile here.
