Skip to main content

Learn About Skills-First Hiring

Learning Objectives

After completing this unit, you’ll be able to:

  • Discuss the cybersecurity talent gap.
  • Explain the limitations and perceived advantages of traditional hiring.
  • Define the skills-first hiring approach.

The Cybersecurity Talent Gap

Think about the last time you searched for someone to provide a service: a doctor, a mechanic, or a babysitter. What mattered most in your final decision? Their education level and years of prior experience, or their current reputation and proven ability to do the job? We instinctively want the most technically skilled and trustworthy person to take care of the things we value most—our health, our personal assets, our children–regardless of how they acquired those skills.

Interestingly, that same mindset doesn’t always translate to the business world. Workplaces may often opt for a traditional approach to hiring by prioritizing credentials and years of experience over demonstrated skills. But in cybersecurity, where protecting critical assets is paramount, this more traditional approach might be leaving some of the most highly skilled talent undiscovered.

As businesses rely more on information technology (for example, servers, devices, networks, data) to meet their goals, the risk of cyberattacks interrupting essential business functions increases and the potential fallout of an attack is more serious. In addition, the growing cybersecurity compliance requirements imposed by regulators makes the risk of noncompliance a concern for leaders. These situations create a growing global demand for cybersecurity professionals to minimize operational interruption and to ensure regulatory compliance.

The 2023 ISC(2) Cybersecurity Workforce Study consistently highlights that there aren’t enough skilled individuals to meet the current demand. This imbalance between supply and demand contributes to the cybersecurity skills gap. However, a growing body of evidence suggests there are many skilled and qualified candidates to meet the demand but a “broken” hiring process challenged by rigid recruiting processes, vague job descriptions, and credential bias. These factors obscure the more expansive talent pool available and prevent businesses from taking advantage of the existing, capable candidates.

What if the problem isn’t a lack of cybersecurity talent, but a lack of an effective process to find and hire that talent? If that is the case, a skills-first approach, prioritizing what a candidate can do and how well they do it, offers one solution. Before we dive further into skills-first hiring, let’s review some of the primary barriers to entry in the current hiring process:

  • Formal educational requirements: Many cybersecurity jobs require a bachelor’s or master’s degree in computer science, cybersecurity, or related field. This excludes qualified individuals who possess the necessary skills but obtained them through alternative paths such as self-study, bootcamps, or on-the-job experience.
  • Certification requirements: Certifications, often required for many roles, can create a significant barrier to entry. The costs of obtaining and maintaining them, including membership and renewal fees, can exclude capable individuals who lack the financial resources and/or time.
  • Experience requirements: The paradox of entry-level cybersecurity positions requiring years of experience creates a significant barrier for capable candidates. These individuals who may have no direct cybersecurity background, may still possess valuable transferable skills from other fields or life experiences that can be effectively applied in the role.

While these barriers of entry for candidates are noted examples, there are also perceived advantages to prioritizing these factors in cybersecurity recruitment and selection.

Traditional hiring factors

Perceived advantages

Credentials (for example, degrees, certifications, certificates)

  • Verified competency: Credentials validate a candidate has a proven level of technical knowledge and skills.
  • Simple metric: Credentials offer a quick way to compare applicants, especially when dealing with many applications.
  • Reduced risk: Credentials suggest someone is less likely to make mistakes due to lack of fundamental knowledge and skill.
  • Compliance purposes: When required, credentials ensure compliance when handling sensitive data or working within regulated industries.
  • Learning commitment: Credentials demonstrate a candidate is invested in their own professional development.

Years of experience

  • Deeper expertise: Experience suggests a candidate has handled a wide range of complex, relevant, and practical cybersecurity challenges.
  • Capability and autonomy: Experience suggests a candidate can efficiently and effectively perform required tasks and accomplish results with minimal guidance and direction.
  • Reduced training expenses: Experience suggests the candidate will have fewer training needs, resulting in cost savings for the company.

An additional perceived advantage of hiring based on traditional factors like credentials and years of experience is justification for the hiring decision. If a seemingly good hire turns out to be a poor fit, the hiring manager can point to those traditional hiring factors as proof of the most reasonable choice during the hiring process. While this may offer a layer of justification, it also places undue weight on external factors and potentially shifts accountability for hiring away from the decision-maker.

These traditional hiring factors can offer employers perceived advantages and create some level of hiring efficiency due to the existing workflows, budgets, staff, and IT systems in place to support them. Shifting to a skills-first approach might initially seem disruptive, however, skills-first is not about abandoning the current hiring factors or the perceived advantages. Instead, skills-first hiring is about finding a balance that allows organizations to remain flexible and responsive to a dynamic workforce environment so they can more easily discover and attract candidates who demonstrate practical mastery of relevant skills. This approach promotes a risk-aware and data-informed hiring process, minimizing reliance on assumptions and focusing on demonstrated evidence of required skills.

What Is Skills-First Hiring?

Skills-first hiring involves valuing and prioritizing a candidate’s demonstrated skills over more traditional hiring factors like education requirements and previous experience in the same field. In cybersecurity, prioritizing skills is especially critical, for the following reasons.

A circular diagram with five segments outlining key areas of a skills-first approach, surrounding an illustration of a person working.

  • Addresses emerging threats: Prioritizes finding skilled professionals who can address emerging threats (for example, increased adversary skill, evolving technology) as they arise.
  • Reaches broad industries: Identifies cybersecurity talent across diverse industries, especially nontechnical industries like arts & entertainment, food services, agriculture, waste management, and real estate.
  • Decreases skills gaps: Reveals previously obscure talent pools by opening opportunities to individuals from unconventional backgrounds to fill more in-demand cybersecurity roles.
  • Prioritizes applied knowledge: Emphasizes demonstrated skills specific to an organization’s strategy and culture.
  • Leverages diverse perspectives: Invites unique and fresh problem-solving approaches to fortify security and defenses.

By enhancing the hiring process to prioritize proven skills businesses can meet and exceed hiring expectations. In fact, the 2023 State of Skills-Based Hiring report states that skills-based hiring resulted in improved business benefits like reduced hiring costs, decreased time spent on the recruitment process and increased employee retention.

The Skills-First Framework

To implement a broad, structured organizational transformation from a traditional hiring process to a skills-first approach to recruitment and hiring, consider using the World Economic Forum’s Skills-First Framework.

Circular diagram labeled "Skills-first framework" with two enablers and five action areas outlined in boxes, indicating steps to implement a skills-based approach.

The skills-first framework provides a roadmap for organizations to adopt skills-based practices. It offers tools and innovations to streamline the process, including:

  • Skills mapping and taxonomies: These resources help define the core skills needed for each role, creating a standardized language across the organization.
  • Skills assessments and recognition: Platforms and certifications validate skills and showcase individual achievements.

This framework promotes a more equitable and efficient labor market, benefiting individuals and businesses. By focusing on skills rather than traditional qualifications, companies can more easily hire, develop, and manage the best talent for the job and fill those critical job openings.

Savvy organizations recognize that a strong cybersecurity program offers a competitive advantage. A key ingredient to a strong program is the best cybersecurity talent. Businesses that shift toward skills-first hiring models position themselves to secure and retain that talent.

In the next unit, we discuss how a skills-first approach can enhance your traditional hiring process. We also review a tool kit of practical templates, checklists, and resources designed to empower you to build a stronger, more adaptable cybersecurity team.

Resources

Comparta sus comentarios de Trailhead en la Ayuda de Salesforce.

Nos encantaría saber más sobre su experiencia con Trailhead. Ahora puede acceder al nuevo formulario de comentarios en cualquier momento en el sitio de Ayuda de Salesforce.

Más información Continuar a Compartir comentarios