Is the Cybersecurity Skills Shortage Actually a Hiring Problem?

In our last Super Cyber Friday, "Hacking the Talent Myth: An hour of critical thinking about why the 'skills shortage' might be a hiring problem," we challenged long-standing assumptions about the cybersecurity workforce gap.

Our discussion focused on redefining job requirements, the value of unconventional hires, and how security leaders can partner with HR to build pathways for talent rather than barriers.

Joining us for this conversation were Mike Lockhart, CISO, EagleView, and Mathew Biby, director of cybersecurity, TixTrack.

Watch the full video here

Join us next Friday, August 8, for “Hacking Toxic Culture”

Super Cyber Friday will be back Friday, August 8, 2025, for our discussion "Hacking Toxic Culture: An hour of critical thinking about how and why we poison the well in cybersecurity." It all starts at 1 PM ET/10 AM PT.

>>> REGISTER for 08-08-25 Super Cyber Friday <<<

Did you know that we have an events calendar?

Visit our events page to subscribe (look at the dropdown in the upper right) so you can stay up to date on Super Cyber Friday and other CISO Series content.

Best quotes from our guests

“There’s a lot of folks that want in. There’s a lot of folks that I talk to all the time that are doing everything they possibly can to get into security. And they're hitting roadblocks left and right.” - Mathew Biby, director of cybersecurity, TixTrack

“When you’ve got a hiring manager who doesn't actually know what they need, they just got told to hire an infosec person, they throw out something that looks like a resume they’ve seen before. That’s a pipeline problem.” - Mike Lockhart, CISO, EagleView

“We put job postings out there that are a wish list, and not an actual job requirement.” - Mathew Biby, director of cybersecurity, TixTrack

“We are far too reliant on HR to be our filter, and they’re going to look for what they understand, which is what’s written down, which is certifications or experience, and not attitude or ability to grow.” - Mike Lockhart, CISO, EagleView

“I think some of this just goes back to hiring managers not necessarily understanding what they need, and kind of going out there and looking for that unicorn.” - Mathew Biby, director of cybersecurity, TixTrack

“Some of the best hires I’ve made are folks who don’t have a traditional infosec background. They’ve come from completely different areas—linguistics, accounting, engineering.” - Mike Lockhart, CISO, EagleView

“We need to give folks a place to start so they can build a foundation and really turn it into something. Otherwise, we just continue this cycle of everybody wants three to five years experience, and nobody ever gets it.” - Mathew Biby, director of cybersecurity, TixTrack

“We’re looking for experience in tools, but we don’t offer ways for people to get experience in those tools. You’ve got to break that cycle if you want new talent.” - Mike Lockhart, CISO, EagleView

Quotes from the chatroom

"Twice, I ended up hiring former paramedics. Talk about 'grace under pressure.'" - William Curtiss, CISO

"I once hired a volunteer firefighter in my SOC. Talk about knowing how to triage incidents. Once you know how to cut someone out of a burning car, SIEM alerts seem trivial." - Duane Gran, director of information security, Converge Technology Solutions Corp.

"Soft skills and attention to detail are great skills to look for." - Greg M., CISO, Lightcast

"Much easier to train for hard skills than to develop soft skills." - Andrew Aken, PhD, CISSP, CIO/vCISO, DocDrew, LLC

"I use a framework when hiring. I call it 'TICK,' which stands for Technical, Intelligence, Communication, Knowledge. If they 'tick' all of the above, we move forward." - Aman S., executive security lead, vp, Elsevier

"I often say 'Don't undersell yourself' when I learn a skill the candidate has that is NOT on the CV. Equally, don't 'oversell yourself' when there is no evidence the skill stated is part of their repertoire! Works both ways." - Aman S., executive security lead, vp, Elsevier

"Oh lord, the ATS and AI-generated job descriptions drive me bananas. And in general people do not know to connect the dots of experience and skills." - Cortney W.

"I think it is a necessity for candidates to ask questions. Otherwise they're not showing interest, and likely lack the curiosity/drive for the role." - Kurtis Berger, global director of IP and security, Aryaka

"Pro tip: When you 'don't know', it is an opportunity. Say, 'I don't know offhand, but I know how I would research it.' Bonus, research that shit and write a follow-up email with detail to the hiring manager after the interview." - Duane Gran, director of information security, Converge Technology Solutions Corp.