CISO Diaries

8 min read

5 tips for hiring entry-level cybersecurity professionals

Actionable expert-led tips on how to hire and retain entry-level cybersecurity talent.

Mags22 avatar

Mags22,
Feb 15
2024

The global cybersecurity talent shortage currently stands at almost four million. To fill these roles, more organizations are hiring entry-level talent, but the real challenge is attracting and retaining this talent when the demand is so high. 

We spoke to industry experts on what steps hiring managers should take to attract, hire, develop, and retain entry-level cybersecurity employees.

Why should you hire junior cybersecurity teams?

There’s by no means a lack of entry-level talent searching for cybersecurity roles, the problem hiring managers are facing is the lack of qualified candidates. And once they’ve found those candidates, how do organizations stand out and retain that talent when it's so highly sought after?

By prioritizing hiring junior candidates, you’ll be filling that talent shortage whilst also retaining entry-level talent by offering them a place to learn and grow. The fresh perspectives and enthusiasm are also great additions to the team that can help prevent burnout. 

Offering junior cyber talent a route into the industry is beneficial to all involved, as long as it’s done the right way.

How to successfully hire entry-level cybersecurity professionals

From job descriptions to onboarding and upskilling to retention, there’s plenty of opportunity to attract and develop entry-level talent. With the cyber skills gap looming over the heads of many CISOs, the key to improving security posture and mitigating risk is building a strong team from the ground up.

The cybersecurity industry is shrouded in mystery for many entry-level candidates, with no clear path from university to their first role. As leaders, we can change this perception by actively reaching out to entry-level talent and attending career fairs. 

When speaking to Matthew Rosenquist, CISO, Mercury Risk and Compliance, Inc., he shared how there’s “uncertainty of value in regards to degrees and certifications,” which leads to a “tremendous amount of frustration for graduates.”

When students aren’t sure that the time and money they are spending on degrees and certifications is worth it, it can be difficult to find motivation to continue. The responsibility rests on cyber leaders to demystify the best path into the industry, providing candidates with a clear goal to work towards. 

Another step to make cybersecurity roles more accessible is going directly to the candidates themselves by prioritizing specialist job boards. 

Utilize specialist security job boards and industry forums, rather than general job boards. This can result in lots of wasted time sifting through candidate profiles that are not suitable for the role. Speak to your team to get tips on the best forums and job boards to post on.

 

Tom Williams, former Principal Consultant at Context Information Security.

Cyber hiring managers are often trying to fill a huge variety of roles with different levels of experience and skills required. This means that there’s no one-size-fits-all approach to hiring. 

However, one fact that remains consistent is that all cybersecurity roles require a combination of hard and soft skills.

It is imperative that they have the soft skills, they have to communicate. Our world is so complex that we can’t solve it independently, we have to be able to work as a team.

 

Matthew Rosenquist, CISO, Mercury Risk and Compliance, Inc.

By getting clear on the skills, education, and certifications you’re searching for in a candidate, you’ll have a laser focus approach, rather than hoping something sticks.

Matthew goes on to say that “most employers really want experience. Juniors need to hit the ground running, and be effective”. Having said this, a “combination of degree and experience is very powerful.”

Struggling to find the perfect candidate? 

Tom Williams shared: “consider headhunting for specialist roles, either in-house or through external recruiters with niche expertise. This specialist knowledge and experience can act as a force multiplier for your team and also equip you with specialist market knowledge.”

3. Clearly define cybersecurity job descriptions

When searching for entry-level cybersecurity professionals, hiring managers are often faced with a lack of “qualified” candidates. But there’s a desperate need to redefine what qualified looks like. 

As Matthew Rosenquist says: “A level 1 SOC analyst should be an entry-level position but ads are asking for three years of experience!” This is due to the “fault of the employer, for not writing good job descriptions.”

Focus on essential skills and experience, avoiding unrealistic qualifications or an extensive wish list. Not managing this well can mean that you miss out on a whole host of potentially suitable candidates who will rule themselves out of the process.

 

Tom Williams, former Principal Consultant at Context Information Security.

So, how do you go about clearly defining these entry-level cybersecurity job descriptions? 

Tom suggests that “HR and the cyber hiring manager should meet early to discuss the role and its requirements in detail to draft a specific job specification and agree on a selection process.

This part of the process is often overlooked but is crucial as it provides transparency and sets clear expectations for candidates and internal stakeholders alike.”

4. Connect HR and hiring managers 

HR and hiring managers need to work closely together. Cybersecurity is such a large and sometimes confusing industry that we can’t expect HR to immediately know who a good entry-level candidate is.

Hiring managers need to take the time to educate HR on what they need to look for in cybersecurity professionals. As Matthew shares, “HR is being asked to understand a field that they don’t know.” There’s a huge disconnect between HR and hiring managers.

Managers must work closely with HR when creating the job ad, explaining which degrees or certifications are essential, and what tools stand out as a green flag. 

For example, a candidate may not have a degree, but they rank highly on a platform like Hack The Box. This tells employers that they have the drive to achieve whilst also having a strong grasp of technical skills. 

Once we cross the chasm between HR and hiring managers, there will be many more opportunities to hire great entry-level talent.

5. Retain talent with strong leadership

With such a high demand for talent in the cybersecurity industry, managers need to work to keep their employees, especially as burnout runs rampant amongst thinly-stretched teams. 

“It starts with leadership”, Matthew Rosenquist says, “security is a really stressful environment that can create a negative situation.” This is why leaders need to “understand the challenges, step up, and help your team grow. Address problems as they arise.”

Whilst a good salary isn’t all that’s required to retain employees, Matthew says that managers need to “understand what the market’s paying” and “may have to pay a premium for certain talent.” 

But at the end of the day, “good leadership really matters in the long-term.”

To go about retaining and developing entry-level talent, we need to do the following:

  • Show value: in job descriptions and within the role itself, leaders need to show what value they can offer employees. Whether it’s upskilling, remote work, flexible hours, or a generous salary.💡Fun fact: 75% of employees prioritize progressing their skills over pay. 

  • Understand your market: money isn’t everything, but companies need to be aware of what the market is paying and match these salaries to attract long-term employees. 

  • Check-in regularly: cybersecurity is stressful and there’s often a lot of firefighting involved in many roles. Good leaders check in with their employees and offer solutions to problems. 

Hire and retain elite cyber teams

The cybersecurity talent shortage isn’t going to be solved overnight. More time needs to be spent nurturing and finding the right talent, which leads to great success in the long run. 

By embracing a strategic approach to hiring entry-level employees, leaders will have a better chance of building a strong infosec team that can reduce security risks.

 
 

Become an HTB Subject Matter Expert

Are you a cybersecurity professional who wants to contribute to articles like this one?

Join the HTB SME program and you’ll benefit from the following:

  • A huge audience: Our HTB community has over 2.7 million members, giving you a huge platform to share your knowledge with and feature in our editorial content.

  • Networking opportunities: Meet other HTB SMEs and expand your professional network, meeting people you may never have connected with if it wasn’t for your involvement with HTB.

  • Recognition: Any insights you provide will be credited to you, including your name, title, and LinkedIn profile. Some content will get additional love on social media too!

  • Share your experiences: We’re giving a voice to cybersecurity professionals, providing you with a platform to share your knowledge and experiences.

  • Help others: Your unique insights are incredibly valuable to other cybersecurity professionals, or even individuals just starting their careers.

💡Find out more on our blog: Become an HTB Subject Matter Expert

 

Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box

Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors.

His career began with dedicated service to the U.S Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies.

In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive.

At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.

 

Hack The Blog

The latest news and updates, direct from Hack The Box