CISO’s guide to hiring for the right cybersecurity skills
CISO’s guide to hiring for the right cybersecurity skills
Publish Date: 2026-07-08 14:06:00
Source Domain: www.techtarget.com
Using an unordered list, summarize the following article with between 4 and 8 key points.
The cybersecurity talent crisis has moved from a simple numbers problem to a fundamental mismatch between what organizations need and what the workforce can deliver.
While 87% of organizations plan to expand their security teams this year, according to Fortinet Training Institute’s “2026 Cybersecurity Skills Gap” report, the CyberSeek online data tool found that there are only enough available cybersecurity workers in the U.S. to meet 74% of employer demand.
As problematic as that data is, it doesn’t encapsulate the full extent of the workforce challenge. Cybersecurity leaders are finding not only a shortfall in the number of cybersecurity professionals, but also a significant misalignment between the available skills in the market and those needed in enterprise cybersecurity departments.
Researchers from SANS Institute and GIAC called it “a widening skills gap that organizations struggle to close, even as they increasingly recognize that having the right abilities matters more than simply adding head count,” in the “2026 Cybersecurity Workforce Research Report.”
“The problem isn’t a shortage in head count. We’re never going to get the numbers we want to get. It’s really more about getting the needed skills,” said Brian Correia, director of global cyber workforce strategy and engagement at SANS.
CISOs must modernize their approach to recruiting workers. This involves moving away from a conventional search strategy and adopting one that creates multiple talent pipelines and emphasizes workforce development to ensure hires continuously learn the latest skills.
The impact of the security talent, skills gaps
Staffing challenges affect an organization’s cybersecurity posture. Recent research from ISC2 found that 88% of organizations experienced at least one significant cybersecurity event due to cybersecurity skills shortages.
Such findings are particularly troublesome because the increasing use of AI — both in SOCs and by malicious hackers — is rapidly changing the types of skills needed by security professionals, putting organizations at even greater risk for incidents as they fall further behind in hiring.
“There are different skill sets needed in security due to AI,” said Vikram Desai, senior managing director of cyber strategy, risk and architecture at professional services firm Accenture. “But people don’t naturally have them. And very few organizations have training programs in place to help bridge this gap, so there is a giant gap between what is needed and the skills that job seekers present, and we [mistakenly] expect it to resolve itself.”
Legacy practices hurt hiring
Desai called the belief that cybersecurity professionals should come fully skilled for existing positions a “legacy mindset.” And it’s not the only one — plenty of other legacy recruitment strategies make it challenging for today’s CISOs to fill open roles.
For instance, the blanket requirement for candidates to hold a bachelor’s or master’s degree is, according to Shawn Murray, former president of the ISSA, “an old-fashioned approach that’s just not reasonable anymore.” Moreover, he said security skills are evolving so quickly that a degree is no guarantee that a candidate has the skills needed at the time of hiring.
Others criticized conventional recruitment strategies that put HR teams or recruiting firms in charge of defining candidate requirements and screening. These processes lead to an unrealistically long list of skills and a misalignment with what the CISO actually needs from a new hire.
Experts said requiring candidates to have prior experience specifically in cybersecurity or IT is also unduly limiting. Murray noted that outdated recruitment and hiring practices can cause a chain reaction in a security organization, where understaffing that results from these practices puts more pressure on existing workers, who then experience burnout and quit, further depleting the team.
A new hiring paradigm
Researchers and CISO advisers identified the following hiring strategies that help CISOs find employees with the cybersecurity skills they need.
Looking outside security
Desai explained that workers of all kinds now have training in risk and security that, when coupled with a business background, can make them invaluable additions to a security team. “We’re seeing leading CISOs shift to hiring cyber-savvy people who also know the business,” he said.
CISO-led hiring
Another modern hiring practice involves the CISO leading recruitment and retention strategies, Murray said. He found that CISOs who identify the specific skills they need to fulfill their strategic missions, and then work with HR and recruiters to find candidates, are most successful.
Community partnership
Murray shared that leading CISOs also recruit from and develop partnerships with community colleges and training centers, recognizing that those institutions usually offer hands-on experience to students, making them ready to perform on day one at the job.
Retention
Good recruiting practices should be part of an overall talent strategy that includes retention. By ensuring people with the right set of skills are on staff, CISOs can build a bench of future security talent, avoiding the costs and training involved with new hires.
Hiring for technical skills
It’s unlikely any candidate will have all the needed skills. Correia said CISOs shouldn’t hold out for the perfect fit but rather seek candidates who demonstrate what he calls “technical capability,” defined as meeting about 80% of the job’s technical requirements. That approach, along with screening applicants for cultural fit and an aptitude for learning, enables CISOs to build teams for today and tomorrow.
Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.