Cybersecurity Skills Gap: An Alternative Perspective on the Talent Shortage

In the realm of cybersecurity, there is no shortage of skilled professionals; rather, the key lies in learning how to recognize the specific expertise required for various roles. This perspective is shared by Helen Patton, a former Division Chief Information Security Officer (CISO) at Cisco, who is quoted in a SANS Institute report addressing this very issue.

According to Patton, the perceived talent shortage stems mainly from the lack of standardization across cybersecurity job functions. Currently, the industry has not sufficiently codified what its skills and roles encompass. While regulations may eventually help establish clearer definitions and frameworks for these roles, she cautions that this might lead to conflicts with the unique needs of individual organizations, which often have specialized requirements that do not always fit standardized categories.

Airbus, for example, has established a structured approach to defining cybersecurity roles by creating ten profiles grouped into three main categories. These profiles are based on the NICE Framework (National Initiative for Cybersecurity Education), a U.S. government initiative, which Airbus has adapted to meet the aviation industry’s specific needs and aligned with the standards set by ENISA, the European Union Agency for Cybersecurity.

Similarly, Santander Bank has adopted the same NICE Framework, but with an innovative twist: promoting reverse mentoring within their teams. This approach encourages more experienced cybersecurity professionals to learn from their junior colleagues, fostering a culture of continuous learning and knowledge exchange.

Lynn Dohm, the Executive Director of Women in Cybersecurity (WiCyS), emphasizes the importance of soft skills in cybersecurity. She states, “Anyone over 45 should have a mentor under 30,” highlighting how mentorship across age groups can benefit career development. Dohm also notes that employees with a mentor are five times more likely to receive promotions, illustrating the value of guidance and support in this field.

For her, soft skills—such as adaptability, agility, curiosity, and collaboration—are increasingly crucial in building effective cybersecurity teams. This shift reflects a broader transformation in the industry: ten years ago, technical expertise dominated the landscape, with roughly 70% of cybersecurity talent being technically oriented, and only 30% possessing soft skills. Today, the balance has flipped, with soft skills becoming just as important as technical competence.

Furthermore, the way organizations handle staffing has evolved. In the past, IT departments would draft job descriptions, pass them to HR, and wait for suitable candidates to apply. Now, IT professionals are actively involved in training HR teams, helping them understand modern technologies and security frameworks through concepts like “shift left” security, which emphasizes integrating security practices early in the development process. CISOs now have direct access to recruitment platforms like LinkedIn, allowing them to refine job offers and identify talent more precisely.

Airbus exemplifies this integrated approach, with a member of their HR team embedded within the cybersecurity department. “When I tell [them] that we need an architect, they already know what that role entails,” explains the group’s CISO, underlining the close collaboration between HR and security teams.

Salary: The Main Barrier to Hiring and Retention

Last year, the SANS Institute focused its survey on mid-level cybersecurity professionals. This year, the scope expanded without targeting a specific experience level. The composition of respondents also shifted significantly, especially concerning organization size. The proportion of small organizations with fewer than 100 employees increased sharply, representing 27% of the approximately 3,400 respondents, compared to just 15% last year. Conversely, larger organizations with over 1,000 employees saw a decrease, now accounting for 39%, down 18 percentage points.

As in previous years, the majority of organizations (58%, up from 48%) are involved in developing or selling cybersecurity products and services. The primary decision-makers surveyed (75%) are cybersecurity directors, with many respondents also coming from human resources teams. More than half of these HR professionals hold cybersecurity certifications, indicating an emphasis on skill validation across functions.

The challenge of remuneration remains the most significant obstacle both for recruiting talent (24%, a slight decrease of 2 points) and retaining staff (28%). The length of the hiring process has risen in importance, now cited by 13% of respondents (+6 points), surpassing benefits such as social perks (12%), remote work options (11%), and company culture (11%).

Regarding retention, benefits continue to be crucial. Social advantages, including health insurance and other perks, are viewed as key, as is ongoing training and opportunities for professional development. Leadership quality, however, remains a less prominent factor in retention.

The survey also sheds light on obstacles to cybersecurity training and skill development. Time constraints have become the most cited barrier, with 39% of respondents highlighting it (+1 point), followed by budget limitations at 36% (-1 point). Interestingly, the lack of available training options, which increased to 20% (+6 points), is now also a notable concern. The primary factors influencing training accessibility include job requirements (26%), costs (23%), certification needs (21%), and continuing education aspects (13%).


Dawn Liphardt


I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.