No one really knows what to expect when they first start a new job, especially someone fresh out of college or starting a new career. When that new career is cybersecurity, here’s a little secret – the people doing the hiring probably aren’t totally clear on what the job is, either. And that’s one of the issues that is behind the cybersecurity skills gap.

There are unrealistic expectations when filling cybersecurity jobs, according to recent research from (ISC)2. “They either overload job descriptions with too many responsibilities or set unrealistic experience requirements for entry-level and even mid-career jobs,” the study reported.

What Skills Do You Need?

Repeatedly, the skills gap is listed as one of the obstacles companies face when improving their cybersecurity posture. There just aren’t enough skilled people out there to fill the positions, or so companies say. But do these same companies even know what skills they are looking for, or the most important skills that are required for their particular needs? The answer is, most likely, no, they don’t.

“One of the issues we discuss in the report is job descriptions and understanding, as an organization, which skills are needed for which roles,” said Clar Rosso, CEO for (ISC)2, in an email interview. For example, many introductory positions want applicants to hold industry certifications. However, said Rosso, it’s unrealistic to ask entry-level job seekers to hold a CISSP certification—a common certification listed for these jobs—since someone looking for an entry-level position is unlikely to have the requisite five years of experience the certification requires. “What we’d like to see is hiring managers partner with other cybersecurity team members and the human resources team to ensure job descriptions are fit for purpose,” said Rosso.

What the New Hires Think

The study talked to 1024 professionals, 42% of whom have less than three years of experience and 29% with three to seven years of experience (the rest of those interviewed had more than eight years in the industry). Many of the respondents said they felt like they were thrown into the deep end of a pool during those first years, surviving in a “sink-or-swim” environment.

“Many candidates – especially those without previous IT experience, but who may offer more diverse perspectives to the team – may become frustrated, lose interest or move on to be successful at another organization,” the research stated. Having mentors or being put on a big project helped new employees feel more comfortable and gave them the chance to show their skills. Based on what these relatively new cybersecurity professionals experienced, Rosso said the (ISC)2 study offers an outline of 10 strategies; here are several that are often overlooked but need to be stressed:

    • Involve your senior security leadership in the recruiting process. Challenge them to identify the specific skills and qualities the team needs to add, and make sure they understand that the roles being filled will help them do their own jobs more effectively. This type of consensus building helps keep your team together longer.
    • Look at the talent right in front of you. If you are going to invest in people without direct cybersecurity experience anyway, why not start with your existing staff—people you know and trust, and who already understand your systems, processes and organizational dynamics?
    • Embrace diversity as an organization. Look outside traditional cybersecurity pathways into the profession for candidates who can bring diverse perspectives. Make sure you are instituting more inclusive and equitable recruiting and advancement policies to make the environment one that can support a diverse cybersecurity team once you get them in the door.
    • Foster mentorship within your operation. Pairing your more senior team members with newcomers helps to develop the former’s leadership capacity, and it offers a more rapid path to evaluating new team members’ strengths and weaknesses so that you can target development efforts to help them realize their full potential more quickly.

Advice for New Hires

There are many opportunities to specialize in cybersecurity, because the technology driving digital transformation is constantly evolving. Understanding cloud security, data analysis, risk assessment or penetration testing can put a new hire on a lucrative career path, and hiring managers need to understand the specific skills and job duties the new cybersecurity professional will be handling. However, as tempting as it is for new hires to focus on one of those specializations from the beginning, Rosso advised building a good foundation first.

“I’d recommend that learning the basics across several domains as a generalist is probably the right way to start for someone without on-the-job experience,” Rosso said. “I will say, based on the feedback in this report and our 2020 Cybersecurity Workforce Study, those who focus on developing cloud computing security skills will be in high demand, as it is the top-rated technical skillset that’s been indicated as important to learn.”