Cybersecurity Skills & Recruitment: Understanding the skills shortage
Part of the Trust in Digital Life Webinar Series 2025
The fourth 2025 TDL webinar took place on Thursday, 20 March, when a group of subject matter experts discussed issues related to understanding the skills shortage in the context of cybersecurity skills availability and recruitment. The aim was to cover challenges and opportunities for both the demand side and the supply side of cybersecurity skills from several different perspectives – educators, policy specialists and recruiters.
The speakers were:
· Daria Catalui, Advisory ENISA, Global Head of Human Firewall at Allianz
· Vanessa Lewis, Vice President of Recruitment, Nexova Group
· Nina Olesen, Head of Sector, ECSO and Chief Operating Officer at Women4Cyber
The session was moderated by TDL Strategic Advisor, Steve Purser.
Cybersecurity Workforce Shortage and Skills Gap
Steve opened the session by reflecting on the global cybersecurity workforce shortage, noting that 67% of organisations report a moderate to critical skills gap. He highlighted the 2024 ISC2 Cybersecurity Workforce Study, which estimated a global workforce gap of 4.8 million and a total workforce need of 10.2 million. Steve also mentioned the Global Cybersecurity Forum and Boston Consulting Group 2024 Cybersecurity Workforce Report, which stated that the lack of diversity is problematic, with women holding 36% of all technology industry jobs but only 24% of the cybersecurity workforce. He emphasised the importance of soft skills, particularly communication, in cybersecurity. Steve also raised questions about the role of certifications in recruitment and the effectiveness of job descriptions in matching reality. He concluded by discussing the challenges of the CISO (Chief Information Security Officer) role, including burnout and being used as a scapegoat when something goes wrong. Vanessa, as a recruiter, was invited to share her perspective.
Cybersecurity Talent and Skills Challenges
Vanessa and Nina discussed the challenges and opportunities in the cybersecurity industry, particularly in relation to talent and skills. They agreed that while there is a growing pool of talent, the industry's fast pace and dynamic nature require innovative and agile responses to the workforce and skills gap. They suggested that companies should be more open to hiring non-conventional talent and consider skills-based hiring. They also highlighted the need for practical skills assessments and upskilling/reskilling programmes. Nina emphasised the importance of distinguishing between the workforce gap and the skills gap, and the need for better mechanisms to ensure that the talent coming through the pipeline is equipped with the necessary skills and abilities. Steve agreed with their points and added his concerns about the over-reliance on cybersecurity certification, which he believes doesn't fully capture a person's abilities or soft skills.
Cybersecurity's Human Skills Gap
The team discussed the importance of soft skills in cybersecurity, such as problem-solving abilities, communication and business acumen. They agreed that, while technical skills are essential, they can be learned, but the lack of human skills is a significant issue. The group also discussed the need for a broader understanding of cybersecurity, including governance, risk and compliance, and the importance of integrating security concepts into the real world. They emphasised the need for a multi-disciplinary approach to cybersecurity, including skills from different domains. The team also discussed the challenges of recruitment, particularly for young people and experienced professionals, and the need to improve the situation.
Cybersecurity Collaboration and Skills Gap
The discussion focused on collaboration between industry and academia to address the skills gap in cybersecurity. Nina mentioned that the European Commission has launched a network to bring industry and academia together, emphasising the importance of aligning university curricula with industry needs. Vanessa and Steve highlighted the challenges in job descriptions, noting that recruiters and hiring managers often struggle to accurately define requirements. Daria discussed private sector initiatives, including public-private partnerships and programmes to train "cyber citizens." The participants agreed that mentoring programmes, including reverse mentoring, are valuable for developing talent in the cybersecurity field.
Non-Traditional Recruitment and Mentorship Strategies
The team discussed the importance of non-traditional ways of recruiting, particularly focusing on soft skills and reverse mentoring. They emphasised the need for standardising titles in the industry and the significance of mentorship in career development. The group also highlighted the importance of cross-mobility and partnerships in the context of cybersecurity. The conversation ended with a discussion on the need for a best practice guide for mentorship and the importance of embracing unconventional talent.
Recommendations
1. Develop a best practice guide for mentorship programmes to promote the practice.
2. Educate hiring managers on creating more effective and realistic job descriptions for cybersecurity roles.
3. Explore implementing reverse mentoring programmes to leverage fresh perspectives from new graduates.
4. Further develop and scale up job fairs to facilitate engagement between companies and universities.
5. Implement a solution for extending cybersecurity training to employees' families and peers.



sorry to say this is total nonsense, there is absolutely no skill shortage, people with decades of experience are too often dismissed as irrelevant, unsuitable, not qualified
there is a political and business strategy at work which drives this notion of "skill shortage" so there is the possibility to dismiss inflow of valid candidates, move towards automation/AI where no real need applies
most clear though is how the recruitment industry benefits greatly from a so-called shortage
this is a notable irritation if not frustration with even senior cybersecurity specialists, the recruitment industry is averse and unaware to their competence
the simplest example is how recruitment "specialists" are unable to distinguish between technical roles (cybersecurity/hands-on) and non-technical roles (information security/paperwork) and dismiss candidates randomly
there is an effective and concerning power grab by the recruitment industry on employment and business opportunities which is the largest social engineering campaign in history