Cybersecurity's Broken Hiring Process
Defense in Depth
Something is wrong with the math in the cybersecurity job market. If there are "millions" of unfilled jobs out there, why are so many job seekers struggling to even book an interview?
Check out this post by Dr. Chase Cunningham, CSO at Demo-Force, for the discussion that is the basis of our conversation on this week’s episode, co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Brett Conlon, CISO, American Century Investments.
Listen to the full episode here.
The experience paradox
Getting into cybersecurity has become a problem that higher education seems unable to address. Nick Chadwick of NT Concepts described his own path: "I didn't even get into cybersecurity roles until I was 5-8 years deep in enterprise and edge IT, and then they were just additional duties on my normal job." That was 20 years ago. Today, he asked, "How can someone perform cybersecurity primary roles if they don't have deep hands-on exposure to enterprise IT?" Hand-wringing about talent shortages isn't new, as Rob Slade of (ISC)2 reminded us: "Forty-five years ago, when I joined the IT job market, there were articles (from companies) bewailing the lack of IT talent. Forty years ago, when I joined the security job market, there were articles bewailing the lack of security talent." For the last thirty years, while teaching IT and security talent, "there have never been recruiters beating down the doors. And yet, the articles bewailing the lack of talent have continued. Either the articles are lying, or this 'supply and demand' thing that the economists seem to think is important, is, in fact, nonsense."
Who benefits from the narrative?
The talent shortage story isn't coming out of a vacuum. It serves specific institutional interests and hides dysfunctional hiring practices. Laura Kenner of Bootstrap Cyber Community pointed to who profits from perpetuating the shortage narrative, saying, "It's the colleges and certification programs perpetuating this lie because it adds to their bottom line." Companies want someone with 10 years of experience, expect them to be a jack-of-all-trades, but pay entry-level wages. "Candidates are coming out of schools and cert programs in droves, ready to work," she emphasized. "The next generation of cyber professionals will be built in the workplace!" Andrew Robinson of Securiti highlighted how internal processes compound the problem. He described a portfolio client whose pre-IPO hiring involved two or three interviews maximum, with direct C-suite engagement. Once they reached $4 billion in revenue, "it was death by interview. 15+ wasn't uncommon, and in the worst case, an 11-month process." Companies try to reduce hiring costs, he noted, but many of their processes are broken and not fit for purpose.
Kitchen sink job postings
Market dynamics have given employers leeway to make unrealistic demands. "With thousands of highly experienced folks suddenly kicked to the curb, employers know they can ask for whatever they want under whatever title they want to use for their vacancy—and pay less than they ever thought they could get away with paying," said Arun Acharya. "Not so long ago, there was the phenomenon of the 'kitchen sink' resume. Now there is the new phenomenon of 'kitchen sink' job posting." Ronald Sweatland of Orcannus Cyber Security emphasized that it's not uncommon to see postings requiring a PhD in Cybersecurity along with every certification imaginable. "While these credentials may look impressive on paper, such expectations are often impractical," he explained. "Organizations would benefit far more from professionals with hands-on experience and real-world problem-solving skills—individuals who have faced and mitigated threats in live environments—rather than those who have only accumulated theoretical knowledge and certifications."
The aggregation problem
Part of this hiring story is that cybersecurity isn't a one-size-fits-all industry. "I think there's a disconnect here," said Steve Pangborn of Onsite Logic. "'Cybersecurity' isn't a single discipline: it's a whole ecosystem of roles: architecture, forensics, governance, detection, policy, data protection, and more. We often refer to a generic 'cyber talent gap' as if one person could fill all of that." The path forward requires specificity rather than broad generalizations. "The truth is, we need to start defining what kind of talent is missing, and where, before we can effectively address the issue," he emphasized.
Please listen to the full episode on your favorite podcast app, or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Scanner
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Join us next week, Friday [02-20-26], for "Hacking the Future of Log Data"
Join us Friday, February 20, 2026, for “Hacking the Future of Log Data: An hour of critical thinking about why your traditional SIEM is telling only a fraction of the story.”
It all begins at 1 PM ET/10 AM PT next Friday with guests Tim Leehealey, VP of corporate strategy and operations, Strike48, and Nick Falzarano, director, information security, TE Connectivity. We'll have a fun conversation and games, plus at the end of the hour we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Strike48
PREVIEW: CISO Series Podcast LIVE in Orlando, FL 3-6-26
CISO Series Podcast will be making like snowbirds to Orlando, Florida, recording an episode at Zero Trust World 2026. Michelle Wilson, CISO, Movement Mortgage, and Rob Allen, chief product officer, ThreatLocker will be joining us on stage for the recording.
Register to attend here, and use coupon code ZTWCISOSERIES26 to get $200 off your ticket.
Thanks to our sponsor, ThreatLocker
Cybersecurity Headlines - Department of Know
Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.
Monday’s episode featured Chris Ray, field CTO, GigaOm, and Nick Ryan, former BISO. Missed it? Watch the replay on YouTube and catch up on what’s shaping the week in security.
Thanks to our Cybersecurity Headlines sponsor, ThreatLocker
Join CISO Series Podcast live at ThreatLocker's Zero Trust World 2026, March 4-6th, 2026 in Orlando, FL. Use coupon code ZTWCISOSERIES26 to get $200 off your ticket.
Jump in on these conversations
“Notepad++ Hijacked by State-Sponsored Hackers” (More here)
“WaPo Raid Is a Frightening Reminder: Turn Off Your Phone’s Biometrics Now” (More here)
“Russian hackers exploit recently patched Microsoft Office bug in attacks” (More here)
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.