Key findings from Infosec’s 2020 IT & security talent pipeline study

July 13, 2020 by Megan Sawle

Few challenges facing our industry are more pervasive than the cybersecurity talent shortage. It’s an advanced persistent threat of the human variety that impacts nearly every component of an organization’s security strategy. Not enough talent to fill open roles means security vulnerabilities and risks may go unaddressed, while also tasking existing staff with burdensome workloads. This often compounds the talent shortage problem by leading to higher rates of employee burnout and churn.

Several credible studies already validate the size and scope of the cybersecurity talent shortage, but few resources exist to help organizations and hiring managers improve their chances of filling open cybersecurity roles. That’s why Infosec surveyed over 250 IT and security hiring managers in the U.S. to learn what drives their hiring decisions. The study analyzed employer emphasis on candidates’ skills, aptitude, experience, degrees and certifications across three candidate experience levels — and compared their responses to how they assessed their own ability to fill open cybersecurity roles.

Unsurprisingly, nearly all survey respondents (73%) reported challenges filling open cybersecurity positions, yet major differences emerged when the responses from successful hiring managers were compared to those who struggle.


Hiring manager involvement in the recruiting process drives success


Many conversations around cybersecurity hiring challenges focus on the candidates — their credentials, skills and experience — and how deficits in these three areas contribute to the growing skills gap. The 2020 IT & security talent pipeline study looks further up the talent pipeline to explore the strategies and tactics used by organizations and hiring managers recruiting for open roles.

The study found hiring managers who agree or strongly agree their organization is doing a good job recruiting candidates are 113% more likely to recruit their own candidates and 58% more likely to screen their own candidates. Hiring managers who are unsatisfied with their organization’s ability to fill open roles were less involved in these processes than both their counterparts and all survey respondents.


Successful hiring managers report fewer hiring challenges overall


With 72% of all survey respondents confirming there are not enough qualified candidates to fill open cybersecurity positions, it’s not surprising that organizations doing a good job filling open roles still face challenges along the way. 71% of hiring managers from these organizations report challenges finding qualified candidates, compared to 89% of those who are not satisfied with their organization’s ability to fill open roles. So while they are challenged, the study found they struggle less overall. Hiring managers who experience more success filling open positions report fewer challenges on average (2.7 vs. 3.4). Most notably, they are significantly less likely to report a lack of candidate skills, education or certifications as challenges during the hiring process. They are also less likely to report an applicant shortage or salary requirements as a hiring concern.


Successful hiring managers are more likely to consider inexperienced candidates


Hiring managers at organizations doing a good job filling open roles are more engaged in early stages of the hiring process and leverage more recruiting tactics on average than those at organizations that struggle. The 2020 IT & Security Talent Pipeline Study also found they are more likely to consider hiring inexperienced candidates. The differences were telling: 58% of successful organizations regularly consider inexperienced candidates for open roles compared to just 40% of organizations that struggle. Organizations challenged to fill positions were also less likely to consider inexperienced candidates than all other survey respondents (40% vs. 54%).


Reskilling programs give hiring managers confidence to take risks


Interestingly, the same hiring managers who are more likely to consider inexperienced candidates are also more likely to work at organizations with established reskilling programs. This suggests that these organizations are more mature in their approach to employee development, which better equips hiring managers to take on inexperienced candidates and train them on the job. If properly resourced, hiring managers facing a lack of qualified candidates should consider removing onerous experience requirements from job descriptions to widen their talent pool and get more candidates into their hiring funnel.


Successful hiring managers more likely to use projects in the evaluation process


Hands-on projects during the candidate evaluation process offer a lower-risk way for employers to deemphasize experience in favor of demonstrable technical knowledge and aptitude. The study found hiring managers at organizations doing a good job filling open roles are much more likely to leverage projects in the hiring process to evaluate candidate fit than their counterparts (39% vs. 9%), suggesting organizations that struggle would do well to loosen position requirements in favor of relying on candidate assessments and projects to determine fit.

Download the full report to learn more


While the IT & security talent pipeline study confirms no organization is immune from the cybersecurity hiring challenges, it offers actionable steps to help hiring managers fill open roles. For more findings like those shared above, download the full 2020 IT & security talent pipeline study.

Megan Sawle

Megan Sawle is a communications and research professional with 10 years of experience in cybersecurity, bioscience and higher education. Megan leads Infosec’s research strategy, leveraging study findings to mature its cybersecurity education offerings and build awareness of cybersecurity diversity and skill shortage challenges. Since joining the team, she’s directed research projects on a wide variety of cybersecurity topics ranging from dark web marketplaces and phishing kits to the Workforce Framework for Cybersecurity (NICE Framework) and the importance of soft skills in cybersecurity roles. Megan is a University of Wisconsin-Stout graduate, an avid equestrian and (very) amateur mycologist.