Is the cyber security skills gap a myth?

If you’ve been following cyber security news over the last few years, you’ll have noticed variations on the same story cropping up time and again: employers can’t recruit the people they need for cyber security, and as a result, millions of posts are going unfilled. The headlines often refer to this as the ‘Cyber Security Skills Gap’.

But just how accurate is this? After all, a skills gap is basically a mismatch between what employers want or need particular employees to do, and what those people can actually do when they walk into work. If you cannot find someone who knows how to run a penetration test, then that’s a skills gap.

However, if a business automatically discards candidates who have hands-on hacking skills but lack a particular college degree, what it faces is not so much a skills gap as a recruiter expectations gap.

Overly rigid hiring criteria don’t work for anyone: far too many skilled applicants fall by the wayside while posts go unfilled. Thankfully, however, there’s evidence that things are changing, with an extra 700,000 people joining the cyber security workforce in 2020 (up 25% on the previous year’s figures). Employers are being encouraged to be more creative when it comes to hiring, with more flexibility on years-of-experience requirements and less emphasis on traditional training routes.

For would-be entrants to the infosec profession, this is actually very good news. If you can repivot your existing skills, fill the gaps in your knowledge and pick up the type of practical know-how that’s in demand, you should be better placed than ever to fill the gap.

The hiring shortfall in focus

Here’s a quick snapshot of the recent state of cyber security hiring across various parts of the globe…


As reported in TechTarget, according to (ISC)2, the gap between open cyber security positions and those currently filled in the US stands at 359,000. Speaking to TechTarget, Bart McDonough of managed IT and cyber security provider Agio said, “Cybersecurity leaders these days must understand that talent rarely comes in ‘fully baked’ and will need time and attention to train up.”


Vacancysoft’s 2020 report, Cybersecurity: Building Business Resilience highlighted a shortage of 140,000 cyber security professionals across Europe. An estimated 70% of businesses are lacking an adequate security team.


Last year, ComputerWeekly highlighted a massive growth in demand for cyber security applicants outside of the London bubble. Year on year, the number of advertised jobs in Yorkshire and the North East increased by 138%, along with an 85% increase in the South West. Only 10% of existing IT professionals have the cyber security skills the UK’s tech sector currently needs.


According to a recent estimate by the Data Security Council of India, the country will shortly find itself in need of about one million cyber security professionals. 49% of organizations surveyed for the State of Cybersecurity 2021 report say that they have unfilled positions in their cyber security divisions. According to R.V. Raghu, member of ISACA’s Emerging Trends Working Group, “It is not only important to better prepare fresh graduates, but also to bring a wider pool from all streams and equip them with the skills needed to succeed in a cybersecurity career”.

Skills Gap vs Hiring Gap

The talent is out there. It’s just that outdated ideas of what it means to be “qualified” often create a barrier to recruitment. That’s according to a recent opinion piece for Forbes by Christian Espinosa, Cybersecurity Engineer, Author of ‘The Smartest Person in the Room’, and Founder and CEO of Alpine Security.

If employers insist on a very rigid wish-list of what to expect from candidates, then a so-called skills gap is inevitable. There simply aren’t going to be enough college graduates with 5 years+ in-house experience to go around. And Espinosa’s argument is that the value of theory-based college courses can easily be overstated. Candidates can sometimes look great on paper; they can ‘talk the talk’, but lack the type of practical know-how that organizations actually need.

How are employers responding?

As we mentioned earlier, the last few years have been dominated by stories of the cyber security skills gap. But recently, there has been a shift: employers are starting to realise that it’s actually a hiring gap rather than a skills gap. Forward-thinking businesses are becoming less rigid in their approach to recruitment, which is good news for anyone who’s arrived at infosec via non-traditional routes.

ISACA, the global IT governance and accreditation body, recently published an article giving best practice tips for widening the talent search. These include…

  • Setting out clear, achievable expectations in job postings and greater reliance on practical skills tests.
  • Flexibility with years-of-experience requirements.
  • Avoiding over-reliance on formal qualifications and focusing on up-to-date know-how.
  • Looking for general evidence of inquisitiveness, willingness to learn, problem solving and communication skills.

Where this leaves potential cyber security employees

If you would like to transition to a cyber security role for your existing employer, what specific skills does the business require? If you are approaching cyber from a completely different background, what’s the best way to get started? If organizations are going to respond to the growing risks out there, the only way forward is going to involve greater flexibility in bridging the hiring gap. For would-be employees, there has never been a better time to focus on targeted, hands-on training to bridge their own skills gaps.

To ensure your skills are better aligned with the demand that’s out there, explore our Cyber Security Career Development Platform.

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Edwin says:

    I was discussing this with a colleague today.
    Many companies have job postings that they will not fill in the coming years. They just ask too many specific things and that just puts people who are looking for a job off. Why not just do a month of probation and see if it suits both parties? And for me personally money is not a motivation. To find people for some job postings here in the Netherlands, those companies need a lot of luck. (When you read them it’s actually just laughable.)

    But again a very nice blog post.

  • Valerie C. says:

    This is good news. I’ve been trying to convince my youngest son to go this route. If I weren’t nearing retirement age, I’d probably consider cyber security for myself.

  • Abao Aweikago says:

    I also experienced the “Gap” when I finished a course for college past Monday. It was focused on network security and risk management and focused on the CompTIA SY0-501 Sec+ exam. However, 501 Sec+ retired that exam, and the information is helpful but still messing with the modern-day TTP cybercriminals are using today. I’m assuming that not many cybersecurity professionals care if you have a degree because it is a slice of knowledge on paper. Still, it can be a liability if it is not the new standard up to par with the industry to date.

    • Nathan House says:

      In the ISACA State of Cyber Security Report 2020, perceptions of university degrees in cyber security remain mixed among survey respondents. 

      Forty-six percent report that they neither agree nor disagree that cybersecurity degrees prepare university graduates well for their future organizations’ challenges. This represents an eight percentage-point increase from a year ago. The percent of respondents who indicate that cybersecurity university degrees do not prepare graduates for today’s challenges dropped to 28 percent this year, down from 39 percent last year. 

      Despite this sentiment, 55 percent report that their organizations require a degree, though responses vary by geography. For example, 78 percent of those responding from Africa indicate that their enterprises require a university degree to fill an entry-level cybersecurity position, while only 37 percent of those responding from Oceania indicate requiring a university degree.

      Respondents from other geographies fall somewhere in between regarding the university degree requirement—with Asia at 62 percent, Europe at 46 percent, Latin America at 64 percent, North America (including the Caribbean and Central America) at 54 percent and the Middle East at 67 percent.

      Reporting shows that a large majority of cybersecurity professionals do have a degree. According to the (ISC)2 Cybersecurity Workforce Study, 2019, 88 percent of practitioners have a degree—most at the bachelor-degree level or higher. 

      The value of formal education varies by region. However, given the cybersecurity human capital crisis that threatens global markets—and, when it comes to personal privacy, for example, jeopardizes the reputations of everyday citizens, or even continuity of life in hospitals or other healthcare settings—it becomes clear that not only enterprises, but the public in general, would benefit from greater numbers of cybersecurity applicants. Mandating degrees—especially via automated recruiting platforms—unnecessarily constrains talent pools.

      So generally it can help if you have a degree, but it’s not necessary with many organizations. If you have aspirations of moving into security management or a CISO position, then a degree would be advantageous.

  • Marcin W. says:

    This is very good news. I am trying to get into cyber myself. I have a good networking background with 20+ years of experience in general telecom and IP networking… We shall see if my skillset can be adapted to the new requirements…

  • Aidara says:

    Great news. I come from France, 36 years old, I want to work in cyber security. I am a total beginner and without experience.

    Am I too old to take this direction and take your VIP membership to get a job?

  • Enroutech says:

    Protect your environment against Cyber Attacks or threats

  • DOS arrest says:

    Great!! Cyber security is becoming increasingly crucial, as well as a viable career option.

  • Srashti Jain says:

    Thank you so much for sharing this cyber security blog.
