Experience Is a Big Risk With Cybersecurity Professionals

By Sarah Fister Gale

Feb. 23, 2017

cybersecurity education opportunities
Educational opportunities for cybersecurity jobs abound in a field where unemployment is virtually nil.

When you need a cybersecurity professional to keep company secrets safe, it is easy to get lulled by a lot of letters on a resume. CISSP, CISM, GSEC, and CEH are just a few of the many certifications that indicate a recruit has the chops to take on whatever hackers come your way. But certifications only tell part of the story, said Humayun Zafar, associate professor of information security at Kennesaw State University in Georgia.

Zafar teaches a Certified Information Systems Security Professional, or CISSP, boot camp to help prepare students to take the certification exam, and many of his students pass the test right out of the gate. “It is a good start to a cybersecurity career,” he said. “But it may not be enough.”

In one of his recent courses, he had a student who was an assistant to a paralegal with no prior cybersecurity experience. “She took the course, passed the exam and had a cyber security job a week later,” he said. That’s not to say she wasn’t smart and capable, but it suggests that companies may be relying too heavily on certifications as a measure of skill.

“Ideally you want someone with at least a little experience,” he said. They also need more than just software skills to keep up with the complexity of the role. As hacking attempts have gotten more frequent, and hacks more difficult to track, it has caused the cybersecurity skill set to change, Zafar said. “Ten years ago cybersecurity was a technical role, now it’s a business role.”

While cybersecurity professionals still need to understand the technology and stay abreast of the latest hacking trends, they also need to be able to problem solve, understand business continuity planning and work with the executive team when security breaches occur. “And they will occur,” Zafar warned. “It’s just a matter of when.”

Part of the challenge in finding these experienced and certified cybersecurity professionals is the talent landscape. The unemployment rate among cybersecurity professionals in 2016 was literally zero, with 1 million openings going unfilled, according to Cybersecurity Ventures. That number is expected to climb to 1.5 million by 2019. “It’s a seller’s market and employees are in the driver’s seat,” Zafar said.

While companies may not be able to find the ideal candidate, they can look for characteristics that suggest a person will be a good fit, said Joshua Crumbaugh, CEO of PeopleSEC, a security awareness training company in Huntsville, Alabama. He suggested looking for candidates who are constantly “self-educating” and participating industry groups. “The bad guys are always developing new evasive tactics, so you want people who are interested in keeping up,” he said. And any work experience is great if you can find it, Crumbaugh says. “Experience is better than any degree or certification.”

He encouraged HR leaders to involve their IT or cybersecurity team, or external consultants, in the vetting process to help them gauge the abilities and passion of potential recruits, and to ask detailed questions about how they would respond to specific types of attacks. “How they answer these questions will tell you whether they have the experience you are looking for.”

Education Never Ends

Once you hire someone, regardless of whether they are a newbie or a seasoned professional, training should be a mandatory part of the job. He suggested sending them to at least one annual conference, like DEF CON or BlackHat, paying for them to pursue additional certifications, and giving them the time they need to stay current on continuing education credits.

Many companies require cybersecurity professionals to complete at least one certification per year and pay for the time and training they need to prepare, he said. This ensures their people is up to date on the latest trends, and lets these hard to source employees know that the company is invested in their success.

“The cybersecurity space is always evolving so education isn’t optional,” Crumbaugh added. “The most successful people in this field are constantly learning so they can always stay on top.”

Sarah Fister Gale is a writer based in the Chicago area. Comment below or email

Sarah Fister Gale is a writer in Chicago.

What’s New at

blog workforce

Come see what we’re building in the world of predictive employee scheduling, superior labor insights and next-gen employee apps. We’re on a mission to automate workforce management for hourly employees and bring productivity, optimization and engagement to the frontline.

Book a call
See the software
workforce news

Related Articles

workforce blog


Labor analytics: A how-to guide for company leadership

Make sure to start small, clean your data, use data from a variety of sources and use desired business ...

data analytics, employee data, HR Tech, people analytics, talent management

workforce blog


Why tattleware isn’t the solution for underperforming teams

If your employees can take their smartphones out of their pockets to circumvent your efforts, how can y...

employee monitoring, HR technology, tattleware

workforce blog


4 Ways to Maximize HR and WFM Data

Technology and cloud-based applications and platforms enable companies to gather more data, but can the...