In the battle of Experience vs. Certs vs. Degrees, Experience is King!

The Cybersecurity Talent Shortage: Experience vs. Certifications vs. Degrees and How to Bridge the Gap

Ryan Williams Sr.
4 min read · Jun 12, 2024

Welcome to another episode of “The Other Side of the Firewall,” where we dive into the latest and greatest in cybersecurity news and highlight movers and shakers in the industry. This week, we’re tackling a pressing issue: the cybersecurity talent shortage. With nearly 470,000 positions unfilled in the U.S., the debate around the value of certifications versus experience has never been more relevant.

You can view the full podcast episode on our YouTube page and listen to it on almost every audio platform.

The Current Landscape

According to a recent article from Dark Reading, the cybersecurity workforce in the U.S. is struggling to meet employer demand, with nearly 470,000 positions currently unfilled. The article points out that while certifications are a common requirement, there is a significant gap between the number of certified professionals and the actual demand for cybersecurity talent.

Shannon Tynes brings up an interesting point: “When it comes to the cybersecurity career field and how understaffed they are, the numbers kind of vary depending on who you talk to.” Estimates for the shortage range from half a million to as high as two million jobs, highlighting the inconsistency in how this data is reported.

Certification vs. Experience

We’ve all heard the mantra that certifications are crucial for landing a job in cybersecurity. However, as we discussed in this episode, the reality is more nuanced. Certifications like Security+, CISSP, and CISM are important, but they are not the only factor that should be considered.

Experience is King: As I always say, “Experience leads you to certifications to display your expertise, and then degrees.” Unfortunately, many companies prioritize certifications over real-world experience, expecting these certifications to compensate for the lack of hands-on skills. This approach often results in a mismatch between job seekers and employers, with both parties losing out.

The Disconnect

The crux of the issue is the disconnect between job seekers and employers. Companies often list certifications as a primary requirement, sometimes overlooking the practical experience that truly prepares candidates for the job. As Shannon aptly puts it, “When you look at these job offerings, they’re talking about certifications, but you also see they like to have a bachelor’s degree in some type of cybersecurity.”

This creates a paradox where candidates with degrees but no experience struggle to find jobs, while those with experience but no certifications face similar challenges. Daniel Acevedo points out, “Firms may emphasize certifications and job experience over degrees, but many mid to lower-level companies outside the tech industry don’t understand this yet.”

Bridging the Gap

So, how do we bridge this gap? Here are some actionable solutions for both job seekers and employers:

For Job Seekers:

  1. Gain Hands-On Experience: Volunteer your time, work on personal projects, or seek internships to build practical skills.
  2. Certifications: Pursue relevant certifications to complement your hands-on experience.
  3. Networking: Join cybersecurity communities, attend conferences, and connect with professionals in the industry.

For Employers:

  1. Develop Pipelines: Create entry-level positions that allow candidates to gain hands-on experience while working towards certifications.
  2. Support Continued Education: Offer financial support for employees to obtain relevant certifications and degrees.
  3. Foster Internal Growth: Encourage internal mobility where employees can transition into cybersecurity roles from other departments, leveraging their existing knowledge and skills.

Real-World Example

Reflecting on my own journey, I was fortunate to serve in the military where both experience and certifications are highly valued. “Before I retired from the Air Force, I was gunning for all of the education and certifications I could get. I got my PMP, CISSP, and other certifications, but I also had hands-on experience,” I shared. This combination of experience and certifications made my transition smoother and highlighted the importance of balancing both.

Moving Forward

The cybersecurity landscape is continuously evolving, and so should our approaches to addressing the talent shortage. By balancing experience, certification, and education, we can build a more robust and skilled workforce capable of tackling today’s complex cybersecurity challenges.

In closing, it’s essential for both job seekers and employers to recognize the value of a balanced approach. For job seekers, it’s about gaining the right mix of experience and certifications. For employers, it’s about creating opportunities for employees to grow and develop their skills.

Thank you for reading, and stay tuned for more episodes of The Other Side of the Firewall podcast on Mondays, Tuesdays, Wednesdays, and Fridays, as well as the Ask A CISSP podcast every Thursday. Please like, share, and subscribe.

Stay safe, stay secure!

Ryan is a retired Air Force veteran who brings over 20 years of experience in network infrastructure, project management, and cybersecurity consulting to his current role at BuddoBot. At BuddoBot, he is dedicated to supporting national security by helping organizations transition from costly, reactive, and automated IT and security practices to proactive and robust security solutions.

Shannon, also a retired Air Force veteran, has more than two decades of expertise in network security and vulnerability management. He now serves as an Information System Security Officer (ISSO) for the U.S. Space Force, where he continues to enhance national security protocols.

Daniel is an Air Force veteran with over 15 years of combined experience in IT, cybersecurity, information assurance, and government risk compliance. He has held various roles, including IT administrator, cybersecurity engineer, senior information system security manager, and currently serves as a senior security consultant for Booz Allen Hamilton. In this latest role, Daniel leverages his expertise to address unique and complex challenges in the cyber and IT domains, enhancing his customers’ capabilities.

Ryan Williams Sr.

Cybersecurity Professional | CISSP | PMP® | Founder & Host of The Other Side of the Firewall & Ask A CISSP Podcasts | Retired U.S Air Force Vet | DE&I Advocate