The Cybersecurity Skills Gap: The Hiring Problem No One Wants to Admit
We’ve all heard it before—companies are facing a crippling skills gap in cybersecurity. Headlines scream about a shortage of talent, a growing number of unfilled jobs, and the dire consequences of not hiring fast enough. Yet, for all the panic, the real problem isn’t the lack of qualified professionals. The problem lies behind the scenes, embedded in the very hiring process itself.
Here’s the uncomfortable truth: It’s not that the talent isn’t out there—it’s that companies are looking in all the wrong places, using all the wrong tools. They’ve turned hiring into a game of keyword bingo, favoring checkboxes over creativity and self-starters. In an industry where adversaries don’t have résumés, where hackers don’t care about your job titles, and where cybercriminals holding your data hostage have never heard of a CISSP, hiring managers seem more concerned with finding paper-perfect candidates than actual problem solvers.
The result? A fundamentally broken hiring system. And the fallout from this isn’t just in talent shortages—it’s in companies unprepared for the very threats they claim to fear.
Misunderstanding the Cybersecurity Battlefield
Here’s where it all goes off the rails: companies still believe cybersecurity is just another arm of IT. You see it in the job postings—roles that demand a Frankenstein list of qualifications that would make even the most experienced cybersecurity pro wince. They want network security, risk management, software development, incident response, cloud security, and of course, every certification under the sun. A jack-of-all-trades who can do everything with minimal resources and maximum results.
Let’s get real. Cybersecurity isn’t an extension of your IT department. It’s a beast of its own. IT security guards the castle—keeps the firewalls strong and makes sure systems run smoothly. Cybersecurity? That’s warfare. It’s hunting adversaries who don’t play by the rules. It’s finding flaws in systems designed to resist them. And yet, many hiring managers are still searching for candidates using the same cookie-cutter IT recruitment tactics.
In Canada, the disconnect is especially obvious. As senior IT leaders cling to outdated notions of security, they often fail to appreciate that cybersecurity demands a different kind of professional. What they’re missing is that this field evolves faster than they can imagine—and the adversaries don’t wait for you to figure it out.
Hiring Managers Have Become Human Text Parsers
Let’s talk about the elephant in the room: hiring managers have become human text parsers, searching for candidates the same way an algorithm scans a document. They feed résumés into an ATS (Applicant Tracking System) or review them with a checklist in hand, eyes darting for the "right" keywords—CISSP, CEH, CISM—plus five to ten years of experience in every hot technology out there. But they’re missing something crucial: they’re filtering out the very people who could save them from their worst nightmares.
Cybersecurity professionals aren’t built from certification mills or boot camps. The best in the field are self-taught, scrappy, and obsessed with solving problems. They’re challenge-seekers, constantly tinkering with code or breaking into systems to understand how they work. They don’t always follow traditional career paths. But in today’s hiring process, those professionals are often cast aside because they didn’t fill out their résumé like a textbook.
The kicker? In the real world, these pros are facing off against adversaries—hackers, cybercriminals, and state actors—who hold zero certifications, don’t have a résumé, and couldn’t care less about how your job requirements are worded. These are people who breach your defenses in their pajamas, fueled by caffeine, not diplomas. And the cybersecurity professionals who can outthink them? They’re getting filtered out by HR systems built to identify clerks, not cyber warriors.
The Startup Approach: A Better Way to Hire
The traditional hiring model has become a 30-minute, surface-level conversation on Zoom, where candidates are judged on how well they check the boxes on a piece of paper. But in the fast-paced, high-stakes world of cybersecurity, that’s not how you find talent. The real leaders in this field know it. Take startups, for example—they hire differently. They slow down the process, not by dragging their feet, but by actually investing time into understanding their candidates.
Startups don’t just glance at résumés. They engage in multiple rounds of interviews, tests, and even casual conversations, drawing out the candidate’s problem-solving ability, tenacity, and hunger for challenges. Startups want to know if you can pivot under pressure, outthink an attacker, and keep up when the rules of the game are constantly shifting. They value adaptability, not just what certifications you’ve stacked up.
This is exactly what the cybersecurity industry at large needs—a hiring paradigm shift. Hiring managers need to stop parsing text and start looking for potential. They need to test how candidates think on their feet, not how well they regurgitate industry jargon. The industry itself is chaotic and rule-breaking, so why are we hiring as if the job requires a predictable, certification-stamped soldier?
The Pay Disparity Problem: Canada’s Race to the Bottom
The hiring problem is made worse by something no one in Canada wants to talk about: money. The pay disparity between Canada and the U.S. is stark. In the U.S., cybersecurity analysts earn between USD $90,000 and $100,000. In Canada, that same role is lucky to pull in CAD $80,000. For senior roles, like cybersecurity engineers or CISOs, the gap becomes a chasm.
Why would the best talent stick around in Canada when U.S.-based companies are offering them almost double the pay? Even with the rise of remote work, Canadian firms aren’t able to compete. The result? Canada’s top cybersecurity professionals are increasingly heading south, either physically or virtually. And the few who do stay? They’re getting poached by U.S. companies that can afford to outbid anyone.
Gatekeepers, Bias, and Ego: The Silent Killers of Good Hiring
If pay disparities weren’t enough, there’s another layer blocking the path to smart hiring: ego and bias. Often, gatekeepers—whether recruiters or senior IT leaders—are making decisions based on outdated notions of what makes a good cybersecurity candidate. They’re filtering for degrees, certificates, and polished résumés instead of practical experience and problem-solving ability.
What’s more, many IT leaders are uncomfortable with the idea that cybersecurity is a completely different discipline from their own. Instead of welcoming experts with specialized knowledge, they’re gatekeeping. It’s ego-driven hiring at its finest—where the very leaders making the decisions are afraid of bringing on talent that could expose their own shortcomings.
The Broken Matchmaking Process: Time to Look Inward
Let’s stop pretending the problem is just a skills gap. If companies can’t find talent, maybe the issue lies within the companies themselves. If you’re still searching for that "perfect candidate" who ticks every box, maybe it’s time to ask: Are we even looking for the right things?
What’s missing from the current hiring model is a human-centered approach. Companies need to stop treating candidates like keywords on a page and start treating them like problem solvers. Job descriptions need to be realistic, compensation needs to be competitive, and most importantly, hiring managers need to ask the right questions.
In a field where cybersecurity professionals are going toe-to-toe with adversaries who don’t play by the rules, the hiring process can’t be stuck in the past. The industry demands thinkers, tinkerers, and hackers—not certification-holding automatons. The only way to fill the so-called skills gap is to start hiring differently. If you can’t find the right people, it’s time to stop blaming the talent pool and start looking at your hiring practices.
Because let’s be honest: If you can’t find the right candidate, maybe the problem is you.