Are We Setting Ourselves Up for Failure? Rethinking Cybersecurity Hiring Practices

In today’s rapidly evolving threat landscape, cybersecurity is more critical than ever. Yet despite the urgent need for talent, many organizations seem intent on erecting barriers that inadvertently exclude capable candidates. One of the most persistent and frustrating trends is the demand for a multitude of certifications, a bachelor’s degree, and five years of experience — for what is labeled an “entry-level” position.

Worse yet, the initial screening for these roles is often conducted by HR personnel with little or no technical background, leading to decisions that may not align with the actual needs of the security teams. The result? Qualified, passionate individuals are filtered out, while boxes are checked without a true assessment of a candidate’s ability to perform.

The Problem with “Entry-Level” Requirements

At its core, an entry-level role should welcome individuals who are beginning their careers, offering them an opportunity to develop skills and grow within the organization.
Instead, many job descriptions today demand:

  • Multiple professional certifications (such as Security+, CEH, or CISSP; the last of these is explicitly not an entry-level credential, since (ISC)² requires five years of paid work experience in two or more of its domains, with at most one year waived for a degree or an approved credential)
  • A four-year degree (often unrelated to technical ability)
  • Several years of professional experience in cybersecurity or IT

These requirements create a paradox: how does a candidate gain the experience needed if they are unable to enter the field to begin with? Moreover, certifications and degrees are not a guarantee of competence. A certification proves that a candidate passed an exam on a given day; it does not prove they can read a suspicious log, reason about an unfamiliar system, or detect, respond to, and contain a real-world threat under pressure. A candidate may hold numerous certifications and still lack that practical problem-solving mindset.

Why HR Screening Falls Short

While Human Resources plays a vital role in organizational health, screening cybersecurity candidates requires technical discernment. Unfortunately, many HR professionals lack the cybersecurity background needed to distinguish between what’s truly essential and what’s merely “nice to have.”
Common issues include:

  • Overemphasis on keyword matching with certifications and degrees
  • Lack of understanding of transferable skills (e.g., networking, scripting, risk assessment)
  • Inability to evaluate practical abilities such as log analysis, threat hunting, or vulnerability management

This approach prioritizes surface qualifications over core competencies, leading to a situation where talented individuals are overlooked because they lack a specific acronym on their resume.

What Needs to Change

To truly address the cybersecurity skills shortage — and build stronger, more resilient teams — organizations must rethink their hiring practices. A few key steps could include:

  • Partnering HR with technical teams: Allow cybersecurity professionals to help design job postings and participate in candidate screening.
  • Focusing on core skills: Prioritize practical skills like analytical thinking, troubleshooting, scripting, and understanding of basic security principles over checklists of certifications.
  • Investing in training and mentorship: Recognize that entry-level hires should be viewed as an investment, with a plan to nurture and grow their abilities.
  • Evaluating through hands-on assessments: Short technical tests or practical exercises (for example, triaging a handful of suspicious log entries, explaining what a given firewall rule permits, or writing a short script to parse an export) can reveal far more about a candidate's potential than a resume ever could. Keep them brief and relevant to the actual role, and score the candidate's reasoning and questions, not just whether they land on a single expected answer.

Final Thoughts

The cybersecurity threat landscape does not wait for bureaucracy to catch up. Organizations that cling to outdated hiring models risk not only alienating future cybersecurity professionals but also leaving their defenses vulnerable.
It’s time to rethink what truly matters: capability, potential, and passion — not just a list of degrees and certifications.
By creating smarter, more inclusive hiring processes, we can build a stronger cybersecurity workforce ready to meet the challenges ahead.
