Five Reasons Security Leaders Should Hire Entry-Level Staff

A lack of entry-level opportunities in cybersecurity is exacerbating the widely discussed skills gap in the sector.

Around a third of security teams have no entry-level professionals, an ISC2 report published in 2024 found.

The focus of hiring managers, the report identified, was on hiring mid to advanced level roles rather than a broad mix of experience and abilities.

Unrealistic requirements for entry-level roles that are available, such as expensive qualifications that require multiple years of experience to obtain, have also created major barriers to candidates looking for their first job in cyber.

By not opening up opportunities for entry-level candidates, security leaders may be missing out on talented staff who can help reduce skills gaps in their teams.

The difficulty in gaining an entry-level job could also reduce incentives for people to pursue a career in cyber, meaning an even smaller talent pipeline for the future.

Here are five reasons security leaders should consider adapting their strategies to focus on the recruitment of entry-level candidates. These could be graduates looking for their first job in the field, or career changers, aiming to transition to cyber from a different industry.

Focusing only on highly qualified and experienced candidates significantly limits the pool of available cybersecurity talent.

The lack of options has also pushed up salaries to unsustainable levels for many organisations – a particular issue in a time of declining budgets.

In a recent Infosecurity webinar, Goher Mohammad, explained that this is occurring for certain technical roles where there is a dearth of trained individuals, such as security architects.

Opening up entry-level positions, for those with little or no work experience in the field, offers an opportunity to overcome skills shortages, without a significant initial outlay.

In an interview with Infosecurity, UK National Highways CSO Keith Price said there is an urgent need to “rebalance” security teams by finding the next generation of talent today.

“A solid strategy would be to hire good people, and then spend the years developing them into specialists, as opposed to the current strategy of spending years hiring the unicorn or perfect candidate that likely does not exist,” he noted.

Stress and burnout have become prevalent in cybersecurity, leading to high costs on businesses and resulting in many professionals leaving the sector altogether.

Entry level staff can alleviate pressures on more experienced team members in the short term by taking over less technical, but time-consuming tasks, as they cut their teeth in the industry.

A report by ISC2 in June 2025 found that the top five tasks taken on by entry level cybersecurity professionals are:

• Documentation, such as processes
• Alert and event management
• Reporting
• Physical access controls
• User awareness training

Broadening opportunities in cybersecurity to those from different backgrounds can also introduce vital new skills to the team.

An ISACA survey published in October 2024 found that over half of security professionals believe soft skills are lacking most across the sector, including communication, problem-solving and critical thinking.

These are the types of traits that can commonly be found in individuals who have worked in other sectors.

For example, Simon Whittaker, CEO at security training firm Vertical Structure Ltd, said during a UK Cyber Security Council event that he has a former firefighter on his team, who is able to stay calm during cyber incidents due to his experience in crisis situations.

Research has demonstrated the immense value that workers aged 50 and above can have in cybersecurity, even when they have little technical knowledge.

This includes the ability to adapt to changing practices and technology, critical in cybersecurity. Another skill is problem-solving and finding complex solutions, having spent their formative years with limited technological assistance. 

In the aforementioned Infosecurity webinar, the NFL’s director of cybersecurity and risk management, Kam Karaji, noted that there are a range of non-technical roles in cyber which match skills candidates can potentially develop in other sectors.

This includes cybersecurity awareness training, where traits like communication and psychology are important. Another is governance, risk and compliance (GRC) where business and legal knowledge are vital.

Recruiting based primarily on attitude ahead of qualifications and experience can ensure the right mindset is established in the team.

Curiosity, collaboration and the willingness to learn are key traits for prospective cybersecurity professionals.

Such attitudes are vital in cybersecurity, where constant adaption to new technologies and attacker techniques is required. This means working in the industry is a continuous learning process, regardless of the technical skills you already have.

Individuals who have such traits are likely to engage in continuous self-development, as well as think of new ideas and ways of working.

Additionally, those entering the profession often look how teams operate with a fresh lens, rather than persisting with the same approaches that have been in place for years.

The UK Cyber Security Council panel explained how graduates and career changers often provide a completely different perspective to those who have been working in IT and cyber for many years.

Una Whelan, Global Head of Cyber Prevent at Vodafone, commented: “The things that my graduates are teaching me are just mind-boggling – we give them a question and they come back with a technical solution that’s suddenly embedded in our security operations centre.”

Employing entry-level cybersecurity personnel, and assisting their development, can help security leaders build a balanced and stable team for the future.

Retention is currently a problem in cybersecurity, with lack of progression opportunities cited as a major factor in professionals leaving their roles.

Security leaders should work with their employees on their development, including a clear progression plan. This approach is likely to improve retention rates.

It is easier to develop such a plan for those in the early stages of their cybersecurity careers, where there is a blank slate to work from. Leaders can identify the various job types and skills needed in their department, and work towards harnessing those.

Jeff Combs, a recruitment and career strategy consultant, noted that good leadership is consistently shown to be the biggest factor in growing people’s careers.

“It was a leader who fought for them, who had a vision beyond the immediate fix, and who recognised the value of building teams that not only were independent and able to operate within the scope of the mission, but also deeply integrated into the overall success of the programme,” he explained.

As a technical field, there has been a focus from cybersecurity teams on finding highly qualified and experienced professionals. This has had the effect of reducing opportunities for entry-level positions, which is exacerbating the skills crisis.

It is important for security leaders to adapt their hiring strategies and recognise the value that entry-level staff can have for their teams, far beyond just filling spaces.

This includes across a growing range of non-technical functions in cybersecurity, such as GRC. Additionally, many soft skills, such as problem-solving and willingness to learn, are transferable and can significantly boost teams’ capabilities in all areas.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?