Better Cybersecurity Job Descriptions: A Matter of Degrees?

(Note: this blog was originally published at in May 2018)

About fifteen people joined the Peer2Peer Session “Wanted: Better Cybersecurity Job Descriptions. Apply Within” at RSA Conference on April 17. The attendees included several from the government sector, some from enterprises, a few from start-ups and even a couple from organizations focused on training and educating people to move into cybersecurity. The initial question was how we could improve cybersecurity job descriptions to encourage a broader applicant pool. Over the course of the discussion, the group noted several challenges to finding talent but also developed some recommendations.

One of the earliest and most recurring points was the way that college degree requirements were creating a barrier to finding talent. For example, veterans with significant experience but no college degree often find themselves locked out of government agency roles that ask for degrees. We were lucky to have several representatives from the government sector who shared their challenges in filling roles; in one example, their government customer pointed to someone on the current team and asked why that person couldn’t fill the role, and the team responded that the person in question didn’t meet all of the listed requirements. With that knowledge, the customer changed the contract to loosen the requirements and get the person they needed, rather than the non-existent person they assumed they wanted.

Contracts and schedules that impose unneeded degree requirements can limit the applicant pool significantly, and unlike the private sector, those requirements are harder to change. Even when degrees are not formally required, participants noted that the large volume of applicants often led to those with degrees being given preference in the application process. As an industry, how can we educate decision makers and encourage job descriptions and application processes that are more flexible with respect to formal education?

Other points:

  • Passion and communication: A couple of participants talked about recruiting for passion, curiosity and strong communication skills rather than specific degrees or certificates. Hiring managers and recruiters weren’t looking for “controls geeks,” but rather people who understood business and process and could push security without making it a hindrance for the business.
  • Certifications: The question of certifications came up briefly, and it’s worth comparing that to the degree discussion. Our government sector participants noted that certifications can help candidates distinguish themselves and save the agencies time on vetting.
  • Bias words: While gender issues in recruiting remain a hot topic of discussion in the industry, we only touched on this towards the end of the session, when one participant noted the research around particular words in job descriptions that tend to discourage female candidates.
  • Competing with the “big names”: Several participants, in both the public and private sector, noted the challenge of competing for talent with “cool” companies (e.g., Google, Amazon, Apple). Frills and salary get attention, but many participants spoke passionately about the unique opportunities in their organizations: “doing something that you can’t do anywhere else.” Their passion for their work and the opportunity got the attention of the group, who agreed that this passion needed to be harnessed and displayed in the job postings themselves. A couple of participants have had success with video job postings that allowed the hiring manager to speak directly to applicants and demonstrate their passion and culture. One attendee has even posted job videos on Reddit!
  • About millennials: A brief sidebar about millennials showcased biases and opportunities. Some hiring managers asked how to attract millennials to organizations or positions that were less “cool”, and the few millennials in the group responded that their generation was also concerned with doing meaningful work. After brief discussion, the group agreed that showcasing the importance of the mission and the opportunity to have an impact (versus being a small cog in a large wheel) could help attract younger candidates.
  • The “platypus” candidate: Remember that you are recruiting for a team rather than an individual; you can prioritize specific skills for a role within a larger team. You don’t need someone who can do everything – those are harder to find and rarely necessary.
  • Re-recruiting: Even when you lose good talent, they don’t always stay away. Some might be lured to a “name” company for a short time, but strong relationships with departed talent can help lure them back in a few years. Employees are often told not to burn bridges, but the same is true of employers.

One resource worth mentioning: CyberSeek, recommended by one of our session participants, who works with NIST. CyberSeek provides data and tools to help address the cybersecurity talent gap and could be useful for industry newcomers, job candidates and hiring managers looking for new talent. The heatmap provides a breakdown of cybersecurity job openings in the US by state, job title, framework category and certification desired. The career pathway shows different routes into a security career and includes feeder roles such as networking, software development and risk analysis.

How Can The Industry Do Better?

Coming away from this session, we had a few key takeaways. The most critical was around degree requirements. If you are in a position to influence job requirements, particularly at agencies developing contracts and schedules, push for flexibility around the degree requirements. In addition, focus beyond the technical skills and look at passion and curiosity. If you are struggling to attract talent, think about what’s unique about the opportunities on your team and consider new ways of reaching prospective candidates, such as video job descriptions.

Many of the session attendees mingled after the session had ended, sharing ideas and exchanging information. I look forward to hearing from many of you about new approaches that you’ve tried and what you’ve found to be effective.

Sandy Carielli

Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.
