Foreword
Colleagues and friends,
I continue to be proud of the work ISC2 delivers as a global voice on behalf of its members, and this 2025 ISC2 Cybersecurity Hiring Trends Report spotlights how vital cybersecurity certifications continue to be. I am also immensely thankful for the opportunity to provide a few thoughts regarding this important work.
I’m encouraged that three quarters of respondents are investing in their employees via training, vital to keeping pace with emerging challenges. I am also heartened at the strong showing for apprenticeships and internships as a path for security talent, which I have personally found rewarding and effective. Further, the report highlights the importance of broadening hiring outside traditional STEM/CompSci backgrounds and leveraging psychology, communications, business and internal roles outside IT. Some of my best hires and managers came from retail, restaurants and construction management, highlighting (as this report shows) the increasing relevance of soft skills to effective cybersecurity candidates.
We also have some work to do, based on these results, to continue to educate the marketplace and create realistic and balanced job descriptions. Certified in Cybersecurity (CC) has a strong presence in the marketplace in only its third year. However, over a third of hiring managers wanted to see advanced certifications (CISSP, CISA, CISM) and unlikely or unfeasible skills in entry and junior-level hires. This has been a problem for some time and it seems the battle continues.
My organization had a downsizing, one of many consulting firms that were challenged over the past few quarters. I found my role made redundant just before the 2024 holidays along with several others in my firm, enduring a typical unemployment period seeking my next great adventure. Reporting from the front lines, the hiring environment has dramatically changed and not for the better. In talking with recruiters in many key cybersecurity economies, staffing is becoming increasingly challenging as recruiters are slammed with AI-polished resumes delivered via automation, many times seeing more than 1,000 applications in the first day of a job posting. With so much noise, how do we ensure true professionals are finding roles? The answer is the same that caused ISC2 to be founded 35 years ago - certification.
As this report shows, certification continues to deliver differentiation in the marketplace, outpacing education and nearly on par with experience. Certification has never been more crucial to ensure there is clear qualification of cybersecurity professionals, enabling those holding CCSP, CISSP, ISSAP, CSSLP and other ISC2 credentials to stand out in a crowded and increasingly automated field. Never has certification accreditation, such as ANSI ISO/IEC 17024, been so important to cybersecurity, to ensure that those credentials matter and can be relied on by hiring managers and recruiters as independent verification of competency to a benchmark standard.
I encourage you to read this report and see how your opinions and practices may change. I found some surprises that I know will change my hiring perspectives going forward. The future is bright, even if the path continues to not be easy, as our profession continues to grow and learn in unexpected ways. I hope to see you at the 2025 ISC2 Security Congress for one of those great ways we can grow together!
Warmest Regards,
Dan Houser, ISSAP, ISSMP, CISSP, CCSP, CSSLP, CC
ISC2 2024 Board of Directors Chair
2025 Cybersecurity Hiring Trends:
Why Investing in Entry- and Junior-Level Talent is Key to Building a More Resilient Cybersecurity Workforce
As a profession, cybersecurity has enjoyed a long period of high personnel demand in the face of restricted supply. However, ISC2 research has shown that the economic and geopolitical factors that have weighed on other parts of organizations in recent years are now impacting cybersecurity teams and departments to the same degree. Cybersecurity professionals and hiring managers charged with recruiting and retaining staff for these critical roles are now dealing with unprecedented budgetary pressures that make building and retaining resilient teams even more challenging.
Nonetheless, cybersecurity remains an essential, in-demand and well-rewarded career path, offering both vast opportunities and complex challenges for hiring managers who are competing for top talent from a limited pool of candidates. The current climate has also put entry- and junior-level personnel and candidates in the spotlight, with the need to maintain and progress cybersecurity professionals through cybersecurity teams remaining a key consideration for hiring managers, as well as ensuring that job descriptions for early-career roles are realistic and achievable.
Success also relies on investing in and retaining the right people at every level as well as every part of the organization. To understand how cybersecurity hiring managers are finding success investing in entry- and junior-level roles, ISC2 surveyed 929 hiring managers across organizations of all sizes in Canada, Germany, India, Japan, the U.K. and the U.S.—six countries identified as having established or growing cybersecurity staffing needs. All respondents had entry- and junior-level cybersecurity personnel on staff and recruited for such roles in the two years prior to the survey taking place.
Key Findings
The following key findings highlight the main opportunities and challenges hiring managers face when building entry- and junior-level cybersecurity teams:
- When it comes to hiring entry- and junior-level cybersecurity professionals, security managers prioritize hands-on experience and certifications over relevant education. In fact, most would consider candidates with only previous IT work experience (90%), or those who only hold an entry-level cybersecurity certification (89%), over those with only education in IT, cybersecurity or computer science, suggesting that relevant experience and certifications can often outweigh a degree alone when competing for cybersecurity roles.
- Internships (55%) and apprenticeships (46%) are considered powerful tools for identifying and recruiting early-career cybersecurity talent. While standard job postings and staffing/recruiting firms remain top sources for identifying or recruiting entry- and junior-level hires (tied at 57%), sectors such as education, healthcare, government, IT services, and telecommunications are turning to internships just as often—or even more. This shift is especially pronounced in India, the U.K. and the U.S. Meanwhile, hiring managers in energy and utilities are increasingly relying on apprenticeships to fill critical roles.
- While nearly 3 in 5 cybersecurity hiring managers (58%) said they are concerned about attrition among entry- and junior-level team members, most said they have both the budget to invest in their professional development (75%) and to adequately staff their team (73%). The research affirmed that training entry- and junior-level talent is not only fast but also cost-effective, making it a strategic investment with a high potential return.
- About a quarter of cybersecurity hiring managers that recruit from education programs (55% of participants) have identified entry- and junior-level cybersecurity talent from programs outside of computer science, IT, or cybersecurity, highlighting an opportunity to broaden the talent pool by considering candidates from both IT and non-IT academic backgrounds who may bring fresh perspectives to the field.
- Indicators point to cybersecurity hiring managers valuing non-technical skills as much as, or in some cases, more than, technical skills. The ability to work in a team, problem-solving and analytical thinking rank highest, ahead of data security and cloud security. This signals that hiring managers are not necessarily prioritizing technical know-how; they are looking for collaborative, adaptable thinkers who can tackle the complex problems impacting the cybersecurity landscape.
- There is a recurring disconnect between the skills and credentials that security managers expect from entry- and junior-level cybersecurity professionals versus what this group can realistically achieve at this stage in their career. Take cloud security, for example—the top technical concept that security managers said entry- and junior-level candidates should be familiar with. Despite viewing it as an important concept to understand, only 18% of managers believe cloud security tasks could be handled by an entry-level professional, while 46% said junior-level expertise was required.
Despite the positive hiring plans stated by respondents at the time this study was conducted in December 2024 (75% of hiring managers had planned to hire more cybersecurity professionals during 2025, while nearly 90% had open positions at their organization), the cybersecurity profession (like many others right now) is still experiencing economic pressure that has arguably increased in recent months.
What’s more, simply hiring more employees is not a guaranteed fix for skills shortages within cybersecurity teams. Organizations should consider a more holistic approach—examining not just their recruitment and hiring strategies, but also what drives employee retention. Hiring an external candidate can be a significant expense, with the average cost per hire in the U.S. at nearly $5,000, so the importance and value of retention during a period of economic pressure increases.
By analyzing the stages of the employee lifecycle and developing or even reframing recruitment and retention strategies, organizations can uncover staffing opportunities and focus their efforts on securing the best talent.
One key consideration is the role of entry- and junior-level talent in filling cybersecurity vacancies. As seen in ISC2’s previous hiring manager and cybersecurity professional research, respondents indicated that many security managers (and perhaps organizations) are still setting unrealistic expectations and using unachievable job descriptions for early-career cybersecurity professionals. This is occurring even though many of the most pressing skills gaps can be filled by this group with the right training, support and realistic role parameters.
Hiring managers can effectively target this critical group, whether by refining job descriptions, providing clear development trajectories, or offering structured training and mentorships. Hiring strategies that include sourcing candidates from alternative pathways—such as internships, apprenticeships, and non-traditional educational or training backgrounds—can also help strengthen talent pipelines and foster a new generation of cybersecurity professionals from which hiring managers can draw. It is more important than ever for organizations to have these tools in place to stay ahead in a profession that demands continuous learning and adaptation.
Trends in Candidate Sourcing
Echoing the findings from the 2022 ISC2 Cybersecurity Hiring Managers Guide, staffing/recruitment organizations and standard job postings remain the top sources for identifying or recruiting entry- and junior-level cybersecurity candidates. However, this year’s findings highlight the importance of internship and apprenticeship programs in sourcing early-career cybersecurity talent, which ranked among the top five sources. In certain industries and countries, internships and apprenticeships are used just as much, if not more, to source early-career cybersecurity talent. For instance, industries such as education, healthcare, government, IT services and telecommunications are using internships more frequently than other industries to identify candidates. Regionally, this trend is also evident in India, the U.K. and the U.S. Meanwhile, in sectors like energy and utilities, cybersecurity hiring managers are increasingly relying on apprenticeships to fill critical roles.
Internships and apprenticeships often serve similar purposes but differ in structure. Typically, internships are shorter term placements (often during or after university) that offer exposure to office-based work but may not guarantee a job at the end. Apprenticeships, on the other hand, are usually longer term and combine on-the-job training with formal instruction and usually lead to a job upon successful completion. In some countries, like the U.K. and Japan, apprenticeships have traditionally been associated with trades, but they seem to be gaining more traction in professional fields like cybersecurity. However, internships are still used more widely than apprenticeships as pathways for entry- and junior-level talent into the field.
The fourth most cited method for identifying cybersecurity talent is through colleges and universities. Among cybersecurity hiring managers who recruit from this source, the majority find entry- and junior-level candidates from relevant undergraduate (80%), graduate (80%) and associate (72%) programs—with degrees in IT, computer science or cybersecurity.
However, a clear trend has emerged: Some cybersecurity hiring managers are looking beyond traditional academic and professional backgrounds when needing to fill entry- and junior-level cybersecurity roles. Nearly a quarter of those who recruit from colleges and universities said they had identified candidates from courses and backgrounds not directly related to cybersecurity or computer science (27% from undergraduate degree programs, 20% from graduate programs). This trend was mirrored inside organizations as well. Among the 22% of hiring managers who sourced cybersecurity talent from other departments within their organizations, most recruited from IT (85%) and technical support/help desk (68%). However, they also found candidates from their finance (39%), HR (38%), communications (37%), customer service (35%) and marketing (31%) teams.
This trend indicates the value that professionals from non-IT backgrounds can bring to the field, offering fresh perspectives, business acumen, technical and non-technical (soft) skills, and innovative thinking to the cybersecurity team.
Developing the Hiring Process
Several important steps in the hiring process help organizations attract top cybersecurity talent, including writing job descriptions, screening applications and assessing potential candidates. But who oversees these processes and why does it matter?
Job Descriptions
A job description is often a candidate’s first impression of an organization. It’s more than just a list of requirements; it also serves as a reflection of the company and should accurately depict what the role entails, as well as be realistically targeted. A job description requiring an experience-heavy candidate for an entry-level role would be an unrealistic outcome, prolonging the hiring process and significantly reducing the chances of a successful hire. Our findings reveal that IT and cybersecurity hiring managers typically take the lead in defining most requirements, such as technical skills, educational background, certifications, professional experience, security clearances and keywords for applicant tracking systems. The one exception? Non-technical skills and personality attributes, which are more often shaped by HR.
Hiring managers in the U.K. and India (both 74%) are significantly more likely to say that HR determines non-technical skills and personality attributes compared to managers in the U.S. (60%), Germany (53%), Canada (51%) and Japan (45%).
Screening Applications
For entry- and junior-level positions, application screening is most commonly a shared responsibility between IT/cybersecurity hiring managers and HR (53%). In other cases, it is handled exclusively by IT/cybersecurity hiring managers (35%) or solely by HR and software tools (13%).
This division of responsibility indicated by respondents mirrors the process of writing job descriptions, ensuring that both technical and non-technical qualifications are carefully considered during the screening stage.
Advice for Job Seekers
- Be prepared to demonstrate your knowledge in action, not just on paper. According to the study respondents, most organizations (84%) use skills-based assessments and/or tests for entry- and junior-level cybersecurity applicants.
- Your online presence matters more than you might think. Over half of hiring managers (54%) say they have passed on candidates due to their social media activity.
The Role of Certifications
When recruiting entry- and junior-level cybersecurity professionals, hiring managers prioritize hands-on experience and certifications over relevant education. In fact, most respondents (90%) stated they would consider candidates with only previous IT work experience, or those who only hold an entry-level cybersecurity certification (89%), suggesting that relevant experience and certifications that validate foundational competence carry additional weight in the hiring decision-making process, potentially outweighing a degree alone when competing for cybersecurity roles.
Additionally, when assessing the importance of previous IT experience, IT/cybersecurity certifications and relevant education, nearly all security managers considered these attributes as either critical or nice to have. However, when prioritizing only the critical attributes, IT/cybersecurity certifications (47%) ranked slightly higher than IT experience (44%) and relevant education (43%).
So, which certifications hold the most weight? While most cybersecurity certifications are seen as "nice to have" rather than required, there are key exceptions. For entry- and junior-level professionals, three foundational certifications lead the professional certification requirement from hiring managers across both groups of early-career professionals: Certified in Cybersecurity (CC) introduced by ISC2 in late 2022, along with CASP+ and Security+ from CompTIA.
A closer look at the top certifications required for entry- and junior-level positions revealed a notable misalignment between employer expectations and feasibility. In line with the need for realistic job description requirements, the findings revealed that a significant proportion of hiring managers are still specifying industry qualifications that are unfeasible for these roles.
Many of the top certifications required for professionals seeking entry- and junior-level positions are intended to support more experienced cybersecurity professionals. For example, 38% of hiring managers said they require the CISA (ISACA) certification for entry-level positions, even though this certification demands a minimum of five years of professional experience in information systems auditing, control, assurance or security. Likewise, hiring managers expect around a third of entry- (34%) and junior-level (33%) candidates to have the CISSP (ISC2) certification, which also requires a minimum of five years of cumulative, paid experience in cybersecurity.
Top Sought-After Skills for Entry- and Junior-Level Roles
Indicators point to cybersecurity hiring managers valuing non-technical skills as much as, or in some cases, more than, technical skills. In fact, three of the top five skills that hiring managers indicate they value most – teamwork, problem-solving and analytical thinking – aren’t technical at all.
With these three attributes ranking ahead of data security and cloud security skills, we see a clear requirement for a blend of both technical and non-technical fundamental competencies. This signals that hiring managers are looking for collaborative, adaptable thinkers who can tackle complex problems in the cybersecurity landscape, rather than just technology specialists.
This trend varies slightly by country. For example, hiring managers in India stand out as the only group that listed technical skills in their top three rankings—without including any soft skills. This compares with the U.K., which was the country that specified an entirely non-technical top three set of skills priorities.
Here is the breakdown across technical, non-technical and personality attributes:
Navigating Skill Expectations for Entry-Level Roles
When asked what they would say to those who believe there are no true entry-level roles in cybersecurity, cybersecurity hiring managers consistently highlighted the value these candidates bring. They pointed to fresh perspectives, the ability to take on foundational tasks like malware analysis and penetration testing and the capacity to relieve senior team members of routine responsibilities.
Our research also revealed the tasks most likely to be assigned by experience level:
To truly practice what they preach, organizations should clearly define entry-level roles, perhaps also differentiating between “desired qualifications” and “required qualifications” in job descriptions. Early on, they can also communicate professional development opportunities and map career growth for these candidates. This will serve a dual purpose by empowering cybersecurity candidates to apply for roles with more confidence and helping prospective and current employees envision their long-term potential within the company.
Professional Development and Retention
Most cybersecurity hiring managers reported having both the budget to invest in entry- and junior-level workers’ professional development (75%) and to adequately staff their teams (73%) at the time this survey was fielded. Nearly 60% expressed concern about employee attrition. If resources are available, where does this concern stem from? Beyond certain job features like salary/wages and total rewards, the overall employee experience plays a critical role in employee retention, particularly professional development opportunities. A study of early-career professionals found that while about one-third (32%) of recent graduates intend to stay in their current job for four or more years, nearly twice as many—almost two-thirds (65%)—would stay for the same amount of time given consistent opportunities to develop in-demand skills.
Most organizations, based on participant feedback, are on the right track—91% of hiring managers who responded said they provide professional development opportunities for entry- and junior-level cybersecurity professionals during work hours. In some cases, engaging entry- and junior-level talent may be as simple as communicating these opportunities and providing concrete examples of how they can take advantage of them.
When looking across the different countries, hiring managers in Germany (99%) are significantly more likely to offer professional development opportunities for entry- and junior-level professionals than those in the U.S. (93%), India (91%), the U.K. (87%), Canada (89%) and Japan (86%).
The top professional development offerings that organizations provide to entry- and junior-level cybersecurity professionals include certification training/courses (65%), training/courses for non-certification skills/knowledge (59%), career pathing and advancement (57%) and mentorship programs (informal and formal) (50%). Notably, when hiring managers were asked about the most effective ways to train entry- and junior-level cybersecurity professionals, their responses mostly aligned with these existing offerings.
Despite mentorships being cited as one of the most effective ways to train early-career talent, half of organizations do not provide this option. The primary reasons for this are that organizations have other methods (37%), there’s a lack of staff who can or are willing to be mentors (36%) and a lack of time/security team is too busy (32%).
Training: High Return, Low Investment
Our research reveals that early-career cybersecurity roles are relatively quick to fill. Twenty-one percent of hiring managers say entry-level cybersecurity roles are typically filled in under a month, with another 40% reporting it typically takes just 1–3 months. For junior-level roles, 8% say these positions can be filled in less than a month and 34% within 1–3 months. These timelines stand in contrast to more senior roles, which often take longer to fill.
Once hired, training this group can be fast and cost-effective, too. Most hiring managers reported that training entry- (81%) and junior-level (79%) professionals to handle tasks independently takes less than a year. However, the training timeline varies slightly between these groups. For example, hiring managers are more likely to say that junior-level cybersecurity professionals require less time in the early stages, with 17% stating they can be trained in 1-3 months, compared to 8% for entry-level professionals. The majority of hiring managers surveyed (56%) said that training entry-level cybersecurity professionals typically takes 4–9 months, while 45% said the same for junior-level professionals.
When examining training costs, hiring managers commonly registered spending between U.S. $1,000 and $4,999 to train entry- (45%) and junior-level (38%) cybersecurity professionals to handle tasks independently. However, nearly a third (31%) indicate that training an entry-level professional costs less than $1,000, while a quarter (25%) report the same for junior-level professionals.
Conclusion
The findings of this study provide a clear view of the current cybersecurity hiring landscape, highlighting key challenges and opportunities for all hiring managers. Demand for key skills in the cybersecurity profession remains high. While most organizations had open positions and planned to hire more professionals in the year ahead when this survey took place, it’s critical to regularly reassess current recruitment, hiring and retention strategies to ensure they are viable and actionable and aligned with the current conditions the organization is operating within.
This doesn’t mean starting from scratch—it means refining current processes and thinking outside the box on how to attract top talent. Hiring managers should consider the following:
- Address the disconnect between employer expectations and entry- and junior-level realities. Our research shows that job descriptions for entry- and junior-level cybersecurity talent list requirements that are often difficult or impossible for these professionals to meet. This can create a catch-22—where employers struggle to find qualified candidates and early-career talent is locked out of opportunities that could help them build that very experience. Hiring managers should consider reevaluating their job descriptions and other hiring mechanisms to reflect the true nature of the role, making the distinction between “nice-to-have” and “must-have” qualifications clear.
- Embrace alternative pathways into the cybersecurity profession – hire for attitude, train for aptitude. As a relatively new and evolving field, cybersecurity requires a dynamic approach to talent acquisition. Traditional pipelines, such as relevant educational backgrounds and prior IT experience, remain valuable, but they are not the only routes to success in the cybersecurity profession. Hiring cybersecurity professionals from a broad spectrum of educational and professional backgrounds is an effective strategy to address shortages in candidates without compromising on standards. In fact, blending technical expertise with non-technical skills or personality attributes such as teamwork, problem-solving skills, analytical thinking, etc., can strengthen cybersecurity teams and bring fresh perspectives to the field.
- Leverage foundational certifications to identify high-potential talent. While some experience-based certifications are incompatible with early-career cybersecurity roles, foundational certifications provide an achievable and independent means to verify the competency of an entry- or junior-level candidate. These globally-recognized and reproducible baseline measures of knowledge and capability offer hiring managers a valuable tool to differentiate and evaluate these candidates.
The research shows that many security managers have already begun tapping into “non-traditional” talent pools and embracing non-technical, non-IT and foundational certified candidates. However, there is room to expand these efforts further, leveraging transferable skills from other industries to build a more sustainable and resilient cybersecurity workforce.
About ISC2 & Methodology
Survey Methodology
We surveyed a total of 929 cybersecurity hiring managers from Canada (158), Germany (155), India (152), Japan (154), the U.K. (155) and the U.S. (155) in December of 2024. Respondents were surveyed in their native or local languages. To be eligible to participate, managers had to have entry- or junior-level cybersecurity professionals on their teams. Most (94%) had hired entry- and junior-level professionals in the past two years. The margin of error for the global descriptive statistics in this research is +/- 3% at a 95% confidence level.
About ISC2
ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. More than 265,000 certified members and associates are a force for good, safeguarding the way we live. Our award-winning certifications – including cybersecurity’s premier certification, the CISSP® – enable professionals to demonstrate their knowledge, skills and abilities at every stage of their careers. ISC2 strengthens the influence, diversity and vitality of the cybersecurity profession through advocacy, expertise and workforce empowerment that accelerates cyber safety and security in an interconnected world. Our charitable foundation, the Center for Cyber Safety and Education, helps create more access to cyber careers and educate those most vulnerable. Learn more and get involved at ISC2.org. Connect with us on X, Facebook and LinkedIn.
© 2025 ISC2 Inc., ISC2, CISSP, SSCP, CCSP, CGRC, CSSLP, HCISPP, ISSAP, ISSEP, ISSMP, CC and CBK are registered marks of ISC2, Inc.