4 expert tips to revolutionize cybersecurity hiring (& build A-list teams)

Security incidents are rising, insurance premiums increasing, and the cost per incident is hard to overestimate. Paired with complex customer environments, cloud adoption, and an increase in remote work, protecting your IT infrastructure is more of a challenge than ever before. The result? 

We need more cybersecurity professionals.

The talent shortage, coupled with an ever-widening skills gap, is burning out teams and, ultimately, raises our susceptibility to the rapidly evolving risks we face. 

This all calls for a new way of hiring.

The huge cyber skills gap 

Cybersecurity talent shortages have plagued the industry for years, and they are only getting worse. 

However, there’s a common misconception that there’s a lack of entry-level candidates applying for these open cybersecurity positions.

The real issue here is that these candidates aren’t considered “qualified”. 

A demand for more qualified candidates with practical, real-world experience and skills has created this gap. And with many “entry-level” cybersecurity roles calling for 3-5 years of experience, something has to give. 

So, how do we close that gap? We need to redefine what “qualified” means and shift our focus on who the ideal candidate is. 

By embracing a skill-based hiring culture, we encourage the idea that anyone can become a cybersecurity professional when supplied with the right tools and support.

Whether it’s someone from your IT team, a recent graduate, or someone from an entirely different career background.

Practical tips to upgrade your cybersecurity recruitment strategy

Rethinking your cybersecurity recruitment strategy is more than just a good practice. It's a game-changer.

Imagine significantly reducing the time it takes to fill critical roles, providing a smoother and more effective onboarding experience for new hires, and fostering a more engaged and less burdened team.

This is not just about adding new members to your team. It’s about transforming the very fabric of your cybersecurity workforce, elevating your team's performance, and improving security posture.

1. Focus on skills over certifications

Qualifications and certifications can only tell you so much about a candidate. To properly assess whether a candidate can do the job, you must look at their skill set.

But how can we measure these skills? 

At HTB, we’ve noticed that effective teams map skills requirements to job and organization-related techniques—or system vulnerabilities and misconfigurations that teams will scout for on actual engagements. 

Our Professional Labs build skills that are mapped to the MITRE ATT&CK framework, relating critical skills to real job roles and responsibilities. Tracking these skills makes it easier to upskill (or test candidates) for a certain job role. 

So, if a candidate uses a platform like HTB, you can immediately see from their profile what areas they are skilled in and where the gaps may be. You can then use customized or pre-built labs to test their skills. 

💡Tip: Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.

This search feature works with specific MITRE tactics or techniques (for example, T1594 or Active Scanning) or with text keywords found in the course material. 

Let’s say you’re hiring for an incident response role. 

You can use Sherlocks to assess a candidate’s digital forensics and network security skills with a Lab such as Repetitive-D. This is a much more accurate representation of talent than going purely by education and certifications. 

We use HTB to evaluate the technical skill level of new hires—and it has been amazing at identifying talent. Internally, we leverage HTB to help support professional development and certifications required in the industry throughout our professional grades. We even plan to train our sales team using HTB!

 

Paul Craig, Chief Hacking Officer at Vantage Point Security 

Skills-based hiring also provides some reassurance that your latest hire is already aligned with evolving threat actor tactics, techniques, and procedures (TTPs). This can be helpful when presenting additional investment or potential hires to the wider businesses, you can show the tangible benefits they’ll bring to the organization. 

Hack The Box has been a great platform for us as a recruitment agency to quickly establish the caliber of candidates we represent for ethical hacking positions. The platform provides a credible overview of a professional's skills and ability and a ranking that clients consider when selecting the right hire. An active profile on HTB certainly strengthens a candidate's position in the job market, making them stand out from the crowd and highlighting their commitment to skill development.

 

Ryan Virani, UK Team Lead, Adeptis 

It’s important to manage your expectations and not expect all candidates to have the same skill set. Instead, search for a willingness to continuously upskill and a keen passion for the industry. This will give you an employee who wants to grow with your organization, provided you invest in their learning.

2. Go where the talent is 

By depending only on recruitment agencies or simply posting your jobs on popular career boards, you often receive applications with similar experience levels and certifications. This limits the potential pool of candidates, leading you to overlook some fantastic talent. 

Instead, hiring managers can adopt a much more precise approach to hiring by targeting cybersecurity professionals on the platforms they use. 

This saves both time and money, reducing the number of unrelated applications and recruitment fees. 

We spoke to Tom Williams, the former Principal Consultant at Context Information Security, 

who expanded his pentesting team by finding their profiles on cybersecurity upskilling platforms. He shared how taking a proactive approach to sourcing talent unlocks a unique pool of candidates. 

We finally were able to target an audience that exactly matched the type of skills we were seeking. There aren’t any other credible job boards that specialize in penetration testing, Red Team, or just focusing on cybersecurity roles.

 

Hack The Box offered us the opportunity to post jobs directly to a community of hackers. 

 

We got access to profiles that are non-traditional, this broadens your perspective and opens up a whole new addressable market of skilled candidates. 

 

Filtering by rank provided an indication of capability. It’s how we found Josiah, who was working in a Blue Team role at the time. His profile likely wouldn’t have reached us via a recruiting agency because it did not meet the typical criteria.

 

Tom Williams, former Principal Consultant at Context Information Security.

Hack The Box specializes in distinguished practical and guided cybersecurity training courses aligned with the NIST NICE and MITRE | ATT&CK frameworks, as well as unrivaled hands-on labs designed to help organizations close skills gaps, hire top talent, and protect infrastructure.

Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors. His career began with dedicated service to the U.S Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies. In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive. At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.