ISC2 – the US-based nonprofit membership group for cybersecurity people – has published its 2025 Cybersecurity Hiring Trends Report. Based on 929 hiring managers across Canada, Germany, India, Japan, the UK and the United States, the report found when evaluating candidates, managers prioritise those with hands-on IT experience or cybersecurity certifications over those with education in IT, cybersecurity and computer science that lack professional experience.
ISC2 Chief Qualifications Officer Casey Marks said: “Entry- and junior-level roles are critical for the future of the cybersecurity profession. Investment in people and career-long learning will always be essential components of resilient cybersecurity teams. This year’s Hiring Trends Report reveals how cybersecurity hiring managers recognize the importance of providing opportunities to the next generation of cybersecurity professionals and our research can help others managing cyber teams create a roadmap for hiring and developing entry- and junior-level team members.”
According to the research, 90 per cent of respondents would consider candidates with prior IT work experience only and 89pc would consider those with only entry-level cybersecurity certifications. In contrast, only 81pc would consider candidates who only have an education in IT, cybersecurity or computer science.
Early career
A majority of hiring managers surveyed (56pc) said that training entry-level cybersecurity team members to handle tasks independently typically takes four to nine months, while 45pc said the same for junior-level practitioners. Moreover, hiring managers reported spending between US $1,000 and $4,999 to train entry- (45pc) and junior-level (38pc) team members to handle tasks independently. Most hiring managers surveyed also recognise the importance of supporting the long-term growth of entry- and junior-level employees. In fact, 91% of hiring managers reported providing professional development opportunities for these team members during work hours.
Skill expectations
Hiring managers also reported specific expectations around the tasks typically assigned and handled proficiently by entry- and junior-level cybersecurity talent.
Top tasks for entry-level professionals include:
• Documentation (Processes, Procedures) (43pc)
• Alert and Event Management (35pc)
• Reporting (Developing, Producing) (32pc)
• Physical Access Controls (30pc)
• User Awareness Training (29pc)
Top tasks for junior-level professionals include:
• Backup, Recovery and Business Continuity (53pc)
• Intrusion Detection (53pc)
• Alert and Event Management (51pc)
• Relevant Frameworks (50pc)
• Penetration Testing (50pc)
AdOther findings include:
Nearly 25pc of hiring managers who recruit from education programs (55pc of participants) said they have sourced candidates from programs outside of computer science, IT or cybersecurity. Some 55pc(internships) and 46pc(apprenticeships) of respondents believe these are effective methods for identifying early-career talent. Sectors such as education, healthcare, government and more are adopting these methods. Three of the top five skills that hiring managers prioritize – when asked to rank both technical and non-technical – are related to non-technical abilities, such as teamwork, problem-solving and analytical thinking.
Attracting top talent depends on strong job descriptions, screening applications and assessing potential candidates. Hiring managers set most job requirements – skills, education, certification, experience and clearances – while HR defines non-technical skills. However, screening applicants is a shared responsibility. As for evaluating candidates: most, 84pc of hiring managers use skills-based assessments and/or tests for entry- and junior-level cybersecurity applicants and 54% say they have passed on candidates due to their social media activity.
Visit https://www.isc2.org/.
