Source: www.csoonline.com – Author:
A process that should be about the excitement of career development or a fresh start has become a frustrating experience where automated systems overwhelm a confused and misguided recruitment regime.
When people think about starting a new job, words like “exciting,” “motivating,” and “rewarding” often come to mind. The search for a new role represents an opportunity to embrace fresh challenges, grow professionally, and explore untapped potential. However, for many in cybersecurity, the reality is far from this ideal.
The job market has become an exhausting and deeply flawed experience. What should be an inspiring journey often turns into a demoralizing maze, leaving candidates, recruiters, and hiring managers frustrated and questioning the system itself. If you’ve ventured into this landscape recently, you’ve likely felt the strain — clearly, something isn’t working, and it’s time for us to rethink how we approach the process.
The current economic landscape hasn’t helped. Inflation, high interest rates, and stagnant wages have pushed professionals to seek higher-paying roles, often out of necessity rather than ambition. At the same time, the ease of applying for jobs has reached unprecedented levels.
Automation hasn’t helped the hiring process
Tools such as LinkedIn’s one-click application feature have transformed what was once a thoughtful process into a scattershot approach. Candidates now send out dozens of applications in minutes, overwhelming hiring pipelines with irrelevant or poorly targeted resumes. Andrew Wilder, CSO at Vetcor, captures the frustration: “Qualified security professionals are now having to market themselves hard. The ease of applying for jobs creates noise, and that noise drowns out highly qualified candidates.”
Automation was supposed to alleviate this problem but has instead worsened it. Applicant tracking systems (ATS) were designed to handle large volumes of applications, but they often filter out strong candidates based on rigid keyword matching or superficial criteria.
These systems, derisively referred to as “application trashing systems” by many job seekers, eliminate resumes that don’t fit their narrow parameters. Professionals with years of relevant experience are rejected outright for lacking specific buzzwords or certifications. “Automation is papering over the cracks in a broken system,” Ziff Davis CISO Sai Iyer tells CSO. “ATS tools exacerbate the issue, and the result is a cycle where neither companies nor candidates get what they need.”
Some organizations don’t seem to know what they’re looking for
Even when resumes make it past the ATS, they frequently land on the desks of recruiters who may lack the expertise to assess nuanced cybersecurity roles. This is especially problematic in an industry like cybersecurity, where roles often require highly specific skills and experience. “What one organization calls a CISO is a completely different role elsewhere,” says Lee Mangold, CISO at Fortress Information Security. “Companies aren’t just struggling to find the right candidates — they don’t even know what they’re looking for.”
The frustrations don’t stop there. Cybersecurity professionals often encounter job descriptions that are contradictory or unrealistic, demanding expertise in every conceivable domain of security. This confusion trickles down from hiring managers, who often lack a clear understanding of the role themselves.
Mangold posed a critical question: “What, exactly, are you looking for in your CISO role? Do you know? I don’t think most organizations can answer this question, and I don’t think you can just blame that on HR — there’s a hiring manager somewhere who must tell HR what the job description should include.”
This lack of clarity extends to the broader recruitment process. Many companies rely on “ghost jobs” or “evergreen roles” to give the illusion of growth or activity. These are postings for roles that either don’t exist, have already been filled, or are merely kept live to build a talent pipeline.
While some see this as a proactive approach, it often backfires — signaling to candidates that a company struggles to hire or retain talent. Candidates spend hours crafting tailored applications for jobs that were never real to begin with, leading to frustration and eroded trust.
Ghosting candidates after numerous interviews erodes trust
Compounding this issue is the troubling phenomenon of recruiters and hiring managers ghosting candidates after multiple interviews, leaving professionals in the dark about their status and eroding trust in the process. Even when a job is legitimate, the hiring process itself often borders on the absurd.
Candidates are subjected to drawn-out interview cycles with 10 or more rounds spread over several months, often including requirements to produce detailed deliverables such as cybersecurity strategies, 90-day plans, or mock board presentations. This exhausting approach not only depletes candidates’ time and energy but also represents a staggering resource drain for companies, creating inefficiencies that benefit no one.
On top of these systemic issues, the cybersecurity employment market itself is shifting. Regulatory changes, such as the SEC’s new cyber disclosure rules, have led some companies to view cybersecurity as just another business risk to be managed, often through insurance rather than robust security leadership.
“Many firms have shifted their focus from hiring CISOs to simply managing risk through insurance and standardized disclosures,” veteran CISO Rich Ronston tells CSO. “This evolution, while cost-effective in the short term, undervalues the strategic importance of cybersecurity leadership and leaves companies exposed in ways they may not yet realize.”
Improving the hiring process should start with hiring managers
So, how do we fix this mess? For starters, companies need to redefine their approach to hiring and crafting job descriptions. Roles must be clearly articulated with specific expectations, responsibilities, and outcomes. This clarity would help recruiters and candidates alike, reducing mismatches and wasted effort.
Hiring managers must take ownership of this process rather than leave it entirely to HR or recruiters. Wilder also suggested that recruiters should experience the systems they enforce on others: “Every recruiter should have to apply for a job using their own job application system before making others use it.” This step would likely expose inefficiencies and drive improvements in user experience.
Companies must also address the inefficiencies of prolonged hiring cycles. Setting strict timelines for interviews and decision-making would not only improve the candidate experience but also reflect well on the organization. For high-level roles like CISOs, Wilder proposed a creative solution: establish pre-arranged contracts with external recruiters, akin to incident response retainers. This would enable companies to quickly scale recruitment efforts when internal teams are overwhelmed.
Finally, trust must be restored to the system. Ghost jobs need to disappear, and companies must provide transparent communication at every stage of the hiring process. AI tools are beginning to play a role here, offering solutions to improve communication by keeping candidates updated on their status, answering basic questions, and even providing recruiters and hiring managers with insights on their progress toward time-to-hire goals.
Building a cybersecurity job market that works for everyone
While these tools hold promise, they should complement, not replace, human engagement to ensure candidates feel valued throughout the process. Feedback should be mandatory for every interview, regardless of the outcome, creating a closed-loop system that respects candidates’ time and effort while fostering trust.
“Feedback isn’t just a courtesy; it’s a vital pillar of trust,” says Gianna Driver, former CHRO of cybersecurity firm Exabeam. “When delivered clearly and promptly, feedback transforms the hiring process, turning even a rejection into a moment of growth and respect for the candidate.”
The improving economic outlook presents an opportunity for change. With signs of recovery on the horizon, companies have a chance to revamp their hiring practices and eliminate inefficiencies that have long frustrated candidates and recruiters alike. The cybersecurity market is too critical to remain trapped in outdated approaches.
“The act of going from employed CISO to unemployed CISO decreases your value immediately,” Wilder says. “Companies need to rethink their approach to hiring if they want to attract and retain the best talent.”
The current system presents challenges for candidates, recruiters, and employers; however, it also offers a significant opportunity for improvement. By working together, we can transform hiring into a more efficient, transparent, and rewarding process.
Candidates can focus on crafting thoughtful applications and leveraging networks. Recruiters can embrace tools and training to enhance their ability to identify top talent, while hiring managers can take ownership of defining roles and streamlining processes. Each step forward contributes to a better system: one that values effort, fosters trust, and matches talent with opportunity. Positive change is within reach, and with intentional action, we can build a job market that works for everyone.
Original Post url: https://www.csoonline.com/article/3803346/cybersecurity-hiring-is-deeply-flawed-demoralizing-and-needs-to-be-fixed.html
Category & Tags: CSO and CISO, Human Resources, IT Jobs, IT Leadership