
In the battle between defenders and attackers, one thing is constant: threat actors don’t wait. They innovate, adapt, and evolve at pace – and the cybersecurity industry has to keep up.
The recent ISC2 Cybersecurity Hiring Trends Study reveals a workforce under pressure. Organisations are not only battling complex threats but also struggling to find and train the people needed to fight them.
And this brings up an important question: are current hiring practices agile enough to match the speed of cyber evolution?
One positive change we’re seeing across the sector (and it’s evidenced in the ISC2 report) is growing flexibility in how hiring managers think about talent. The study found that 90% of cybersecurity hiring managers are open to candidates with prior IT experience, even if they don’t yet have formal cybersecurity credentials. That’s a shift towards practical, skills-based hiring.
When we asked Max Imbiel (CISO at Bitpanda) about his approach to hiring he said:
“So for me the person behind a profile is always more important than just the skills and certifications.”
This reflects a wider trend – recognising potential and mindset over rigid qualifications. But flexibility alone isn’t enough. Because while threat actors are constantly refining their tactics, onboarding and training in cybersecurity can still be a long and expensive process.
According to the ISC2 research, hiring managers report that it typically takes 4 to 9 months to train entry-level cybersecurity professionals to the point where they can operate independently. And for each of those new hires, organisations are investing between USD $1,000 and $4,999 in training costs.
That’s time and money well spent. But it also highlights the gap between threat actor agility and internal ramp-up speed. In contrast, threat actors don’t wait nine months to improve their skills. They’re exploiting new vulnerabilities within days, sometimes hours, of discovery.
So what can hiring managers do to keep up with the try-fast, fail-fast mindset of cybercriminals?
Conventionally, cybersecurity hasn’t prioritised soft skills. But that’s changing – because soft skills like adaptability, curiosity, and communication enable a person to learn fast.
Tools and threats will always change, but a candidate who knows how to learn quickly is valuable.
As Max Imbiel noted, it’s not just about technical boxes being ticked:
“Do I need someone with experience in a certain area or can they be trained on the job? Do they fit our team and company culture? What are their ambitions?”
These are questions that put growth potential front and centre.
It’s worth noting, too, that while there’s been a lot of noise about AI taking over entry-level jobs, there’s still strong demand for new starters in cybersecurity – but organisations do need to make sure they have the frameworks in place to train, mentor, and nurture junior staff through their first year.
While 56% of hiring managers are actively doing this, there’s still a disconnect in some organisations between the urgency of threat evolution and the speed of internal capability development.
Threat actors evolve without bureaucracy. They don’t need budget approval or HR sign-off to try something new. Cybersecurity teams, on the other hand, do. That means hiring managers need to think like threat actors – in terms of speed, agility, and innovation.
That might mean hiring someone who’s not the perfect fit on paper, but shows the grit and growth mindset needed to adapt. It might mean investing more in training or rethinking job descriptions to be more inclusive and realistic.
Because ultimately, if defenders don’t keep pace with attackers, the consequences can be severe. And the frontline doesn’t start with tools or policies – it starts with people.
Hiring managers can’t just hire for today’s threat landscape. They have to hire for tomorrow’s, because threats move fast.