Cybersecurity hiring practices: From degrees to real-world skills

by Black Hat Middle East and Africa

Companies are changing the way they find and hire talent. Conventionally, it was almost a given that you’d need a formal degree in computer science, IT, or a related field if you wanted to break into cybersecurity. But that’s no longer the whole story – a growing number of organisations are focusing on what candidates can actually do, rather than where or what they studied. 

This shift away from traditional degree requirements is opening doors for people from diverse backgrounds and making the hiring process more inclusive. And importantly, it’s a move that could help address the shortage of skilled cybersecurity professionals.

Changes in the cybersecurity hiring landscape 

We asked Max Imbiel (CISO at Bitpanda) what he looks for in new hires. He oversees cybersecurity in the fast-paced crypto and fintech space, and he said: “There are of course multiple dimensions to this task of hiring talent.” 

The key questions that guide his hiring decisions are: 

  • “Do I have the right inclusive wording and definitions on the application form?”
  • “Do I need someone with experience in a certain area or can they be trained on the job?”
  • “Do they fit our team and company culture?”
  • “What are their ambitions?”

For Imbiel, “the person behind a profile is always more important than just the skills and certifications.” 

This highlights a growing recognition across the industry that a piece of paper isn’t everything. What really counts is the candidate’s ability to demonstrate skills, problem-solving capability, and cultural fit.

Skills over credentials: Why it matters 

Why is this a good thing? 

Because cybersecurity needs people. According to the (ISC)² Cybersecurity Workforce Study 2024, there are nearly 3.5 million unfilled cybersecurity jobs worldwide. Relying solely on degree holders limits the pool and excludes many capable individuals who have taken different routes into the profession.

By considering candidates based on demonstrable skills and experience, like hands-on knowledge of security tools, scripting, threat detection, or incident response, employers create a more practical and inclusive approach to finding talent. This approach values self-taught talent, boot camp graduates, career changers, and even those coming from non-technical backgrounds who have acquired relevant skills through unconventional paths.

Inclusive hiring opens the door to diverse talent 

This evolution in hiring practices has important implications for diversity and inclusion. By removing the strict degree gatekeeper, cybersecurity roles become accessible to a broader spectrum of candidates – including those from underrepresented groups.

The tech industry has long struggled with inclusivity, but shifting the focus to what candidates can show they can do (instead of what a piece of paper says they can do) helps level the playing field. This change invites people who may not have had access to traditional university education – maybe due to economic, geographical, or social barriers – to compete on a more equal footing.

Imbiel’s approach at Bitpanda reflects this inclusive mindset. He emphasised the importance of carefully worded job descriptions to avoid alienating potential applicants. For example, overly rigid or jargon-heavy job adverts can discourage talented candidates who might not tick every box on paper but have the potential to grow quickly.

What should cybersecurity professionals focus on? 

For those looking to enter or grow in cybersecurity, Imbiel recommends focusing on building a tangible skill set relevant to the job market, particularly in high-growth sectors like fintech and crypto: 

“Anyone interested in this space should learn not only cybersecurity fundamentals but also understand how financial technologies work, the regulatory landscape, and the specific threats facing crypto,” he said.

Practical experience through internships, capture-the-flag (CTF) competitions, online labs, open-source projects, or certification programmes like CompTIA Security+ and Offensive Security Certified Professional (OSCP) can help candidates stand out – often more than a degree alone.

Hiring for potential, not just paper 

As well as casting their hiring nets wider, organisations are also investing more in training and on-the-job development – because they recognise that while skills can be taught, qualities like adaptability, curiosity, and resilience are harder to instil.

“We look for people who are hungry to learn and can quickly adapt to new challenges,” Imbiel said. This attitude ensures the team remains agile in a field where threats evolve daily.

As we move into the second half of 2025, we expect to see the move towards skills-based and inclusive hiring continue. Employers are taking into account the whole person instead of just a checklist of qualifications, and this is good for everyone – employers, candidates, and the industry as a whole – because it unlocks hidden talent and drives innovation. 

Imbiel summed it up like this: “The person behind a profile is always more important than just the skills and certifications.” 

And that philosophy is helping to reshape how cybersecurity teams build the future – one skilled professional at a time.
