Cyber security is misunderstood

Some of the problem here can be attributed to the movie-driven image of cyber security professionals being “solitary geeks” in hoodies tapping away on keyboards in dimly lit rooms.

But the lack of alternative role models “is putting a lot of people off”, believes Amanda Finch, chief executive of the Chartered Institute of Information Security (CIISec). It is also narrowing the perception of the variety of roles available within the profession.

“Where some of the confusion comes from is that everything is now labelled ‘cyber security’ when it’s really information security, which encapsulates the cyber stuff,” Gillespie says. “Information security is governance, risk, compliance and audit but people focus on high-tech jobs, such as penetration testing and offensive hacking, as they appear sexier, even though they’re only a small part of the overall industry.”

Finch agrees. “Although we, as an industry, are doing a better job, we’re still not doing enough to explain how diverse the profession is in terms of roles and how much we rely on expertise beyond just pure cyber skills,” she says. “People like the idea it’s well paid and there’s work available, but it’s still seen as a bit of a dark art.”

Chris Wysopal is co-founder of application security company Veracode and a former L0pht hacker. He believes the problem is even more basic.

“One of the challenges is that high school kids with an aptitude for cyber security aren’t always aware of it as a profession,” he says. “They might be gamers or people who’ve played with different networking and AI tools and don’t know they could turn their interest into a career, so there’s a need for better industry promotion.”

Alternative talent pool potential

Another barrier to entry is a lack of clear pathways into the profession beyond going to university. This is important, believes Wysopal, as “many talented people who could be good practitioners aren’t the kind of person who wants to do four years at college”.

But it seems that some employers at least are recognising they could benefit from taking a punt on alternative talent pools.

For instance, a recent study by cyber training and certification body ISC2, titled 2025 Cyber security hiring trends, indicated that employers would consider candidates for entry- and junior-level jobs if they had previous IT experience or entry-level cyber security certificates over graduates with no work experience.

Unhelpfully though, a significant proportion of hiring managers also requested that entry- and junior-level jobseekers with certificates hold qualifications intended for more experienced professionals – a situation that inevitably makes it difficult for them to get a foot in the door.

As Finch says: “The first step is always really hard because organisations are overloaded and busy and so want experience. But we’re increasingly seeing people investing in raw talent, and organisations – such as IASME [formerly known as the UK Cyber Security Forum] – working with people on the [neurodiverse] spectrum.”

In a bid to do its bit, the CIIS itself is also offering an entry-level Extended Project Qualification (EPQ) in cyber security. To date, the EPQ has mainly been taken up by private schools, although some progress was made in inner city schools before the Department for Science, Innovation and Technology (DSIT) removed funding.

As a result, the CIIS is currently in the process of setting up a charitable arm to provide the industry with a legal route to help fill the financial shortfall.

Sourcing young talent

But non-traditional sources of employment still remain the exception rather than the rule. ICS2’s report indicates, for example, that recruitment and staffing companies as well as job postings (57% respectively) are still the most favoured hiring route.

Next on the list are internal internship programmes and colleges and universities (55% respectively). Offering internal cyber security apprenticeship programmes is growing in popularity (46%) though.

At the bottom of the pile is hiring people from other internal company departments (22%), taking on military veterans (12%), or other members of the military (8%). Another possibility that does not even make it onto the list is the young gamers currently being targeted by black hat hackers and organised crime.

“Online criminal gangs have to get their talent from somewhere too, so they hire in gaming forums and Discord servers,” Wysopal says. “They look for people with aptitude, and when they see someone dipping their toes into how to break systems or social engineer adversaries, they take an interest and become part of the conversation.”

Casey Ellis, founder and chief executive of crowdsourced security platform, Bugcrowd, agrees.

“Hackers are being recruited into cyber crime as young as 13 from multi-player gaming platforms, using the same recruitment methods drug dealers employed in the 1980s, with 12-to-18-year-olds being particular targets,” he indicates. “The idea is to get them when they’re young as they’re easier to manipulate, so the question is how does the industry step up and counter that to divert young people away from crime?”

It is one of the reasons Ellis set up Bugcrowd in 2012, he says. The company focuses particularly on harnessing the (ethical) hacking skills of millennials and older members of Generation Z to find hidden vulnerabilities in customer software. Between 600,000 and 700,000 have gone through its programme so far.

Playing black hats at their game

The Hacking Games, another organisation of which both Ellis and Wysopal are members, describes itself as intent on unlocking “unconventional talent (gamers, builders, rebels, and deep thinkers)” to “plug them into the global cyber security mission”.

It does this by providing Discord-based communities for young hackers and others from diverse backgrounds to join. This provides them with access to industry figures, mentors, and a jobs board listing open roles. Haptai, a hacking AI recruitment platform, also creates a profile to make it easier for them to explore career paths based on their strengths.

“The cyber security industry is at a disadvantage compared with the criminal gangs as it’s not hiring talented young people in the places they’re hanging out,” points out Wysopal. “But The Hacking Games is one of the things that can help solve that by getting to young people before they’re recruited by the bad guys. After that, it’s very hard.”

But the issue is not just about diverting young people from cyber crime today, Ellis believes. It is also about casting the net wider to better outsmart the criminal gangs and “future proof” the industry.

“There’s much gold in the younger generation,” he says. “It’s not just about finding them a job. It’s about getting their strategic input as they’re native to the tech environment we’re creating right now and so don’t have the assumptions we do – it’s important that we listen to each other and learn.”

A key challenge today though is the widespread misunderstanding of what a hacker actually is, Ellis says. “The difference between black hat and ethical hackers is the same as between burglars and locksmiths,” he points out. “They have the same skills and curiosity but different moral compasses.”

Wysopal agrees that “hacker is a loaded term”. On the one hand, he says, when he joined L0pht in 1992, its members were all hobbyists as there was no such thing as a cyber security profession. On the other, there are varying forms of hacking activity.

“Some people are criminal masterminds and are in it for the money, but there are also those who wrote a tool or tricked someone into handing over a password, who are on the fringes of criminality,” Wysopal indicates. “They may have broken the law, but you have to be careful not to tarnish someone’s entire career as a lot of this happens when people are juveniles.”

What to do with a convicted hacker?

As a result, he says, even with a conviction, he would be prepared to hire someone if he thought they had changed.

“There’s no black and white here,” Wysopal says. “It’s different if there’s a pattern of behaviour and someone’s a hardened criminal, but if they have a conviction for petty theft, it was just one time and it was 10 years ago, do I really not want to take them on as a software engineer?”

Nonetheless, there would inevitably be limitations on the kinds of work they could do, he says.

“The biggest challenge in hiring people with convictions is what does it look like to customers, especially if you’re engaging with them to do penetration testing,” Wysopal adds. “It’s an optics issue and putting a convicted hacker on a network and giving them the credentials to do a red attack feels too risky.”

This means his preference would be to have a convicted hacker work in back-office, non-customer-facing roles, such as researcher or member of the reverse engineering team, where explanations would not be required.

Gillespie agrees the situation is a tricky one. “If I wanted someone tried and tested, a former hacker might be a good idea,” he says. “But the challenge is that a lot of jobs, particularly if you’re dealing with high security government and defence projects, require clearance, and if someone has a conviction, it may prevent you from getting the job.”

Ultimately though, Wysopal believes it is time for the cyber security sector to hire more self-taught talent.

“To some extent, the industry needs to go back to its roots as the world’s a different place now to the 2000s when the industry started growing and graduates became the bulk way of hiring,” he says. “Young people aren’t playing with modems and a PC anymore – they’re playing online games in Discord groups, so you have to go where they are.”