The problem with Cybersecurity job descriptions

I’m sure that most of the people reading this will have at some point seen a job description that either makes them laugh or makes them feel pretty unqualified…


Entry Level Information Security Analyst  

Must hold a CISSP…. 

Cyber Security Consultant 

Must be able to build security tools, implement ISO27001, secure the AWS migration whilst  independently responding to security breaches…. 

Penetration Tester  

Must contribute to sales targets and generate revenue….  


These unrealistic requirements can make a candidate’s journey to secure a new role difficult when they are made to feel they should have 20 certifications and have done the job of a 5-person team!

Although these descriptions always make me chuckle, they do highlight more serious problems with the Cybersecurity job market. How will the skills gap close when expectations of candidates are unrealistic, and how do you prevent burnout and retain staff when they are expected to do the job of multiple people?

So who is responsible for these job descriptions? Unfortunately, there is not a simple answer. It can be the HR or recruitment teams responsible for managing the hiring process. It can be the C-suite and senior leadership who, ever conscious of the bottom line, are reluctant to allocate the budget needed to pay a higher salary or hire more people. But it can also be the existing security team or its leadership. Is this because they are too far detached from the day-to-day security tasks of their teams, or are they simply doing what they can with the money they are given?


Don’t get me wrong, I am certainly not talking about all businesses here. There are tons of firms who do it properly and, even for their first security hire, understand what is needed to secure their assets and what they can get for their budget. But there are still too many job descriptions which seem unrealistic.

If the problem ultimately stems from CISOs and Heads of Security having purse strings that are too tight to build the team they need, then it falls on the C-suite and leadership to change this. With numerous high-profile breaches we’d like to think it will be at the forefront of their minds, but there will always be companies who are reactive rather than proactive and will only allocate funds once it is too late.

There is no quick fix to this. If we need to change the perspective of hiring managers and leadership teams towards paying more, then it will take time. The key is industry-wide efforts to educate not only on what resources are needed to build an effective security team, but also to keep pushing for a proactive approach.

With this we can hope that over the years to come we will see more achievable job descriptions, more people being able to enter and progress in the sector, and ultimately improved security for businesses.


If you would like to speak with me and get some impartial advice on how to progress and take the next step in your career, please contact

Oliver Legg