
Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.
How do you gain “experience” in cyber without a job in cyber?
Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.
At 600 words, this briefing is about a 4-minute read.
Gaining cybersecurity experience.
A persistent challenge in the cyber industry is how new entrants can gain meaningful experience before formally entering the field, and what experience is considered most valuable. This conversation has become increasingly critical as reports have emerged that the cybersecurity workforce gap has continued to grow year after year.
However, despite a clear gap forming and reports attributing a significant number of future breaches to this gap, the challenges related to entering the cybersecurity industry still seem as potent as ever. IBM's 2024 report noted that 60% of organizations are struggling to fill roles due to the need for specialized skills. This becomes more evident when examining job postings.
Technology journalist and former research engineer, Robert Lemos, highlighted several mismatches between job requirements and the actual workforce. For instance:
- Roughly 85% of the current cyber job postings require a degree.
- However, reports detail that only 60% to 70% of cybersecurity workers hold one.
Furthermore, Lemos highlights Will Markow, the founder and CEO of FourOne Insights, who pointed to an “expectations gap.” Markow commented that this gap involves companies posting positions that require three to five years of prior work experience for entry-level jobs. This expectation gap has also been noted in several other reports:
- A 2025 SANS workforce report found that 52% of cyber leaders state that the workforce gap is due not to a lack of people but to a lack of people with the right skills.
- A 2024 ISACA survey found that 73% of respondents listed prior hands-on cybersecurity experience as the most valuable trait in candidate qualifications.
- This same survey found that over 50% of respondents believe that less than half of the existing applicants are well-qualified.
Markow also highlighted that this gap is worsened by salary expectations where “a lot of companies don’t want to pay for people,… and I’d say that’s the cause of probably half of the hiring issues.” These challenges clearly demonstrate that the workforce gap requires more than just increasing the industry’s headcount. Rather, it demands a rethinking of how talent is identified, developed, and brought into the field.
Adjusting Expectations.
While numerous solutions have been proposed to address the cyber talent pipeline, the problem persists, though it remains solvable. The key to progress lies in recognizing that gaining experience can occur through multiple, non-traditional pathways that allow candidates to meet experience requirements even when traditional means are not utilized.
While traditional universities and internships are one path that can meet these four-year requirements, programs can be another core strategy, especially those that offer hands-on experience and strategic thinking, and they can be equally impactful. One such example is the Cyber 9/12 Strategy Challenge. For context, this is a competition program that provides attendees with challenges from both a policy and a strategy perspective.
Competitions such as Cyber 9/12 and those at conventions or in other online settings provide tangible, demonstrable experiences for entry-level professionals and students alike. These programs allow participants to build a concrete portfolio of relevant experience for the specific cyber discipline they are interested in. By pivoting expectations, the industry can close this “expectation gap” and redefine what experience looks like and, more importantly, how it is measured.