Why your cyber security hiring strategy needs a reboot 

9 minute read | James Walsh | Article | Recruiting Emerging skillsets | Information technology sector


Imagine losing control over essential company systems, confidential customer data, and your credibility to trade. If this sounds like a business nightmare, it’s one that cyber criminals are perpetrating on a regular basis.

Cyber attacks have been a growing concern for business leaders, accelerated by artificial intelligence (AI), the transition to cloud, and geopolitical conflict. In our C-suite research, examining the view of 500 executive leaders, cyber security was identified as one of their top external challenges – higher in priority than even skills shortages and the economic climate.  

A recent spree of high-profile breaches has only underscored the urgent need for a cyber security function that can prevent attacks and mitigate potentially huge business losses and reputational damage. But with many employers still struggling to access the cyber security professionals they need, what hiring strategies are required to withstand the next wave of cyber crime? 

 

Contending with the new threat landscape 

Earlier this year, Marks & Spencer’s online store was infiltrated in a ransomware cyber attack, causing the FTSE 100 company to cease online orders and stop processing some payments across in-person stores. The retailer admitted that personal customer data was stolen in the process, and estimated the attack could cost around £300m in lost profits.  

Not long after, the Co-op Group was forced to “pull the plug” on its IT systems following a similar intrusion attempt, while major supermarket distributors have also been targeted. But UK retailers are far from the only victims of cyber crime, and a rising number of organisations across various industries have experienced debilitating digital attacks.  

According to the 2025 Data Breach Investigations Report by Verizon, cyber attacks against EMEA-based companies doubled over the past year. The report highlights that system intrusion – incidents involving hacking or malware – is the largest emerging threat pattern, rising from 27% of all breaches in 2024, to 53% this year across EMEA. 

It's not just the profits of corporations at stake either. The public sector is equally susceptible, with cyber-attacks on healthcare organisations and local authorities demonstrating the way malicious actors can disrupt services that are vital to our society.  

The need for a robust cyber security function can’t be overstated, but there’s a sense that some organisations are becoming complacent – whether that’s slowing down on investment or half-hearted hiring plans. And increasingly, hiring managers must reevaluate their recruitment approaches and move past entrenched mindsets when building a cyber security function that can keep pace with aggressors. 

 

Cyber security hiring strategies 

There’s much talk about the scarcity of cyber security professionals, with some estimates suggesting a four million deficit worldwide. But the real obstacle may be less to do with skills shortages, and more to do with unrealistic attitudes.  

The desire to handpick candidates with the exact technical skills and cyber credentials not only compounds demand and inflates salaries, but raises the barrier to entry for aspiring – and potentially very talented – cyber professionals. In the chase for the elusive ‘unicorn’ cyber candidate, you could be overlooking the very real professionals capable of preventing the very real threat of a breach.

To build a resilient cybersecurity function, organisations must be prepared to adopt more strategic hiring practices, become more open to investing in overlooked candidates, and commit the necessary resources. Here are some key considerations when hiring the cyber professionals you need:

 

Seek out non-traditional talent 

Don't overlook the potential of diverse talent pools; investing in hidden talent can bring fresh perspectives and desirable transferable skills that even industry veterans might not possess. Try targeting talent pipelines that are too-often overlooked. This might include those who aren’t degree-educated, come from underrepresented demographics, or are breaking out from broader IT fields.  

However, even an IT background might not be a necessity. Almost four-in-ten (39%) of new employees in the sector came from a non-IT role, according to a report by ISC2, an organisation of cyber-security professionals. A former firefighter could have the cool-headedness and resilience under pressure to efficiently assess cyber risks, while somebody from a humanities background might possess the creativity and analytical skills needed to deliver unexpected solutions.  

 

Take a skills-first approach  

By forgoing the usual shopping list of technical credentials and years’ experience, you’re much more likely to find the right fit for your cyber team – and before it’s too late. A willingness to take on and train candidates with valuable transferable skills – such as emotional intelligence or problem solving – could be the key to unlocking cybersecurity professionals without the premium price tag. And in an AI era where technical skills requirements are in constant flux, transferable abilities could be a better long-term investment.

When creating job adverts, consider shifting to competency-based language that focuses on skills and results. Moreover, try breaking down roles into specific duties, and work out what are the core transferable skills required for a candidate to be successful. AI-powered recruitment tools can be both a boon and barrier in this endeavour, helping to filter suitable candidates, but potentially overlooking non-traditional talent. If you’re looking for a proven skills-first model that finds the right balance between human review and innovative technology, get in touch with our Skills and Learning team. 

 

Prioritise flexibility 

Despite ongoing news coverage of large organisations mandating that their staff return to the office more regularly, it’s clear that tech professionals value flexibility. Our 2025 Salary & Recruiting Trends Guide revealed that 58% of tech employees wouldn’t even consider accepting a future role if it didn’t offer hybrid working. Moreover, flexible working models could be equally important when retaining cyber talent, with almost a third (31%) of tech professionals planning to find a role that better balances hybrid working, and over a quarter (26%) seeking fully remote roles.  

And given the prevalence of burnout within the cyber profession – particularly amongst leaders responsible for managing a 24/7 threat – a hybrid policy could better support your existing team and improve your attractiveness to prospective candidates.

 

Don’t become another headline 

In an era where cyber threats are escalating in both frequency and sophistication, the resilience of an organisation hinges not just on its technology, but on its people. As AI, cloud adoption, and geopolitical tensions reshape the digital landscape, the need for agile, forward-thinking cybersecurity teams has never been more urgent. 

However, the path to building these teams doesn’t lie in chasing elusive, perfectly credentialed candidates. It lies in broadening our horizons: embracing non-traditional talent, prioritising transferable skills, and offering the flexibility today’s professionals demand. By shifting from rigid hiring models to inclusive, skills-first strategies, organisations can unlock a deeper, more diverse talent pool ready to meet tomorrow’s challenges – and perhaps even help improve the industry in the process. 

Cybersecurity is no longer a back-office function, but a frontline defence. And those who invest wisely in their people today will be the ones best equipped to protect their reputation, operations, and customers tomorrow. 

Discover how our end-to-end recruitment services can unlock talent that’s ready for the future, or discuss your organisation’s cyber needs by contacting james.walsh1@hays.com.

 

About this author

James Walsh, Business Director, UK&I Cyber Security, Cloud and Data, Hays

James Walsh is a CISMP-certified specialist in senior and executive-level technology recruitment and consulting across a wealth of industry sectors. His passion for cyber security began over ten years ago when he started exploring the intricacies and complexities that come hand-in-hand with the mass adoption of technology. This passion has led him to lead security practices across recruitment, consultancy and advisory across the cyber domain, supporting large FTSE 100 organisations, government departments through to start ups.

As the Business Director for Cyber Security, Cloud and Data UK&I at Hays, James helps tech and cyber professionals progress their careers and ensures organisations have access to the very best cyber security talent and consulting solutions to help secure their businesses. 
