Finding the right security talent is easier said than done – and with the existing global cyber talent shortage expanding by the day, cyber recruiting is only expected to become more challenging.

To confront this challenge head-on, organizations must stop relying on traditional candidate assessment methods. While degrees and certifications indicate that a candidate has pursued cybersecurity understanding, these qualifications don’t necessarily prove individual capabilities.

Cyber recruitment is further complicated by:

  • A reliance solely on conventional recruitment practices, such as certifications that don’t accurately measure hands-on skills and resumes that don’t accurately distinguish one candidate’s ability from another
  • Unconscious bias within the hiring process
  • A hiring team that may lack a detailed understanding of, or specialism in, the skills a role requires

To ensure that your security teams are actually prepared to take on the next emerging threat, it is important to exercise and benchmark candidates against the specific skills required for the role, rather than using traditional methods.

In this post, I explore the science behind hiring practices and how a skills-first approach can help modernize cyber recruiting strategies.

Biases in recruitment

The default approaches to recruitment, such as CVs and interviews, are rife with unconscious bias, subjectivity, and inaccuracy.  

There are upwards of 175 biases that can influence our behavior, but some of the key ones that impact recruitment include:

  • Similarity bias – the tendency to think more favorably of candidates who are “similar to me.” People gravitate toward the familiar, so they rate candidates who resemble themselves more highly.
  • Confirmation bias – analyzing information about a candidate in a way that confirms our existing beliefs and assumptions.
  • Halo effect – the tendency for a candidate’s strengths in one area to color our opinion of them in other, unrelated areas.

We need to reduce bias by challenging these well-worn recruitment practices.

CVs only give a surface-level view of what people can truly offer; you can’t gauge a candidate’s ability to adapt to new security threats or whether they are competent in specific security skills. With interviews, candidates can fake their answers to impress interviewers. 

We need more objective methods to assess a candidate’s proficiency accurately, and measure candidates’ actual skills and performance. 

In order to successfully measure a candidate’s actual skills, organizations must use real-life cyber simulations where a candidate can conclusively demonstrate their ability to respond to real-world threats and situations.

Show me, don’t tell me

The critical value of assessing performance is that it adds objectivity to your recruitment process and reduces recruitment bias. 

Organizations don’t have to rely on assessing CVs and interview performance when they can measure the actual skills needed to succeed in specific cybersecurity roles, which also uncovers candidates’ hidden talents.

Performance-based assessments are well-supported in academic research too. 

Academic research shows that performance-based assessments are strong predictors of actual performance on the job and less open to faking by candidates [1]. Candidates also view these assessments more favorably than other selection methods [2].

Ultimately, their value comes down to “show me” and not “tell me” [3]. We don’t ask candidates to tell us how good they are, but to show us through practical demonstrations. This prevents people from inflating their skills and yields more accurate results.

Recruit at the speed of cyber

When there’s a gap in cyber talent, it’s important to hire quickly when you find the right people. Armed with a database of candidate performance (and a benchmark of current employees), you can much more easily compare skill sets so you can identify a “must-hire” right after the screening. 

By partnering with programs like Cyber Million, powered by Immersive Labs, organizations can reduce barriers to entry for job seekers by creating opportunities and uncovering hidden talent. Through an emphasis on real-world skills and aptitude over traditional evaluation methods – such as academic degrees, certifications, and job experience – these programs modernize the way organizations recruit for cyber roles globally. By screening candidates on demonstrated skills, organizations can narrow the pool and focus solely on those with the abilities needed to succeed in cybersecurity roles.

To learn more about joining Cyber Million as an Employment Partner or Supporting Organization, please visit our program home page.

[1] Boyce, A. S., Corbet, C. E., & Adler, S. (2013). Simulations in the selection context: Considerations, challenges, and opportunities. Simulations for Personnel Selection, 17–41.

[2] Hausknecht, J. P., Day, D. V., & Thomas, S. C. (2004). Applicant reactions to selection procedures: An updated model and meta-analysis. Personnel Psychology, 57(3), 639–683.

[3] O’Leary, R. S., Forsman, J. W., & Isaacson, J. A. (2017). The role of simulation exercises in selection. The Wiley Blackwell Handbook of the Psychology of Recruitment, Selection and Employee Retention, 247–270.

September 20, 2023


John Blythe

Director of Cyber Psychology