New research reveals flaws in cybersecurity recruitment approach

New research from Expel has identified a notable gap in enterprise cybersecurity hiring strategies, suggesting the commonly held belief about a lack of talent in the sector may be misplaced.

The study, which analysed over 5,000 active security and security-adjacent job postings from Fortune 100 companies, found several factors contributing to difficulties in attracting and retaining cybersecurity professionals.

Role confusion

The report highlights inconsistencies in job titles across enterprises tasked with similar responsibilities. This lack of standardisation was observed to cause discrepancies in compensation, confusing potential applicants and possibly resulting in missed opportunities for both employers and candidates.

Pay and benefits were also found to lag behind related sectors. Cybersecurity positions, according to the study, often offer less competitive compensation and fewer benefits, such as equity packages, compared to similar roles in adjacent fields.

Remote work trends

Another significant finding related to flexibility in working arrangements. Despite the continued discourse around burnout and work-life balance, only 8% of cybersecurity vacancies offered remote work. However, 43% of remote roles attracted over 100 applicants. This data suggests a strong preference among candidates for flexible work options which is not being matched by companies' offerings.

The analysis also discovered that mental health provisions remain rare in job listings. Only 10% of the reviewed postings mentioned wellness or support for burnout, despite widespread concern in the industry regarding stress and mental health challenges.

AI and leadership

The research examined skill requirements across job postings, noting a rise in references to artificial intelligence (AI). However, no director-level or higher roles called for AI knowledge or experience, indicating that AI expertise is yet to become a strategic priority at senior levels of enterprise cybersecurity teams.

Jason Rebholz, Co-Founder and CEO of Evoke Security and Advisory CISO for Expel, commented on the results. He said:

"We often hear about the cybersecurity talent or skills gap as a defining challenge in this industry, but our research suggests a different story. Enterprises are inadvertently alienating and confusing candidates, pushing highly talented professionals toward other fields. If top applicants can find opportunities that truly align with their expectations, we can dispel the long-standing 'talent shortage' narrative. This report does more than just shine a light on hiring and retention challenges - it provides a roadmap for improving their strategies going forward."

Recruitment disconnect

The findings from Expel's 2025 Enterprise Cybersecurity Talent Index suggest misalignments in employer recruitment strategies may be contributing to perceptions of a talent shortage. Candidates' increasing interest in remote work, support for mental health, and up-to-date compensation and benefits packages do not appear to be reflected broadly in current enterprise recruitment practices.

There is also a technological gap at the leadership level regarding crucial new skills, such as those relating to AI and machine learning, which may further influence both recruitment and the long-term security posture of large organisations.

The report is positioned as a guide for organisations seeking to adapt their hiring and retention policies to meet current and future sector demands, providing data-driven insights on how to attract and retain highly qualified cybersecurity professionals.