Beyond Credentials: How AI is Revolutionizing Cybersecurity Skills Verification

By Keatron Evans, VP of Portfolio Product at Infosec Institute

The cybersecurity industry has had a persistent skills gap for more than a decade. With 514,359 cybersecurity job openings in the U.S., organizations continue to struggle to find candidates with the skills that match their needs. Unfortunately, artificial intelligence (AI) is in many ways making the hiring process worse. 

As the New York Times and Ars Technica recently reported, hiring managers are drowning in AI-generated and AI-optimized job applications. Those organizations are fighting back by using their own AI tools to screen and evaluate the flood of applicants. This escalating AI-versus-AI battle is muddying the already murky waters around the cybersecurity skills gap. 

Shouldn’t AI be helping rather than harming the hiring process? 

The Current State of Cybersecurity Skills Assessment 

Assessing cybersecurity talent has always been challenging. That’s why certifications have been so important in the field. Entire frameworks, like the Department of Defense (DOD) 8570, were built around using certifications to verify the levels of skills for different job roles. It’s also why hiring managers frequently fall back on advanced certifications like the ISC2 CISSP, which validates not just a broad baseline of cybersecurity domains but also real-world experience in those domains. 

But degrees and certifications can fail to predict actual performance. An applicant may hold multiple certifications yet struggle to analyze network traffic during an active incident. Another may lack formal credentials but demonstrate exceptional threat-hunting capabilities in the field. This gap between credentials and capability has real consequences. For instance, according to Fortinet, 70% of IT and cybersecurity leaders say skills gaps are creating additional organizational risks. 

That’s why the cybersecurity market is shifting towards skills-based hiring, among private companies and government agencies alike. A clear example is the DOD, which is transitioning from the one-size-fits-all DOD 8570 certifications to continuous skill development via DOD 8140.

AI holds a lot of promise in validating more specific skills. Used the right way, it can clear the muddy waters, not make them worse. It can help provide candidates with an objective view of their skills compared to their peers and provide hiring managers with a way to match those validated skills to their organization’s needs. 

Best Practices for Validating Security Skills 

Using hands-on simulations and exercises to evaluate skills is not new, but AI transforms these types of exercises by capturing and analyzing performance data at a much more granular level.  

Think of certifications and degrees like driver’s licenses. They prove basic knowledge and even validate some real-world competency. A person might pass a driving test but struggle to navigate in crucial situations like rush-hour traffic or parking in tight spaces. Similarly, cybersecurity professionals might have several certifications but not know how to use certain tools or perform certain incident response functions with confidence.  

At the simplest level, there are two primary steps to integrating AI into this evaluation: 

  • Capturing baseline data from cybersecurity professionals: To expand on the driving analogy, imagine taking thousands of drivers with different experience levels and recording everything they do during a complex route. AI captures not just whether they reach the destination but also how they use turn signals, their braking patterns, mirror usage and adaptation to complex traffic conditions. In cybersecurity, this translates to analyzing not just whether a candidate detects malware but also their investigation methodology, tool selection and reasoning process. 
  • Behavioral pattern recognition: This enables AI systems to distinguish between novice, experienced and expert-level performance through subtle indicators. A novice might successfully complete a task but follow inefficient procedures. An experienced professional demonstrates systematic approaches, while an expert reveals advanced techniques and shortcuts that optimize both speed and accuracy.

If done right, this provides a level of granularity and objectivity that was not possible in cybersecurity hiring and upskilling before.  

Adaptable Strategies for Business Leaders 

While degrees and certifications are still useful, they are big, point-in-time assessments. AI-powered platforms can track skill development over time, identify knowledge gaps as they emerge, and recommend targeted training to maintain competency levels. Business leaders should prioritize two strategies.  

The first one focuses on customizing assessments to meet organizational needs. Leaders must embrace role-specific evaluation criteria. Rather than testing general cybersecurity knowledge, they should develop evaluation frameworks tailored to their specific technology stack and operational requirements. 

With the right data behind the scenes, AI can also excel at creating the labs used for these evaluations. This allows organizations and their training partners to quickly spin up labs that match the tasks of a given role and evaluate candidates’ ability to carry out those tasks.

These skills-based approaches represent a fundamental shift in talent acquisition and in upskilling your existing workforce. They open cybersecurity roles to diverse talent pools while focusing on demonstrated capability over formal credentials.

The second strategy targets internal capabilities. Upskilling existing employees offers significant advantages over external hiring. Current employees already possess foundational knowledge and understand the company infrastructure, unlike new hires who require more extensive onboarding. Organizations can identify internal candidates with strong analytical thinking abilities and provide targeted training to develop cybersecurity-specific skills.  

In another scenario, imagine a new cyber threat emerges targeting your industry. Within a week, your team is not only aware of the threat, but you’re also able to create a simulation around it and test your team’s ability to defend against it. This kind of AI-assisted, role-based targeted training will become commonplace in the very near future.

The Risks of Inadequate Skills Validation 

The consequences of poor skills verification extend beyond hiring inefficiencies. In fact, the growing skills gap contributed to a $1.76 million increase in average breach costs, according to IBM.  

However, beyond immediate financial losses, inadequate skills validation also creates operational vulnerabilities that compound over time. When cybersecurity professionals lack the practical skills their roles demand, response times increase, threat detection suffers and organizational resilience weakens. The same report found that more than half of breached organizations faced high levels of security staffing shortages, a 26.2% rise over the previous year. 

The strategic business impact includes competitive disadvantage, innovation limitations due to skills constraints, and resource allocation inefficiencies from wasting time and budget on ineffective hires. 

The Future of Skills-Based Cybersecurity Hiring 

The cybersecurity industry stands at a pivotal moment where traditional credential-based hiring must give way to sophisticated skills verification methods. AI-powered assessment platforms provide the precision necessary to distinguish between surface-level knowledge and practical competency, enabling organizations to make data-driven hiring decisions that enhance security outcomes. 

The transformation requires a commitment from business leaders to adopt new evaluation methods, invest in assessment technologies, and reassess fundamental assumptions about qualifications. As cybersecurity roles become increasingly complex and specialized, the ability to verify real-world skills becomes essential for organizational survival. 

Organizations that adopt AI-driven skills verification now will gain competitive advantages in talent acquisition while building more capable security teams. The technology exists to bridge the gap between credentials and capability — success depends on which organizations will lead this transformation. 
