What Fortune 100s are getting wrong about cybersecurity hiring

Many companies say they can’t find enough cybersecurity professionals. But a new report suggests the real problem isn’t a lack of talent, but how those jobs are structured and advertised.

Expel’s 2025 Enterprise Cybersecurity Talent Index looked at more than 5,000 cybersecurity-related job postings from Fortune 100 companies. The findings point to hiring practices that may be turning qualified candidates away, not drawing them in.

“We often hear about the cybersecurity talent or skills gap as a defining challenge in this industry, but our research suggests a different story. Enterprises are inadvertently alienating and confusing candidates, pushing highly talented professionals toward other fields. If top applicants can find opportunities that truly align with their expectations, we can dispel the long-standing ‘talent shortage’ narrative,” said Jason Rebholz, Advisory CISO for Expel.

Remote work is in high demand, but rarely offered

Only 8 percent of cybersecurity job listings offered remote work. But remote roles attracted far more attention than in-office or hybrid jobs. In fact, 43 percent of remote roles received more than 100 applicants. On-site roles, by contrast, hit that mark just 11 percent of the time.

Remote and hybrid roles also filled faster. On-site positions took nearly three times longer to close. Employers that insist on office-only roles may be missing out on top applicants.

Mental health is barely mentioned

Burnout is a serious concern in cybersecurity, especially for analysts managing thousands of alerts each day. Yet only 10 percent of cybersecurity job descriptions included any mention of mental health or wellness support.

This is a missed opportunity. The report suggests using the term “cyber strain” to better describe the stress security professionals experience. It recommends companies include language in job postings that shows a real commitment to employee wellbeing, such as mental health benefits, stress reduction tools, and time-off policies.

Pay and perks aren’t keeping up

The average cybersecurity salary in the dataset was $152,700. That’s solid, but still lower than adjacent roles. IT security and DevSecOps jobs averaged $160,800. Observability roles paid even more, at $165,400.

Equity is another area where cybersecurity roles fell short. Only 4 percent of listings included equity, compared to 10 percent for IT security and 15 percent for observability. These numbers matter. Candidates may be choosing related roles with better pay and perks, even if the job responsibilities are similar.

Degrees are less of a barrier than before

Only 23 percent of cybersecurity roles mentioned a four-year degree requirement. This shows a growing shift toward skills-based hiring, which could help bring in candidates from nontraditional backgrounds.

Still, employers should be careful about how degree requirements are phrased. Even listing a degree as “preferred” could keep someone from applying, especially if they have equivalent skills or certifications.

AI is showing up in job descriptions, but not in leadership

About half of all job postings mentioned AI in some way. Among cybersecurity roles, 46 percent referenced AI. But not a single job at the director level or higher required AI experience. That may reflect a gap in how senior leaders think about AI’s role in security strategy.

The report notes that while AI terms like “automation” and “machine learning” appear often in lower-level roles, they are mostly absent from leadership listings. Companies may need to rethink how AI knowledge fits into senior job requirements.

Security pros are eyeing other options

Observability is one field that’s pulling attention away from traditional cybersecurity. These roles are technically demanding, offer better pay and equity, and often come with more flexibility.

The report doesn’t claim observability is poaching cybersecurity talent—but the data shows it’s an appealing alternative. And that should be a warning sign for hiring managers.

