The cybersecurity industry talks about its talent shortage constantly. Leaders at conferences describe an empty pipeline while workforce studies quantify the millions of unfilled roles. And yet qualified, motivated candidates apply for entry-level positions and hear nothing back. The contradiction points to a problem that has less to do with supply and more to do with how the industry filters who gets in.
It's a reality Farzia Khan knows well. A Senior Manager in Information Security focusing on Regulatory, Audit, and Compliance Assurance at TD Bank and the Founder of ElleHacks, Canada's first all-women hackathon, Khan has built a career at the intersection of corporate security and next-generation talent. For Khan, the industry's talent challenges are largely self-inflicted, stemming from a disconnect between traditional hiring practices and the skills that actually drive success.
"I hear leaders constantly talk about the talent shortage in cybersecurity, but I meet so many candidates who are ready to work and still can't get hired. So you have to ask, is there really a shortage, or is the system just broken?" says Khan. The system, she explains, is optimized for a candidate who barely exists. Organizations compete for niche specialists while a large pool of early-career professionals with foundational skills and real motivation to learn gets filtered out before a hiring manager ever sees their resume.
The expectation gap: The recruiter screens for one thing, the hiring manager wants another, and job descriptions are often obsolete before the role is even filled. "There's an expectation gap between what the hiring manager is looking for and what the recruiter is recruiting for," explains Khan. "These roles are evolving so fast that even by the time you get hired, the job has already changed. You can't say you're doing the same work you started five years ago."
Certifications are not the full picture: Hiring teams often default to credentials because they are easy to scan and compare, but that shortcut overlooks whether a candidate can think critically, communicate risk, and operate effectively in real security environments. "A lot of candidates have this tendency of just listing 10 certifications or the technical things they've done. That doesn't give me a good picture of the person. What skills do they actually bring? What are their personality traits?"
Khan argues the industry needs to rethink what it screens for entirely. Yes, foundational technical knowledge matters. Understanding how networks, operating systems, and identity and access concepts work is non-negotiable. But beyond that, the skills that separate strong security professionals from average ones are not certifiable.
Sponsorship over mentorship: For Khan, the fix is not another training program or certification framework but a shift in how leaders take responsibility for developing talent. She emphasizes exposure over abstraction, noting, "When students see the industry up close, they stop guessing what cybersecurity is and start understanding where they fit." She also stresses sponsorship over mentorship. "What people really need is sponsorship, because leaders who invest early do not just shape individual careers, they strengthen the future resilience of the industry."
Khan draws from personal experience. She was hired early in her career by a senior leader who saw potential and invested in developing it. That sponsorship shaped her trajectory. She now runs a structured mentorship program at TD where mentors take up to five mentees, matched by biography and background. But she is candid about the limitations.
Do your homework: Many mentees do not know how to drive the relationship, and many mentors are not approachable enough to make it work. The culture at some organizations also discourages informal connection between junior staff and leadership. "People reach out and say, 'I want to get into cyber, can you be my mentor?' And I ask, 'What domain?' They don't have an answer. Cybersecurity is a vast field. You need to do some research to understand which domain aligns with your skills and personality."
For leaders considering whether to build or reevaluate their own programs, Khan's advice is direct. "Don't let perfection be the enemy of progress. If you don't know where to start, ask your people what they want. They're going to tell you." She started her program the same way, adapting it over time based on what participants actually needed rather than waiting for a polished rollout.
The skills gap and the equity gap close through the same mechanism, Khan says: leaders who treat talent development as a long-term investment in the industry, not a line item. "When you think like a leader, you're not just investing in one person. You're investing in the industry as a whole. That is how we close the skills gap and the equity gap at the same time."