Creative Hiring Can Help Solve The Cybersecurity Skills Shortage

In an era of growing cyber risk, how can organizations address the chronic shortage of cybersecurity skills? One way is to look for potential talent in new and unusual places, hiring people from non-security backgrounds and retraining them—and in the process, potentially helping some of the millions of smart and capable people who have lost their jobs due to the COVID-19 pandemic.

“It’s a myth that a degree in computer sciences and a background in cybersecurity is necessary for success in the field,” said Sam Curry, a leading cybersecurity researcher and chief security officer at cybersecurity provider Cybereason, and member of the Cyber Resilience Think Tank. “In reality, people can be anything from former police officers to artists and musicians. It’s more important to possess the right thinking than to come from any particular background.”

Recent surveys highlight the desperate shortage of cybersecurity skills, underlining the need for new approaches to finding talent. A 2019 survey by cybersecurity professional membership organization (ISC)² estimated that there are roughly 805,000 security professionals in the US, but another 500,000 are needed. Globally, the shortage is even worse.[1] (ISC)² also found that only 30% of existing security professionals were women and only 37% were under the age of 35.[2]

A Broader Strategy for Cybersecurity Hiring Pays Dividends

Successfully navigating the cybersecurity talent shortage requires business and security leaders to think differently. But according to a 2018 Deloitte report, many firms overlook opportunities to hire talent from outside cybersecurity field. Organizations can benefit by “exploring the sourcing of talent from nontraditional backgrounds that have relevant work experience” and “hiring more women and minorities,” it noted.[3]

People from different backgrounds can actually enhance cybersecurity by bringing fresh perspectives to security challenges. “Some of the best people in the security field are ‘outliers’ that bring a completely different view to the cybersecurity function,” says Jason Fox, head of education for Mimecast.

For example, Fox hired one employee who had zero cybersecurity experience—and whose previous job was selling cookies. However, she was clearly a self-starter and highly motivated, he says. “She had the type of mind and the right values. She turned out to be an excellent employee,” he explains.

Curry agrees that plugging in “problem solvers” from different backgrounds and careers actually enhances cybersecurity. “Smart people who are motivated can always learn the systems and technology that drive cybersecurity.” Curry looks for people who are “curious, engaged, motivated to learn, not technophobic and get along well with others.”

Move Beyond Job Boards and an HR-centric approach

How can your organization identify and develop unconventional cybersecurity talent? One approach may be to look in unusual venues, such as gaming and hacking conferences. Attendees are smart and tend to think outside the box. Many are highly motivated and may be eager to take on the challenges of cybersecurity.

Another method is to connect to open source communities, including but not limited to cybersecurity-focused communities. Many companies, including some outside the technology industry, have established open source programs.[4] People in these communities may provide input and assistance about security-related matters, but it’s also possible to encourage them to apply for jobs.

A third method is to look beyond universities’ job fairs and get directly involved in their computer science and security programs. Curry says that while he worked for a previous employer, he collaborated with two prominent universities, Carnegie Mellon and Purdue, to develop content and coursework. “We helped them build their cybersecurity program and, in return, we connected with young, highly motivated candidates.” Some of these students went on to work for the company, he says.

Curry takes the perspective that no background or university degree is off limits. He looks for talent in fields as diverse as art, engineering, sales and healthcare. A history or philosophy degree can be just as coveted as a background in cybersecurity.

Develop Talent with Mentoring and Apprenticeships

While there’s no single way to turn new hires with little or no security experience into productive cybersecurity professionals, some methods have proved effective. For example, Curry has established apprenticeship and mentoring programs. New hires, including those that come from non-conventional fields, are assigned a primary mentor. In addition, everyone in the cybersecurity team is encouraged to coach and help out.

In fact, the cultural component is critical. “Everyone on the team is responsible for helping if they see someone struggling and in need of help,” Curry explains. So, while the newer employee receives formal instruction and training through modules and coursework, an established member of the team may also ask if they want practical tips.

In addition, Curry says he strives to “pay it forward” by responding to requests for aid from people outside the company, which may eventually lead to someone coming to work at Cybereason.

Plugging in people from different backgrounds and mentoring to help new hires get up to speed is beneficial for everyone, Curry says. Over time, “the company winds up with a broader and deeper pool of expertise. You’re able to shift people around in an emergency and you wind up with a workforce that has more fluid skills.”

The Bottom Line

Filling open cybersecurity positions remains a big challenge for most organizations. One way to address the problem is to expand the universe of candidates and refocus your hiring methods to include smart and motivated people from non-security backgrounds and fields. You may be rewarded: (ISC)² found that career changers are one of the top sources of new cybersecurity staff. “Make sure the net is cast as wide as possible for undiscovered talent,” it noted.[5]

[1] “(ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide,” (ISC)².

[2] Ibid.

[3] “The cybersecurity talent shortage,” Deloitte.

[4] “Top 3 benefits of company open source programs,” Opensource.com.

[5] (ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide,” (ISC)².