I have had a successful career in Cybersecurity since 2005 when we called it Information Security. Ironically, my background should never have landed me the job, but it revealed an important hiring secret: Sometimes the best person for a cybersecurity position is not a cybersecurity professional.
I know that sounds paradoxical and confusing so let me explain. With the proliferation of job titles and educational programs with the word cybersecurity in them, it might make hiring managers think they need to hire someone with cybersecurity experience, and that is understandable. However, as we keep hearing that there are more jobs than qualified employees, the gap is going to continue and grow, and there is not enough diversity in the field, alternatives become necessary.
Therefore, instead of searching for the perfect cybersecurity employee with a very specific skill set, technical background, knowledge of one particular tool, set of certifications, degree, and many years of experience, look to the less obvious source to hire your next cybersecurity employee – the artist, the accountant, the liberal arts major, the writer, the veteran, or the gamer (to name a few). Here’s why.
Cybersecurity professionals are creative problem solvers, enjoy tinkering with new tools, and like connecting the dots or solving puzzles. They need to be strong leaders and proficient writers. Depending on the role, they may need to enjoy solitude or thrive in chaos. They are good communicators, team players, and dreamers.
My success in this field is because someone gave me a chance when I had no relevant experience. They needed my skill set as an auditor and gave me the opportunity to learn on the job, which I did with their help. The guys I worked with started me off slowly and then started to give me more and more responsibility. They saw that I would ask questions and that I could take what I was learning and use it. Before long I was on client sites alone, traveling internationally and given a lot of responsibility. If it were not for these guys who took a chance on me 13 years ago I don’t know what my career would look like today. I am forever grateful to them and why I have some recommendations for hiring your next cybersecurity employee.
My Top 5 Recommendations for Hiring Your Next Cybersecurity Employee
1. Know the underlying skills needed for the position. Many cybersecurity positions require lots of writing and documentation, sometimes for non-technical audiences. You may find an excellent candidate with a journalism degree or background in technical writing. You may just find that it is easier to teach a good writer about security than teach an IT or security expert how to write and it may offer more qualified candidates for the position.
2. Determine if the role require lots of solitary work like looking at monitors or analyzing log files. You want someone who enjoys the solitude of this type of work and also enjoys puzzles. People who can spend hours alone working on puzzles, crosswords, games, or other brain teasers are well suited for this type of work because they enjoy solving problems and thrive working alone. You will teach them what puzzle they are trying to solve and they will get busy solving them. This may be more challenging to identify in a traditional resume, make it part of the hiring questions or job description where applicable.
3. Know if chaos at the heart of the position. Depending on the role it may involve a lot of chaos like lots of moving parts, threats, cyber attackers, high visibility, high expectations, and competing priorities amongst the business executives and board of directors. Working well or even thriving in chaos takes a special individual; it’s not for everyone and you can’t teach it. Look at military veterans, former police officers, and people who have held positions where chaos was their daily norm, even if outside of IT and security.
4. Understand the amount of technical knowledge necessary. Many roles today are for compliance and a strong auditor could be a great fit, even if they don’t have a strong technical background. Auditors are skilled at learning new topics very quickly and analyzing information to determine deficiencies and gaps. When you give a strong auditor the information they need and the tests to perform they will pick the rest up quickly and learn on the job.
5. Consider on the job training. This will allow you to bring in more entry level employees with less cybersecurity or technical experience at a lower cost and train them with the tools and information that is important to your organization. With the right training and mentorship these entry level employees will thrive and grow into your next generation of leaders.
The traits I’ve listed above are those you need to consider whether you are bringing in someone with previous experience or whether you are looking to diversify and bring in raw talent. There are many qualified employees who will make excellent cybersecurity professionals if given the opportunity and they are hungry to learn and be part of this exciting field. All they need is the chance, a mentor, some training, and the opportunity to learn and grow in the field.
My Top 5 Don’ts for Hiring Your Next Cybersecurity Employee
1. Don’t assume someone with a long list of certifications is a good at security or good in the role you are looking to place them in. Many people can pass a certification, but that does not automatically mean they are right for the job. Does the job require skills that someone who passed the exam would have over someone without the certification? Plus you don’t know how many times they took the test before they passed. The person who finishes last in medical school is still called Doctor. Don’t assume a certification means they are a good fit for the job or that the job needs someone certified, be specific as to why the certification matters before making it a requirement.
2. Don’t dismiss candidates because they don’t have certifications. Yes, this is the opposite of number one, but just as important. I did not have any certifications when I was introduced to this industry. Some certifications require years of experience to get and you will miss out on some great employees if you set the bar for entry unnecessarily high with certification requirements.
3. Don’t assume that people with strong IT backgrounds make good security professionals. IT professionals may not know security just like security professionals may not be technically proficient. While most of what a cybersecurity employee does has to do with technology, it is not all about technology. Make sure that an IT professionals is being considered because they are a good match for the underlying needs of the position and not just because they have IT skills. If they fit into the category of being well suited for the needs of the position and can learn security on the job like the auditor, journalist, or artist we’ve mentioned before than of course they make a great candidate too.
4. Don’t write the job description so specifically or narrowly that only a few people in the world could match it. This is especially true if you are looking for more of a junior role. When you combine a desire for lots of experience with knowledge on very specific tools, and think that someone in your geographic area is going to be a fit, it could take a long time to fill the position. Go to #1 on the Do list instead.
5. Don’t dismiss the importance of soft skills. The best cybersecurity professionals have strong soft skills like communication, writing, and diplomacy. These positions are often in front of executives and other business leaders and require the ability to communicate in language that everyone will understand and in a way that will build relationships, not be adversarial.
Candidates with cybersecurity experience are great and you should definitely consider them as long as they fit the specific needs of the position, not just because of their general experience, education, or credentials. If you are hiring for a senior position or a consultant who will be out advising clients on topics of security, of course you need and want experienced employees; just make sure they are the right employee so that you and they have a long and happy working relationship together.
If you want to discuss hiring for cybersecurity, building teams, or cybersecurity strategy, email firstname.lastname@example.org.
Sharon is an information/cyber security veteran who has been helping clients navigate security and compliance challenges since 2005. She currently works as a Virtual Chief Information Security Officer (vCISO) for small to medium sized clients who don’t have their own CISO or security department. Sharon received her Masters in Forensic Science, High Technology Crimes Investigations from The George Washington University and currently is a Certified Information Systems Security Professional (CISSP).