If you dig into the rosters of many successful cybersecurity teams — be they enterprise organizations, vendors, or service providers — more often than not you'll find some surprising professional back stories. Unconventional backgrounds crop up more than you'd think: humanities majors, former chefs, dancers, lawyers, cops, and plenty of others in between.
And if you ask veteran security managers about their less traditional staffers, they'll often tell you that many of them are some of their best employees. In fact, hiring nontraditional security people isn't a desperation play for them but rather a strategy of strength.
"One of the biggest things I consider when hiring talent is gathering a diversity of perspectives," wrote Geoff Belknap, CISO of LinkedIn. "Many different types of people interact daily with the products we're working to secure, which means our team needs to be able to understand and consider needs, work habits, and challenges from several points of view."
After building out security teams at several companies, Belknap has learned to avoid building a team with identical cybersecurity education and experience.
"I want English majors and chemists and economics experts who can come together to help solve these hard problems, each bringing their unique training, diversity of thought, and ways to approach problems into the mix," he said.
Walking the Walk
It's the old scenario: when the only tool you have is a hammer, every problem looks like a nail, says Christopher Emerson, CEO of White Oak Security, a security consultancy specializing in penetration testing and red teaming.
"More experiences provide more tools," says Emerson, who opens up his recruiting to nontraditional security candidates. His open mind comes from being one of those folks himself.
A former professional ballet dancer, Emerson many years ago reinvented himself after the toxic nature of his first profession wore on him.
"I found ballet was a better hobby than career for me," he says. "Our leadership was more focused on drawing attention to our faults and failures than they were to recognizing our good work. Leaps could be higher, hand positions could be more crisp, turns could be smoother. It ended up being a very negative feeling. It didn't help that I had to work two additional jobs just to cover my half of rent."
And so he went back to school and got a degree in quantitative methods and computer science. Still, even then he didn't have a lot of offensive security experience — but he was able to get a local CPA firm to take a chance by hiring him as a junior pen tester for its security consulting group. That was 14 years ago, and since then he has built up his professional skills and his own business. Through it all, his firsthand experience as a pro and as a hiring manager has led him to the conclusion that having a great breadth of experiences makes it easier for candidates to tackle security problems.
That breadth is important because infosec is such an interdisciplinary field, says Ryan Cobb, senior consultant in information security research at Secureworks. Whether someone is working as an investigator, a researcher, or a consultant, there are loads of requirements for candidates to have an affinity not just for technology, but also criminal psychology, politics, human behavior, and critical thinking, not to mention communication.
"If you strip away the specific technologies, investigators and consultants require strong critical thinking, reading, writing, and communication skills," says Cobb, who majored in philosophy and minored in art history. The writing requirements of that past life proved invaluable as he pivoted into digital forensics in grad school and beyond, he says.
"I needed those skills to explain complex technical topics in natural language, especially when reviewing my investigation reports with attorneys," Cobb says. "As I grew into a research role, I found myself leaning on philosophical concepts, like ontology and epistemology, to guide and organize my research. I'd come full circle from my degree."
Wanted: Soft Skills
Now that he's doing the hiring, Cobb finds that considering nontraditional candidates is not just a matter of adding new perspectives or broadening the pool of candidates, but also filling in the most acutely felt hole in the cybersecurity skill set: soft skills.
"When I'm hiring new infosec analysts, it's not the technical skills that are in short supply but rather the critical thinking and soft skills that are rare," Cobb explains.
A lot of times those soft skills are functions of innate traits or instincts rather than trainable technical skills. For example, empathy is often named by security hiring managers as a non-negotiable trait for candidates.
"Security professionals need to understand that different engineer, development, and product teams have different requirements on their time, and they don't always have the guidance or tools to implement secure solutions," says White Oak Security's Emerson, who believes empathy is crucial. "Understanding that is key to working with those teams."
But empathy is arguably almost impossible to learn, whereas it's relatively simple to teach someone the ins and outs of a technical framework or tool. The same goes for creativity and the drive to learn. This is where the advantages of unconventional candidates really shine.
"People who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when coming from a nontraditional background," says Nick Tausek, security research engineer at Swimlane.
Tausek likes to look beyond STEM backgrounds for hiring. For example, he says that many great security analysts come from fields that may not require technical knowledge but which teach or draw on strong investigative and documentation skills, like police work or journalism.
"[They] can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence," Tausek says.
The 'How' Behind the Hiring
If all of this sounds well and good but you're wondering how you can attract or even evaluate these nontraditional security candidates, experts say there's no magic formula. It takes a lot of groundwork, starting with completely blowing up how a security organization writes its job requirements and advertises open positions.
"Too often people are put off by requirements listing comprehensive technical criteria or industry qualifications, so getting a diverse group of applicants is an important initial step," says Annabel Jamieson Edwards, manager at Accenture Security.
From there, organizations will need to be creative about how they evaluate nontraditional candidates. For example, when searching for analysts, creative methods can include problem-solving tests, technical writing exercises, and other tests that might call for the candidate to learn a new technical skill and use it to solve a problem, documenting the process along the way, Tausek says.
"Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight into whether that person has the potential to make a good analyst," he says.
Meantime, evaluation for a security consultant should focus more on their coordination or communication skills, Jamieson Edwards says.
"Evaluating nontraditional security workers on their interpersonal and conceptual skills would give you a good indication of how well a candidate would adapt to your professional environment," she says.
If that sounds like it will take a lot of work, that's because it will, says Tausek. It'll add more complexity for HR and take more hands-on involvement from security hiring managers. But this is what it takes to find the truly good candidates out there, no matter what their background holds.