Careers & People

5/13/2020
09:55 AM
How Unconventional Professional Backgrounds Can Strengthen a Cybersecurity Team

Getting over the cybersecurity skills gap takes creativity, flexibility, and a willingness to go "off-script" when it comes to picking out candidates.

If you dig into the rosters of many successful cybersecurity teams — be they enterprise organizations, vendors, or service providers — more often than not you'll find some surprising professional back stories. Unconventional backgrounds crop up more than you'd think: humanities majors, former chefs, dancers, lawyers, cops, and plenty of others in between.  

And if you ask veteran security managers about their less traditional staffers, they'll often tell you that many of them are some of their best employees. In fact, hiring nontraditional security people isn't a desperation play for them but rather a strategy of strength.

"One of the biggest things I consider when hiring talent is gathering a diversity of perspectives," wrote Geoff Belknap, CISO of LinkedIn. "Many different types of people interact daily with the products we're working to secure, which means our team needs to be able to understand and consider needs, work habits, and challenges from several points of view."

After building out security teams at several companies, Belknap has learned to avoid building a team with identical cybersecurity education and experience. 

"I want English majors and chemists and economics experts who can come together to help solve these hard problems, each bringing their unique training, diversity of thought, and ways to approach problems into the mix," he said.

Walking the Walk
It's the old scenario: when the only tool you have is a hammer, every problem looks like a nail, says Christopher Emerson, CEO of White Oak Security, a security consultancy specializing in penetration testing and red teaming.

"More experiences provide more tools," says Emerson, who opens up his recruiting to nontraditional security candidates. His open mind comes from being one of those folks himself.

A former professional ballet dancer, Emerson many years ago reinvented himself after the toxic nature of his first profession wore on him. 

"I found ballet was a better hobby than career for me," he says. "Our leadership was more focused on drawing attention to our faults and failures than they were to recognizing our good work. Leaps could be higher, hand positions could be more crisp, turns could be smoother. It ended up being a very negative feeling. It didn't help that I had to work two additional jobs just to cover my half of rent."

And so he went back to school and got a degree in quantitative methods and computer science. Still, even then he didn't have a lot of offensive security experience — but he was able to get a local CPA firm to take a chance by hiring him as a junior pen tester for its security consulting group. That was 14 years ago, and since then he has built up his professional skills and his own business. Through it all, his firsthand experience as a pro and as a hiring manager has led him to the conclusion that having a great breadth of experiences makes it easier for candidates to tackle security problems.

That breadth is important because infosec is such an interdisciplinary field, says Ryan Cobb, senior consultant in information security research at Secureworks. Whether someone is working as an investigator, a researcher, or a consultant, candidates are expected to have an affinity not just for technology but also for criminal psychology, politics, human behavior, and critical thinking, not to mention communication.

"If you strip away the specific technologies, investigators and consultants require strong critical thinking, reading, writing, and communication skills," says Cobb, who majored in philosophy and minored in art history. The writing requirements of that past life proved invaluable as he pivoted into digital forensics in grad school and beyond, he says. 

"I needed those skills to explain complex technical topics in natural language, especially when reviewing my investigation reports with attorneys," Cobb says. "As I grew into a research role, I found myself leaning on philosophical concepts, like ontology and epistemology, to guide and organize my research. I'd come full circle from my degree."

Wanted: Soft Skills
Now that he's doing the hiring, Cobb finds that considering nontraditional candidates is not just a matter of adding new perspectives or broadening the pool of candidates, but also filling in the most acutely felt hole in the cybersecurity skill set: soft skills.

"When I'm hiring new infosec analysts, it's not the technical skills that are in short supply but rather the critical thinking and soft skills that are rare," Cobb explains. 

A lot of times those soft skills are functions of innate traits or instincts rather than trainable technical skills. For example, empathy is often named by security hiring managers as a non-negotiable trait for candidates.  

"Security professionals need to understand that different engineer, development, and product teams have different requirements on their time, and they don't always have the guidance or tools to implement secure solutions," says White Oak Security's Emerson, who believes empathy is crucial. "Understanding that is key to working with those teams."

But empathy is arguably almost impossible to learn, whereas it's relatively simple to teach someone the ins and outs of a technical framework or tool. The same goes for creativity and the drive to learn. This is where the advantages of unconventional candidates really shine.

"People who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when coming from a nontraditional background," says Nick Tausek, security research engineer at Swimlane.

Tausek likes to look beyond STEM backgrounds for hiring. For example, he says that many great security analysts come from fields that may not require technical knowledge but which teach or draw on strong investigative and documentation skills, like police work or journalism. 

"[They] can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence," Tausek says.

The 'How' Behind the Hiring
If all of this sounds well and good but you're wondering how you can attract or even evaluate these nontraditional security candidates, experts say there's no magic formula. It takes a lot of groundwork, starting with completely blowing up how a security organization writes its job requirements and advertises open positions.

"Too often people are put off by requirements listing comprehensive technical criteria or industry qualifications, so getting a diverse group of applicants is an important initial step," says Annabel Jamieson Edwards, manager at Accenture Security. 

From there, organizations will need to be creative about how they evaluate nontraditional candidates. For example, when searching for analysts, creative methods can include problem-solving tests, technical writing exercises, and other tests that might call for the candidate to learn a new technical skill and use it to solve a problem, documenting the process along the way, Tausek says.  

"Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight into whether that person has the potential to make a good analyst," he says. 

Meanwhile, evaluation for a security consultant should focus more on their coordination or communication skills, Jamieson Edwards says.

"Evaluating nontraditional security workers on their interpersonal and conceptual skills would give you a good indication of how well a candidate would adapt to your professional environment," she says.

If that sounds like it will take a lot of work, that's because it will, says Tausek. It'll add more complexity for HR and take more hands-on involvement from security hiring managers. But this is what it takes to find the truly good candidates out there, no matter what their background holds.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.