Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/13/2020
09:55 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How Unconventional Professional Backgrounds Can Strengthen a Cybersecurity Team

Getting over the cybersecurity skills gap takes creativity, flexibility, and a willingness to go "off-script" when it comes to picking out candidates.

If you dig into the rosters of many successful cybersecurity teams — be they enterprise organizations, vendors, or service providers — more often than not you'll find some surprising professional back stories. Unconventional backgrounds crop up more than you'd think: humanities majors, former chefs, dancers, lawyers, cops, and plenty of others in between.  

And if you ask veteran security managers about their less traditional staffers, they'll often tell you that many of them are some of their best employees. In fact, hiring nontraditional security people isn't a desperation play for them but rather a strategy of strength.

"One of the biggest things I consider when hiring talent is gathering a diversity of perspectives," wrote Geoff Belknap, CISO of LinkedIn. "Many different types of people interact daily with the products we're working to secure, which means our team needs to be able to understand and consider needs, work habits, and challenges from several points of view."

After building out security teams at several companies, Belknap has learned to avoid building a team with identical cybersecurity education and experience. 

"I want English majors and chemists and economics experts who can come together to help solve these hard problems, each bringing their unique training, diversity of thought, and ways to approach problems into the mix," he said.

Walking the Walk
It's the old scenario of when the only tool you have is a hammer, then every problem looks like a nail, says Christopher Emerson, CEO of White Oak Security, a security consultancy specializing in penetration testing and red teaming.

"More experiences provide more tools," says Emerson, who opens up his recruiting to nontraditional security candidates. His open mind comes from being one of those folks himself.

A former professional ballet dancer, Emerson many years ago reinvented himself after the toxic nature of his first profession wore on him. 

"I found ballet was a better hobby than career for me," he says. "Our leadership was more focused on drawing attention to our faults and failures than they were to recognizing our good work. Leaps could be higher, hand positions could be more crisp, turns could be smoother. It ended up being a very negative feeling. It didn't help that I had to work two additional jobs just to cover my half of rent."

And so he went back to school and got a degree in quantitative methods and computer science. Still, even then he didn't have a lot of offensive security experience — but he was able to get a local CPA firm to take a chance by hiring him as a junior pen tester for its security consulting group. That was 14 years ago, and since then he has built up his professional skills and his own business. Through it all, his firsthand experience as a pro and as a hiring manager has led him to the conclusion that having a great breadth of experiences makes it easier for candidates to tackle security problems.

That breadth is important because infosec is such an interdisciplinary field, says Ryan Cobb, senior consultant in information security research at Secureworks. Whether someone is working as an investigator, a researcher, or a consultant, there are loads of requirements for candidates to have an affinity not just for technology, but also criminal psychology, politics, human behavior, and critical thinking, not to mention communication.

"If you strip away the specific technologies, investigators and consultants require strong critical thinking, reading, writing, and communication skills," says Cobb, who majored in philosophy and minored in art history. The writing requirements of that past life proved invaluable as he pivoted into digital forensics in grad school and beyond, he says. 

"I needed those skills to explain complex technical topics in natural language, especially when reviewing my investigation reports with attorneys," Cobb says. "As I grew into a research role, I found myself leaning on philosophical concepts, like ontology and epistemology, to guide and organize my research. I'd come full circle from my degree."

Wanted: Soft Skills
Now that he's doing the hiring, Cobb finds that considering nontraditional candidates is not just a matter of adding new perspectives or broadening the pool of candidates, but also filling in the most acutely felt hole in the cybersecurity skill set: soft skills.

"When I'm hiring new infosec analysts, it's not the technical skills that are in short supply but rather the critical thinking and soft skills that are rare," Cobb explains. 

A lot of times those soft skills are functions of innate traits or instincts rather than trainable technical skills. For example, empathy is often named by security hiring managers as a non-negotiable trait for candidates.  

"Security professionals need to understand that different engineer, development, and product teams have different requirements on their time, and they don't always have the guidance or tools to implement secure solutions," says White Oak Security's Emerson, who believes empathy is crucial. "Understanding that is key to working with those teams "

But empathy is arguably almost impossible to learn, whereas it's relatively simple to teach someone the ins and outs of a technical framework or tool. The same goes for creativity and the drive to learn. This is where the advantages of unconventional candidates really shines. 

"People who work well with others, learn quickly, and possess a proactive mindset toward the work can make great employees, even when coming from a nontraditional background," says Nick Tausek, security research engineer at Swimlane.

Tausek likes to look beyond STEM backgrounds for hiring. For example, he says that many great security analysts come from fields that may not require technical knowledge but which teach or draw on strong investigative and documentation skills, like police work or journalism. 

"[They] can catch up on the technical parts of the job if they already have a mental framework for investigation and analysis, along with the mental agility to reach good conclusions on incomplete evidence," Tausek says.

The 'How' Behind the Hiring
If all of this sounds well and good but you're wondering how you can attract or even evaluate these nontraditional security candidates, experts say there's no magic formula. It takes a lot of groundwork, starting with completely blowing up how a security organization writes its job requirements and advertises open positions.

"Too often people are put off by requirements listing comprehensive technical criteria or industry qualifications, so getting a diverse group of applicants is an important initial step," says Annabel Jamieson Edwards, manager at Accenture Security. 

From there, organizations will need to be creative about how they evaluate nontraditional candidates. For example, when searching for analysts, creative methods can include problem-solving tests, technical writing exercises, and other tests that might call for the candidate to learn a new technical skill and use it to solve a problem, documenting the process along the way, Tausek says.  

"Even if the attempt fails, understanding how well and in what way the candidate learns can provide insight into whether that person has the potential to make a good analyst," he says. 

Meantime, evaluation for a security consultant should focus more on their coordination or communication skills, Jamieson Edwards says.  

"Evaluating nontraditional security workers on their interpersonal and conceptual skills would give you a good indication of how well a candidate would adapt to your professional environment," she says.

If that sounds like it will take a lot of work, that's because it will, says Tausek. It'll add more complexity for HR and take more hands-on involvement from security hiring managers. But this is what it takes to find the truly good candidates out there, no matter what their background holds.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
 

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13485
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
CVE-2020-13486
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
CVE-2020-13482
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
CVE-2020-13458
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
CVE-2020-13459
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.