I've been in the tech industry for 25 years, almost all in cybersecurity. I've held security leadership positions for well over a decade, including the 18 months as head of security for an API platform with more than 20 million users.
I've had a successful career in information security, and I've done it without a college degree.
I'm just not convinced of the value of a degree for cybersecurity jobs. To be sure, some who go to school before embarking on cybersecurity careers may benefit from the education and training. But many others merely find themselves saddled with student debt, just to learn material that's often outdated or may not even be relevant to the job.
At the end of the day, with enough passion, raw intelligence, and hard work, anyone can be a successful cybersecurity professional, whether or not they have a degree or a background in IT and computer science.
Cybersecurity hiring historically has focused on a narrow candidate pool — people with the usual academic credentials, job experience, security certifications, and specific technical security skill sets. But as the demand for cybersecurity professionals keeps increasing, it is clear that the industry must get more creative in the hunt for talent.
The question on every CISO's mind is how. Here are four ideas.
Drop College Degree Requirements
Mandating at least a bachelor's degree for a cybersecurity job (or any tech industry job, for that matter) is obsolete thinking. Skills and personality traits like desire, curiosity, love of learning, calmness under pressure, and ambition are what really matter.
I go back to my own experience. I gave community college a try, because it's what was expected, but I was never a good student because I wasn't interested in the material.
My college turned out to be my first computer job, where I spent time on the help desk, as a desktop engineer, and as a systems engineer, and eventually left as a network engineer. What I learned during my four years there gave me the foundational knowledge to move to the next job/level.
I loved all technology and wanted to learn as much as I could but couldn't decide if I wanted to be on the network or systems side. I wound up in security because it was an area that allowed me to get involved in all aspects of tech.
Now, years later, I lead a combined security and IT operations team with more than 30 members, focusing on building a modern security program that supports the needs of a fast-growing business.
Look for Talent Outside of Security
Instead of chasing unicorns, companies should mine not only other areas of the IT department but also completely different parts of the business for people with adjacent skills that could make them great cybersecurity pros.
Someone with a librarian's background, for example, could bring the strong detail orientation needed for security compliance work. A former military member may possess the grace under fire needed for hectic work in the security operations center (SOC).
Looking harder at candidates who don't fit the typical cybersecurity specialist mold necessitates a more aggressive move toward upskilling and reskilling existing employees. And beyond its benefit as a source of talent, looking inward rather than outward for help also could provide protection against the threat of recession and possible hiring freezes. Which leads to our third point…
Train Like Crazy
If someone has the natural skills to succeed in cybersecurity but has never even seen a SOC, who cares? Skills can be taught. That's why cybersecurity training sessions and boot camps exist.
Companies should invest in formalized training programs for individuals with nontraditional security backgrounds. These individuals should be trained up front and continually provided with additional training opportunities, just like the rest of the team.
Spread the Wealth
The beauty of DevOps and DevSecOps is that they shift some security responsibility from dedicated security teams in operations to the development side, with the idea being that security should be baked in throughout the application development process.
This provides a fresh opportunity for more people throughout the organization to take on roles as security champions, security ambassadors, security advocates — pick your term. And it lessens the pressure on companies to hire for security team positions and increases the incentive to get creative in looking internally for these champions.
By following these four steps, companies can find people who have the aptitude and passion for security and who can be made into top-notch professionals with a little bit of training and mentoring.
The industry has been doing the same thing over and over — hunting for the usual suspects — and it's time for new approaches.