Keys to Hiring Cybersecurity Pros When Certification Can't Help
There just aren't enough certified cybersecurity pros to go around -- and there likely never will be enough. So how do you fill out your cybersecurity team? Executives and hiring managers share their top tips on recognizing solid candidates.
March 10, 2020
There's a general acknowledgement that there aren't enough trained cybersecurity professionals to go around. Conversations at cybersecurity conferences are often centered on where to find top pros, how much to pay them, and what string of letters behind their names means the most.
Even the organizations that provide cybersecurity certification admit that there aren't enough certified pros to meet the need — and that there never will be enough. So what's a manager charged with finding cybersecurity talent to do?
Many executives and hiring managers say the key to finding solid talent is flexibility in the search. "The process is very much like drafting professional athletes," says Mike Jordan, vice president of research with Shared Assessments. "When you can't find a position player that you need, you look for individuals who have the skill sets relevant to the position. Find ones that are smart and hardworking and they should be able to fill the position nicely."
Heather Paunet, vice president of product management at Untangle, says that it's important to get it right. "Searching for candidates to fill cybersecurity positions beyond certifications and years of experience can seem counterintuitive, but there are many other interests and logical business skills that are just as important to consider," she explains.
We asked executives what they would look for in filling cybersecurity positions. What they provided was less a checklist of specific skills than an indication of the broad skills, experiences, and personality traits that make someone a great candidate for the cybersecurity team. What they didn't provide was a simple way to look for those on a resumé — but no one said that solving the hiring problem was going to be easy.
Of course, not everyone agrees that there is, in fact, a shortage of cybersecurity professionals.
"The premise that we are short of cybersec pros is BS spread by businesses with a vested interest in importing H-1B workers," says Colin Bastable, CEO of Lucy Security. "There is no shortage of cybersec pros — just a shortage of good ones, and that is a good thing. The market decides. Certification is a scam — it just gets us a load of talentless credentialed people who make the world less secure. You want to hire someone who understands how the enemy thinks but without the moral baggage of being a cybercrook. Most employers with a four-year degree will hire someone with a four-year degree, but zero talent." All you have to do is find that elusive thinker.
What do you think — is it possible to hire a great cybersecurity professional in the absence of security certification? If it is, what do you look for in a great candidate? We'd like to know your thoughts; please talk to us in the Comments section, below.
Read on to see what other security hiring managers had to say.
While he holds a cybersecurity certification, Tripwire's country manager for Canada, Irfahn Khimji, CISSP, doesn't think certs are a "must" for new members of the security team. "The biggest thing I look for are transferable skills. A good candidate is someone who can think outside of the box, is eager to learn, and has a drive to be successful," he says.
Some of the related skills executives look for can be quite specific. "One of the things we've found to be good indicators for candidacy in cybersecurity roles are proficiencies in scripting languages like PowerShell and Python," says Adam Laub, CMO at Stealthbits Technologies. "Proficient scripting also indicates a willingness to get one's hands dirty -- undoubtedly a desirable trait for a cybersecurity professional."
And the field of parallel skills isn't just a fallback position. "We believe the first place to look is at roles with parallel skill sets. Help desk, desktop and server administrators, and application developers are all great recruiting pools," says Joe Moles, vice president of customer security operations for Red Canary. He provides a concrete example of this: "Individuals who are skilled at troubleshooting network problems are typically very good at investigating network anomalies, which translates to a great basis for a network security analyst," he says.
For Christoph Hebeisen, head of threat intelligence at Lookout, the lack of certification and formal training programs can actually be an asset. "Candidates that have entered and mastered a field without formal training directly preparing them for the exact job they did, or who have succeeded in applying related knowledge and fill in the gaps themselves, tend to have the discipline, persistence, and smarts required to succeed," he says.
The ability to learn quickly is a quality the cybersecurity field demands by its very nature, says Claire Ginnelly, human resources director at Information Security Forum. "I would look for a passionate 'learner' who has an eagerness to enhance their skills as the industry grows and cyber matures. I want an employee who is ready to relearn and re-educate and ask new questions," she explains.
For Lamar Bailey, senior director of security research at Tripwire, the issue comes down to how quickly a candidate can scan a new situation and make decisions. "Many of the best employees I have hired were not security professionals. They all came from detail-orientated jobs -- accounting, medical, and teaching -- and had the skills needed to communicate, learn quickly, and adapt. Certifications were not required, and I have found that candidates without them tend to perform better when learning in the real world and not from a certification test."
While trying to judge whether someone is a quick study can be challenging, executives say that it's definitely worth making the effort. "We are looking for learners and team members," says Bill Santos, president of Cerberus Sentinel. "With the pace of change in cybersecurity, the best candidates are committed to continuous learning and joining others in solving challenging problems. We have found this cultural mindset to be the single most significant factor in their success or failure."
Most hiring managers are accustomed to asking questions about work experience in an interview, but some executives say the best set of questions goes beyond the limits of the work day. "Because security is a lifestyle career -- not something you punch into from nine to five -- the largest indicator for me is how a candidate spends their discretionary time," says Tim Wade, technical director for the CTO team at Vectra. "That tells me how invested they are: How are they involved in the security community? What security projects interest them? What contributions have they made? What does their home lab look like? How do they stay up to date with security events -- magazines, books, podcasts? What was the most recent security topic that resonated with them, and what should we, as a community, do about it?"
For Shared Assessments' Jordan, the willingness to learn beyond the standard work hours is critical. "I always look for curiosity and lifelong learning during the interview process," he says. "Ask what their lab at home is like or where their favorite gadgets could do better. Cybersecurity is constantly evolving, and someone who isn't comfortable perpetually and proactively learning will often fall behind over time. It's not a substitute for strong technical skills, but curiosity is an enhancer."
For Vectra's Wade, what a candidate does in their free time is about more than knowledge -- it's about professional temperament. "What will you draw from when it's 3 a.m. and the world is on fire? A candidate that shows me that they're already personally invested with their discretionary time is one that when things are hard, I'm more confident will say, 'Game on' than 'Game over,'" he says.
The era of the lone-wolf cybersecurity professional, scanning the horizon for dangers and picking them off as they come into sight, is long over (if, in fact, it ever existed). The ability to communicate and work with fellow team members (and the rest of the organization) can be critical for a cybersecurity professional who's going to be truly useful to the organization.
"An enthusiasm for different software environments is a great additional skill to have, but being able to communicate information about vulnerabilities in a detailed manner, through reports and analysis, or in training materials for a wider employee population is priceless," says Untangle's Paunet.
For some, communication is part of a larger bundle of desirable skills in a cybersecurity pro. "Being an effective communicator is always important in order to be able to collaborate and work well with others. Increasingly, we will see a focus on hiring people with soft skills, high emotional intelligence, communication, and negotiation skills," says Ginnelly of the Information Security Forum.
One word that no one would ever use to describe cybersecurity is "static." "Innovative problem-solving skills are a key strength in being able to navigate through daily security tasks," Ginnelly explains. "Equally, being able to prioritize work and handle stress in order to keep up with the security needs of new IT initiatives."
Sometimes, that flexibility can be demonstrated in previous positions. "With the complexity of the systems in use, you really need to be good at knowing what it looks like when the systems are working right before you could possibly figure out what could go wrong. For that reason, my advice to hiring managers is to find smart people with good administrative experience in the area you need to secure -- networking, application development, servers, whatever systems hold the keys to your business. If they don't have a lot of security experience but are strong in the underlying technology, that's fine. The security part will come in time," says Jordan of Shared Assessments.
While there are positions and organizations that look for deep, highly specialized knowledge in nearly every position, executives often stress the importance of a broad technical background over point expertise when they're looking for new team members. Roger Grimes, data-driven defense analyst at KnowBe4, says that wide experience is critical for cybersecurity context. "[They need to] understand that security isn't the only thing that matters. The business needs to run, operate, and innovate. And that often means that you can't just consider computer security as the only consideration," he explains. "They have to understand that computer security is just a piece of the puzzle ... an important piece of the puzzle, but just one of many considerations that go into a particular business decision."
Cerberus Sentinel's Santos echoes Grimes' thoughts. "We seek cybersecurity professionals that have extensive practical experience in a broad set of disciplines -- networking, routing, systems administration, etc.," he says. "This experience provides a more complete view of the problems they will inevitably be asked to solve, enabling a more holistic view."
Stealthbits' Laub says he has seen the importance of broad knowledge in practice. "Some of the things we've found to be good indicators for candidacy in cybersecurity roles are proficiencies in scripting languages like PowerShell and Python, as well as experience in broader, more general technology roles like IT support and end-user services," he says. "These skills and experiences play nicely into cybersecurity roles because they require an understanding of the interconnectedness between the myriad of technologies within an enterprise, as well as how they work."
For Lookout's Hebeisen, broad experience can show up as problem-solving capability. "I tend to look for prior experience in reverse engineering and exploit development, such as in a pen-testing environment, as well as knowledge of low-level languages -- assembly and C, especially at the operating system kernel level -- and experience in software development," he says. "In addition to this technical skill set, I look for candidates who demonstrate outstanding research abilities -- collecting, combining, and making sense of information gathered from a variety of sources, including original research, getting to the bottom of difficult problems, and not giving up when encountering seemingly insurmountable challenges."
He adds that the breadth should extend to temperament, as well as knowledge. "Researchers often encounter deliberately convoluted or obfuscated code -- malware that tries to hide from discovery by only activating malicious functionality in a certain geography or on certain types of devices," Hebeisen says. "In order to successfully research such malicious code, a researcher must not be daunted by seemingly insurmountable problems and have a high level of creativity in addition to the more obviously necessary technical skills."
Cybersecurity isn't easy. That's why, for some executives, it needs to be more than a simple career interest for a successful candidate. KnowBe4's Grimes puts it succinctly: "The No. 1 thing I look for is a love for computer security and drive to learn as much as they can. If I see they have that, I can teach the rest. You can't teach natural interest in a subject. You've either got it or you don't. And if I find someone who is as crazy about computer security as me and the rest of my team, I've got a winner. That's the person I want to hire."
A love for the subject can drive individuals to the sort of behavior Grimes says he needs to see from a team member. "I want someone I hire to think outside the box. Half the stuff you get told in the computer security industry is just plain wrong ... it's dogma without any evidence," he explains. "I want my security team thinking for themselves, questioning dogma, and using real data to help drive the right decisions. Gut feelings are great, but back it up with data so we know we are for sure making the right decision. You give me all of this and I'll move mountains to pay accordingly to get that person on my team."
Stealthbits' Laub acknowledges that "love" can be difficult to measure, but that it can manifest itself in tangible ways. "The biggest unknown for almost any new hire -- regardless of role -- is always their willingness to learn and their ability to self-motivate," he says. "If you can land a candidate that has a solid technical foundation and a desire to apply their skills in ways that can help an organization defend itself from the imminent threats they face, you probably have the makings of a successful cybersecurity professional."