Think Outside the Box to Close the Skills Gap
The skills gap in cybersecurity is a topic I address a lot, but it is also one of the issues in cybersecurity for which we just can’t figure out the solution. It is a topic that has been front and center of almost every cybersecurity conference I’ve attended in the past decade. But I’m starting to see a trend rising. A conversation at RSA warned that we need to turn away from the idea that our cybersecurity staff will be found in the IT department, while a session at Akamai EdgeWorld 2019 pushed the idea that members of your security team could be sitting at a desk somewhere in your company.
The right people are out there. It’s just a matter of finding them. I talked to Chris Schueler, SVP of Managed Security Services at Trustwave, for advice on how companies can start thinking outside the box about hiring cybersecurity staff and how to best identify potential candidates who may not meet your current criteria but could end up being the right person for the job.
Enjoy Computers
Cybersecurity is not a job for technophobes, Schueler said. While there isn’t a need to be proficient in multi-language coding, potential candidates should at least enjoy working with computers and have some basic understanding of IT.
Schueler looks for people who are creative, naturally curious and enjoy solving complex problems. Those who enjoy games that require strategy, play instruments, or like to tinker around with cars or electronics in their free time will catch Schueler’s notice. That’s because these folks are always in pursuit of knowledge and want to understand why things work the way they do.
“One of the most overlooked skill sets in the cybersecurity industry is having the ability to write and communicate well,” said Schueler. “Taking complex subject matter and transforming it into easily digestible information a C-level executive can understand and then act on is truly an art form.” Having someone with strong communication skills could also improve other problem areas in cybersecurity, such as awareness training and getting budgets approved.
Finding Interested Candidates
Okay, so you have pinpointed some people in-house or on job applications to the organization who fit the description above, but these people appear content with their current duties or have applied for other types of jobs. How do you get them interested in changing career paths to cybersecurity?
You show them how exciting the job can be, said Schueler. “Everyday cybersecurity pros are working to stop cybercrime and bring justice to those who feel right taking from others. This daily mission is a powerful motivator for most people.”
Sparking the interest in cybersecurity should come early, too, so Schueler recommends working with high schools and colleges to plant the seed, especially in kids who might think they want a career path in history or another Liberal Arts path but who is also interested in computers.
“Three years ago, Trustwave partnered with the Chicago Community College system and offered equipment, staff, and other investments to develop a cybersecurity curriculum focused on benefiting new students, those seeking a career change, and former military personnel,” Schueler said. “The program has been so successful that other schools have approached us to start similar programs.”
Law enforcement and military vets are another source of potential cybersecurity workers to close the skills gap. These are people who trained to think like the bad guy and build criminal files. They know how to take practices from their former lives, such as establishing “Proof of Life,” and apply them to ransomware attacks and other digital threats.
Think Outside the Box
It’s easy to say, “Think outside the box to encourage non-IT people to think about pursuing cybersecurity careers.” It’s another thing to get those in the C-suite and HR to expand their definition of a cybersecurity professional to close the skills gap. I witnessed how difficult it can be for new college graduates, even those who had internships, to even get an interview for security positions because of in-house requirements. Many openings require the candidate to have certain certifications—almost all of which can’t be obtained until one has years of experience in the field. That forces many new grads to take non-security jobs, while the security positions remain unfilled.
“Many employers get stuck thinking only about the bits and bytes of cybersecurity and fail to grasp that the ones and zeros are just a means to the cybercriminals themselves,” said Schueler. Coding and other tech skills have their place, but the goal is to stop cybercrime. The best way to do that is first to understand the adversary and how they operate, he noted. Those with degrees in law enforcement, investigators and even data scientists who can quickly spot patterns are incredibly valuable for profiling cybercriminals and uncovering their favorite targets, techniques and tools.
It’s time for organizations and the security industry to stop thinking of security skills in terms of what they should be and start thinking of them as what they could be. It will open the door for a lot of people who never considered this career path before, and that’s how you start to shrink the skills gap.
