There's a dramatic shortage of qualified information security professionals in the industry today.
Globally, we're a million people short, according to Cisco's 2014 Annual Security Report. According to Ponemon's 2014 IT Security Jobs Report, 36 percent of staff positions and 58 percent of senior staff positions in IT security went unfilled in 2013.
The majority of companies surveyed – 70 percent – says their IT security departments were understaffed.
It's no surprise that some companies are turning to some non-traditional strategies for finding their cybersecurity employees.
1. Look to the crowd
Some companies have already been turning to crowdsourcing to find bugs in their software or security holes in their platforms.
But the crowdsourcing venues can also be sources of new staff hires, as well.
“The number one researcher on our platform right now was able to get a job offer from Tesla,” says Marisa Fagan, director of crowd ops at San Francisco-based Bugcrowd.
Bugcrowd allows companies to look at the reputations of its independent researchers, look at leaderboards, and will even do background checks of researchers working on more sensitive projects.
There are currently 12,000 researchers on the platform, and it's growing by around 1,000 researchers a month, she says.
2. Look for self-starters who love to learn
When Rook Security moved from Silicon Valley to Indianapolis, the company lost access to a large and readily available pool of employes.
“There were more people ready to walk directly off the street into a job,” says Rook CEO J.J. Thompson.
But instead of just turning to recruiters to help meet his growth needs, Thompson rethought his hiring criteria – which led him to some unusual places.
Tom Gorup was a service tech at AT&T when Rook hired him, without the typical experience necessary to come in as security operations center analyst.
“What he had going for him was military leadership,” Thompson says. Gorup had been a sergeant and a squad leader in the Army. “What I noticed in Tom was that he was confident, loved and had a passion for the subject matter, and was a voracious learner.”
Gorup originally interviewed for an internship, but was hired as a full time security operations center analyst. He then became the team leader, and, within a year, was promoted to the manager of the security operations center.
“We hire and promote based on what people can do and can accomplish, not based on time in role,” says Thompson. “The security industry changes every day. And it can't be taught, that thirst for knowledge.”
3. Look to the colleges
In addition to hiring experienced professionals, companies should also look at colleges and universities for new hires, says Dianne Fodell, IBM's director for Global University Programs.
“Employers can sponsor or attend Capture the Flag and other security competitions – there are lots,” she recommends. “Interview and hire the winners or – depending upon the particular job requirements -- hire the students who organized the event for their university.”
She also recommends looking for students who are interested in security as a hobby, or who participate in professional organizations such as OWASP – the Open Web Application Security Project, ISSA – the Information Systems Security Association, or Honeynet.org, or who present papers at security conferences like RSA, Black Hat, or Women in Cyber Security.
4. Look to the high schools
Denver-based Azorian Cyber Security is waiting for its newest recruit to get old enough to sign a hiring contract.
“Our hiring practices are based on skill sets, passion, and – some would say – obsession,” says Azorian CE Charles Tendell.
That is to say, he hires hackers. And he hires them right out of high school, off of underground boards and forums, out of conferences and conventions.
“One of my leads is now 19,” says Tendell. “I hired him right out of high school because I saw him give a presentation at DefCon, one of the largest hacker conventions in the northern hemisphere. The skills and style he demonstrated showed that he was bright for 19.”
The traditional career route -- of academic training and professional experience -- can dull a person's edge, he says.
“You kind of have to be a hacker to catch a hacker,” he says. “Hiring people who think that way gives us an edge.”
Azorian CE Charles Tendell
For example, the company is able to use new and creative techniques to do penetration testing, or to track down the real identities of online criminals.
“We hire for passion,” he says. “The additional skills they need, we can teach later, or they can assimilate over time.”
5. Look to the payments industry
“Identity is the new perimeter,” says Andre Bosen, chief identity officer at Ontario-based SecureKey Technologies. “We have to shift the thinking from perimeter thinking to who uses the service.”
The recent high-profile security breaches at major companies show that it's time for a new security model, he says.
“And payments people are particularly well suited to thinking about this, in my view,” he said.
In addition to payments and financial services, Boysen said his company also hires people with backgrounds in the arts and in the legal profession.
“We like diversity in our thinking,” he says.