No security experience? Apply anyway

Jan 08, 2016, 4 mins

As we're facing an ever-increasing shortage of security personnel, it's time to change our recruitment tactics.


We hear it constantly: There’s a shortage of cybersecurity professionals worldwide that is continuing to increase as more companies and industries require skilled security personnel. Graduates from colleges in Silicon Valley who wish to go into software engineering are being snapped up for impressive sums. In light of the scarcity of resources in the usual places, it’s past time to start considering other sources of help.

When I started working in the security industry, it was as a receptionist for an anti-virus software company. When I had a little free time and they needed a hand, I helped out with tasks in the virus research department. Before long, they hired me into the virus labs officially in a customer-facing position. Over time I asked one researcher after another to train me to do tasks that would allow me to take more work off their plates. After a few years of this, I was the one training new people. At the time, I didn’t think much of this: Doesn’t everyone start out doing grunt-work and working their way up?


It wasn’t until I had a conversation with a friend who was higher up the organizational food chain that I understood how novel this situation was. When I started, the prevailing wisdom was that only people who knew virus research already (read: serious and established hobbyists, or people who were already employed within the industry) could do the job we were doing. At the time there were no official cyber security degree or training programs, so you had to have proven that you were already knowledgeable to get hired. This was obviously a very small pool of potential applicants, and it meant that people filling positions were usually leaving other anti-virus companies.

After they saw that it was possible to train people to do this specialized work, the door was opened for more people to be hired from non-traditional sources. After I had worked my way up to a more senior position, my old job needed to be filled. I recommended a friend, who I met through his job in a local grocery store, because I had seen firsthand how good he is with customers. He was interested in technology, and was taking a class in programming. I figured that he could learn the technological aspects of the job quickly; he already had the more difficult people-related skills he needed to succeed. After him, there were many more people who were hired from outside the usual security sources.

Not an isolated problem

Not all companies have made this leap yet; I still see this mindset in a lot of companies. In order to get hired in cyber security, you already have to know cyber security. This clearly doesn’t provide enough qualified applicants, and the problem will only grow as more companies begin to understand the importance of having a robust security infrastructure.

I’ve heard from a lot of students and hiring managers that computer science degrees don’t offer students enough specialization to help them to get jobs in security companies. Consequently, a lot of potential candidates are being turned away.

Even if there is no one available within your company to mentor a new recruit, cyber security training is widely available now, from beginning to advanced levels. Within the time it would take to search for a candidate who is exactly suited for the position, you may well be able to train a candidate who is “close enough”.

Now is the time to find those people who have most of the skills needed to do security jobs well – a solid understanding of computers, risk management, customer support, education, for example – and get them trained on the aspects that are particular to their role in securing your organization.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats grow and change dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis of and advice on security trends and events.

The opinions expressed in this blog are those of Lysa Myers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.