The InfoSec market is predicted to grow from $75 billion in 2015 to\u00a0$170 billion by 2020, but \u2013 like any child star \u2013 it finds itself struggling with growing pains.An evolving threat landscape, cyber-crime-as-a-service and cyber espionage are the biggest problems for CISOs and law enforcers today, not to mention the record number of data breaches, but there is a bigger, arguably more basic, problem that stunts the market.Information security has long been suffering from a well-advertised skills gap problem. It\u2019s well cited that (ISC)\u00b2 says that there will be a shortage of 2 million professionals by 2020, with Cisco putting the current global shortage at closer to 1 million. According to 2015 analysis from Bureau of Labor Statistics by Peninsula Press, more than\u00a0209,000 cybersecurity jobs\u00a0in the U.S. are currently unfilled.This shortage spans the industry, but in particular, there is a desperate need for data scientists and data analysts, as well as social engineering and digital forensics experts.This isn\u2019t such hyperbole, for this shortage is already having a day-to-day impact. A (ISC)\u00b2 study with Frost & Sullivan found that enterprises and their security staff are increasingly blaming breaches on a lack of skilled personnel, with a Vanson Bourne\/Intel Security survey revealing that IT managers think that the shortage will make them more likely to be targeted, lose proprietary data or suffer reputational damage.Identifying the root of this shortage, though, has not been easy. Some point the finger at STEM education system seemingly not designed with security or even coding in mind, whilst others see interest taper off at university level as computer science graduates target opportunities working for tech giants like Google, Facebook or Twitter.Then there is the issue of retention, with career \u2018burnout\u2019 a factor and recruitment typically difficult given the intricate skills required for things like malware detection, reverse engineering, crypto and virtualization.CISOs \u2013 and their teams \u2013 can come from other fieldsHowever, there may be ways of convincing both young students and experienced workers that security might still be for them, however old they are and whatever industry they work in.The traditional InfoSec career is somewhat formulaic, a path well-trodden. A student would likely go to college, get a degree, acquire CISSP, CISA or maybe CISM accreditation and then enter industry as a security or network architect.The issue with this model, however, is both time and dedication; Raj Samani, CTO of Intel Security EMEA, once told me how he racked up nearly 30 industry-related qualifications in his career, illustrating there\u2019s little room for the part-timers or hobbyists.And yet, slowly, there\u2019s now the suggestion that InfoSec, offering lucrative salaries and challenging jobs, could start cherry-picking talent from other industries.This writer knows of senior directors at a professional services firm\u2019s security division headhunted from law, and of civil servants trained up to senior cyber roles in the UK\u2019s National Crime Agency (NCA). In this interview with Tech Target in 2014, Akamai CSO Andy Ellis professed to hiring communications, customer support and helpdesk staff for his security team.Anecdotes aide, there are now industry efforts to welcome new people from other sectors; a year ago the Information Systems Security Association (ISSA) started investigating the skills gap and concluded there was a need for an internationally accepted framework that defined the cybersecurity career for individuals in the profession. Thus, the ISSA Cybersecurity Career Lifecycle (CSCL) was born.Government agencies like the\u00a0GCHQ\u00a0and NSA have started offering\u00a0scholarships\u00a0and competitions too, although their relatively low salaries have drawn derision from private sector workers who can earn two, three or even 10 times as much.Taiye Lambo, former CISO of the City of Atlanta and now CTO at CloudAssurance, says he is living proof of someone coming from another industry (engineering), and intriguingly adds that this has affected his own hiring.\u201cIn my corporate CISO roles and as an entrepreneur, I have hired people with backgrounds outside of cybersecurity or even Information Technology, initially as research interns, giving them opportunities to progress into security roles such as analyst or engineer, manager and director. Some of them have become successful Information Security Officers within a few years of me hiring them as an intern.\u201dTroels Oerting, CISO at Barclays, previously worked in law enforcement for the Danish police and then Europol. He believes, unsurprisingly, that outside-in does work, especially at younger ages.\u201cMany talented youngsters in this field would not be attracted to a traditional university education in computer science, and might not even be attracted to university education. But they would be great users and experts of the internet.Barclays are currently trying to tempt younger talent through a Barclays Cyber Academy in cooperation with universities. These shorter, \u201cfocused\u201d training programs \u2013 to be established in US, UK, Lithuania and South Africa initially - are precisely aimed at those not interested in university courses.\u201cSecondly, you will find older talent who works in other areas than traditional cyber, and only need a number of upgrade courses in order to switch.\u201dBut senior roles is where differences can be seenSome suggest the opportunity for hiring from other industries is most active at senior management level:\u201cI have seen hiring from other industries, but\u2026most of these activities have taken place at mid or senior level,\u201d said Forrester security analyst Martin Whitworth, formerly CISO at UK bank Coventry Building Society and British Energy. \u201cI have seen staff successfully move from various other business disciplines, including - operational risk, finance, audit, legal and project\/program management.[ ALSO ON CSO: Relocation costs now a sticking point for job-hunting security managers ]\u201cAt the most senior levels (e.g. CISO) I have seen staff from audit, risk and finance backgrounds take on these management roles and be very successful - I have even heard of someone from an HR background moving into a CISO role. Where the CISO role is truly a junior, C-level position, then the position is seen as a viable stepping stone on the executive development ladder.\u201dNeil Thacker, deputy CISO of Forcepoint, agrees: \u201cI have witnessed many organizations bringing in skilled talent from other areas of the business both either to start in an introductory role to cybersecurity, or from a management perspective.\u00a0\u201cA good manager and leader will be an effective communicator and with the correct team around them, will succeed in cybersecurity.\u201dRichard Benham, director of research at the UK\u2019s National Cyber Research Centre, is less convinced, seeing most entrants from IT backgrounds, but admits we need security incorporated in all job roles.\u201cCyber affects every aspect of our lives. Experts in HR, marketing, the law, customer experience to name a few should have a cyber expertise in their discipline....it's about education.\u201dRecruiters see the switch too\u201cWe will not fill all the cyber vacancies that exist if we do not retrain people,\u201d says Karla Jobbing, director at BeecherMadden, a cybersecurity specialist recruitment agency.\u201cCandidates are coming from risk management, crisis management, project management and marketing into cyber roles. Our research shows that these people are often getting paid more, as they have a breadth of skills to bring to an employer.\u201dInterestingly, she notes more jobs and higher pay for female candidates (just 11% of InfoSec industry is female).Blogger turned security consultant Lee Munson was one of these career-changers, moving on from retail management to specializing in security awareness at Re:Sources UK, part of French advertising firm Publicis.\u201cI've always had an interest in computing, going all the way back to secondary school. My interest in security developed much later though, after I saw friends and family fall prey to online scams and malware.\u201cI put in the necessary research to be able to help them and slowly built up my knowledge over a number of years. It was only recently that people I'd met at conferences suggested I should consider a career in the industry.\u201d\u201cMy advice would be to stick with the traditional pathways into the industry but not rely wholly on them. Go to conferences, join forums, chat with fellow InfoSec professionals on social media and network like crazy while developing communication skills and you'll have the best of both worlds - competence combined with the soft skills many in the industry appear to lack.\u201dHiring the right talentsThacker says CISOs need to stop fearing the unknown, and be proactive in reviewing the competencies of their own team.\u201cAll CISOs should review the capabilities of their teams and adjust accordingly so they are well balanced. Training is important, but so is on-the-job training,\u201d he said, suggesting consultants can boost competence in the short-term.\u201cTeam mentoring is also a successful strategy that is often overlooked. Hiring your future replacement and mentoring them to take your role in time will assist you and enhance your career.\u00a0 Ask them to do the same for their role and filter this down to the most junior team member.\u201d\u00a0Whitworth urges security leads to build a multi-skilled and analytical team, which is ingrained in the business.\u201cCISOs need to first establish what their strategy is - and it must be a truly business aligned strategy.\u201cOnce it is clear how security must support the business, then the necessary business (and technical) skills can be mapped out. Only then can recruitment and retention plans be drawn up. As with any complex business issue, don't think that you can do it alone - work with your HR team to identify how best to fill positions.\u201dWant to comment, head over to Facebook and add your two cents.