by Doug Drinkwater

Hiring the hidden gems: Should InfoSec hire from other industries?

Feature | Nov 29, 2016 | 8 mins | Careers, Security

[Image: diamonds. Credit: Thinkstock]

The InfoSec market is predicted to grow from $75 billion in 2015 to $170 billion by 2020, but – like any child star – it finds itself struggling with growing pains.

An evolving threat landscape, cyber-crime-as-a-service and cyber espionage are the biggest problems for CISOs and law enforcers today, not to mention the record number of data breaches, but there is a bigger, arguably more basic, problem that stunts the market.

Information security has long suffered from a well-advertised skills gap. It is widely cited that (ISC)² predicts a shortage of 2 million professionals by 2020, with Cisco putting the current global shortage at closer to 1 million. According to a 2015 Peninsula Press analysis of Bureau of Labor Statistics data, more than 209,000 cybersecurity jobs in the U.S. are currently unfilled.

This shortage spans the industry, but in particular, there is a desperate need for data scientists and data analysts, as well as social engineering and digital forensics experts.

This isn’t hyperbole, for the shortage is already having a day-to-day impact. An (ISC)² study with Frost & Sullivan found that enterprises and their security staff are increasingly blaming breaches on a lack of skilled personnel, while a Vanson Bourne/Intel Security survey revealed that IT managers think the shortage will make them more likely to be targeted, lose proprietary data or suffer reputational damage.

Identifying the root of this shortage, though, has not been easy. Some point the finger at a STEM education system seemingly not designed with security, or even coding, in mind, whilst others see interest taper off at university level as computer science graduates target opportunities at tech giants like Google, Facebook or Twitter.

Then there is the issue of retention, with career ‘burnout’ a factor and recruitment typically difficult given the intricate skills required for things like malware detection, reverse engineering, crypto and virtualization.

CISOs – and their teams – can come from other fields

However, there may be ways of convincing both young students and experienced workers that security might still be for them, however old they are and whatever industry they work in.

The traditional InfoSec career is somewhat formulaic, a path well-trodden. A student would likely go to college, get a degree, acquire CISSP, CISA or maybe CISM accreditation and then enter industry as a security or network architect.

The issue with this model, however, is that it demands both time and dedication; Raj Samani, CTO of Intel Security EMEA, once told me how he racked up nearly 30 industry-related qualifications in his career, illustrating that there’s little room for the part-timers or hobbyists.

And yet, slowly, there’s now the suggestion that InfoSec, offering lucrative salaries and challenging jobs, could start cherry-picking talent from other industries.

This writer knows of senior directors at a professional services firm’s security division headhunted from law, and of civil servants trained up to senior cyber roles in the UK’s National Crime Agency (NCA). In this interview with Tech Target in 2014, Akamai CSO Andy Ellis professed to hiring communications, customer support and helpdesk staff for his security team.

Anecdotes aside, there are now industry efforts to welcome new people from other sectors; a year ago the Information Systems Security Association (ISSA) started investigating the skills gap and concluded there was a need for an internationally accepted framework that defined the cybersecurity career for individuals in the profession. Thus, the ISSA Cybersecurity Career Lifecycle (CSCL) was born.

Government agencies like the GCHQ and NSA have started offering scholarships and competitions too, although their relatively low salaries have drawn derision from private sector workers who can earn two, three or even 10 times as much.

Taiye Lambo, former CISO of the City of Atlanta and now CTO at CloudAssurance, says he is living proof of someone coming from another industry (engineering), and intriguingly adds that this has affected his own hiring.

“In my corporate CISO roles and as an entrepreneur, I have hired people with backgrounds outside of cybersecurity or even Information Technology, initially as research interns, giving them opportunities to progress into security roles such as analyst or engineer, manager and director. Some of them have become successful Information Security Officers within a few years of me hiring them as an intern.”

Troels Oerting, CISO at Barclays, previously worked in law enforcement for the Danish police and then Europol. He believes, unsurprisingly, that outside-in does work, especially at younger ages.

“Many talented youngsters in this field would not be attracted to a traditional university education in computer science, and might not even be attracted to university education. But they would be great users and experts of the internet.

Barclays are currently trying to tempt younger talent through a Barclays Cyber Academy in cooperation with universities. These shorter, “focused” training programs – to be established in US, UK, Lithuania and South Africa initially – are precisely aimed at those not interested in university courses.

“Secondly, you will find older talent who works in other areas than traditional cyber, and only need a number of upgrade courses in order to switch.”

But senior roles are where differences can be seen

Some suggest the opportunity for hiring from other industries is most active at senior management level:

“I have seen hiring from other industries, but… most of these activities have taken place at mid or senior level,” said Forrester security analyst Martin Whitworth, formerly CISO at UK bank Coventry Building Society and British Energy. “I have seen staff successfully move from various other business disciplines, including operational risk, finance, audit, legal and project/program management.


“At the most senior levels (e.g. CISO) I have seen staff from audit, risk and finance backgrounds take on these management roles and be very successful – I have even heard of someone from an HR background moving into a CISO role. Where the CISO role is truly a junior, C-level position, then the position is seen as a viable stepping stone on the executive development ladder.”

Neil Thacker, deputy CISO of Forcepoint, agrees: “I have witnessed many organizations bringing in skilled talent from other areas of the business, either to start in an introductory role in cybersecurity or from a management perspective.

“A good manager and leader will be an effective communicator and with the correct team around them, will succeed in cybersecurity.”

Richard Benham, director of research at the UK’s National Cyber Research Centre, is less convinced, seeing most entrants from IT backgrounds, but admits we need security incorporated in all job roles.

“Cyber affects every aspect of our lives. Experts in HR, marketing, the law, customer experience, to name a few, should have a cyber expertise in their discipline… it’s about education.”

Recruiters see the switch too

“We will not fill all the cyber vacancies that exist if we do not retrain people,” says Karla Jobbing, director at BeecherMadden, a cybersecurity specialist recruitment agency.

“Candidates are coming from risk management, crisis management, project management and marketing into cyber roles. Our research shows that these people are often getting paid more, as they have a breadth of skills to bring to an employer.”

Interestingly, she notes more jobs and higher pay for female candidates (just 11% of the InfoSec industry is female).

Blogger turned security consultant Lee Munson was one of these career-changers, moving on from retail management to specializing in security awareness at Re:Sources UK, part of French advertising firm Publicis.

“I’ve always had an interest in computing, going all the way back to secondary school. My interest in security developed much later though, after I saw friends and family fall prey to online scams and malware.

“I put in the necessary research to be able to help them and slowly built up my knowledge over a number of years. It was only recently that people I’d met at conferences suggested I should consider a career in the industry.”

“My advice would be to stick with the traditional pathways into the industry but not rely wholly on them. Go to conferences, join forums, chat with fellow InfoSec professionals on social media and network like crazy while developing communication skills and you’ll have the best of both worlds – competence combined with the soft skills many in the industry appear to lack.”

Hiring the right talents

Thacker says CISOs need to stop fearing the unknown, and be proactive in reviewing the competencies of their own team.

“All CISOs should review the capabilities of their teams and adjust accordingly so they are well balanced. Training is important, but so is on-the-job training,” he said, suggesting consultants can boost competence in the short-term.

“Team mentoring is also a successful strategy that is often overlooked. Hiring your future replacement and mentoring them to take your role in time will assist you and enhance your career. Ask them to do the same for their role and filter this down to the most junior team member.”

Whitworth urges security leads to build a multi-skilled, analytical team that is ingrained in the business.

“CISOs need to first establish what their strategy is – and it must be a truly business aligned strategy.

“Once it is clear how security must support the business, then the necessary business (and technical) skills can be mapped out. Only then can recruitment and retention plans be drawn up. As with any complex business issue, don’t think that you can do it alone – work with your HR team to identify how best to fill positions.”
