Developing more innovative hiring practices is crucial to attracting more talent to the cybersecurity industry, according to panelists speaking during a recent RSA webcast.
The event was held amid growing efforts from the US federal government to attract new candidates to the cybersecurity industry to close the burgeoning skills gap.
Barbara Endicott-Popovsky, executive director of the Center for Information Assurance and Cybersecurity and professor at the University of Washington, stated: “It’s been frustrating to watch the lack of awareness of the cyber threats that we face and even more frustrating to spend so much time as we have developing talent and trying to make sure we get the right people to the right places.”
The first step in addressing this issue is to ensure there is much more clarity about the types of people and skills that are needed to work in cyber, according to Lynn Clark, chief of the NSA/DHS Centers of Academic Excellence at the National Security Agency (NSA). “It’s really hard to produce educational programs to prepare people for the workforce if we don’t know what our end objective is,” she outlined.
It is also vital that cybersecurity recruiters recognize the wide variety of motivations candidates have to work in this sector, thereby ensuring they “use the right lure for the right fish,” said Joshua Corman, senior advisor for the Cybersecurity and Infrastructure Security Agency (CISA).
He listed five different drivers (p’s) for those who work in the industry: protector, puzzler, prestige, profit/professional and protest/patriotism, adding that “how you engage and recruit them will be different.”
The discussion then turned to the types of people and skills needed to make up the industry. Endicott-Popovsky observed that traditionally, the cyber industry has primarily been comprised of ‘techies,’ meaning other important skill sets are lacking.
Emily Harding, deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies (CSIS), said that in her experience, character and mindset are more important than qualifications when looking to recruit candidates for cybersecurity jobs. She believes the ideal person needs to be “smart and can think, and who does not get discouraged by bureaucracy or small hurdles, somebody who doesn’t want a roadmap to accomplish things.”
As well as hackers who can use their technical skills to discover security flaws, Corman feels the cyber industry needs more ‘translators’ in its ranks to translate these flaws into action. In his previous experience, he found that people with backgrounds in areas like law and project management are particularly effective in this role. “The things we were able to do were because we came from incredibly different backgrounds, but we had a common cause, common purpose and could be brought together like a team of Avengers to fight the greatest foes and risks,” he added.
Clark concurred with these perspectives, emphasizing the need for security teams to be comprised of people with strong soft skills, such as communication and collaboration, alongside “people who understand the technology.” She pointed out, “All the technology in the world is not going to protect us from the hacker who can socially engineer somebody into giving him a password or who can spearphish and get the important information they need to access our systems.”
The panel also agreed that organizations need to adapt their standard requirements for cybersecurity candidates to enable this type of neurodiversity to become a reality. This includes working with HR and legal departments to reduce the emphasis on formal technical qualifications. Additionally, Harding believes “you have to have that human-to-human connection as much as possible, where you’re going out to career fairs and universities and recruiting.”
The principle of favoring character over qualifications is particularly pertinent when it comes to recruiting for leadership positions. Corman observed that individuals are often pushed into leadership roles based on their technical expertise, which is the wrong criterion to use. “You have to make sure you have the right leaders because they set the tone, the cadence, the value set, the culture, as best they can,” he noted.
More broadly, Corman said that all personnel operating in the rapidly evolving field of cybersecurity must be flexible and willing to learn on the job continuously. “An adaptable person will adapt at the speed of cyber,” he commented.