The security field needs more practitioners. The insanity that is our “always-connected” world necessitates more resources to manage, monitor, and maintain personal and enterprise data – from email accounts to mobile phones to chock-full-of-tech refrigerators.
In the past few years, colleges and universities have begun to offer information/cyber security classes (there are even a few with dedicated information security degrees), which is a big step forward from the generic “computer science” degree of yesteryear. It seems, though, that schools can’t churn out qualified candidates fast enough to meet the demand. As a result, many security practitioners feel overworked and overwhelmed, and are prone to burnout at a faster rate than people in many office-based jobs.
One answer to the question, “Where do I find eligible candidates?” may be in the schools themselves. This morning as I drove into work, a report about how NASA is grooming high school students for its manned mission to Mars was playing on the radio. The recruiters for the mission, scheduled for over a decade in the future, are taking into account a wide range of attributes: personality, demeanor, intellectual proclivities, health, etc. NASA is working with scientists from Johns Hopkins University, which was awarded a grant to help identify the best possible candidates for the future mission.
Infosec can take a cue from NASA. We could be doing more to introduce information security to younger generations (Science is just as much fun as soccer!), but the fact is, security doesn’t have a decade and a half to wait to find the people who will be the great defenders and protectors of our data and systems.
In the short term, hiring managers can be more open-minded about where to look for candidates. Technical skills are important, for certain, but skills can be taught, and learned, by the right candidates. This means, of course, that hiring managers can’t necessarily expect a security analyst to come out of the box fully baked, and grooming your talent has some benefits that buying it doesn’t. Job satisfaction study after job satisfaction study shows that employees value personal growth and the acquisition of new skills as highly as salary and benefits. Employees also want to feel valued and appreciated, and if you’re investing time and effort to teach them new skills, you’re very likely to check those boxes and keep happier, more productive staff for longer periods of time.
Mentoring and training only work, though, if enough warm bodies are available to fill those seats. At present, there aren’t enough “techies” to go around, so what’s a security hiring manager to do? Marcus Ranum of Tenable Network Security has said that “the best security analysts are people who think in an organized manner and are curious and who enjoy investigating.” These curious and organized people may come from many different backgrounds and have varying technical capabilities. “If I saw someone's résumé that said they were an archivist or historian or curator I wouldn't dismiss them. ‘Hey, starving writing seminars majors! Come work in information security,’” Ranum half-jokes. Even though a curator, for example, might not have networking or programming experience, he or she might bring to the table a whole new set of skills that could be extremely valuable to the team. Creativity and a new perspective are extremely desirable in a world where adversaries are constantly changing their tactics and techniques, evolving to evade detection by traditional means.
Ranum, himself, was a Psychology major, and by all standards, he’s done quite well for himself in the field of security. Many of the best and brightest with whom I’ve had the pleasure of working have degrees in Religion or English or History. This is not to say hiring managers shouldn’t look for employees with technical degrees or years’ worth of security experience (an equal number of the SMEs with whom I work do have technical backgrounds). Quite the contrary. In today’s workplace, hiring managers need to consider many options, not just the candidates who come packaged neatly. The Harvard Business Review published an excellent article on How to Assess a Job Candidate Who Doesn’t Fit the Mold. The article is general in nature, but the point is that security teams may need to look outside of the proverbial box to find the next employee.
Curating Your Cadre
Even experienced infosec staff need to feel constantly engaged and challenged. Ranum recommends a variety of team development activities including drills, after-action reviews, competitions, and attending conferences. Embedding infosec staff into business units allows those individuals to gain necessary business understanding; the reverse—embedding business staff into infosec—has the effect of exposing non-infosec staff to infosec and learning who has interest and potential.
Devaluing technical prowess in security would be a ridiculous notion. What can be helpful, though, is opening up the looking glass through which security hiring managers seek new teammates. It might come as a surprise to find that someone with (currently) limited technical ability brings to the table the creativity, the ambition, and a fresh set of eyes that help ward off the next incident.