Mary K. Pratt
Contributing writer

To solve the cybersecurity worker gap, forget the job title and search for the skills you need

Feature
Jun 12, 2023 | 11 mins
Hiring | IT Skills | IT Training

CISOs who focus on identifying job candidates with the skills they need are finding talent from other fields and functions to help them get their cybersecurity work done.


BlackBerry CISO Arvind Raman looks beyond job titles when he has open positions to fill and instead focuses on the key skills required to do the work. That mindset allows Raman to readily identify and recruit qualified professionals from outside the security field, instead of simply seeking candidates working their way up the typical chain of security roles.

For example, he has hired finance professionals for risk- and compliance-related work and marketing pros for awareness training projects. “It’s about being aligned with what is really needed and what core functionalities are required for the role,” Raman says.

Some roles, of course, must be filled with experienced security professionals, he says, and in those cases, he looks for candidates who have held prior security roles. On the other hand, he believes many security positions can be filled by people skilled in other disciplines. “And for those you don’t have to limit your search to security people,” he adds.

Raman says he has used this talent-management strategy since at least 2015, which is when he hired a desktop manager as an endpoint security manager. He liked that candidate for his operations experience, which Raman felt was essential for the open security role.

“People asked why I would do that. And I said it’s because he had the right aptitude and attitude,” Raman says, adding that such hires help him bridge the gap between security and IT. Such an outlook also helps Raman blunt the impact of the worldwide shortage of cybersecurity talent on his hiring efforts.

Helping to fill the cyber talent gap

That’s an important advantage, given the figures showing a continuing shortage of security pros. One recent study from Fortinet Training Institute found that 68% of respondents said their organizations face additional risks because of cybersecurity skills shortages. The same study found that 56% struggle to recruit talent and 54% struggle to retain talent.

The International Information System Security Certification Consortium, or (ISC)², calculates that the global cybersecurity workforce needs to grow by 75% in order to meet future demand. More specifically, its 2022 Cybersecurity Workforce Study says the field needs 3.4 million more people above the existing global cybersecurity workforce of 4.7 million.

CISOs have been contending with a talent gap for years, and they’ve long reported challenges with recruiting and retaining workers in such a competitive environment. That has prompted some CISOs to rethink how they find and hire workers for their security teams. They’re concentrating on the skills they need and then searching for professionals with those skills — even if they don’t have a typical security worker pedigree.

“We still tend to think of finding someone who is a cybersecurity professional when we, in fact, are looking only for a particular skill,” says Jim Tiller, global CISO for Nash Squared and Harvey Nash USA. “What I would encourage people to do is try to understand your security strategy and then look broadly across your environment — whether it’s IT, legal, marketing, sales, product development, for skills that you can leverage as you move forward.”

Where to look for security-adjacent skills

Steven Sim, CISO for a global logistics company and a member of the Emerging Trends Working Group with the IT governance association ISACA, has adopted this thinking. For example, Sim has brought workers into his security department from the company’s operational technology (OT) function.

“They may not have the relevant [security] certification, but they have the domain knowledge,” he says, pointing out that OT security has some requirements that differ from IT security, which makes that OT background particularly valuable on his team. Sim says he looks for “a passion and keenness to learn” in such candidates. He also looks for candidates who demonstrate ownership of their work, a high degree of integrity, a willingness to collaborate, and a “risk-based mindset.”

Sim then upskills such hires by having them receive on-the-job training and earn security certifications. Moreover, he says drawing workers from OT helps create more collaboration with the function and ultimately more secure OT operations. He says that result has helped get OT leaders onboard with his recruiting efforts, adding that they see it as a “symbiotic win-win relationship.”

Use internal communications to fill holes in the team

Sim also uses an internal communications platform to bring on workers from other business units for projects that require skills he doesn’t have on his own staff. “I can post a project and open it up to the rest of the company,” he explains. In the past Sim sought marketing skills to help his team develop a security awareness program, skills he found in an HR worker who had a background in psychology. And he once brought over someone from his company’s legal department when he temporarily needed additional expertise for privacy-related work.

Jason Rader, vice president and CISO of global tech company Insight, takes a similar tack. He, too, uses an internal communications platform to post information about skills he needs for security projects. He also reaches out directly to company workers who he knows have the experience he requires. He may, for example, ask automation experts to work temporarily for the security department when automating some security work, or ask legal department workers to join security for compliance projects.

Long-time security leader Fawaz Rasheed says he, too, emphasizes the skills he needs when building his teams and tackling projects — an emphasis that has led him to internal candidates working in other departments. Rasheed, now field CISO at VMware, has brought in people from internal audit “because I knew they had the building blocks to identify security gaps and could work with others.” He has also hired a public relations pro when looking for project management skills.

And he has hired multiple finance folks, citing their risk-management and quantitative analysis capabilities as well as their ability to calculate and present to board members the ROIs on security work. Rasheed acknowledges that such recruits won’t have deep technical and security knowledge and as such won’t be good fits for many security positions.

Identify the specific skills needed for a task

That’s why, he says, it’s essential for CISOs to identify what work is served well by the skills they do have. He also stresses the importance of working with the candidates’ managers so they don’t feel blindsided by their staffers’ moves into security.

Others have similarly found the skills they needed in workers in non-security disciplines. Mike Scott, CISO of software company Immuta, says he had an auditor work on his team part time. The auditor was interested in cybersecurity work; Scott was interested in the auditor’s ability to introduce repeatable processes, believing that experience could be helpful to the security team’s work on a security audit.

“I saw that this person had attention to detail and was technically minded. At the same time, I had a hard time finding people and saw this person as someone I could use to maybe take some compliance stuff off my plate,” Scott adds.

Scott worked with the auditor’s supervisor, who saw benefits in helping a top performer grow at the company. They arranged for a workplace partnership that had the employee working with security for no more than 10 hours a week for about three months. “And because this role was supporting me versus the rest of the security team, I also had to make sure I had the time to commit to this individual,” Scott explains.

Expanding the ranks of the cybersecurity profession

Others share similar stories. Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, says he has hired law enforcement professionals in part for their tenacity and ability to “work a case and track it to closure” and has hired researchers for their skills in “working through processes to figure out what’s going on.”

In one specific case, he hired a professional with a finance background who was working in the legal department’s contracts division. “He had the skills we were looking for: a problem-solver, someone who knew how to do team agreements, and someone always trying to learn more. He could collaborate with others outside his team, was good about knowing what the tasks were, and holding himself and others accountable for deliverables,” Check says.

Check created a learning path for him, listing out the certifications he would have to earn to join the security team and regularly connecting with him to track his progress over six months. Once the worker was far enough down that path, Check invited him to apply for an open position — putting him through the same hiring process as other candidates and ultimately offering him a job as a security analyst.

Check, Rasheed, Rader and other CISOs who have brought non-security professionals to their security departments acknowledge that this approach has its limits. Certainly, they say, many positions require workers with both proven cybersecurity expertise and experience. CISOs who need to have new hires hit the ground running on Day 1 or those with small teams and limited training budgets will probably need to hire professionals with a proven track record in the roles they’re hired for.

Likewise, CISOs with limited time to recruit will likely have to stick with advertising by standard job titles and looking for candidates with conventional cybersecurity career paths; they won’t have the time to deconstruct roles and upcoming projects to identify needed skills that they can then use to recruit unconventional candidates.

Training unconventional candidates can be faster than finding qualified ones

Still, some CISOs say they have found that taking the time upfront to do that work can be just as efficient, explaining they can find and train unconventional candidates for some roles in the same time it could take to hire experienced cybersecurity pros given the fierce competition for talent.

Tiller says he believes that to be true. And he speaks from experience; he has brought in workers from his companies’ finance, HR, IT, and legal departments to work on security projects. He borrowed workers from the marketing and communications team, using staffers to work with security to develop incident response plans and build more effective tabletop drills. And he once had a worker with telecommunications expertise join a mobile security project.

In all these cases, Tiller says the arrangements were less like the usual interdepartmental collaboration and more like a split position between the worker’s regular job and the security work.

Partner with other company departments

“They become part of your own team,” Tiller says. “So, you have to be clear about their role, the value they bring to the team, and establishing a cadence for the work.” Tiller says in such instances he partners with the workers’ managers, getting approval for exploring whether, when, and how the workers could contribute to the security function.

He says that the process also addresses logistics, including how such workers will be paid. He says identifying in-house workers with the right skills to come onto the security team, whether part-time or temporarily, is typically more economical than hiring consultants or augmenting the security team with outside contractors. Tiller says it may be more agile, too, giving the CISO “the ability to pull in different skill sets at the right time.”

Benefits of the cybersecurity profession

Lenny Zeltser, CISO of security software maker Axonius and an instructor with training organization SANS, says this approach helps bring more people into a security field starving for talent. Like others, he says he focuses on the skills he needs when recruiting and hiring. “I don’t recall the last time that I had the simplistic approach of just using the title,” he says.

Consequently, he has hired workers whose background does not match the conventional cybersecurity career path. For example, he hired one worker who had tinkered in IT, had an interest in security, and had worked as a bartender — experiences that demonstrated to Zeltser’s mind that he could successfully multitask and work well with people.

“We need all types of people in cybersecurity because of the variety of challenges we’re solving,” he wrote in a blog on his website. “By allowing non-traditional practitioners to fill entry-level cybersecurity roles, organizations can increase the number of people entering the career funnel. Many of them will develop advanced expertise with the right mentorship and training. This requires adjusting job requirements for entry-level roles, reaching out to people outside the traditional talent pool, and making them feel welcome.”