
Non-traditional employee recruitment may remedy security hiring woes

With viable job and training opportunities finally emerging, the time is now for CISOs and hiring managers to boost infosec's ranks with non-traditional candidates.

These are desperate times for information security. Not just because so many established protocols have been found wanting, or because millions of records continue to be breached each month, or even because data privacy seems to be under assault from every direction.

The main reason enterprises are desperate is because the one resource that's needed to combat all these issues is in desperately short supply: information security professionals.

As most know, the infosec profession is in dire need of more workers. Cisco Systems Inc. earlier this year estimated the security industry could use at least 1 million more people, while (ISC)2 Inc. has intimated the shortage is even worse.

The tragedy is that the security hiring equation can be solved, if only the two sides could meet: There are plenty of enterprises looking to fill infosec positions, and an abundance of potential recruits from non-traditional backgrounds who are willing and able to learn, if the training and support were available to them.

Making the security hiring challenge personal

Josh Cradic knows very well how tough it is to find the right training and support. The 34-year-old Philadelphian has a background in international development and works as an operations manager for Eastern University. He has been striving to break into the information security field for more than a year, but has struggled because he lacks traditional technical skills and experience.

"Most of my tech background is stuff I did on my own, like desktop repair work; no programming or anything like that," Cradic said. "So when I first started reading about information security and network security, it was a little bit overwhelming to me. I asked myself, 'How am I ever going to learn this?'"

Like many in his position, Cradic wasn't sure where to turn. Dozens of colleges and universities offer graduate degrees in cybersecurity and information assurance, but these programs are financially out of reach for many prospective students. The most influential security industry organizations like (ISC)2 tailor their own offerings to existing infosec pros, deferring to partners on new recruits. Despite having plenty of open jobs, enterprises usually lack the resources to train someone from scratch.

Cradic initially considered pursuing an entry-level security certification, but quickly learned that not all employers require one, and that those that do often overlook the fact that a certification doesn't guarantee a capable candidate.

"A part of me said, 'If I get my cert, I can probably start working right away,'" Cradic said. "I don't know if that's a good thing or a bad thing, because it's easy to prepare for and pass an exam without actually knowing what you're doing."

Training opportunities emerging

Cradic's struggle is representative of what many budding infosec pros experience when trying to join the profession. While viable training opportunities have traditionally been hard to find, the situation is finally starting to change thanks to a growing number of industry initiatives.

Government agencies like GCHQ and the NSA, perhaps among the most desperate to recruit new information security talent, have started offering scholarships and competitions to draw in individuals from outside the field. A scattering of pilot programs has attempted to boost employee recruitment among wounded servicemen and women.

One such promising initiative is the Cybersecurity Career Lifecycle, a new professional development framework from the Information Systems Security Association (ISSA).

Candy Alexander, director of the non-profit ISSA International and a senior GRC consultant with Towerwall Inc., said the lifecycle aims to address the cybersecurity workforce and skills gap by emphasizing what it calls the pre-professional level: typically students, IT generalists, and those from legal or military backgrounds.

For pre-professionals, the lifecycle begins with a self-assessment of an individual's knowledge, skills and aptitude, which helps determine not only what a prospective infosec practitioner needs to learn to break into the field, but also what types of industry roles the individual may be best suited to fill.

Alexander said she recently worked with a student member of ISSA who is studying mechanical engineering, but wants to work in information security. The self-assessment helped identify that the student had a strong aptitude for the integration of physical and logical security.

"We suggested that he may be a really good fit for doing things such as car hacking, not only understanding the boundaries of the mechanical but also having the knack for cybersecurity," Alexander said. "The assessment is very personalized based on what their aptitude is, and then we help them get the knowledge and skills they need."

ISSA's pre-professionals are then given a customized set of training recommendations such as seminars and training courses, many of which are offered by (ISC)2 and made available to ISSA members at a reduced rate.

Participants are also matched up with mentors from nearby local chapters. The mentors help the pre-professionals further customize their training, build a network of contacts and identify additional learning opportunities.

The lifecycle is available only to ISSA members; membership starts at $30 per year for full-time students and $95 otherwise.

Alexander acknowledges that the pre-professional program may or may not be enough to help a newcomer land an entry-level infosec job, which is why ISSA is currently working to build out a formal apprenticeship program that will enable pre-professionals to work alongside mentors in real-world job scenarios. That program is expected to roll out next year.

"The beautiful thing about this lifecycle is that it's more than formal training," Alexander said. "We're here to help individuals through the training and after that training."

For Akamai, non-traditional employee recruitment pays off

While training opportunities emerge, an increasing number of employers have already begun bridging the gap by extending their information security staffing searches beyond traditional candidates.

Andy Ellis, chief security officer for Akamai Technologies Inc., based in Cambridge, Mass., has been experimenting with non-traditional infosec hiring for a number of years, with great success. Amid intense competition for experienced candidates, Ellis has adopted a strategy that focuses less on infosec experience and more on applicants who have the ability to learn quickly, the drive to do great things and a team-first attitude that puts the team's success ahead of their own.

"[CISOs] all have jobs that we need to do that aren't actually security jobs," Ellis said. "A key success criterion for us is to surround people from non-traditional backgrounds with security people so they can learn and grow."

Ellis said he's hired all skill types onto his security team over the years, turning helpdesk admins into firewall management gurus and transitioning communications, customer support and, yes, project management specialists to handle compliance and external communications. He's found places for Ph.D.'s and bio-chemical engineers too, all the while recognizing the importance of realistic expectations.


"When we hire someone into a security research or other similar role," Ellis said, "there's about a 15-month spin-up time until they're able to be on their own and drive their own workload."

While some formal training is involved, Ellis said it's even more important to foster collaboration between non-traditional hires and veteran staff. Those relationships, he said, not only facilitate powerful on-the-job learning, but also teach the process of learning about security, which is critical to any successful infosec career.

Based on the success of companies like Akamai, Ellis predicted that more organizations will soon realize that non-traditional infosec hiring is not merely a necessity, but an opportunity to foster diversity and unrecognized talent.

"That's the future of this and more industries," Ellis said. "In a sense, in the short term, I'm glad I'm not competing with as many companies for these non-traditional hires, but long-term more will go looking for those folks, and they will become the traditional backgrounds."

As for Cradic, while he's still unsure when or where he'll land his first infosec job opportunity, he discovered his employer offers a tuition-reimbursement program that enabled him to enroll in the online information security master's program at Our Lady of the Lake University, based in San Antonio, Texas.

"I'm interested in cryptology and pen testing and risk management," Cradic said, "but honestly I'm looking for an opportunity to get broader hands-on experience in a lot of different things."

Only time will tell if more employers will adopt Ellis's mindset and broaden their searches for infosec staff to include candidates like Cradic, but it's clear innovation is desperately needed in information security hiring. Trained defenders need reinforcements, and the industry would be well-served by making the investment in Cradic and the many others like him who are eager to help.

Eric B. Parizo is the executive editor of TechTarget's Security Media Group. Follow him on Twitter @ericparizo.

Next Steps

Considering bringing non-traditional hires on to your security team? Resident management expert Joseph Granneman details the pros and cons of untraditional security hiring.

This was last published in November 2014



Has your organization taken any steps to facilitate security hiring from non-traditional backgrounds? If so, how successful has the process been?
Because hiring highly qualified and the top of the IT security techs is so competitive, employers have to go through what is essentially a bidding war to attract and gain these valued employees. My company has tried going the non-traditional route with mixed results. Because my company is small, it is hard to go any way other than non-traditional. We have to entice employees with a family atmosphere and a range of benefits larger companies cannot.
I’ve seen non-traditional hiring practices have great success in other areas, so it’s no surprise that information security is getting a boost from that approach. Another take on non-traditional hiring practices is to look internally. There are many reasons that people want to change jobs, but if you can find someone that’s already in the company, has the ability to learn, and is a good fit, then much of the problem is already solved. Some of my best people were culled from the business, and moved into IT positions.