These are desperate times for information security. Not just because so many established protocols have been found wanting, or because millions of records continue to be breached each month, or even because data privacy seems to be under assault from every direction.
The main reason enterprises are desperate is because the one resource that's needed to combat all these issues is in desperately short supply: information security professionals.
As most in the industry know, the infosec profession is in dire need of more workers. Cisco Systems Inc. earlier this year estimated the security industry could use at least 1 million more people, while (ISC)2 Inc. has intimated the shortage is even worse.
The tragedy is that the security hiring equation can be solved, if only the two sides could meet: There are plenty of enterprises looking to fill infosec positions, and an abundance of potential recruits from non-traditional backgrounds who are willing and able to learn, if the training and support were available to them.
Making the security hiring challenge personal
Josh Cradic knows very well how tough it is to find the right training and support. The 34-year-old Philadelphian has a background in international development and works as an operations manager for Eastern University. He has been striving to break into the information security field for more than a year, but has struggled because he lacks traditional technical skills and experience.
"Most of my tech background is stuff I did on my own, like desktop repair work; no programming or anything like that," Cradic said. "So when I first started reading about information security and network security, it was a little bit overwhelming to me. I asked myself, 'How am I ever going to learn this?'"
Like many in his position, Cradic wasn't sure where to turn. Dozens of colleges and universities offer graduate degrees in cybersecurity and information assurance, but these programs are financially out of reach for many prospective students. The most influential security industry organizations like (ISC)2 tailor their own offerings to existing infosec pros, deferring to partners on new recruits. Despite having plenty of open jobs, enterprises usually lack the resources to train someone from scratch.
Cradic initially considered pursuing an entry-level security certification, but quickly learned that not all employers require one, and that those who do require one often fail to realize a certification doesn't necessarily guarantee a capable candidate.
"A part of me said, 'If I get my cert, I can probably start working right away,'" Cradic said. "I don't know if that's a good thing or a bad thing, because it's easy to prepare for and pass an exam without actually knowing what you're doing."
Training opportunities emerging
Cradic's struggle is representative of what many budding infosec pros experience when trying to join the profession. While viable training opportunities have traditionally been hard to find, the situation is finally starting to change thanks to a growing number of industry initiatives.
Government agencies like GCHQ and the NSA, perhaps among the most desperate to recruit new information security talent, have started offering scholarships and competitions to lure in more individuals from outside the field. A scattering of pilot programs have attempted to boost employee recruitment among wounded servicemen and women.
One such promising initiative is the Cybersecurity Career Lifecycle, a new professional development framework from the Information Systems Security Association (ISSA).
Candy Alexander, director of the non-profit ISSA International and a senior GRC consultant with Towerwall Inc., said the lifecycle aims to address the cybersecurity workforce and skills gap by emphasizing what it calls the pre-professional level: typically students, IT generalists, and those from legal or military backgrounds.
For pre-professionals, the lifecycle begins with a self-assessment of an individual's knowledge, skills and aptitude, which helps determine not only what a prospective infosec practitioner needs to learn to break into the field, but also what types of industry roles the individual may be best suited to fill.
Alexander said she recently worked with a student member of ISSA who is studying mechanical engineering, but wants to work in information security. The self-assessment helped identify that the student had a strong aptitude for the integration of physical and logical security.
"We suggested that he may be a really good fit for doing things such as car hacking, not only understanding the boundaries of the mechanical but also having the knack for cybersecurity," Alexander said. "The assessment is very personalized based on what their aptitude is, and then we help them get the knowledge and skills they need."
ISSA's pre-professionals are then given a customized set of training recommendations such as seminars and training courses, many of which are offered by (ISC)2 and made available to ISSA members at a reduced rate.
Participants are also matched up with mentors from nearby local chapters. The mentors help the pre-professionals further customize their training, build a network of contacts and identify additional learning opportunities.
The lifecycle is available only to ISSA members; membership starts at $30 per year for full-time students and $95 otherwise.
Alexander acknowledges that the pre-professional program may or may not be enough to help a newcomer land an entry-level infosec job, which is why ISSA is currently working to build out a formal apprenticeship program that will enable pre-professionals to work alongside mentors in real-world job scenarios. That program is expected to roll out next year.
"The beautiful thing about this lifecycle is that it's more than formal training," Alexander said. "We're here to help individuals through the training and after that training."
For Akamai, non-traditional employee recruitment pays off
While training opportunities emerge, an increasing number of employers have already begun bridging the gap by extending their information security staffing searches beyond traditional candidates.
Andy Ellis, chief security officer for Akamai Technologies Inc., based in Cambridge, Mass., has been experimenting with non-traditional infosec hiring for a number of years, with great success. Amid intense competition for experienced candidates, Ellis has adopted a strategy that focuses less on infosec experience and more on applicants who have the ability to learn quickly, the drive to do great things and a team-first attitude.
"[CISOs] all have jobs that we need to do that aren't actually security jobs," Ellis said. "A key success criterion for us is to surround people from non-traditional backgrounds with security people so they can learn and grow."
Ellis said he's hired all skill types onto his security team over the years, turning helpdesk admins into firewall management gurus and transitioning communications, customer support and, yes, project management specialists to handle compliance and external communications. He's found places for Ph.D.s and biochemical engineers too, all the while recognizing the importance of realistic expectations.
Andy Ellis, CISO, Akamai
"When we hire someone into a security research or other similar role," Ellis said, "there's about a 15-month spin-up time until they're able to be on their own and drive their own workload."
While some formal training is involved, Ellis said it's even more important to foster collaboration between non-traditional hires and veteran staff. Those relationships, he said, not only facilitate powerful on-the-job learning, but also teach the process of learning about security, which is critical to any successful infosec career.
Based on the success of companies like Akamai, Ellis predicted that more organizations will soon realize that non-traditional infosec hiring is not merely a necessity, but an opportunity to foster diversity and unrecognized talent.
"That's the future of this and more industries," Ellis said. "In a sense, in the short term, I'm glad I'm not competing with as many companies for these non-traditional hires, but long-term more will go looking for those folks, and they will become the traditional backgrounds."
As for Cradic, while he's still unsure when or where he'll land his first infosec job opportunity, he discovered his employer offers a tuition-reimbursement program that enabled him to enroll in the online information security master's program at Our Lady of the Lake University, based in San Antonio, Texas.
"I'm interested in cryptology and pen testing and risk management," Cradic said, "but honestly I'm looking for an opportunity to get broader hands-on experience in a lot of different things."
Only time will tell if more employers will adopt Ellis's mindset and broaden their searches for infosec staff to include candidates like Cradic, but it's clear innovation is desperately needed in information security hiring. Trained defenders need reinforcements, and the industry would be well-served by making the investment in Cradic and the many others like him who are eager to help.