By Tom Gilheany and Donna Maurillo
Your best cybersecurity candidate for tomorrow may be sitting at the admin’s desk today. Or maybe in the marketing department. It may be the person who majored in psychology or who loves mystery novels or puzzles. If that sounds far-fetched, consider this. Technical knowledge and skills can be trained into a candidate. But it’s more difficult to train them in abilities such as curiosity, problem solving, personal interaction, empathy, communications, and other so-called “soft attributes.” These are usually innate or they are developed over many years.
The global shortage of qualified cybersecurity personnel is putting us all at risk. Cybercriminals are profiting from their activities, creating a major underground business worth many billions of dollars with a low cost of entry and a low probability of being apprehended. There just aren’t enough “good guys” to keep them in check.
You could make them more valuable.
The good news is that your organization could find long-term talent inside its walls. With some training, they could become more valuable in their current positions, or they may be motivated to pursue cybersecurity careers within your company, protecting your information, systems, and assets. You will be training people who already know the organization—its culture, markets, expertise, and customers. In addition, every department may need someone in their group who understands cybersecurity. It may surprise you that some of their career skills, education, or hobbies could be quite valuable.
Upskilling current employees can also boost your reputation as an organization that invests in its existing human assets. That alone will help you attract high-quality candidates while retaining those likely to have a good future under your employment.
Tim Erlin, vice president of product management and strategy at Tripwire, wrote, “The cybersecurity industry should not overlook the soft skills that are needed to build a strong security program. The reality is that today’s security pros need to go beyond technical expertise. Security practitioners need to be good communicators who can connect cybersecurity issues to business priorities, rally the rest of the organization to get involved, solve tough problems and handle sensitive issues.”
A Gallup poll also states that an impressive 87% of millennials rate "professional or career growth and development opportunities" as important to them in a job.
In this first of two parts, we will explain how your organization could have a significant advantage if management keeps its eyes open for hidden talent and if you have a creative workforce development plan in place.
Who are they?
Here are some examples of those skills when applied to cybersecurity:
Degree in Sociology or Psychology—For these candidates, sociology or psychology may help them interact well in a work group or cybersecurity project team. They understand individual and group dynamics, know how to lead others, and can reach out to client groups and develop insights about their needs. These candidates could be valuable in cybersecurity sales or in a help desk role. They could work on teams analyzing threats by understanding the minds of cybercriminals.
Here’s another angle. These candidates also may understand social engineering techniques (human vulnerabilities) and how best to change risky user behaviors that lead to security weaknesses. Because humans are often the weakest link in the security chain, a deep understanding of what motivates and drives humans is a great advantage. In addition, more companies are performing background checks on employees, contractors, and vendors. People with psychology or sociology degrees may have an edge at managing that process.
Law Enforcement Experience—These people think in terms of law and order. They have a compliance mindset because protecting human and physical assets has been their primary goal. They understand investigation protocols and forensics—how to gather and analyze evidence. They understand proper procedure, how to spot anything suspicious, and how to investigate rigorously.
These candidates know how to stay one jump ahead of a cybercriminal, anticipating the next move, seeking out vulnerabilities, or thwarting imminent attacks. They are great contributors to cybersecurity teams or other work groups, such as those checking on compliance, audits, policies, and investigations. Further, legal and law enforcement teams (perhaps the FBI) may be involved when a cybercrime is committed in your organization. People on your team who are accustomed to working with law enforcement agencies could be a great advantage in these situations.
Military Experience—Teamwork is basic to military training, and achieving team objectives is a primary goal. They also understand the difference between strategies and tactics. Like those with law enforcement experience, former military people are ingrained with hardening and protecting assets as a first step in preventing attacks. These candidates may serve as valuable team members because they have been trained to be disciplined and to work diligently on problems even if it requires “off hours.” They also know how to work under pressure, to deal with stress, and to remain vigilant. Depending on what roles they filled in their military service, they could fit into any number of teams.
Women and Minority Groups—A growing body of scholarly research suggests that human bias can be largely unconscious. Having a diverse team with different cultural, social, and gender backgrounds helps to combat innate human biases and “group-think.” Diverse cybersecurity teams are more able to think and search outside the box for possible security issues. Remember, cybersecurity is a global problem affecting everyone. The attackers aren’t a homogeneous group, and your defense teams should be equally diverse.
Teaching Experience—Candidates with teaching experience can be skilled in leading corporate cybersecurity training, either inside the organization or with client companies. These candidates may be talented at training large groups or smaller project teams in cybersecurity best practices. People are most often the weak points in cybersecurity. Excellent trainers can help ensure that all employees learn, understand, and follow security policies. They also could guide policy writers to ensure that an organization’s policies and procedures are clear, accurate, and understood by those who need to know them.
Degree in English, Literature, or Communications—All written and spoken information for cybersecurity must be clear, accurate, concise, and accessible. Like those with a teaching background, candidates with this kind of training may help improve the quality of cybersecurity instruction materials, policy manuals, PowerPoints, speeches, websites, social media, and other communication avenues. They may be talented at making presentations themselves or at “training the trainers.” These professionals can help create communication flow charts for crisis situations, and they can help determine the appropriate internal and external messaging during a crisis.
Scientists—Many scientists have transitioned into working with computers and technology. They are familiar with researching a topic, gathering evidence, working to understand what makes something tick or not tick, documenting their processes, seeking out other research, and defending their reasoning. Scientists are accustomed to looking for facts, not opinions. These candidates are valuable when you require a team member who thinks logically, and can process large quantities of information, test theories, and use evidence to prove something.
Administrative Assistants and Staff—People in these roles often know the company inside out. They know who to tap for information. They know the company processes. Frequently, they ensure that processes are running well. A good fit may be on the cybersecurity help desk team. Admins also may be relationship builders. They have a broad, informal network across the company that allows them to take the pulse of things, determine what’s really happening, and smooth over any bumps. They may be a great buffer for the technical team—disseminating updated information during a security event, for example, and protecting the team from interruptions.
Accountants and Financial People—These folks frequently know how to do formal risk analysis, so they may use these skills to calculate cybersecurity risk from a business impact viewpoint. Insurance companies now offering cybersecurity insurance policies are constantly looking for people who understand both finance and cybersecurity. From a cost/benefit analysis, skilled workers in finance can help decide how much the organization should spend to mitigate its cybersecurity risks. Many people working in these departments have been involved with financial audits and are familiar with the audit process. With cybersecurity audits becoming more commonplace, a person with a finance or accounting background can be very useful in understanding and quantifying risks, audits, and controls. With additional cybersecurity training and skills development, they may combine their skills to work on cybersecurity audits and cybersecurity insurance problems.
Talent with Puzzles or Mysteries—Candidates who love to work puzzles or solve mysteries will take a cybersecurity problem, analyze the clues, and follow each one to its logical conclusion. Reaching a dead end does not discourage them. They will simply take another path and keep moving until they find the solution. Then they pick up the next challenge. Even without all the pieces in place, they often can see the bigger picture.
The Oddballs—We’re serious. These candidates try something different just to see what will happen. They take things apart to see how they work, then they create a better way to build them. These candidates think outside the box—sometimes way outside the box. They may or may not fit in socially, and you may have to keep them focused and manage their desire to color outside the lines. But they can be a real asset when you need people who can instinctively spot a glitch. They also may have talent for security-hardening products and performing pen-testing. A common way to find security flaws is to have someone like this do unexpected things that the system designers never anticipated.
In Part Two…
With our next installment, we will give examples of how this practice has been applied, and we will provide links to a variety of training programs for these candidates. In the meantime, what do you think about all this? Have you seen examples of people like this contributing to cybersecurity defense?
Tripwire News; "Survey Says: Soft Skills Valued by Security Team"; October 17, 2017.
Gallup News; "Millennials Want Jobs to Be Development Opportunities"; June 30, 2016.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.
Donna Maurillo is a content manager at Learning@Cisco, creating white papers, blogs, website content, and other materials. She has a lifelong career in public relations and corporate communications. Her goal is to highlight the many benefits of a connected environment.