By Tom Gilheany and Donna Maurillo
In our first installment of this blog post, we introduced the concept of finding hidden cybersecurity talent inside your organization. This “hidden talent” may include workers who have military, law enforcement, scientific, or teaching experience. It could be among those with liberal arts degrees such as English, literature, or communications. They may not look exactly like the people currently on your security team—they may have a finance or accounting background, for instance. Even the so-called oddballs can offer increased value, especially if they bring fresh perspectives or tangential knowledge to your existing security team.
As cybersecurity threats grow exponentially across the globe, people with cybersecurity training are in seriously short supply. Given that challenge, how do we secure our organizational assets in the long term?
It makes all kinds of sense to broaden our vision and think creatively. Most of these hidden candidates may never move into formal IT or cybersecurity positions, nor is it necessary that they do. Rather, they can add a great deal of value to their current work teams if they take even one or two courses—because, at minimum, security awareness is everyone’s job. Handling security risks is increasingly becoming part of a growing number of more traditional jobs, from designing secure products, to managing supply-chain risks, to assessing the financial fallout of potential losses, and to building awareness of insidious risks.
In this second installment, we will provide examples of this concept in the real world, along with links to several training programs.
It begins with the right training.
How do organizations leverage the unique talents of these potential cybersecurity candidates? Getting them properly trained is an excellent way to start. Employees should have some concept of what types of additional security-related roles and responsibilities interest them. Then they can obtain training to acquire their new skills and enhance their current positions, connect cybersecurity issues to business priorities, rally the rest of the organization to get involved, solve tough problems, and handle sensitive issues.
If they are sufficiently intrigued by career pathways in cybersecurity, they can even investigate the various certifications related to those job roles and skill sets. From there, they can put together a training plan to acquire the knowledge, skills, and abilities to successfully achieve a certification. These certifications help to unlock career doors, proving their competence for new roles and responsibilities.
If you’ve already hired some of this “hidden talent” for other roles, you may consider asking them to step forward if they are interested in obtaining some cybersecurity training. Many of these employees may be stuck with tunnel vision themselves, never considering that they could move out of the predictable roles and add a cybersecurity facet to their positions. Or you could get lucky and find people who, given the opportunity for training, will eventually take the leap into your cybersecurity team.
This is not a far-fetched idea. Major companies are moving in that direction, and the investments are starting to pay off.
Here are some who did it.
Cisco already looks for these kinds of people, knowing that they may bring valuable talents to its cybersecurity team. For example, the Talos team is Cisco’s group of elite malware researchers who roam the Internet looking for cybercriminals and stopping them in their tracks.
Talos threat intelligence manager Joel Esler is one of those whose curiosity led him to an IT career. When he was 14 years old, he collected used radios and telephones just so he could take them apart. “I liked to see how they ran and see if I could put them together again,” he says. “Sometimes I succeeded.”
His passion for hacking machines led him to specialize in telecommunications and security in the U.S. Army for six years before joining Cisco.
Alex Chiu is a Talos threat researcher who has a related hobby. “I love puzzles, and security is not all that different,” he says. “You don’t get all the pieces of the puzzle, but you still have to put them together to make a complete story. And that is a lot of fun.”
Data analyst Kate Nolan is one of a small but growing number of female security researchers within Talos. Her background in data analytics rather than traditional security helps her see things differently. “My colleagues are always looking for a back door, but I think more like a developer, so I think like malware builders,” she says. “How would you put a threat together, rather than how do you take it apart?”
Each of these tenacious IT professionals came into Cisco with a non-traditional talent that allowed them to become part of an elite cybersecurity team. Look around your own organization to see if you can uncover similar gems.
Here's how you can do it, too.
First, identify likely candidates. Second, identify the cyber skills that might benefit both them and the company if their current roles were expanded. In fact, when combined with their current skills, their cybersecurity training could open up entirely new, more valuable job roles. Third, provide the training opportunities so they can acquire those skills.
And finally, give them opportunities to put those new skills to use—“stretch” assignments, handling security risks within their department, or liaising with the corporate cybersecurity or risk management functions.
IBM has its own “new collar” jobs program, which was started two years ago as a way to move non-traditional people into cybersecurity careers. So far, it’s been working well—20% of its U.S. hiring in cybersecurity since 2015 has been “new collar” workers. They point out that cybercriminals put up no barriers to entry. Why, then, do so many enterprises have a limited view of their cybersecurity prospects?
The company is enthusiastic, recommending that other organizations encourage apprenticeships, certifications, programs at community colleges, and other training venues. Some of IBM’s newest cybersecurity people came from retail, education, entertainment, and law. The common denominator is that these candidates were curious about cybersecurity and were motivated to learn.
Cisco is here to help.
Learning@Cisco offers a broad range of certifications that are well known and respected in the technology industry. Having a Cisco certification adds exponential value to an employee and the benefits they can bring to your organization. This is true whether those employees continue into full-fledged careers in IT and cybersecurity, or whether they remain on their current work teams and increase their value through additional training.
Here are a few of the relevant cybersecurity courses in which you can enroll your employees:
- Cybersecurity Training and Certifications Page – This provides an overview of the many professional roles in cybersecurity. It’s a good start for someone who may have some interest but needs more information.
- Cisco Networking Academy – Some of your non-technical employees may still be attending community colleges. If so, the Networking Academy can expose them to introductory concepts in networking, coding, operating systems, and security. This is an ideal starting point for many young people getting started in their careers.
- CCNA CyberOps Certification – This training helps to start a career working with associate-level cybersecurity analysts within security operations centers (SOCs), and lays the foundations for higher-level roles in cybersecurity operations, such as advanced cybersecurity analyst, incident responder, cyber forensic specialist, or cybersecurity auditor.
- CCNA Security Certification – Earning this certification lays the foundation for job roles such as Network Security Specialist, Security Administrator, and Network Security Support Engineer.
For those with military experience:
- Certification Resources for Military Personnel – This page explains how to translate military IT experience into a widely recognized credential for military, government, and civilian careers.
- US DoD Approved 8570 Baseline Certifications – US DoD personnel (uniformed services, or civilian contractors) performing Information Assurance functions on privileged systems must hold and maintain an approved certification, according to their job role. Cisco’s CCNA Security and CCNP Security Certifications are approved for Information Assurance Technician (IAT) roles. Cisco’s Cybersecurity Specialist Certification (SCYBER) is approved for Computer Network Defense/Cybersecurity Service Provider (CND/CSSP) Analyst and for CND/CSSP Incident Responder roles.
Even your existing security people can benefit from additional training and certifications. Don’t overlook how these employees can also add more value to their jobs.
For those at the professional level:
- CCNP Security Certification – This certification is for the Network Security Engineer job role. It requires a CCNA Security or any CCIE certification as a prerequisite. Individuals holding CCNP Security Certification have proved that they have professional-level competence in all relevant areas of network security, including next-generation firewalls, next-generation IPS systems, Advanced Malware Protection, and many other key security control technologies.
For those who are experts:
- CCIE Security Certification – This certification is the highest certification that Cisco grants network security experts. These elite individuals typically work at the highest (expert) level of security technology experience, tackling the most difficult and technical of security problems, designing solutions to new security problems, and architecting organization-wide security systems and controls.
Your employees want to help.
We all know that cybersecurity risks are growing. It’s become an accepted fact of life not only for organizations, but for individuals as well. Your employees are already aware that the threats exist. They want to help because they know how important it is to ensure stability for your organization, for your organization’s customers and suppliers, and for their professional lives. To accomplish this over the long term, management must uncover talent in unexpected places and train more of that talent to help secure the organization.
Harvard Business Review; "Cybersecurity Has a Serious Talent Shortage. Here’s How to Fix It"; May 4, 2017
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.
Donna Maurillo is a content manager at Learning@Cisco, creating white papers, blogs, website content, and other materials. She has a lifelong career in public relations and corporate communications. Her goal is to highlight the many benefits of a connected environment.