Lamont Orange
Those of us who read a lot of tech and business publications have heard for years about the cybersecurity skills gap. Studies often claim that millions of jobs are going unfilled because there aren’t enough qualified candidates available for hire.
I don’t buy it.
The basic laws of supply and demand mean there will always be people in the workforce willing to move into well-paid security jobs. The problem is not that these folks don’t exist. It’s that CIOs or CISOs typically look right past them if their resumes don’t have a very specific list of qualifications.
In many cases, hiring managers expect applicants to be fully trained on all the technologies their organization currently uses. That not only makes it harder to find qualified candidates, but it also reduces the diversity of experience within security teams — which, ultimately, may weaken the company’s security capabilities and its talent pool.
At Netskope, we take a different approach to staffing for security roles. We know we can teach the cybersecurity skills needed to do the job, so instead, there are two traits we consider more important than specific technical expertise: One is a hunger to learn more about security, which suggests the individual will take the initiative to continuously improve their skills. The other is possession of a skill set that no one else on our security team has.
Overemphasis on technical skills creates an artificial talent shortage
To understand why I believe our approach has helped us build a stronger security team, think about the long-term benefits of hiring someone with a specific security skill set: How valuable will that exact knowledge be in several years? Probably not very.
Even the most basic security technologies are incredibly dynamic. In most companies, the IT infrastructure is currently in the midst of a massive transition from on-premises to cloud-based systems. Security teams are having to learn new technologies. More than that, they are having to adopt an entirely new mindset, shifting from a focus on protecting specific pieces of hardware to a focus on protecting individuals and applications as their workloads increasingly move outside the corporate network.
Some security staffers are finding this change difficult to manage, while others are happy to roll with the transition. But as they learn to secure corporate resources in this brave new world, the technical capabilities they used to land their current job are quickly becoming less relevant to that task.
CISOs who require specific technical skills in job candidates and express disappointment about the absence of resumes that meet those requirements are actually creating the “skills gap.” Their narrow focus when hiring is doing them no favors in the long term.
Critical cybersecurity expertise extends beyond the technical
A better approach is to consider candidates who have little security experience. For example, if the company’s project management teams or line-of-business functions are experiencing disruption, there might be individuals with a deep understanding of the business who are looking for a chance to learn something new. Their knowledge might not match what’s listed in a security job description, but they might bring a new perspective that can make the security team even more effective.
Cybersecurity is not just an engineering problem isolated to flowcharts on a whiteboard. It’s a business problem that requires regular two-way communication with the C-suite, stakeholders and board. That explains why even some CISOs lack a lengthy technical background. Moreover, the world’s best-designed security policy is useless unless employees at all levels of the organization are convinced to comply.
For example, marketing talent can significantly boost the effectiveness of a security function. I think every cybersecurity team should include someone with exceptional communication skills, who understands how to market security concepts to people who are less technical. Including this nontraditional perspective in the security team can greatly increase controls compliance companywide.
Likewise, business and financial analysts may bring complementary skills to a security staff. Experience in scenario planning and modeling can boost awareness of the possible ramifications of different prospective courses of action, therefore adding diverse thoughts to enrich the security approach and effectiveness. Such a hire might provide insights into questions such as: “If we do X, how much friction will we cause with end users?” and “Will approach Y really improve protection of our data, or will it create gaps by changing user behavior?”
What to look for when hiring
When the Netskope security team is hiring, one of our top priorities is to improve the diversity of our skills as a group. Hiring managers look for candidates who really understand the drivers of our business and whose knowledge outside of cybersecurity supplements our existing skill set. We look for people who can translate cyber challenges into business solutions.
Obviously, an interest in security is crucial. We ask marketing- or business-oriented candidates what they do in their spare time. What technologies are running on their personal laptops? Have they learned specific technical skills in their free time — say, writing a script to make life easier around the house? It’s always impressive to hear that someone has stepped outside their discipline to solve a technology problem. People who demonstrate that level of interest in cybersecurity can be trained on the specific technologies we need them to use.
By taking this wider-lens perspective in cybersecurity hiring, we increase diversity within the team. We look for variety not only in skills but also in age and demographic groups. A team with diverse talents and backgrounds is going to think about security problems from more angles than a monolithic group would. Diversity is a core value across Netskope; from the CEO to the front lines, we believe that we will be more successful and more resilient as an organization if we are inclusive of people with a wide range of perspectives.
Ultimately, diversity is the final step in digital transformation. Many security teams are grappling with transforming their controls to reflect ongoing changes in their organization. They will have a better chance of completing this transition and keeping resources secure in the cloud if they also transform the security team itself.
Enterprise security attackers are one password away from your worst day
Comment