While cyber roles vary wildly, surveys rank soft skills like critical thinking and written and verbal communication among those most requested by employers. Yet many employers aren’t finding qualified applicants who meet the steep list of required technical skills, such as IDS experience and Splunk querying expertise.
The goal should be to hire individuals who can think critically about the needs of the organization and also possess a capacity to grasp the technical. Until we shift the way we think about how to hire and train new cybersecurity talent, we will never make a dent in the cybersecurity workforce gap projected to grow to 3.5 million by 2021.
The Great “Base”
Many people will tell you that the best practitioners are born, not made. I encourage you to think with a wider aperture as to what this means for your organization (rather than a pinhole scope of talent). Many candidates possess traits, behavioral attributes, and interpersonal competencies that provide a fantastic base for success as a cybersecurity team member. These are a few of the attributes to be on the lookout for.
1. The Human Hoover
While you shouldn’t avoid analysts who have experience and expertise in the particular domain you are looking to fill, you shouldn’t discount other candidates who have been shown to learn new material quickly. The latter category of hopefuls will be better able to quickly collect, synthesize, and adapt information given the particular situation or environment at hand. This way of thinking is often applied to entry-level positions, noting that new employees are “green” or malleable. While that is true, this trait can be found in individuals of all experience levels.
2. A Growth Mindset
A step beyond being able to quickly adopt and apply new concepts is enjoying the challenge of doing so. Stanford psychology professor Dr. Carol Dweck refers to this trait as a growth mindset. In addition to being inquisitive, candidates possessing a growth mindset are likely to ask questions specifically to help elicit, refine, validate, and implement the requirements of a security initiative.
The result of this motivated quest for understanding should generate better overall results. Furthermore, candidates who possess a growth mindset are better suited to learn from and build on their failures, rather than ruminate on them.
3. A Two-Way Street
Strong critical thinkers must also have the capacity to communicate clearly and logically. Many candidates mistake a strong communication ability for being articulate. That’s only the half of it. Solid communication skills include the ability to convey one’s views in a concise and intelligent manner as well as the ability to partake in active listening to truly understand the transmitted messages.
The best candidates have the keen ability to translate highly complex or technical topics that they have learned in a way that makes the concept easy for others to understand. Candidates possessing this ability are not only a good fit for your current open position, but may also find themselves on the fast-track for further advancement.
4. A Consensus Engineer
You want a team player – so what does that mean? You need practitioners that can work well, both emotionally and effectively, with their peers. Moreover, a successful practitioner can also build support across multiple stakeholders for the initiatives they are invested in.
Take a play out of the intelligence tradecraft playbook from the Department of Defense. Rather than publishing definitive personal conclusions, analysts must get internal and external agency buy-in on their assessments. Spending the extra time with counterparts with knowledge in specialty areas ensures analysts have strong evidence to justify their ultimate conclusions.
5. A Bird’s Eye Vantage
Great practitioners are constantly thinking about how their work relates to the overall strategic goals of the organization. While fulfilling the direct duties of a position may seem tactical, bonus points are awarded to the candidates who understand what important role they are playing. Test them.
Ask the question: “So, why does our organization need to hire anyone for this position? What would happen to the organization if we didn’t?” Employees should understand their value, and employers should provide every opportunity for every role to feel valued, too.
But What About the Splunk Queries!?
While certain cyber roles require significant doses of highly specialized technical skills, a vast majority don’t. The beauty of cybersecurity is that many required skills are far more teachable than the inherent traits listed above. Historically, the ancestral information security roles of the 1970s-1990s came from extremely diverse backgrounds – not just technical ones.
The cybersecurity skills gap will continue to grow wider until we start thinking about alternative non-traditional sources of cyber talent. If we open our requirements to individuals with the skills listed above absent some of the technical skills currently required, we expand the talent pool with a new wave of capable and motivated candidates. So, if you see a philosophy major come through your talent management system applying for a cybersecurity analyst position, don’t be so quick to press the “reject” button – your organization will be better for it.
(And for you philosophy, social sciences, communication, business, or other majors outside of computer science and cybersecurity, consider showing your dedication to cyber by earning the CompTIA Security+ certification. It’s not always a requirement, but it can always help your chances of getting through to an interview.)