During Cybersecurity Awareness Month, SecurID will highlight insights and best practices to help all businesses and users do their part to protect themselves, secure remote work, and “#BeCyberSmart.”
Earlier this week, SecurID Chief Information Security Officer Kelly Sarber, Global Cloud Identity Architect Ingo Schubert, Chief Product Officer Jim Taylor and Governance & Lifecycle Field CTO Chris Williams reflected on where their cybersecurity careers began and how someone who is considering a career in this field can get started. You can read part one of their reflections here.
As Cybersecurity Career Awareness Week continues, the SecurID leadership team shared some additional perspectives on the qualities they look for when making an infosec hire, why there’s a talent gap in cybersecurity, how to create a more diverse workforce and more:
What skills do you prioritize when it comes to hiring for a cybersecurity role?
Kelly Sarber: For people who are newer to the industry or community, I’m about attitude and aptitude all day long. I look for someone who is really eager to learn and eager to be helpful—someone who just wants to explore. That’s a great indication of someone’s ability to be engaged.
On the aptitude side, I look at a candidate’s problem-solving skills and process. No one knows everything in this field and you never will. But if you always show up with a positive attitude and a solid problem-solving mindset, then there’s nothing I could throw your way that you couldn’t figure out. For me, that’s paramount at any level that I’m hiring for.
When it comes to specific technical skills, then it really depends. I think that ‘back in the day’ security experts tended to be systems admins or came from network security. You didn’t have to be a ‘programmer’—instead, you may have needed to have some scripting skills. Now, because so many companies are working with a DevSecOps mindset, and because so much of our work is in the cloud, I think many roles need automation skills and a developer mindset.
Jim Taylor: There are many good traits for someone working in InfoSec—but two stand out: aptitude and attitude.
This is such a dynamic environment that’s always changing. The challenges we’re facing today are different than 12 months ago or five years ago. You need the ability to learn and a willingness to learn.
It’s great to already have skills and background knowledge, but the reality is if you get a cybersecurity degree today, while the principles and foundations you learn will continue to be important, the specific problems you’re facing will continue to evolve.
Every day there’s a new technology and a new problem that we have to solve. Ten years ago, we weren’t thinking about how to secure mobile—now it’s the only thing we’re thinking of.
It constantly surprises me how fluid and dynamic this space is. You have to be able to embrace that.
Chris Williams: Obviously, there is a myriad of technical skills required—and each security discipline has its own set of required skills.
So, given that the techie bit is very available, I look for strong communication skills, the ability to prioritize and respond to the “current crisis.” And more than anything, I look for genuine interest and commitment to our field.
Why do you think there’s a cybersecurity talent gap and how does our sector close it?
Kelly Sarber: I think part of the issue is that tech is just evolving way too fast, so we’re struggling to keep up. The speed of the innovation and the problems that people are solving are just staggering—and it’s all powered by interconnected cloud services.
There are also a lot of misconceptions about our role and what cybersecurity is. There are lots of both technical and non-technical roles that are needed to support a cybersecurity program. Cybersecurity is a human issue, not a technology issue. Getting people to work and think differently—that’s about changing human behavior, and because of that, we’re frequently up against human nature.
Yes, we need to focus on technical skills, but we tend to be lacking in understanding how to evolve and change with the human aspect of our work. We don’t talk about the human element enough—and if we did, maybe we’d get more people interested and see cybersecurity as more than a technical role sitting behind a desk.
Jim Taylor: There are just not enough good security folks to go around. I have friends across the industry working as services providers, implementors, vendors, partners—they’re all saying the same thing: there’s just not enough good talent around. The demand for cybersecurity skills is just outstripping the supply.
That’s due to a number of causes: security may not seem as cool as working at Blizzard or making movies. On the outside, our work appears really challenging. And we aren’t doing ourselves any favors: we use a lot of jargon and acronyms. It makes me think of doctors: are doctors really cleverer than everyone else, or do they just know how to speak doctor? Have we made security a closed-loop and kept everyone else off?
We should be talking about how cool a space this is and everywhere that it can take you. We should also be teaching this in Kindergarten. Because look at the last two years: if you were four or five years old, then you just spent your first two years of school sitting in front of a laptop on Zoom.
It’s clear we need to provide kids with basic internet safety—that should be a fundamental skill, and as foundational as teaching English or math. Instead, it’s like we’re giving kids cars without teaching them to drive.
Until we treat it like that, then our industry won’t be able to find enough talent, let alone give people the skills they need to live their lives.
Chris Williams: It’s simple: there are more bad actors than there are good defenders. And the hostile folks aren’t bogged down with any concerns other than their own interests. So they tend to proliferate faster than we can respond.
Why is it important to create a more diverse cybersecurity workforce?
Kelly Sarber: It all gets to the classic problem of groupthink—you get a bunch of people with a similar background, then they’ll head down some specific paths. They’ll miss other opportunities and solutions because of that.
At my first job in a SOC, I started as the only female on a team of 25 to 30 people. Eventually, there may have been three women. My first manager told me that he loved throwing me in with a group of guys because I thought differently—and having my male colleagues react to me made them come up with different outcomes.
When you have a bunch of highly technical people, having diversity—whether it’s diversity in gender, heritage or even in the companies that you worked for—really can breed new ideas and help people think outside of the box. It’s imperative to be mindful of how we create diversity on multiple levels throughout the organization.
Ingo Schubert: For the same reason why a diverse workforce is important anywhere else: different backgrounds can lead to different ways to approach problems. There seldom is just one way to solve a problem and it often isn’t the way you would have picked on your own.
Personally, I find a diverse workforce way more enjoyable. People from around the world, different cultures, religions and ethnicities working together on solving problems? Nothing is more inspiring and humbling.
Jim Taylor: This is another failing of ourselves as an industry. For something that’s as dynamic an environment as this, we do a horrible job collecting more diverse perspectives.
We’re serving a diverse audience, but we don’t have perspective. The more diverse you can make something, the better it is.
Chris Williams: Collectively, a diverse population should produce more variances in how we approach and address issues—as well as more strategies, tactics and solutions.
What’s a final thought you want to share about careers in cybersecurity?
Kelly Sarber: Come and join the fun!
Jim Taylor: If I had a soapbox, I would say: just try it. If this isn’t for you, then that’s fine. But having some additional security awareness is becoming a fundamental life skill, like learning to cook. And you’ll be better in whatever you do if you have a basic understanding of security.