I have a confession: After almost 15 years in cybersecurity, I have never successfully transformed a security engineer or hardened IT technician into a good cyberthreat analyst.
While such roles vary, one cybersecurity workforce survey after another ranks soft skills like critical thinking, and written and verbal communications, among the most important talent gaps in the industry. So why, if their goal is to hire IT and security generalists who can think critically and holistically about the needs of the organization, do hiring managers seek highly trained security specialists with focused skills like intrusion detection or penetration testing?
We often hire square pegs to fill a round hole. We are looking for cybersecurity talent in all the wrong places. Until we shift the way we think about, hire, and train threat analysts, we will never make a dent in the cybersecurity workforce gap of nearly 2 million.
Beyond providing significant opportunities for career advancement and job security to individuals interested in security, filling this gap is important to the security of organizations and consumers.
We have become incredibly reliant on Internet-connected devices like phones, tablets, thermostats, and fitness devices, and many people assume that the data they share using those devices is secure. But good security is only possible if good cybersecurity professionals, technology, and practices in place behind the scenes ensure that things work (and are used) properly.
What makes a great cybersecurity analyst?
Great cyberthreat analysts are generally born, not made. So before evaluating a candidate’s technical experience and skills, a hiring manager should assess his or her inherent traits, behavioral attributes, and interpersonal competencies.
The best analysts have the following qualities:
They are sponges. Lots of analysts have experience and expertise in a particular domain, but the best analysts demonstrate their ability to perform tasks in unrelated fields and learn new materials quickly. They can quickly collect, synthesize, and adapt information, given the particular situation or environment at hand.
They are puzzle solvers. Their brains are wired to connect disparate dots and see the bigger picture. Having a growth mind-set, they enjoy being challenged with increasingly difficult problem sets. They are inquisitive, and their questions specifically elicit, refine, validate, and implement requirements. And they can recognize, and work with, complexities, using analysis, evaluation, inference, and deduction to develop reasonable conclusions.
They are good communicators. Strong critical thinkers must also have the capacity to communicate clearly and logically. This is most often demonstrated through their ability to translate highly complex or technical topics in a way that makes the concept comprehensible for a layperson.
They are consensus builders. They can work well with others, building support across multiple stakeholders for various initiatives. They play well with others, even when others disagree or are unruly. They spend a lot of time working with counterparts in a variety of specialty areas to ensure that they have strong evidence to justify their conclusions. And they get broad internal and external buy-in on their assessments before publishing definitive conclusions.
They see the bigger picture. Many analysts have tunnel vision into a specific task; they don’t take into consideration the broader impact of their work. Great analysts constantly think about how their work relates to the strategic goals of the organization—and about how they can articulate it and apply it.
Where did we go wrong?
There’s a reason that this list doesn’t cover any technical skills. While certain cybersecurity roles require highly specialized technical skills (think security architects or engineers), a vast majority of roles requires acquirable technical knowledge or skills that then translates into an indicator, a policy, or some other business-related action. And this technical know-how is far more teachable than the soft skills and inherent qualities listed above.
In an attempt to solve our cybersecurity talent problem, the industry has created a single-track cybersecurity education model, eschewing the concept that diverse backgrounds (whether in gender, ethnicity, or discipline) and foundations of experience lead to more creative and effective solutions to security problems. While cybersecurity is a complicated issue that goes well beyond technology departments, universities have doubled down on technical skills and created cybersecurity degree programs that often disregard the most needed traits for success in the job market.
In my role at a cybersecurity workforce education company, I have met many job candidates loaded with ostensibly required degrees and certifications and yet no promising job opportunities. The cybersecurity industry will not solve its chronic talent problem until employers and hiring managers invest real time and energy in identifying the root of the problem—and start seriously considering nontraditional sources of cybertalent.
Changing the status quo
You can teach a lot of IT and security skills, but you cannot always teach the soft skills. If you have a role in filling your talent gap, think about your sourcing, recruiting, and hiring in the context of the long game:
Interview smarter. Proactively screen candidates for their big-picture skills. Ask them about the last time they had to quickly get up to speed on an unknown or unfamiliar topic, and how they approached it. Do this by asking behavior-based questions (i.e. “tell me a time when…”), and don’t be afraid to challenge them on the specifics. Ask them how they have handled constantly changing goals and priorities in previous situations. The goal is not for them to answer in one particular way, but rather to gain some tangible insight into their problem-solving process. And last, but not least, really probe them to ascertain whether they really understand the needs and goals of the organization, and can find ways to help it more efficiently realize its objectives.
Invest in the future. Companies must evolve to meet this future demand, and to ensure that they are identifying the right raw talent instead of paying a premium for a particular skill or literacy in a specific tool. They also need to invest in their employees’ continued learning and skill development. By focusing hiring on the broadly applicable soft skills, and training on the job-specific technical skills, they might be able to attract and retain more talent.
There are undoubtedly situations in which an organization is willing to pay for the hire that already has every technical skill it needs, but it’s better to focus efforts on hiring smart, passionate generalists, and then investing in their development into cybersecurity ninjas. It certainly beats repeating the same ineffective strategy of the last 15 years.