Cybersecurity skills shortage prompts new hiring approach

It's been called a tech pipeline: a recruitment path for graduates of computer science or national security, both traditionally male-dominated disciplines, into the cybersecurity workforce. This pipeline is one reason why the cybersecurity industry is so homogenous in terms of diverse backgrounds.

When hiring managers choose from a pool of candidates who share similar backgrounds, it's natural that the end result is not representative of a wide range of experiences and educations. Sometimes these limits are taken for granted by leadership in charge of hiring. It is almost a given that candidates for cybersecurity positions should come from computer science or IT educational backgrounds. But by taking the blinders off and considering people with nontraditional backgrounds, some veteran security professionals hope to diversify their teams in an effort to combat diverse threats.

Chris Schueler, senior vice president of managed security services at Trustwave, acknowledges the homogenous composition of the cybersecurity industry today -- and the need for more diversity. He cites evolving cyberthreats coupled with a cybersecurity skills shortage as the top two reasons to recruit candidates with nontraditional education and backgrounds.

Editor's note: The following transcript has been edited for length and clarity.

What are the advantages of more diversity in cybersecurity?

Chris Schueler: The one thing a professor always told us was to avoid groupthink -- if you all agree to everything, that's probably not a good thing. The advantages of having a group together are the different backgrounds, approaches and personalities. I think that's one of the challenges that we have in cybersecurity. We look for people who are similar to what we're accustomed to, or we look for skills that we know are effective. So, if it's a computer science background, someone who has experience in operating systems or computer networking -- they're a good match. Anybody else: Preclude them from our search.

Chris Schueler

But if you think about it from a criminal perspective, what we're trying to do is find criminals. Adversaries are trying to steal money and data or harm countries in the case of a foreign adversary. So, what skills do we need to catch criminals? Approach it that way, versus what skills do I need to accomplish a cybersecurity mission or a job. It's not just the bits and bytes and people that can manage and configure devices or look at logs, but people that can actually profile an adversary. There are between 150 and 200 cybersecurity gangs in the world. They recruit people constantly on the dark web. If you know that, why would you not be profiling those gangs, and then in your service, leverage those profiles to look for those adversaries?

Look at what skills you do not have -- not the bits and bytes, but the profiling. People that have a psychology degree, who have a criminal justice background or maybe a law degree. All these skills are unique. We even look at some of the wilder degrees, like parks and recreation. One of my best leaders in America has a parks and recreation background; he wanted to be a park ranger out in Colorado. Because the job wasn't available that summer, he happened to get an IT job, a temporary gig working at this little company out in Boulder, Colo. called IBM, and realized this is neat, this is a cool field and he took off. His approach is completely different than that of his peers because he approached it from a different angle.

We're really going back to avoiding groupthink. There are nation-state actors today that have tens of thousands of people working for them that wish to do harm to our customers. If you think about it from that angle, we have to maximize. If I have 500-plus people in my organization catching this number of criminals around the world and nation-state actors, I need some sharp people with diverse backgrounds to avoid that groupthink.

What does the ideal diamond-in-the-rough candidate look like?

Schueler: Are you curious? Natural curiosity is what we're always looking for because those are the people who are never going to stop. The second type is a personality trait of someone who looks for a challenge. Those nontrained traits are what we look for because they're going to be successful in a threat hunting career. The backgrounds in skills is secondary. Many times that's what gets them in a discussion with us, but the ones that we really want to invest in are the ones who will keep going deeper until they find something.

What are the diversity goals? When do you think we will see a less homogenous cybersecurity workforce?

Schueler: If you think about groupthink, gender, culturally, ethnically, those things can play into the diversity that we need in the workplace. Cybersecurity is not a huge workforce in the grand scheme of IT, and when you think about the skills and personality traits that we need, it becomes smaller and smaller. If you have a bunch of Caucasian males looking at the same data and they all agree, that's groupthink. We need people who are going to challenge [the] status quo and think differently. People who will not just agree with what one person talked about. I think the important piece is looking for different backgrounds and diversities and genders to push diversity.

It's not just the bits and bytes and people that can manage and configure devices or look at logs, but people that can actually profile an adversary.

People who have effective leadership or organizations surround themselves with people that are better than them. I'm always looking for people who are better than me from different backgrounds to challenge not just me, but each other.

I have a female on my team, for example; when she says something, pretty much everyone on the team perks up because she doesn't say the same things as everyone else. She approaches it completely different, like 'Did you think about this from the customer's perspective?' Ultimately, that's who we're servicing is the customer. No matter who you are and what business you're in servicing cybersecurity, you have a customer. You need to approach it from a different angle all the time.

What can cybersecurity employers do to combat this lack of diversity?

Schueler: We have to invest in the next generation. We went to Chicago city colleges and the Chicago City Council Chancellor and said we want to partner with you. With this community in Chicago, we can help train the next generation of young, diverse workers to be cybersecurity professionals. Selfishly, I do it because I want a pipeline of people to recruit from -- we hire a lot of interns from their program. And if we want it to be a diverse community that can actually catch adversaries, I think we have to give back. We do this not just in the U.S., but in Europe, Australia, Singapore -- wherever we have presence. We partner with universities because that's the next generation.

Think about it from an age perspective as well -- who are the Millennials and Generation Z's that we're looking at now? They are the next set of leaders in our company when we're well and gone. We have to seek talent that may have not come up through the cybersecurity path. They may currently be a criminal defense attorney. Defense attorneys don't give up and they look between the lines to identify stuff. That's the talent that we want at our organization.

What advice would you give to people who aren't from that typical tech pipeline, who may count themselves out of cybersecurity as a career path? Do you think they need to market their nontraditional skills?

Schueler: Absolutely. There's a minimum required to at least have some IT background or experience, but also a level of curiosity. Those are traits we're always seeking. I do not want to hire people that come in and just want to make the donuts every day. Because I know my adversaries aren't. It's not 'I did X, Y and Z so I'm a good cybersecurity professional.' How are you constantly challenging [the] status quo and being effective in doing so?

I know from a lot of my peers, we are completely open to all skills and talents. I'm trying to push the envelope on the status quo and not just look for someone with the same set of backgrounds. Look past the basic requirements. When we're turning into a homogenous community, it's just a waste of time and the adversaries are going to win.

What else should leadership know about this hiring strategy of nontraditional backgrounds as a solution to the cybersecurity skills shortage? Is this the way to close the skills gap?

Think about the cybersecurity skills shortage that we have. If you have an interest in cybersecurity at all, don't exclude yourself from this field. If you have an inkling of interest, explore it and see if it actually is a fit. Explore yourself and see if these things interest you in the field -- the always being curious, on the hunt and suspicious, trying to constantly improve.

I get people in the door who have those skills and are motivated, they move very fast in my organization. Frequent promotions and opportunities get thrown at them because those are the ones that make a difference and make change.

Is that the kind of person you want to see in leadership?

Schueler: Absolutely. We want people who are going to lead from the front, who are going to do things and improve their organization and explore new areas. Simple things, such as how to reduce leadership. I think in our field you can't have the hierarchical leadership model -- you need to be very flat. The generation of people that we're hiring, they don't respond well to that hierarchy, rather they respond well to leaders as close to them as possible, and being with them as they do their job. Though there are more than 500 people in my organization, I'm literally two levels from anybody else. I want to keep it that way. We can make changes and communicate quickly. Those types of leaders are absolutely being sought out right now across cybersecurity.