NEW YORK — For companies scouting cybersecurity talent, it can seem as though everyone is fighting to land the same small group of people with the same background and certifications. But the talent pool can grow significantly if companies are willing to look beyond traditional avenues and invest in the necessary training. During the WSJ Pro Cybersecurity Conference on Wednesday, experts shared some tips companies can use to land top security employees from nontraditional backgrounds.
- Focus on mindset over technical skills. At the end of the day, technical skills can be taught, says Jennifer Steffens, CEO at IOActive Inc. While technical chops are of course useful, she says she looks for candidates with a passion to defend. Some of the best candidates have “the evil bit,” the part that helps them think like an attacker, “but wants to be on the good side.”
- Fix your job descriptions. “Have you actually read your job descriptions lately?” Theresa Payton, president, and CEO of Fortalice Solutions and former CIO at the White House, asked the audience Wednesday. A posting that drags on about firewalls and administrative tasks can be soul-crushing. Employers should play up the job’s sense of mission, she said. “People who are good at tradecraft are mission-driven and want to serve a noble cause,” Ms. Payton said. “You have to spell that out.”
- Meet potential recruits where they are. That means getting out to industry conferences, scouring online forums and other popular hangouts for hackers. Many of the most talented security thinkings are unlikely to seek out corporate positions on their own. Ms. Payton also recommended finding recruits at bases where people are detaching from the military. “Lots of times they want to fight the good fight,” Ms. Payton said. “You can teach them the technical stuff.”
- Prepare to invest in training. And that doesn’t mean a two-hour orientation session. The security landscape is shifting constantly, and companies must invest to keep their teams up to date. To do that, firms have run internal boot camps, or giving employees the flexibility to take classes or pursue an additional degree. Coaching may also be needed for the softer skills. For instance, corporate clients may flinch if someone on the security team refers to them as a “target.” The same principles apply to C-level security positions where the candidate doesn’t come from the corporate world. “You don’t come out of a career life in government and understand business right away,” said Jeremy King, founder, and president of Benchmark Executive Search.