People with experience in project management, analytics and data science, technical writing, law, policy, third-party oversight, or physical security functions like law enforcement or military roles, may all be able to qualify for cybersecurity jobs by fine-tuning some critically needed skills, said Pete Metzger, a recruiter of c-suite cybersecurity professionals with consulting firm DHR International.
“The fact is that, because of the imbalance in the equation of supply and demand, these jobs have become not only hot but highly paid,” said Metzger, who started his career in the Marine Corps and later served as a foreign intelligence officer with the Central Intelligence Agency.
Companies are looking for people who can help them “reshape” how they think about security, he said. Having the ability to “solve problems, having exceptionally well-tuned leadership skills and the ability to influence people in various lines of business,” are critical to what corporations are seeking in cybersecurity executives and staff, he said.
In addition, companies are increasingly being asked to cooperate with one another, with government agencies or with international organizations to share information about threats and incoming attacks. Doing so involves carefully creating channels for sharing sometimes sensitive information and building trust between factions who might not traditionally get along. Those jobs require excellent relationship-management skills and the ability to help move partnerships forward, especially those that involve a mix of the public and private sectors, Metzger said.
People with experience quantifying risk have become particularly valuable, including accountants and data analysts, said Sekar. “It’s a very broad landscape. There are aspects of psychology, being able to understand users and user behavior. There are aspects of strategy, for people with experience formulating business strategies,” Sekar said.
He used the example of how British military officers in World War II used a timed crossword puzzle in a newspaper — not complex math problems — to try to find people well-suited for solving the encryption of Germany’s code-generating Enigma machine.
“Some early solvers of encryption problems were linguists, not mathematicians. What is necessary or critical in cybersecurity is the ability to analyze, and the curiosity and the desire to understand how things work,” he said.
Many cybersecurity job listings focus very little on technology qualifications: Chronicle, the new, secretive cybersecurity company launched by Alphabet in January, is recruiting for technical writers who can provide “a key link between engineers, UX, product, marketing, and customers.” The job calls for some experience interpreting source code, but doesn’t ask for a technical degree, instead focusing on people who have experience with “technical writing, product documentation, or online publishing, including experience with writing technical customer-facing materials.”
Apple is recruiting for a security counsel to help aid in investigations of cyber intrusions, fraud and other breaches. The job requires a law degree. Three of the top skills required don’t even mention technology, but instead ask for investigations experience “in a prosecutor’s office, law enforcement agency or corporate environment” and “excellent diplomacy and communication skills.”
Many companies require certifications in cybersecurity, and the CISSP, or Certified Information Systems Security Professional, is still the “gold standard,” said Metzger. But he adds that even top cybersecurity executives have entered the field from leadership positions in IT and risk, only to get those critical cybersecurity certifications later. “The key is really having those strong leadership skills and the ability to communicate and put a price on how these issues could hurt the company financially,” he said.