5 non-traditional hiring tips for InfoSec

There's a dramatic shortage of qualified information security professionals in the industry today.

Globally, we're a million people short, according to Cisco's 2014 Annual Security Report. According to Ponemon's 2014 IT Security Jobs Report, 36 percent of staff positions and 58 percent of senior staff positions in IT security went unfilled in 2013.

The majority of companies surveyed, 70 percent, say their IT security departments were understaffed.

It's no surprise that some companies are turning to some non-traditional strategies for finding their cybersecurity employees.

1. Look to the crowd

Some companies have already been turning to crowdsourcing to find bugs in their software or security holes in their platforms.

But the crowdsourcing venues can also be sources of new staff hires, as well.

"The number one researcher on our platform right now was able to get a job offer from Tesla," says Marisa Fagan, director of crowd ops at San Francisco-based Bugcrowd.

Bugcrowd allows companies to look at the reputations of its independent researchers, look at leaderboards, and will even do background checks of researchers working on more sensitive projects.

There are currently 12,000 researchers on the platform, and it's growing by around 1,000 researchers a month, she says.

2. Look for self-starters who love to learn

When Rook Security moved from Silicon Valley to Indianapolis, the company lost access to a large and readily available pool of employees.

"There were more people ready to walk directly off the street into a job," says Rook CEO J.J. Thompson.

But instead of just turning to recruiters to help meet his growth needs, Thompson rethought his hiring criteria, which led him to some unusual places.

Tom Gorup was a service tech at AT&T when Rook hired him, without the experience typically required to come in as a security operations center analyst.

"What he had going for him was military leadership," Thompson says. Gorup had been a sergeant and a squad leader in the Army. "What I noticed in Tom was that he was confident, loved and had a passion for the subject matter, and was a voracious learner."

Gorup originally interviewed for an internship, but was hired as a full time security operations center analyst. He then became the team leader, and, within a year, was promoted to the manager of the security operations center.

"We hire and promote based on what people can do and can accomplish, not based on time in role," says Thompson. "The security industry changes every day. And it can't be taught, that thirst for knowledge."

3. Look to the colleges

In addition to hiring experienced professionals, companies should also look at colleges and universities for new hires, says Dianne Fodell, IBM's director for Global University Programs.

"Employers can sponsor or attend Capture the Flag and other security competitions -- there are lots," she recommends. "Interview and hire the winners or, depending upon the particular job requirements, hire the students who organized the event for their university."

She also recommends looking for students who are interested in security as a hobby, who participate in professional organizations such as OWASP (the Open Web Application Security Project), ISSA (the Information Systems Security Association) or Honeynet.org, or who present papers at security conferences like RSA, Black Hat, or Women in Cyber Security.

4. Look to the high schools

Denver-based Azorian Cyber Security is waiting for its newest recruit to get old enough to sign a hiring contract.

"Our hiring practices are based on skill sets, passion, and some would say obsession," says Azorian CEO Charles Tendell.

That is to say, he hires hackers. And he hires them right out of high school, off underground boards and forums, and out of conferences and conventions.

"One of my leads is now 19," says Tendell. "I hired him right out of high school because I saw him give a presentation at DefCon, one of the largest hacker conventions in the northern hemisphere. The skills and style he demonstrated showed that he was bright for 19."

The traditional career route -- of academic training and professional experience -- can dull a person's edge, he says.

"You kind of have to be a hacker to catch a hacker," he says. "Hiring people who think that way gives us an edge."

For example, the company is able to use new and creative techniques to do penetration testing, or to track down the real identities of online criminals.

"We hire for passion," he says. "The additional skills they need, we can teach later, or they can assimilate over time."

5. Look to the payments industry

"Identity is the new perimeter," says Andre Boysen, chief identity officer at Ontario-based SecureKey Technologies. "We have to shift the thinking from perimeter thinking to who uses the service."

The recent high-profile security breaches at major companies show that it's time for a new security model, he says.

"And payments people are particularly well suited to thinking about this, in my view," he says.

In addition to payments and financial services, Boysen says his company also hires people with backgrounds in the arts and in the legal profession.

"We like diversity in our thinking," he says.
