There are many theories on how to eliminate the shortage of cybersecurity professionals. One expert suggested an outside-the-box approach in which HR departments and hiring managers consider candidates who have followed nontraditional paths but have the appropriate soft skills.
Soft skills are desirable in all professions and include critical thinking, problem-solving, public speaking, writing, teamwork, digital literacy, leadership, a professional attitude, work ethic and more.
“Lots of people learn from different industries, like medical, auto, etc., that lives can be at stake when software goes awry,” said Sammy Migues, principal scientist at Synopsys Software Integrity Group, in an email. “We are artificially creating a skills shortage because we are not hiring those who can grow through internal training.”
Soft skills to look for in a job candidate
There are, according to Migues, certain soft skills that are desirable for everyone. He added, “Positions at most companies require a variety of personality types, where the person’s approach is a critical success factor that cannot necessarily be taught.”
Examples of valuable soft skills:
- Attention to detail: The ability to manage details closely and accurately.
- Visualization: The capacity to see the big picture when under pressure.
- Risk awareness: The ability to understand the problem and determine the risk involved going forward.
- Effective communication: The propensity to pass information along correctly and understandably to the appropriate people.
- Problem-solving ability: The means, once the solution is determined, to follow through according to the plan.
Not the first skills shortage
This is not the first time there has been a shortage of people with cybersecurity skills. “This is not new,” Migues said. “Some of you will remember when we suddenly needed thousands of anti-virus people, router people, firewall people, cloud people and so on.”
Migues said he believes we’ve hit a point where internal training is the way to go—find someone with the right inherent skills and teach them about cybersecurity and risk management.
The right skills
Migues used interesting examples to explain what inherent skills to look for in candidates for cybersecurity positions:
- Technology skill: Candidates must have an understanding of how computers and computer communications work. “There are many online training videos on this, so taking the initiative to study up ahead of time is recommended,” Migues said.
- Curiosity: There is an innate need for curiosity, as cybersecurity work involves a tremendous number of unknowns. An example: “If weird coincidences, broken patterns, and unusual circumstances make you go ‘Hmmm … ,’ that’s a good sign.”
- Efficiency: Some tasks are worth doing manually each time, but most can be automated—determine whether candidates would look for more innovative ways to work. “If applicants wash dishes as they’re cooking a large meal, that’s another good sign,” he said.
- Risk recognition: Cybersecurity involves things going wrong. HR interviewers should determine the candidate’s aptitude for understanding how things can go wrong and what they would do about it. “Are you the person who just naturally gets how things can go wrong and prepares for it?”
- Communication: Clear, concise communications that the listening party understands are vital, especially in the middle of a cybersecurity event. “Your friends have been chatting for 15 minutes trying to decide where to eat, with numerous pros and cons on the table. You’re the person who sums all that up in one sentence and obtains a decision.”
Communication is mentioned again because of its importance. For a real-world example, Migues suggested using an entry-level cybersecurity position, such as a data analyst, as a way to fill needed slots within a company. It’s a role targeted to nontraditional applicants who lack experience in data analysis. “For this specific role, the need is for someone who will manually examine incoming and historical log data from various kinds of systems and look for anything abnormal—perhaps indicating a cyberattack,” Migues said.
The person hired will use the company’s technology—applications, filters, command lines, procedures and so on—and the inherent soft skills mentioned earlier to help keep the company and its customers safe from cyberattacks.
How to get started
The first step—and likely the most important—is to determine what soft skills are needed within the organization. The next step is to look for candidates with the required soft skills, in particular: the ability to understand a problem, explain the risks involved and work through the decided-upon solution. It is a reasonably safe bet that people interested in solving problems will welcome learning the technical intricacies of cybersecurity.