The cybersecurity skills gap remains a top concern for C-level executives and is increasingly becoming a board-level priority.
To keep pace with the growing number of cyberattacks, organizations must build and retain a global workforce that will defend their critical assets. It has been reported that 80% of breaches can be attributed to a lack of cyber skillsets and/or awareness. As a result, CISOs and security leaders need to source talent from untapped industries and types of experience.
During a MassTLC Security Community fireside chat, “Non-Traditional Paths to Security,” security leaders discussed their current roles and shared ways they evaluate candidates who may not have the typical skillsets that have defined security roles in the past. Panelists included Sonal Agrawal, GRC Director, Sprinklr; Ada Nakama, SciSec, Devo; and Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT. The panel was moderated by Kayla Williams, CISO of Devo.
Here are some key takeaways.
Why do you think the cybersecurity industry still struggles with a skills shortage?
“I think this is because the umbrella of cybersecurity is so large and it’s not very well organized or disciplined as a field yet. Half of the time, people who are hiring don’t even know what they need. This results in fewer people trying to get into one of these jobs or knowing what they need to prove to show that they can do the job. There is a lot of interest, but not a lot of understanding or organization of the field itself.” Ada Nakama, SciSec, Devo
“I would say number one, it’s intimidating, the term cybersecurity. They think that they need to be a world-class hacker when there are so many different sub-areas of cybersecurity. It’s a lot less daunting once you get into it, you realize that there really is a home for everybody. And it would be nice to get more people to come through the door and look before they are immediately turned away thinking that it’s too technical.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
“Essentially cybersecurity is a new field. At least when I went to college there was no cybersecurity degree, people went into the field by default or through interest. I think it’s key to identify that the skills shortage may not be in the industry, but more from an interest perspective.” Sonal Agrawal, GRC Director, Sprinklr
What do you look for when hiring in cybersecurity?
“We look for motivation more than anything. There is a lot in cybersecurity that is similar to accounting, for example, and checking controls. Is that highly technical? Absolutely not. Does it require a level of precision? Absolutely. If you have thrust, we can give you vector. But if you don’t have thrust, then it doesn’t matter what vector you have. It’s all about motivation.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
“I feel like instincts for security strongly inverse correlate with the amount of societal privilege a person has. The less you have, the more you’re navigating risk in your day-to-day life because you have no choice. And that translates, especially with a little bit of guidance and fostering quite well into just good security skills basics. From there, if someone wants to go into a technical role, it’s a lot easier to pick that stuff up if you already know how to think in terms of good security.” Ada Nakama, SciSec, Devo
“What interested me about security was how it changes. Every day it’s exciting or it could be scary or something interesting may come up in the news. I think one of the things I look for when I’m hiring is people who can adapt to changes and are willing to learn or explore. I have certain people in my team who are not very technical, but they’re able to take a problem at hand and try to figure it out, which is what security is filled with.” Sonal Agrawal, GRC Director, Sprinklr
“One thing that I think really helps is encouraging other hiring managers to say yes to someone that you might not otherwise because I found that reaps dividends. Being willing to say, ‘All right, I’m gonna take a hit in the short term while I get this person trained up on specifics,’ because I know they’ll do a good job if I’m willing to take that time as a leader to invest in them. I think that’s important.” Ada Nakama, SciSec, Devo
What advice would you give to individuals who are looking to jumpstart cybersecurity careers?
“Think about the stuff you’re already doing and think about how it might apply in a security context or think about how you can add security concerns into what you’re doing. Knowing what you’re already doing and knowing how to make it fit can go a long way because security is so broad, you have a lot of avenues if you know what you’re looking for.” Ada Nakama, SciSec, Devo
“Having a mentor, finding a mentor, even just looking through LinkedIn or social media and understanding what they do and finding where you fit in. I was in audit and that’s all I was doing, but I was interacting a lot with security professionals and started to understand their day-to-day and what are they working on, that’s how I made my way through is through my contacts.” Sonal Agrawal, GRC Director, Sprinklr
“Do you need a whole list of certifications? Absolutely not. It’s better to get the basics, or a good mentor, get into it, get on-the-job training, and figure out where you want to go before you start delving too deeply into some of the certificates. There is no substitute for on-the-job training, it’s more a matter of getting involved than trying to be overly academic about it.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
Is there any guidance that you can provide to anyone who wants to start a mentoring program?
“I’m in an internal Schneider mentoring program. I also am retired military, so I mentor young soldiers, sailors, Marines, and airmen that are getting out. I think it’s mostly getting people over the first hurdle, getting them into it, and understanding that cybersecurity is a journey. The stuff that I learned 20 years ago is barely applicable, or some of the concepts are broadly applicable, but a lot of the technical details are long since lost. The fact that you’re going to be in a career that’s going to morph, you do have to be willing to change and learn. Be a flexible self-starter.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
How can we seek out talent in unconventional places?
“Looking within your company in other departments. We recently had someone that we worked with a lot on the IT side and now they are transitioning over to our team. They may not be as technical, but they have a lot of potential.” Sonal Agrawal, GRC Director, Sprinklr
“I have an open-door policy, I’m happy to talk to anybody about anything and I don’t get upset. I would rather you come in and tell me, we have a problem and dig through it technically than have employees that fear me and don’t want to bring something up to me.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
“Psychological safety isn’t just crucial to have, it’s crucial to be proactive in creating. Anger is extremely common in the workplace in ways that are often subtle and invisible. By letting anger sort of have free rein in business conversations, you’re going to make it harder for people from non-traditional backgrounds to show up in the first place, much less be comfortable. By diminishing hero culture, you can make it okay for people to show up and be themselves.” Ada Nakama, SciSec, Devo
How much does training and development prior to joining the cybersecurity field matter?
“We have stopped putting degrees and certificate requirements in our job descriptions. I think training and development are good just in terms of understanding some lingo and making sure you’re up-to-date.” Sonal Agrawal, GRC Director, Sprinklr
“If they have motivation, it is never a problem, because you can start them off on small tickets or checking a control status, etc. You don’t need a lot of incredibly technical stuff to get started. And then for some of the more technical things, network security, I did externally hire, but it is a mishmash of all these people coming together.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
Additional thoughts on cybersecurity?
“Cybersecurity as a field is often framed in an adversarial way. Red team, blue team, thinking about malicious outside actors or internal threats. It’s very easy to let that sort of adversarial framing come into your day-to-day operations in life. It’s extra important for folks in cybersecurity to go out of their way to not let that take over your culture, give people the feeling that it’s okay to fail and that their careers aren’t at risk. If you give them that space, they’ll give you their best work.” Ada Nakama, SciSec, Devo
“Cybersecurity is the ultimate team sport because anybody in the company can give me a really bad day. Anybody can click on something and make my life and my team’s life miserable. So, as team sports go, cybersecurity is the best, and I try to stress that in a lot of our outreach and things like that. If you want an interesting career that you will learn for the rest of your life, cybersecurity is for you. You will never have to worry about finding a job because it will come to you. And it will always be something new and interesting.” Tony Parrillo, Global Head of Cybersecurity, Schneider Electric, Enterprise IT
“I try to not focus on the negatives and take it as a learning experience and move on when I have a hard day. Because those hard days are the days that you actually learn a lot and figure out a better way or something else to get through the next day.” Sonal Agrawal, GRC Director, Sprinklr
Non-Traditional Paths to Security was hosted by the MassTLC Security Community. To join the community and attend future events, contact Community Manager Joanna Rosenberg at firstname.lastname@example.org.