In 2012, Shelly Epps was determined to leave her job as a genetic counselor and research coordinator for Duke University Health System.
She was surprised when the chief information security officer for the healthcare group reached out and asked her to interview for a position on the security team. She agreed, but came away from the interview convinced that she lacked the qualifications for the job.
Her parting pitch to the security team: If they wanted someone with her skills—comfortable talking with executives, knowledgeable about medical research, and a career learner—then she would learn information security.
They gave her the job.
"I told them you shouldn't hire me for the job you described in the job posting. And in the end, they told me, 'You are the least qualified person that we interviewed, but the person who the security team most wants to work with.'"
—Shelly Epps
As companies struggle to hire and retain skilled security staff, stories such as Epps' show how some organizations have found a different way forward. Retraining employees to tackle security has become a solid strategy; companies just can't find professionals with a long laundry list of required security skills.
The "war for talent" is one of the most critical issues facing SOCs, says Micro Focus' 2019 State of Security Operations Update. Here's why your next SecOps hire should come from a different discipline.
Retraining: The hot new strategy
It is critical to bolster the security workforce. Currently, the readiness and reliability of security operations centers (SOCs) is suffering due to a lack of skilled professionals.
Another report had similar findings to Micro Focus': The top barrier to SOC excellence is the lack of skilled staff, said 58% of respondents to the 2019 SANS SOC survey.
Stan Wisseman, chief security strategist with Micro Focus, said companies should be looking to train and retain, not hire from others. Retraining a developer, for example, can have big benefits for the employee as well, he said.
"Software plus soft skills equals big pay for aspiring programmers with a senior management role in their sights."
—Stan Wisseman
Current programs aren't delivering security workers
The shortfall in cybersecurity professionals is a critical concern for many companies. There's an estimated shortfall of 2.9 million workers globally, and Asia faces the greatest shortfall, at 2.14 million. This is according to the 2018 Cybersecurity Workforce Study sponsored by (ISC)2, which offers a variety of cybersecurity credentials, including the popular Certified Information Systems Security Professional (CISSP) certification.
Adding to the pressure, one-half to two-thirds of cybersecurity workers are baby boomers or older and will likely retire in the next decade, said Wesley Simpson, chief operating officer of (ISC)2.
There are not a whole lot of people coming in from the younger generations "in the volume that we need" to backfill these new openings, he said.
"So the question that companies need to answer is: Where are these people going to come from?"
—Wesley Simpson
A diverse background is a strength
In addition to filling holes in their teams, security managers who hire non-traditional workers can gain significant diversity. Finding employees with varied backgrounds—from database administrators to software developers to medical professionals—gives the SOC staff a diversity of viewpoints that can bring skills that otherwise would have to be learned by security staff, the Micro Focus report said.
"If you only hire people who are heads-down technical, then you are only going to get solutions that are heads-down technical."
—Shelly Epps
Organizations should not hire just anyone for a position, but should make sure that the hire fits in with the other needs of the security team, she said. For her part, Epps brought strong communication skills and knowledge of the medical-research sector.
If you are going to take a risk on a non-proven security analyst, you want to know that they have strong skills in a key area, Epps said.
"You want to know that they are a strong communicator or a great problem solver. You want to find that soft skill that you are trying to expand into and make sure they are really great in that area."
—Shelly Epps
Good hires prove they can learn
Epps promised she would learn security, and she did. Finding potential candidates who have shown an interest in cybersecurity, and who have already learned some of what they need, is a strong sign that they will continue to learn, she said.
It's a good sign if the person is already tinkering in security, Epps added.
"If someone is showing up at local security meetings, and developing the skills, they might not be there yet, but they could be developed into a security role."
—Shelly Epps
Find the right skills, mindset to retrain
In many ways, mindset makes the most difference. Developers, for example, may seem to have the right lateral skills for security, but it's no guarantee.
"Retraining can work, but I’ve had mixed results. The resource has to have the right mindset to be successful, and some don’t."
—Stan Wisseman
Wisseman recently hired someone with no cybersecurity experience, but "she had a strong desire to learn and get into the field," he said. So far, she has worked out better than some technical hires, he said.
Security leaders should remember that, while a lot depends on the right candidate, support from the team is also essential. Epps repeatedly credits the security team for helping her through rough patches and giving her time to learn.
Companies that focus on advancing the career of their employees will find they retain workers for longer, said (ISC)2's Simpson.
"Candidates want to be a part of an organization that respects and understands and values them. They are able to pick and choose where they want to go, and they are choosing the organization over the salary."
—Wesley Simpson