Creative Hiring From Non-Traditional Places

Published: 2018-06-23
Last Updated: 2018-06-23 01:52:58 UTC
by Russell Eubanks (Version: 1)
5 comment(s)

The lead story in the SANS NewsBites from today was “White House/DHS Announce New Cyber Skills Pipeline Initiative.” The two statements below caught my attention.

1 - “The Federal Government struggles to recruit and retain cybersecurity professionals due to a shortage of talent along with growing demand for these employees across the public and private sectors.”

2 - “As agencies prioritize their cyber workforce needs, they will likely need to adopt innovative hiring techniques to ensure the best and brightest cyber talent can seamlessly enter the Federal Government.”

With the cybersecurity talent shortage, we must get creative in where we look to fill our open cybersecurity positions. Many years ago a good friend in the Human Resources department gave me the advice to hire character and train skills. For many years I have experienced success in finding team members from non-traditional areas and then sending them to learn our craft. A couple of examples include Fraud and Abuse, Help Desk and Network Operations. I found it interesting to learn from them how their former departments operate as well as learning firsthand how their department viewed the information security program. Yes, it pays to have thick skin.

From what non-traditional areas have you found talented members to join your information security team?


Russell Eubanks

ISC Handler

SANS Instructor


Keywords: cyber


Having worked for a government contractor in the past, one of the biggest problems that they'll have in trying to find talent is the issue with recreational drug use and potentially disqualifying criminal background.

Additionally, in the private sector, many firms offer perks which the federal government cannot, including excellent health benefits, more vacation and time off, educational benefits, better ability to cross train, flexible work schedules (or working remotely), and no need for a security clearance, which can take anywhere from 6 months to 2 years to complete.

We lost 20 analysts in 30 months due to better paying positions in the private sector and the growth opportunities which were available.

It's amazing how much the federal government whines about not being able to attract top talent (if they could compete with the private sector, perhaps they'd get the talent they're looking for)...

Thanks Bill for your insight into the problem. I remain hopeful that the plan outlined will help move from admiring the problem to taking action. I am encouraged by the work streams listed in the article.

Taking Stock of the Current Cybersecurity Workforce and Identifying Gaps; Developing Innovative Recruitment, Retention, and Mobility Strategies; Reskilling Employees to Fill High-Value Cybersecurity Roles; and Building a Pipeline of Cybersecurity Talent each resonate with me, and I hope that 1 year from today significant progress will be made.

I also like what I see in the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework).

Thanks for supporting the ISC!

I would like to give a perspective from an IT professional who aspires to make a move into the info security arena. Although I do not have a formal IT education, I worked at a helpdesk all throughout college, and even for the year following graduation (I saw more malware-infected PCs during my time there than at any point in my career). The other half of my career has been in web application support. I have applied to dozens of infosec entry-level positions, and recently got a video interview with a well-known SOC SaaS organization. However, I would be facing a 21% salary decrease should I choose to accept a potential offer with that SOC organization. I fully believe in "taking experience over a paycheck" but when you have a disabled spouse not able to work, finance must be considered. I have 13 years of professional IT experience, yet to move into infosec I feel I need to apply for an entry-level position, which is extremely hard to even get an interview for if you do not have prior experience. These level-1 positions all want someone who has prior IT security experience of 1 - 3 years, which is unreasonable to ask for given the current talent environment. I have Network+ & Security+ certs, plus a Secret security clearance for my current job. I am studying for the CySA+ exam and will take it next month. I feel that I am a strong candidate who can be trained and be valuable to an organization, but to get to that point, what else am I to do? A few times I have been close to putting a SANS course on my credit card, just to try to get a leg up on the competition (maybe?).

About 11 years ago I got an interview from a head-hunter for DHS. I have a background as a programmer, plus a lot of experience in IT and had done my first forensic investigation at my last job. The headhunter said "Wow! With your background I can probably get you 30, maybe 35 thousand a year!" No, really, she thought this was an "impressive" pay grade for a CyberSecurity geek who'd held two different security clearances with DOD and DOE and over 20 years experience in IT and programming. Yeah.... good luck with that...

I gave up on the idea of working for government when I saw how certain folks with clearances were treated by the NSA and FBI when whats-his-name started leaking info about the NSA's programs to the press. People who weren't responsible for the leaks, who were merely suspected, lost their clearances, lost their jobs, mortgaged their houses to pay for legal defense bills, went bankrupt, etc. So I'm in no hurry to get a clearance again. I don't want to be on ANY access lists for anything someone else might leak.

I think I'll stick with the private sector for now. I just don't trust the government agencies to pay me what I'm worth or to behave ethically... Or even legally...

As someone who has had responsibility in hiring L1/L2 SOC Analysts, I can try to offer some insight.

I never shied away from hiring from "outside" security, but I was always wary. The last few years especially, there were a ton of applicants who were all about getting into it because it was the next big thing, and they wanted to cash in, not because they were genuinely interested in the field.

Because of this I rarely made a decision based solely on whether or not they had experience or were already in the field. If their resume looked reasonable for an entry level (they had some knowledge or experience with security tools, maybe a basic cert or two), they would probably get an interview. That interview was always technical to start, and if you could show me your enthusiasm for security, and the ability to teach yourself, I wouldn't care what your current job was, you would immediately jump to the top of the list. I can train you in the tools, I can't train you to love the field.

The other side of things was monetary. Depending on the size of a company, a hiring manager will probably have a strict range where that analyst has to fall in, whether or not it is within "industry norms". I usually couldn't go outside of that unless there was an exceptional circumstance. If you're interviewing at a third-party SOC provider, keep in mind, there are usually contractual limits to the amount a customer is willing to pay, and to make money, the company will try to beat that. That usually doesn't work in the long run, but that's the tactic some places use.

My advice to someone trying to make it from outside: get a couple of basic certs. Understand what you're talking about. Think about why you want to get into the industry, and make it known. You're looking at getting into an industry where you need to be constantly thinking of the security implications of what you're doing, what others are doing, etc. If that makes you tired right from the start, you're not going to last in the industry. Someone who can enthusiastically tell me how they built or hardened their home network, why they chose what they did, what they'd do if they had more resources, will get a better response than someone who says "well, I work with computers all day, so at home I just have the router or whatever the ISP gave me." Go to some of the smaller/free conferences, and start networking. Talk to people who you know in the industry already and make it known you're looking to get into security. Look for a local DC group or B-sides and become as active as you can, in person, on their mailing list, or both.
