As a hiring manager, you may be presented with a choice: hire the candidate with the most experience or a natural ability to get things done. While tenure is the indicator of expertise in many careers, the case can be made for hiring based on aptitude versus experience in cybersecurity.
Aptitude Predicts Future Performance while Experience and Skills Show the Ability to Repeat
When it comes to cybersecurity jobs, the only certainty is change. As cybersecurity professionals are constantly forced to adapt to new threats and new tools, they must be imminently improvisational. The ability to demonstrate the capacity to try new things, work with different tools and vendors, and weave together a fluid framework of people, process, and technology beats bullets on a resume every time.
In positions where experience denotes expertise, there's little variance in performance expectations. A tailor that makes bespoke suits can usually be judged by tenure, as the end product is the same. However, in information security, the expectation is that critical information stays safe despite a constantly evolving threat from anonymous bad guys. Bad actors have to be right once, where defenders have to be perfect 100% of the time. While experience and skills certainly help, aptitude is what keeps the lights on.
In an Intensely Competitive Environment, Experience May Not Be an Option – and that’s Okay
The cybersecurity skills gap is well documented, and those with more years of experience are well compensated. While finding experienced Tier 1 and 2 cyber analysts may take 18 months or more and cost more than $150,000 fully loaded, the alternative approach – finding smart problem solvers that are willing to learn, and possess the motivation and desire to transition to a field with financial upside and real staying power – might be the better approach.
Even the Federal Government is getting creative, creating a cybersecurity “tour of duty” to try to lure highly skilled private sector security professionals to fill 3500 open positions by the end of the year through “badging and credentialing programs, rotational assignments, and efforts to make current cyber employees subject matter experts in their field.”
This intense and expensive competition is forcing all but the organizations with the biggest budgets to get creative.
Cybersecurity as a Career Path for Generalists
We’ve talked with CISOs from mid-sized enterprises that have decided to stop competing for highly decorated cybersecurity experts, and have instead opted for a new approach: working with smart, ambitious IT generalists to create a specialized career path to transition to cybersecurity.
In these cases, companies are providing tools and training to those that have demonstrated a unique aptitude to solve problems through a combination of process and technology.
Also, instead of hiring a busload of highly paid and experienced cyber analysts to manually follow-up on alerts, getting problem solvers that are eager to embrace a combination of automation, process and creativity makes a clear delineation between the work that should be done by experts and those that can be done through more efficient means.
Recognizing the demand for professionals with this mix of skills, SANS Institute last year launched the SANS UK Cyber Academy. It’s a highly selective program for which applicants must take its CyberTalent Aptitude Assessment, which it describes as “a technical and psychometric assessment designed to uncover traits that suggest suitability for a career in cybersecurity.” In addition to measurement of technical knowledge, the assessment includes “math problems, comprehension tests and logic puzzles to assess the innate personality traits that highly successful cybersecurity personnel often display. This includes the ability to parse information and extrapolate important elements, and to pick up new technical concepts quickly.”
Aptitude and Experience Aren’t Mutually Exclusive
I should mention that experience and aptitude are not at odds. The intent of this article isn’t to say that someone with experience means they lack aptitude; far from it. Instead, the reality of today’s cybersecurity job market places such a premium on experience that finding someone with the right pedigree may be impossible for companies without luxury budgets.
The smart approach is to understand your company’s specific cybersecurity needs, and to consider building a repeatable farm system.