Cybersecurity skills gap: Get creative about cyber hiring

Hiring candidates from disciplines beyond infosec can go a long way to address the widening cybersecurity skills gap, says industry veteran Javvad Malik.

The widening cybersecurity skills gap is influencing business processes in every sector. The trend should serve as a wake-up call for organizations to get creative about their information security hiring process, according to Javvad Malik, security advocate at AlienVault and an 18-year veteran of the infosec industry.

In part two of this two-part Q&A, Malik spoke to SearchCIO about why organizations should not shy away from hiring cybersecurity talent from other departments and diverse disciplines. He explained that mentorships can help train these job candidates to address the cybersecurity skills gap. Malik also discussed why communication is a key skill set that cybersecurity professionals should master and offered tips about the resources available for infosec professionals to hone their skills.

Editor's note: The following interview has been edited for clarity and length.

How can companies address the cybersecurity skills gap?

Javvad Malik: Organizations should be creative about where they are looking for talent. Ideally, you would want someone who's worked in security for five years. ... But if you can't find someone there, you can always look internally at general or other IT departments and recruit from there, then train people up.

The key is to have a solid platform upon which you can bring people in and train them. Trying to find skilled people is probably challenging, but they should try to find how they can mentor more people from different disciplines, and it doesn't necessarily need to be from a technical discipline. Some very good security people have come from very diverse backgrounds.

What are the top cybersecurity skills to have right now?

Malik: Cybersecurity is such a broad field that there is no one set of skills that would apply across the board. Some roles are super technical; others are more managerial and a lot broader. With that in mind, if we look at the really high level, I would say communication skills is one of the top things to have. That's not necessarily just speaking to the board, but also the way that pen test reports are written.

Internally, when you write risk statements, or quantify risks, or when you present vulnerability findings, all of these can be done a lot better. Cybersecurity is becoming so mainstream and relevant, it needs to be explained in a manner that's comprehensible to the majority of people.

How can CISOs improve their security communication with the board?

Malik: One of the mistakes a lot of CISOs historically have made is they start with technology and they try to explain why there is a problem. If there is one thing they should do, they should start with the business.

Start with the outcomes and understand what the business is doing. If it's a public company, read the shareholders report and see how the company is approaching the shareholders. And then say, 'OK, how can security help support the company in achieving those objectives?' If they start doing that, it will help change the dynamic and make the communication a lot easier.

What steps should cybersecurity professionals take to keep their skills up to date?

Malik: There are a lot of self-studying materials freely available now if you go to YouTube, and there are tutorials as well. Attending conferences is helpful, too, and a lot of these talks are recorded on YouTube.

Beyond that, there are lots of free webinars out there, not only by vendors, but by analyst firms. They give a really good overview of market trends, new technologies and what vendors are good or not. It's also important to look at skills outside of infosec or technology: Things like better writing courses and presentation skills can really help individuals.

Professionals can also document some of their stuff and share publicly. Personally, I found that really useful in my learning, because you get a chance to share what you know and then people can critique. It also helps you network with your peers.

In part one of the Q&A, Malik shares his thoughts on the top cybersecurity trends to watch out for in 2018.