A jeweller, sociologist, composer, a mum, go into cybersecurity…
This is not the start of a joke: CISOs are searching beyond conventional talent pools...
Making a career change into cybersecurity may seem daunting to many people. The Stack spoke to a composer, a jeweller, a salesperson, a sociologist, a stay-at-home mum and a veteran who have made the leap.
They have been backed by the growing number of CISOs who are keen to hire not for existing skill sets but unique attributes and fresh eyes. (BBC CISO Helen Rabe and MongoDB CISO Lena Smart are among them; Holland & Barrett CISO Dinis Cruz has also spoken passionately about the need to recruit widely for diverse talent.)
“When you think of ‘cyber’, you think of someone in a hoodie over a black screen typing some crazy code really fast, you don't see the whole other world and all the other jobs that are available out there,” says Nicole Borbely, 37, a stay-at-home mum who also ran a jewellery business pre-lockdown.
She decided to enroll in the CAPSLOCK cybersecurity “bootcamp” during the pandemic. “I'm not very technically savvy, I hate Linux with a passion,” she says – but “I ended with the highest marks in my cohort”.
She’s now an associate working in Governance, Risk, and Compliance (GRC) at PwC.
“It’s a really good industry to work in. If more mums knew it was possible to still be a good mum, but still have a job, I think the industry would be so full of women,” she tells The Stack.
Making a career change into cybersecurity: Skills can transfer surprisingly well
Sociologist Dr Sanna Nissinen had a career break from humanitarian fieldwork to have children and then decided to make a career change into cybersecurity when she came back to work.
When exploring the idea of the career change, she said she asked herself “what fills me with passion that I can use my skills in, that can transport me globally, without physically having to be in the field?”
She overcame the anxiety of not just returning to work, but plunging into a new industry. Her research skills and investigatory background helped her make the transition, she says, adding that she believes there is a real opportunity in cybersecurity for women post-career break as organisations eye returnship programmes: “I think there's a potential supply button of very clever cyber workers,” she says.
“Their confidence might be a bit low but they’re very talented women with valuable skills and insight.”
Rebecca Massey, a former classical composer, educational consultant, and local politician, would tend to agree.
“If you went straight into cyber from university, you just would not have half the scope to pick up the volume of experience that I’ve had,” she says. Rebecca brings a wealth of varied experience to her role as cybersecurity awareness specialist for a law firm, saying: “I do very firmly believe that the human side of technology is really underestimated; especially when the technological side starts getting more and more automated. We just need to be more open minded about people at a later stage with different backgrounds entering the career,” she says.
“I think the industry as a whole needs more convincing that you can have a broad talent pool.”
It's not just career returners that can feel nervous about a career change into cybersecurity. Former recruitment consultant Max McKay felt “riddled with self-doubt” because “I didn’t get any A Levels or a degree or anything,” he says. Similarly, navy veteran Matthew Golby, 36, never sat his maths GCSE. After leaving the forces, he worked as a security guard, taxi driver, and caravan cleaner – “whatever paid the bills”.
Now, Matthew is a cybersecurity analyst paying more in national insurance than he was earning per year before his career change into cybersecurity. “People need to realise that ‘cyber’ is a massive world, and there really is a role here for everyone,” he says. Max, meanwhile, is a cybersecurity architect at a consultancy firm, with the UK government as a client. “People are afraid to go into it because it's a completely new entity. I think it's very important for people in cyber of all levels to be honest and help people,” he says.
Full-time parents often don’t realise that the role can be flexible
Judy Kelly, a senior product security engineer at Red Hat, first joined the company as an intern – in her 40s.
The mum-of-two had spent 20 years working in bank branches (“mortgages, loans, customer service”) before watching the industry collapse during the financial crisis of 2008 – when she was on maternity leave.
She told The Stack: “When I came back into the banking industry, everything had changed. I had a small family at home. I was absolutely miserable. It was a very difficult place to be in, listening to all the hardship stories.”
She ultimately decided to study for a BA in Computer Forensics and Security at Waterford Institute of Technology – alongside a class of teenagers (“I was invited to one of their 18th birthday parties,” she laughs.)
It wasn’t easy, Kelly admits: “I was the only mature student on my course, I was the only female and was a small class as well” – she built a rapport with many of her fellow students by helping them out with maths, she says, adding “my coding skills were good at the end of the four years, but my first one or two years was hellish.
“It just took me so long to grasp. But I'm tenacious and I never gave up.”
She is now a senior security engineer focusing on secure development practices at Red Hat, with a focus on threat monitoring: “I guide and assist engineering teams through the threat monitoring process… it’s never stagnant at all. Every engineering team I meet, I also learn something.”
As well as the dynamic environment and a culture Kelly clearly relishes at Red Hat – “they hired a person” she notes, rather than just someone with a CV that fitted a role – she says it’s family friendly: “One of the things that I didn't realise this industry would [offer] is flexibility to be able to be both a mom and have a great career. And I think that's really important, because I can adapt my hours to suit my family. For me, that's everything.”
CISOs aren’t looking for qualifications, they’re looking for aptitude
All have been welcomed into work by a growing cohort of CISOs looking for fresh thinking amid a sometimes obsessive industry emphasis on deep technical capabilities that can result in brittle gatekeeping.
Helen Rabe, CISO at the BBC, says the gatekeeping has since eased somewhat, but the industry still needs to rethink how it approaches talent. The current industry shortage of good professionals makes it exceptionally hard for CISOs, particularly in the public sector, to compete when hiring from a small pool, she adds: “There's no way even in the private sector that I could compete with an £80,000 starting bonus from a big CSP, who follow the heavy hitter CISOs and then they approach our teams with money.”
She tells The Stack: “I come from what I consider a non-traditional security background. I did network projects for most of my career so I had that old fashioned perimeter-based security experience, but the entry barriers were epic; during the late 90s to noughties, you could forget it. If you didn't have a deep tech background, you were scoffed at, literally; I had that happen in my face. But there is no one-size-fits-all CISO.
“You need good architects. But you also need someone who can sit in front of a board and do a 45 minute presentation on one slide and get them to part with £9 million [to help keep you secure].”
Debate continues to rage about the importance or otherwise of a degree and/or multiple certifications.
For Lena Smart, CISO at MongoDB, formal education is almost irrelevant given the pace of industry change: “The cybersecurity training that I am seeing being given today in a university is out of date the minute you open the book,” she says. Even cyber-specific certificates don’t really mean much to Smart: “I’ve got all those letters [CISSP, CH, CISM, CISA], but I couldn’t write a line of code if you paid me.”
Smart, who left school at 16 and doesn’t have a degree, introduced the Security Champions Programme at MongoDB to encourage employees to work in different cyber teams. “We have hackathons, we do movie nights, we have capture the flags and training at an advanced level and a basic level,” she explains.
Smart’s own executive assistant rotated through the company cyber department and is due to start a full-time cyber role early next year.
She says: “I kind of fell into security about 20 odd years ago… I came back from a conference and I said [she was working in the power industry at the time] ‘Hey, I think people are going to start hacking power grids’ and my boss was like, ‘okay, well go do something about it!’ So we bought a firewall, and we installed it that weekend. I think because we had moved so quickly and so aggressively, we became seen as thought leaders for security… my job moved from the basics of, you know, building firewalls and keeping things secure from the internet and making sure the grid doesn't get hacked to working in Fintech, insider threat and regulatory purpose.”
Smart remembers when she started out in cyber that “there were maybe only four or five disciplines within security. Now there’s hundreds.” It’s among a CISO’s many tasks to attract different types of job hunters, she says.
How CISOs are hiring, and how they determine a good candidate
Ed Tucker, a former award-winning CISO and Head of Cyber Security at the UK’s HMRC, also has no degree and is at the forefront of innovative hiring practices. “Security tends to be pretty shit everywhere, which says we need to do something different,” he tells The Stack bluntly. “Probably the thing that we need to do differently is think differently. So, get people in who are not just going to follow the textbook, because it doesn't apply.”
For Smart and Tucker, the ideal candidate has the kind of curiosity that makes them take an iPhone apart and put it back together again or fall down a rabbit hole trying to find the solution to a problem. “People who are just naturally curious about security, I would take one of those any day over someone who's got a PhD in cybersecurity,” Smart states. “What we're looking for is a human being with a certain skill set, aptitude, potential knowledge – potential, not experience,” Tucker emphasises.
When recruiting for a certain role, Tucker first does “due diligence” in order to decide what skills to put in a job description. Then, it’s a case of marketing. “I want to create a buzz,” Tucker says. “I want that person to apply who has absolutely no interest in a new job.” His hope is that by taking an unusual hiring approach, he will find people who offer a fresh perspective to the job. According to Tucker, newbies “ask completely different questions which is really healthy.”
Neither Tucker nor Smart ask for a certain number of years’ experience in the sector in their job adverts, something Smart calls “lazy recruiting.” Tucker places huge importance on the individual he is hiring. “How are you translating your CV into a story about you to pique my interest? What type of human being am I after?” These are the questions on Tucker’s mind during the hiring process.
Why not roll the dice?
The main factor that both CISOs repeatedly mention is the importance of finding a new hire who will match their company. “I can teach that person cybersecurity. The hard part is making sure that it's going to be a cultural fit,” Smart says. “It all boils down to making sure there is a personality and cultural fit,” Tucker agrees.
With a clear call for lateral thinkers and diverse types of candidates to enter the space, it’s an exciting time to give it a try, much as it looks like a challenge to a novice. “The biggest onus I think is on the employers to remove barriers as much as humanly possible,” Tucker says. For the CAPSLOCK alumni, irrespective of their backgrounds, the bold career change into cybersecurity has been truly life changing, not least for the salary increases.