What type of people work in cyber security?

The need for diversity in security teams is a given. Different backgrounds with diverse life and academic experiences provide different viewpoints on security problems. But recruiting a diverse team is an almost insurmountable problem for SMEs.

SMEs recruiting security personnel need immediate effectiveness from new staff. This requires academic qualifications together with real world experience. The combination rarely exists within the security budget of the SME – a candidate may provide the right qualifications or experience, but hardly ever both. SMEs do not have the luxury afforded to large corporations that can recruit based on the person and aptitude, and then train in-house to either gain certifications or acquire experience.

Adding diversity to the academic and experience requirements makes it an almost impossible task for the SME.

Diversity of soft skills in the security team

Effective security isn’t simply a case of adding security products to the IT infrastructure. Social engineering attacks are a good example – no technology can provide a guarantee against sophisticated social engineering. The best solution here is to educate the entire company into being part of the security solution, so that every user effectively becomes a human firewall. This requires the ability to communicate security to non-security people in multiple different departments.

Communication skills are consequently an important part of a diverse security team. The head of the security team needs to understand the business and be able to talk bizspeak to senior business leaders so that they understand the security risk to the business and will deliver the budget necessary to mitigate that risk.

The rest of the team needs to be able to talk to and communicate with the clients/users and the different business departments. They must be able to hear the users’ concerns and deliver acceptable solutions. They have changed from being the people who say, ‘No, you cannot do that because it’s not secure’ to being the people who say, ‘Well, we can do that if we do it this way…’

They need to be able to work harmoniously with many different business departments within the company: with the IT department, so that new IT processes can be introduced securely; with HR, over new skill sets required for the security team and the secure storage of personnel files; and with the legal team (or person), over the legal implications of privacy and data protection regulations (which can become very complex if European customer data needs to be exported to a parent company in the U.S.).

Communication skills with the specific ability to communicate with different aspects of the business are the primary soft skill requirement for a strong security team. But you won’t find all these soft skills in one person – which is why you need to recruit a diverse security team with special aptitudes above simple technical and security understanding. People with some practical experience within these departments, or academic training in associated skills, are a priority.

Diversity and women in security

It is often claimed that recruiting more women into IT and security will close the skills gap and make recruitment generally easier. This is a gross over-simplification of the problem. It is true that women are poorly represented in IT/security. It is also true that no scientific study has ever shown a lesser aptitude for the subject in women – women are as naturally suited to IT and security as are men.

The problem comes from young women themselves – they are simply not seeing or seeking IT/security as a career. It has often been thought that this is an education problem, and that the education system can change things. But the problem pre-dates school and goes back to early childhood training. From the moment that parents give boys toy cars and tractors, and girls dolls and dolls’ houses, we are conditioning their future. The lack of women in IT/security is primarily a societal problem rather than an education problem – and societal problems take many years to solve.

There is, then, no short-term solution to the under-representation of women in IT/security. But that doesn’t change a fundamental need for there to be women within the security team. Since most companies will have women comprising at least 50% of their workforce, one or more women in the security team will make communication between the team and the staff more effective.

There is one other anomaly in the statistics of women to men ratios in security that is worth considering: there is a higher percentage of women security leaders (CISOs) than there is of women security engineers. There is no obvious scientific reason for this, but the fact remains that successful women in IT/security make successful leaders.

“To me diversity should include an introvert, an extrovert, a communicator, an intellectual – that to me is diversity and that’s what makes a great team.”[1] - Candy Alexander, international president of ISSA, discussing the findings of The Life and Times of Cybersecurity Professionals 2021[2]

The one essential

In a security team, diversity stretching across ethnicity, gender, psychology, religion and more can contribute to a holistic view of security issues from different standpoints. At the same time, this diversity can lead to better communication between the team and the users. However, one essential skill still needs to be filled: the ability to spot the genuine threat within a mountain of alerts.

This is the fundamental task of the security operations centre (SOC). Security products and policies can only go so far in detecting and protecting the network from intrusions. Network compromises will happen ‒ and the security team needs at least one analyst with the special ability to isolate the genuine threat from the many false positives generated by security products ‒ the process known as threat triaging.

This skill tends to be natural or learned from years of experience. It is an expensive commodity to buy into a security team. There is, however, one ready-made source of supply: the reformed hacker. Opinions vary over using this resource. One opinion is that you can never trust a criminal, reformed or not. Another is that a hacker’s skills are too valuable to ignore. A hacker knows how hackers hack ‒ and will likely detect signs of a malicious intrusion before anyone else. But you must be careful.

Would you employ an ex-hacker? “Absolutely, yes… former hackers are your best threat hunters, able to determine when something suspicious is happening. So absolutely, hire them. They're the people that have the perspective into thinking like a hacker; and I think all organisations must have at least one person who has that mindset.” - Joe Carson, chief security scientist (CSS) & advisory CISO at Thycotic.[3]

The impossible dream team

Such diversity in the security team is a target that is often achieved by large corporations with deep pockets. But it is beyond the resources of most SMEs. Such diverse psycho-social backgrounds underscored by experience and/or qualifications in IT/security are hard to find and expensive to employ.

But there is a route within the reach of the SME. Rather than attempt to go it alone, with all the difficulties and expense this entails, the SME can employ the services and ready-made security team of a managed security service provider (MSSP). A good MSSP is better able to find and employ a truly diverse yet fully qualified and experienced security team able to pass on the advantages of diversity to its customers.

An MSP such as CyberGuard[4] will deliver the security team that is normally available to only the largest corporations.

[1] https://www.securityweek.com/mismanagement-driving-cybersecurity-skills-gap-research

[2] https://2ll3s9303aos3ya6kr1rrsd7-wpengine.netdna-ssl.com/wp-content/uploads/2021/07/ESG-ISSA-Research-Report-Life-of-Cybersecurity-Professionals-Jul-2021.pdf

[3] https://www.securityweek.com/ciso-conversations-zoom-thycotic-cisos-discuss-ciso-career-path

[4] https://www.ogl.co.uk/your-cyber-security-partner