Cyber-security: Employers look outside the industry for new staff
How do galaxies form? What happens when they collide? These are the kinds of questions Dr Leila Powell grappled with in her previous life as an astrophysicist.
But in 2015 she put those galactic-sized questions to one side and moved into cyber-security.
“The pursuit of understanding the universe is really important, but I got to a point where I felt like I wanted to do something that impacted people’s daily lives more,” she says.
And like many jobseekers, Ms Powell was looking for better pay and conditions.
“There are various challenges in the academic career path that can dissuade people from sticking at it, including job security and pay in comparison with industry,” she says.
Dr Powell is lead security data scientist at Panaseer, a company that helps organisations to understand where they might have gaps in their cyber-security controls.
She’s one of many people who have brought their skills from other careers into cyber-security.
Cyber-security includes a range of roles that all aim to protect organisations and their technology from cyber-attacks. Some people help to prevent incidents by analysing or improving the security of applications, networks and devices. Others help organisations to continue operating or to recover when they are attacked.
According to ISC2, an organisation of cyber-security professionals, 39% of new employees in the sector came from a non-IT role.
“I saw an advert for a [cyber-security] job that said they needed someone with data expertise,” says Dr Powell. “The problem space appealed to me.”
“Because I was coming from a different industry, I would see things in the data that I might not have seen had I been looking for something in particular.”
When she hires new team members now, Ms Powell doesn’t mind where people acquired their skills. “I would encourage people that don’t think they have the right skills to actually have a look. If I hadn’t seen that advert, it would never have crossed my mind that cyber-security could be an industry I could get into.”
ISC2 estimates that four million more cyber-security professionals are needed worldwide.
“I would argue that it’s not necessarily a skills gap because the skills are out there,” says Amanda Finch, chief executive of the Chartered Institute of Information Security (CIISec). “It’s actually getting the people with the skills into cyber and then getting them to develop further.”
“I think a lot of [the shortage] is because people don’t understand what’s involved in cyber,” she adds. “A lot of security is about people, process and technology. When we do our survey of the skills we’re short of each year, technical skills come out lower than communication, analytical and problem-solving skills.”
For newcomers the pay can be good.
Cybershark Recruitment surveyed more than 2,000 UK cyber-security professionals about their salaries. Those with between one and three years’ experience earned between £40,500 and £58,000 in digital forensics; and between £39,500 and £55,000 in threat intelligence.
CIISec recommends that organisations trying to fill cyber-security roles look at the transferable skills career changers can bring.
Ms Finch advises organisations to break jobs down into duties, so it’s easier to identify the associated skills. “If you are looking at analysing logs and trends, you need somebody that’s got good analytical skills,” she says. “If it’s incident management, you need somebody that’s able to work under pressure in a crisis with good communication skills.”
Calum Baird acquired skills like these at Police Scotland, where he worked for nearly 10 years. His roles there included response policing, violence reduction, digital forensics and cyber-crime investigation.
Now, he is a digital forensics and incident response (DFIR) consultant at Systal Technology Solutions. The company helps its clients to investigate and recover from cyber-incidents, including ransomware attacks.
“The police taught me how to quickly assess risk, and prioritise based on that risk, which is a skill that’s very helpful when it comes to dealing with cyber-incident response,” he says. “It is not quite life and death [in cyber-security], but it’s a significant cost to businesses and a significant disruption to people.”
His communication skills developed in the police are helpful in his current role, which includes supporting clients on what may be the worst day of their careers. “The soft skills are sometimes understated in cyber-security,” he says. “That ability to speak with the client, to put them at ease, to clearly explain the process and reassure them that they’ve got someone on their side fighting their corner.”
Mr Baird says he has a lifelong love of learning new skills, which was vital in the police, and remains valuable in the private sector. “There are just so many devices, so many operating systems, so many different applications out there that you won’t find anyone that knows everything in depth,” he says. “A key skill in cyber-security is the ability to find a topic and dig deeper.”
According to ISC2, 41% of companies are trying to recruit non-technical people into cyber-security from other roles within the company. Rebecca Taylor is an example of someone who made that transition. She is a threat intelligence knowledge manager at Secureworks. The company provides threat detection and response technology and publishes advice on threats.
“My role is focused on grabbing anything that pertains to a threat, making sure it’s accurate and useful, and bringing it into our systems,” she says.
She joined Secureworks as a personal assistant. “It was making teas and coffees, taking minutes, sitting in conversations,” she says. “I saw very quickly that this was a field that was changing and a hundred percent fit with what I wanted, which was to keep learning.”
After working in resource coordination and change management, she became incident command knowledge manager, where she was part of the ransomware response team. “They were trying to find someone to capture notes, capture indicators, and be there to help nurture that engagement through,” she says. “I loved it.”
She works alongside people who studied history, geography and archaeology and says her own humanities background helps with her work today, processing information. “If I reflect on my English and creative writing degree, [it was about] reading significant volumes of text and being able to pull out the interesting parts.” Her writing studies help with the blogs and other materials she produces to explain cyber-security threats.
“There’s a huge perception that cyber-security is going to be all technical chat, coding and AI,” she says, “but there’s so much more to cyber than technical. I wouldn’t describe myself as a technical individual. I’m just someone that has found a passion for distilling useful information.”