George Gerchow is the chief security officer at Sumo Logic.
He graduated from a college I’d never heard of. He earned a master’s degree from Villanova, but it was in human resources development. He spent 16 years in the Marine Corps in various military and civilian roles, but none directly involved cybersecurity. His most recent job was as a project manager at a construction firm.
When I asked other senior executives at my company, Sumo Logic, to interview him for a security operations center (SOC) manager position, I initially was met with shoulder shrugs and eye rolls. “Why am I talking to this guy?” went the typical response. “He doesn’t seem a fit at all.”
What they didn’t know was that in my earlier interview with Roland Palmer, I concluded within a half-hour that the job was his. I was blown away by his intense desire to take on hard assignments and win. This ex-Marine had faced daunting challenges, such as planning communications operations in Afghanistan and helping evacuate hundreds of people from an area in Japan contaminated by a nuclear spill. Managing a SOC can be grueling, a constant barrage of crises and incident tickets, but Roland, despite the lack of security work on his resume, seemed born for it.
I told my colleagues, “I’d like for you to talk to him, but if you don’t, I’m hiring him anyway.” They ended up falling in love with Roland, too. He got the job.
That was three years ago. In 2020, Roland was promoted to senior SOC manager. The same year, he won our company’s highest award for employee achievement.
I’m telling this story because I think it says something about what companies and their cybersecurity organizations need to be doing to power over one of their highest hurdles: hiring great talent in an absurdly tight labor market.
“The cybersecurity skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half (57%) of organizations,” said a recent report by the Information Systems Security Association and analyst firm Enterprise Strategy Group. There are now 3.5 million unfilled cybersecurity jobs – enough to fill 50 NFL stadiums – according to Cybersecurity Ventures.
At a time when ransomware attacks, data breaches and supply chain intrusions are skyrocketing — the volume of cyber intrusion activity globally soared 125% in the first half of 2021 compared with the same period last year, according to an Accenture study – what is a company supposed to do?
Cybersecurity is too important to risk having team members who can’t (no pun intended) hack it. Wait to find the best people, no matter what.
Today’s chief security officer (CSO) needs to start by not only accepting but embracing the talent hunt as a core part of the job. (I spend at least 10% of my week on it, often more.) Then they need to tear up old assumptions about where good security professionals come from and be open-minded and creative in their search.
Five pieces of advice:
Beware the warm body syndrome
Let’s be honest: It’s tempting to just grab anyone you can, not only because cybersecurity jobs need to be filled but due to additional pressures such as protecting headcount before any open positions are cut in a layoff after a bad quarter.
Don’t do it. Cybersecurity is too important to risk having team members who can’t (no pun intended) hack it. Wait to find the best people, no matter what.
Graduating from a prestigious institution is a feather in someone’s cap, and I don’t at all mean to discount it, but it’s down my list of prerequisites. Drive, ambition, calm under pressure, team spirit and situational awareness are far more important.
In my first week at Sumo, in 2015, I attended an introductory meeting with several fellow executives who had graduated from schools like Stanford, UC-Berkeley and MIT. When it was my turn to share more about myself, I told everyone around the conference table about my alma mater: Regis University, a small Jesuit university in Denver.
I wasn’t embarrassed; I was proud. And in hiring others, I’ve maintained a philosophy of valuing skills and personal qualities over college backgrounds.
Resilience matters as much as or more than experience
Working in a cybersecurity organization is one of the world’s most stressful jobs, with burnout a constant concern. According to a report by the Chartered Institute of Information Security, 51% of security pros are kept up at night by work stress.
So while past security experience is a huge plus, an ability to handle or even relish the pressure matters as much. I always tell job candidates, “This job is going to be a grind, it’s going to be tough. But the mission is vital.” Some people’s eyes light up when they hear this – that’s who you want, regardless of what’s on their resume.
Exploit nontraditional sources
Roland Palmer is one example of how the best cybersecurity pros don’t necessarily come from the cybersecurity world. But there are many others.
For example, I’ve found software development organizations to be a fertile breeding ground for security talent. Agile development methods such as DevOps are taking development, operations and security out of their traditional silos. Everyone is now expected to work together to foster a fast, efficient, secure software pipeline.
This offers new opportunities for developers to stretch out into the security specialty and help drive the company’s software lifecycle in a different way while expanding their own horizons.
As I often tell developers, “If you join our team, you get to work on infrastructure in the cloud, you get to work on applications, and how APIs and microservices play together. And along the way, you’re developing a higher-level understanding of the software pipeline and helping drive a security-baked-in culture. And if you decide to return to engineering in the future, you’re better prepared to do so with broader experience and the security mindset that has become so crucial.”
I also look at folks with financial operations backgrounds because of their regulatory compliance orientation and attention to detail that is essential to security work.
When I got started in security, I sensed other employees would hide from me when they saw me walking down the hall. They viewed me as the bad guy arriving to rap their knuckles over some security issue.
In today’s more collaborative culture, that no longer flies. Security pros need to be seen as trusted teammates to feel comfortable around. Therefore, a collaborative, empathetic personality is a trait I always look for in prospective hires.
Whether they like it or not, hiring top-notch people has become one of the most important and challenging facets of a CSO’s job, and that won’t change anytime soon. But with determination and some out-of-the-box thinking, they can answer the challenge.