What does it take to begin a career in cyber security? Bundles of qualifications? An in-depth knowledge of the IT Crowd? A music degree?
Much has been debated around the beleaguered credit report giant Equifax’s Chief Security Officer possessing a higher education in music composition and not, as may be expected, an IT-related discipline. This has once again brought to the fore the issue of what exactly is needed to enter a career tackling one of today’s biggest global threats.
MWR has never found a background in IT/Security to be a requirement to becoming good at security. Many of MWR’s technical experts come to us from a range of backgrounds including philosophy, biology, and physics. Others had no formal education when they started and we have staff who joined us from jobs such as musician and kitchen porter and are now truly excellent securitists.
This is not to say that computer science degrees are worthless – the majority of MWR’s staff have such a degree – and there may well be a difference in hiring attitudes between the UK and, for example, the US.
However, MWR works with a large number of security leaders from all backgrounds and have worked with a large number of leaders with no computer security background, as well as excellent security leaders with no formal education at all.
This isn’t just MWR’s experience. A survey commissioned by MWR just last month found that a curious mind and practical on-the-job experience were considered to be the most important traits to be a successful cybersecurity professional. Indeed, out of the 200 high-ranking UK IT Security Professionals surveyed, none felt that a degree of any kind was the most important accomplishment for a potential new recruit.
Furthermore, when asked “What is the most important priority in addressing the industry skills shortage in the UK”, 29% of respondents to our survey felt the answer lay in attracting people from non-IT disciplines. Only improving the industry’s image amongst young people achieved a higher response rate.
So what does matter? MWR’s direct experience, as well as that of those polled is curiosity and creativity, combined with deep on-the-job experience. As a security leader, the job is around building and using internal (as well as external) networks to drive security in the organization. The key skill of great security leaders is getting the organization to take security seriously and that requires communicating risk as well as understanding it. This is something not taught on degree courses but learned over a career of trying and improving.
While the criminal probe into Equifax’s breach is on-going, the cyber security industry must not see the case as a reason not to look beyond the traditional subjects it recruits from. Recruitment from non-IT based disciplines can enrich and diversify an organization’s talent pool.
As one commentator on the marketwatch website pondered, “Would you hire a pre-law major who dropped out of college for any type of IT job? Would you even consider them for a management or executive position in IT? If you said "no", then you would have refused to hire Bill Gates.”