Editor’s note: ISACA welcomed cybersecurity expert Naomi Buckwalter for an Ask Me Anything (AMA) session on ISACA’s Engage platform 30 October–3 November. Buckwalter is the Director of Product Security for Contrast Security, founder and Executive Director of the nonprofit Cybersecurity Gatebreakers Foundation, and author of the LinkedIn course, “Training today for tomorrow's solutions—Building the Next Generation of Cybersecurity Professionals.” This AMA session led to an engaging community discussion of topics around common concerns of hiring entry-level professionals, what the ideal candidate looks like and how to go about hiring them. See highlights from the thread below, and for additional insights and conversation, the complete thread can be found here.
Cybersecurity can be a difficult and intimidating field to break into. With constant debates around necessary credentials, education and training—in addition to ever-evolving legislation, standards and protocols to keep up with—many professionals do not know when or where they can begin their careers.
Fortunately, leaders in the cybersecurity field are always looking for new talent. Naomi Buckwalter is one outspoken advocate for hiring entry-level cybersecurity professionals—so much so, in fact, that she posts relevant job listings on her LinkedIn every week specifically targeted toward these less experienced professionals.
Common hesitations when hiring entry-level cybersecurity professionals include the time it takes to educate and train them, budgeting for this additional guidance and teaching them the specific tools the organization uses. Buckwalter acknowledges that, yes, you will need to spend time to educate this newcomer, but she argues that it is often a shorter time commitment than one might think.
“For example, how much training would you expect someone to need in order to create and maintain an asset inventory? Or follow standard procedures for tasks like identity and access management or password resets?” Buckwalter writes. “I would argue, not much time at all. People are very intelligent, and many of these entry-level tasks don’t need technical skills or years of experience to do. You do need to have good documentation and processes in place for entry-level folks to follow, that’s true. But it should also be true that good documentation and processes are in place regardless.”
Buckwalter goes on to list free and inexpensive resources that entry-level professionals can learn from at home (Coursera, Udemy, Google, Cybrary, ACloudGuru and Black Hills Information Security, to name a few). These resources cover the tools that many organizations use, which keeps the financial side of the hiring process in good shape. The professional in question simply needs a computer, an internet connection and the desire to learn.
In addition to these technical skills, the ideal “soft skills” that a candidate might have include critical thinking, a strong work ethic, professionalism and a strong sense of integrity. As identified in ISACA’s State of Cybersecurity 2023 report, communication skills are also key. Buckwalter maintains that these professionals must not be satisfied with simply following a framework—they must take it upon themselves to ask, “Why?” and “Could this be done in a better way?”
As far as leadership buy-in goes, Buckwalter suggests creating a solid business case for all roles, not just entry-level ones. “Make a solid business case. Say that you need to focus on the fundamentals of information security, which include asset management, configuration management, change management, and access control. Your entry-level hires can be trained to do this work,” she writes. “You wouldn't want to have your senior people doing this work—they'd be quite bored and overpaid! You want your senior folks to [focus] on the complicated tasks and security architectural decisions, which DO require years of experience in order to do well.”
After identifying what skills are needed and securing leadership’s approval, the next step is actually hiring these qualified professionals. Buckwalter is “cautiously optimistic” about the future state of entry-level hiring in cybersecurity and shares her hopes that hiring will have settled into a more reasonable state in five years’ time. Her nonprofit organization, Cybersecurity Gatebreakers Foundation, is on a mission to convince hiring managers of the value of trusting professionals without previous cybersecurity experience, and that it’s OK to give people a chance.
“My suggestion is to look around you and see potential in EVERYONE. Anyone that you are speaking with knows something that you might not know,” Buckwalter writes. “Anyone can be your teacher! You just have to open your mind to that fact—that there is potential in everyone. It’s actually quite amazing—you start to see the beauty in humanity!”