In a former role, Dave Estlick noticed a developer with a talent for security — she just didn't know it yet.
Because she consistently scored the highest on mandated security training practices, he thought about building an application security team around her.
But first he had to convince her of her propensity for cyber.
Estlick and the developer "sat down [for] coffee multiple times to try to convince her that this was good for her career. And now she leads a team of eight and is doing a fabulous job," he said while speaking on a cybersecurity collaboration panel at NRF last week.
Incumbent CISOs have an obligation to draw parallels between security and other jobs that working professionals won't draw for themselves.
CISOs can help professionals understand that they can leverage a "critical background," said Estlick, CISO of Chipotle. "I'm as likely to hire somebody with an economics degree as I am with computer science. Economics is about finding patterns in the data. And that's exactly what our job is."
With a 0% unemployment rate, cybersecurity is always hiring. But cybersecurity is a relatively new field.
Looking for someone with six years of experience in cyber is unrealistic, said Adam Mishler, VP and global CISO of Best Buy, speaking on the panel. "We're not going to have that large talent pool to actually look toward," he said.
CISOs willing to adopt a more generous approach to recruiting will have a greater return on value. It also won't scare off potential candidates.
Pushing beyond the confines of the security organization forces security practitioners to be more cognizant of how they talk about security jobs and what they really entail, because the route to becoming a cybersecurity professional isn't clear, said Mishler.
Target breeds security talent in-house using a program called "security ninjas," said Rich Agostino, SVP and CISO of Target, while speaking on the panel.
The program entails using traditionally non-security resources but "good technical people" sitting at senior developer levels to collaborate with Target's product team. "They're essentially our advocates." The security advocates teach the product team the threat landscape and "what the bad guys are doing," said Agostino.
Malicious hackers have graduated from basement dwellers to teams that resemble the ones CISOs oversee. Hackers can scale operations — and toolkits — on demand. The dark web grants them access to a market where they can "purchase just about anything that they don't know how to build themselves," Agostino said.
The extended security team improves the security posture of the whole enterprise. "The talent benefit of that is you have your own team. But then you have this wide network of people that are kind of pseudo cybersecurity folks," he said.
Despite the confusion around shifting careers into cybersecurity, the jobs have an appeal other IT roles don't. Hollywood doesn't write movies about system administrators, said Estlick. "There's a little bit of a sex appeal to what we do for a living."