Webinar

Hiring in Cybersecurity


Whether you’re on the recruiting side or the job searching side, finding the right fit for a cybersecurity role is challenging. 

Apart from overly complex tools that are inaccessible to the non-technical population, the reason the industry is understaffed and overstretched is old-school thinking by hiring managers when vetting candidates.

Cybersecurity job requirements are too rigid, with many expecting college degrees from Ivy League universities and sometimes even not-so-relevant qualifications, such as mathematics degrees. There’s no actual evidence that graduates from prestigious schools, or graduates holding particular degrees, perform better than their counterparts without degrees.

We had the pleasure of speaking with Ron Sharon, Director of Technology and Head of Information Security at Mercer Advisors, who believes that many companies are missing out on incredible talent because of unrealistic expectations of prospective employees. Ron encourages managers to look for the “X-Factor” - a trait or a soft skill - in candidates who strive to learn and be mentored.

Discover comprehensive tips on finding the best candidate, reclassifying folks into security from various backgrounds, and breaking into infosec at the entry level. 

 

Grant: Hey folks, it's Grant. Welcome to another one of the Fletch insider series of some of the best people in cybersecurity. With me today, I have Ron Sharon. He's Director of Technology and Head of Information Security over at Mercer Advisors. Ron does a lot of advocacy for the whole industry, and he does a lot of cool stuff. You can look him up on LinkedIn and other socials. I'm honored to have Ron on here today and welcome. Can you tell me a bit about yourself? 

Ron: Hey, Grant. Sure. Yeah, thank you for having me, first of all. Again, my name is Ron. I’m the Head of Information Security and the Director of IT at Mercer Advisors. I've been with the company for just about three years now. Before that, I was the Director of IT at Ibotta. It's an app company here in downtown Denver. And before that, I did some consulting for myself and others, big and small companies like Mercedes-Benz, Los Angeles Clippers. These were fun places to work in. And I've been doing technology and cybersecurity for the past 17 years.

Grant: And, really quick question Ron. 

What kind of evolution have you seen over the last 17 years? What are the most profound things you've seen happen?

Ron: Technology moves in a very fast-paced way. The most I've seen is the technology changing. When I first started, I started with Exchange servers, 5.5. And really, my first computer was XT turbo with those little turbo buttons, that if you press on it, it increases the speed from 32 to 64. So technology is one of the fastest things that changed in the past couple of years. And because technology changes so fast, we always have to keep on learning all the time. So there's a lot of changes in the way we learn, how we learn, and what we learn.

Grant: So it's interesting to talk about change and learning. Because we're in a really interesting time in cybersecurity, the world's changing at a faster pace than ever, and we have a bit of a talent shortage; something like 500,000 jobs is the gap right now. And you and I kind of connected over this issue, and you have a really passionate stance on this issue. 

So how does hiring work in cybersecurity traditionally? And how could it be better?

Ron: So I'm in a little bit of disagreement with you about the shortage. I think the number was 450,000 open positions for cybersecurity jobs; that was an article that was published a couple of weeks ago. I don't think the number is that big. I think there is a shortage of working cybersecurity professionals. But I also think there is some sort of adjustment that hiring managers and recruiters need to do when they recruit for cybersecurity talent. They're treating it as a usual kind of hiring process. But it's really not. Cybersecurity talent is very diverse. For instance, I've seen some sort of requirements for mathematical degrees or degrees in mathematics for cybersecurity professionals. And just way out of scope, you don't need to have a degree in mathematics to become a cybersecurity professional. And I think that a lot of companies are missing out on great, amazing talent, because they have these stringent requirements that they put in place with old-school thinking of degrees and college education, as well.

Grant: Even I couldn’t have said that better myself, I could look at all the recs out there. You don't need this for that job, especially with the way we're going with the tools in the industry these days. If you look at the oldest cybersecurity tools, they use languages that even super technical people have to go spend days, hours, months of their lives having to learn. We're starting to be in a world where machines have an opportunity to take care of a lot of complexity, the humdrum work, and we can hire and uplevel people of different backgrounds. So talk to me about this better way that you see to solve this gap. I'm very passionate about this, too. And so there's a gap. We both agree on that. 

But what's this better way? How do you retool? How do you reclassify? How do you get these people with different diverse backgrounds into our world?

Ron: So there’s two prongs to it. One prong is educating hiring managers and recruiters again and to look for the X-Factor in a candidate, not just a degree, or something like that or experience in x industry. I've seen a lot of those as well. We need a cybersecurity expert that has a degree in engineering and seven years of experience in manufacturing. It’s these kinds of things that prevent really good people from applying. The other prong is experience in the work they used to do, like you can get people that know technology and re-educate them, I would put it, to know cybersecurity in-depth. It's just a matter of taking some certifications, or classes, or even some training or shadowing a person that does that on a day-to-day basis. It's not very complicated to get started in it, it's just complicated to get your foot in the door to get hired in it.

Grant: So, let's dig into the second prong for a second here. I say this a lot too. It's a mentorship model. And you need to get these people, the X-Factor, who want to learn this stuff. And there's a lot of gatekeepers and a lot of elitism, and they're like, well, I went through all this pain and this kind of stuff and so, they do put this in the job descriptions. 

And so talk more about how hiring managers or managers can start thinking very differently about this, create mentorship programs, and how they can work with recruiters to foster this pipeline.

Ron: The simplest way to look at it is, look if the person has the talent to do the job. If you have technological experience, any background in service desk, help desk, or network engineering, you can change and shift your direction into cybersecurity in a matter of a couple of classes in a mentorship program. And it's important to have certain certifications. That's just my personal point of view. If you had like A+, Security+, and Network+, you can start doing some sort of cybersecurity work right off the bat. And I know it's hard for smaller companies to have mentorship programs. But it's important to facilitate that because you can mentor someone for three to six months for a certain position. And then they will thank you. And they will run into your company for a long time just because you helped them get to where they needed to get.

Grant: So let's say you're in a company, and you are a help desk person. 

What are some of the things you could do to educate yourself? Free resources, ways of thinking, articles, websites? What's your advice to those people? It’s like, hey, you know, there's a retooling opportunity here for you.

Ron: The internet is full of cybersecurity education. All you do is go to Google, type cybersecurity, I want to learn cybersecurity, and there are 1,000 websites that will help you do that. And if you go on Twitter, and you do infosec, the hashtag infosec. There's a lot of people on Twitter that are new to infosec. They will help you on your journey. You can ask in your company if there's somebody that has an infosec role, to shadow them, to talk to them about it. But there is no shortage of tools to get educated about cybersecurity.

Grant: And Ron, maybe I'm putting you on the spot a little too much here. 

Can you talk about a situation in your role as a leader, how you've actually done this with somebody?

Ron: I don't have a story about cybersecurity. Since I'm also the director of IT, I have a story more about the IT side than the cybersecurity side. There was a person a couple of years ago, they wanted to be in networking. So I took them on. And I showed them how and I told them what certifications they need to get. I recommended, hey, you can take Security+, it's a CompTIA course. It starts from the ground up. And it gives you a great background. And after they did that, I gave them some advice on how to have a home lab. So, I said to them, hey, go on eBay and buy these old routers and switches, and you can practice at home. That person ended up getting a better job eventually, just because I pushed them and I got them to where they needed to be from the network engineering side. That person ended up accepting a different position in a different company. That was with my full encouragement, and that's all I could have hoped for.

Grant: That's awesome. That's a good story. And we talked a bit about recruiters, you kind of joked about on LinkedIn with me. 

What's your advice to recruiters so they can actually start playing a better role here?

Ron: First of all, start from the job description. If a hiring manager gives you a job description that recruiters see as too stingy, like very strict, like we want a degree in engineering and 10 years experience for an entry-level position, recruiters have to push back. That's why they're there. They know recruiting. They know what's out there in the market. They need to say to the hiring manager, look, the market right now, that's not going to work. You're not going to get a candidate or you're not going to get a good candidate. So let's change it. And there's a lot of ways to change it. You can substitute experience for a degree. You can say, I need four years of experience plus five years, if you don't have a degree, four years plus five. If you do have a degree, just a degree and five years of experience. We shouldn't be putting blocks around people that don't have degrees. Degrees are not for everyone. College is not for everyone. Some people have different ways of studying and learning. Some people don't have the funds to go to college. And that's quite alright. It's great if they educated themselves, if they took the right courses, if they know the job, and they know what to do, not having a degree shouldn't prevent them from doing any kind of job. And it's not just specific for cybersecurity jobs.

Grant: Yeah, this is actually part of why I created Fletch. Because I want to create software that helps up-level this next generation of folks and let machines do the humdrum and hey, let's let these people exercise that X-Factor and make them a lot more productive and a much happier part of the workforce. Thank you so much for being with me today, Ron. 

Any parting words on where you think cybersecurity is going, anything exciting going on you want to share?

Ron: Well, cybersecurity is important. I want everybody to know that. Think about it as insurance for your business. You have no problems paying for insurance. You shouldn't have any problems paying for cybersecurity. Because at the end of the day, you actually don't want something happening to you, because that's going to cost you a lot more. So always have a cybersecurity plan. Always have a cybersecurity person. Don't stinge out on that.

Grant: Well said my friend, well said. Thanks for being with me today. This was a lot of fun. And I'll see you later, folks.