“Companies are busy hunting for unicorns when they really just need to stop and look at all the squirrels around them.”

Twitter: @InfoSecSherpa

Tracy Z. Maleeff is an information security analyst for the New York Times Company. She earned a master of library and information science degree from the University of Pittsburgh, as well as undergraduate degrees from Temple University (BA, magna cum laude) and Pennsylvania State University (AA). Tracy holds a SANS GIAC GSEC certification. As an InfoSecSherpa, Tracy is an active member of the InfoSec community and frequently shares her expert knowledge through her OSINT blog and InfoSec newsletter, in addition to Twitter. Tracy is a frequent presenter on a variety of topics and has given talks at DEF CON's Recon Village, DerbyCon, and several BSides events. In her past career as a librarian, Tracy earned the honor of being named a Fellow of the Special Libraries Association and has won the Dow Jones Innovate Award and the Wolters Kluwer Innovations in Law Librarianship Award. A native of the Philadelphia area, she lives and dies with its sports teams.

Do you believe there is a massive shortage of career cybersecurity professionals?

No, I don't believe that there is a shortage of cybersecurity professionals. Rather, the shortage is in companies who are willing to train people or develop talent. I personally have been fortunate that my current and most recent past employers very much embraced training and talent development. There are many career changers like myself who came to cybersecurity with a polished skill set from another industry. I was a librarian who made a career change into information security. I had a master of library and information science degree as well as a hard work ethic and transferrable skills. As was said to me during the interview for my first information security job, “We can teach you the tech. We can't teach someone all these other skills you already have that complement the job.”

I understand the argument that cybersecurity isn't necessarily an entry-level job. However, every other headline these days screams about how this shortage of professionals is becoming its own security risk and crisis levels. Employers aren't helping themselves by placing unrealistic job requirements on their open cybersecurity positions. A Tier 1 SOC analyst does not need a CISSP to do that job. Yet, it's not uncommon to see cybersecurity job requirements that don't match the actual skill set needed or are appropriate for the job. Companies are busy hunting for unicorns when they really just need to stop and look at all the squirrels around them.

Desperate times call for more creative hiring and training. Whether it's a new graduate or a seasoned professional from another industry, employers need to think creatively about the best person for the job based on their aptitude, their willingness to learn, and their desire to do the job. The HR firewalls that companies put up to filter people are not configured correctly for cybersecurity jobs. Many smart people who are passionate about security are getting stonewalled and frustrated. Many move on to something else eventually. No, there's no shortage of cybersecurity professionals—there's a shortage of good hiring and training practices among employers.

The HR firewalls that companies put up to filter people are not configured correctly for cybersecurity jobs.

What are your communication tips for interacting with executive leadership?

Be bold. Be brief. Be gone.

• Be bold—Speak or write with confidence. If presenting in person, “mirroring” helps. Meaning, leave the hacker hoodie at your desk. Try to dress like the people to whom you are presenting. Your mileage may vary; base it on what your leadership looks like.
• Be brief—Cut to the chase. Give the bottom line. Don't get mired in storytelling or long backstory explanations. If your discussion involves money, give explanations of why spending x amount now will save x amount later.
• Be gone—After you've given your confident and brief presentation, disappear like a magician in a puff of smoke, if that's an option. It's possible that discussions about what you've just said need to be had and can't take place while you are still in the room. Again, your mileage may vary. Understand before going into your communication if you are to stay or go.

Michael Cooper has great information about communicating with specific brain types. I highly recommend that people check out his Innovators and Influencers site to get more information about communicating with different brain types.

Do you have any favorite books to recommend for people who want to lead cybersecurity teams?

I like to defer to the Cybersecurity Canon for books related to the industry. Those books are vetted by industry professionals and are recommended for information security practitioners, including management books.

• Spencer Johnson's classic Who Moved My Cheese is a valuable resource to help understand dealing with change, which is an important skill to have on a cybersecurity team.
• I honestly believe that self-help types of books like The Four Agreements: A Practical Guide to Personal Freedom by Don Miguel Ruiz are key to leadership. You must understand yourself, and the feelings and motivations of others, to best lead, guide, and manage.

Choose books that inspire and motivate you and then take those lessons and apply them to leadership.