It depends on your hiring criteria and where you're looking for talent, Ellis says. "If you say, 'I'm looking for a CISSP,' recruiters will find you someone. If you say, 'I want somebody who deeply understands safety analysis,' it's a hard problem especially because there aren't a lot of them in the security community yet."
In particular, candidates that fall between mid-level technical staff and senior staff can be scarce. "When you want people to already have 10 years of security experience, and a deep technical background -- there really is a shortage of good quality folks like that," Ellis says.
Akamai's solution is to venture outside the security community for many of its hires. The company recruits people who have done release management, or software engineering, or safety and hazard analysis, for instance. Or people who come from a different technical background entirely, such as biochemists. (See the full story, Akamai CSO takes a creative approach to finding security pros)
While Akamai casts a wide net for security talent, one quality that's highly valued is passion. "We look for people who are really bright, who are passionate about something," Ellis says. It would be nice if that something was security, but it doesn't have to be.
Admittedly, not every company has the resources to turn bright people into cybersecurity professionals. An out-of-the-box hiring approach takes extra work on the part of recruiters, hiring managers, and the people who train newcomers.
"Instead of the problem being that I can't find good people, my problem is that I have to turn great people into great assets," Ellis says. "Now you have to make sure that they learn your systems, that they learn security and understand the language, and that you can mentor them."
Some of that hard work is unavoidable. Whether a company sets out to hire someone with a traditional cybersecurity resume or from a nontraditional path, there are going to be compromises -- the idea of finding someone who can immediately do everything and doesn't have to learn anything is absurd. "You're going to have a hard time if that's your standard," Ellis says.
No one hire will fill all the gaps, and continuing education and training is imperative to build a strong security team. "There's no magic potion here," Stroud says. "It has to be a sustained and continuous program."
Sign up for CIO Asia eNewsletters.