How to break into cybersecurity, as told by Accenture’s head of cyber

Among the most in-demand industries is cybersecurity. Major companies, including those in the Fortune 500 are in desperate need of the talent, as previously reported by Fortune, but are running out of options of where to turn. One challenge? Cybersecurity requires a wide range of skills to be successful—and not all of them can be taught in a classroom setting.

“In terms of the talent shortfall, I think one of the things that’s hard to appreciate about cyber talent is it’s not like it’s just one skill set—there’s at least 17 discrete skill sets needed for cybersecurity,” Ryan LaSalle, head of Accenture Security’s North America practice, tells Fortune. Accenture is a global Fortune 500 technology and consulting company and employs more than 500,000 people across the globe. 

Accenture officials including LaSalle are of the attitude that cybersecurity talent can be developed in people even without a technical background. For that reason, the company offers a multitude of training opportunities for current and future employees to learn cybersecurity skills. These include Accenture’s apprenticeship program and upskilling programs for current employees who are interested in making a career switch to cybersecurity. 

Fortune sat down with LaSalle to learn more about the cybersecurity talent demand the company is seeing and what it takes to be a successful cybersecurity professional. 

Fortune: What does cybersecurity service demand look like for Accenture?

LaSalle: For sure, cyber talent is in high demand. In terms of the talent shortfall, I think one of the things that’s hard to appreciate about cyber talent is it’s not like it’s just one skill set—there’s at least 17 discrete skill sets needed for cybersecurity. And within those, there’s different product lines and technical- and process-related skills that make it really, really hard to define exactly what we need in the cyber skill area. 

There’s definitely a technical aspect to cyber that I think is what most people think about when they think about cybersecurity. The hackers—the people who really understand how computers work and how to abuse them and then how to protect from that abuse.

But there’s also a big human dimension to it. How do you help psychologically improve the way that people in organizations respond to cyber threats? How do you help make people harder targets? How do you train and change behaviors and improve risk-based decision making and all these different things that cyber professionals have to be able to do in order to be effective with those technical solutions? It’s a really broad skill space.

What type of cybersecurity roles does Accenture hire for?

The big joke in cybersecurity is that everyone’s looking for entry level people with five years of experience. We spend so much time trying to get to the right set of credentials that we’re not looking for the right qualities. We definitely look for experienced hires to help make our practice better. We look for people who are seasoned professionals and are experts in the field and are sometimes even luminaries in their field to help lead and expand the capabilities we can deliver. 

We also look for very junior, entry-level people who are more raw talent and are excited about starting a career in security and looking for ways to enter and serve a structured development program that allows them to pick up the skills and become that expert over time. So we look at all different levels and different entry points into the career model.

What does it take to be a good cybersecurity professional?

We are certainly looking for technical skills. The move to the cloud has made every company, every organization, every agency realize that there’s a gap in their knowledge base in their teams, not just in how to move their enterprises to the cloud, but also how to do that securely. It requires a different way of thinking. There’s different tooling; there’s different approaches that you need to take. Making sure that we have the best cloud security team possible means that our clients can get to the cloud faster. They can achieve those benefits faster and more securely when we have the right talent. 

We’re definitely looking for people in that space, but security is pervasive and it’s going into all different parts of how enterprises and agencies and government agencies work. It’s going into the boardroom and into the C-suite to help them figure out what kind of decisions they’re taking on when they’re taking on new strategic moves: How do they balance the risk of those things? In product engineering, it’s making sure that all the new consumer devices that are shipping are secured by design and making sure that they can sustain the security of those things once they’re in the field.

It’s looking at the explosion of regulatory requirements on companies and agencies to attest to what they’re doing and helping to understand how to make sense of all those regulations and turn them into action. 

What type of education do you need to be a cybersecurity professional?

There are different archetypes of how people find their way into security. I’m not classically trained in security. I found my way into it at the midpoint of my career. A lot of other people have similar stories of how they found their way into security. I do like the undergrad and credit school programs that are putting some rigor around information security. I was a computer engineering undergraduate and didn’t have a single security class in any of my computer engineering and computer science classes. That wasn’t really something we learned about when we were learning about large complex systems and networking and any of that stuff.

I’m really glad that people are putting those programs in place. The NSA Centers of Academic Excellence and those kinds of programs have really helped increase the rigor and readiness of the students who come out of those programs. And we do hire out of those programs. 

We also hire people who aren’t in those programs and don’t have a security background who have a real pension for learning and who are self-taught. Maybe they’re in computer science, but maybe they’re not. Maybe they’re in anthropology or economics or social science. And they’ve got a way of approaching problems that combines both their creativity and their inquisitiveness and they’re picking up security skills along the way. We’re happy to teach them. 

And then I also see another trajectory, which are people who are somewhere in their career and they want to make a change. Some of those continued education programs, certification programs, self-study programs, and even some of the master’s degrees, and online programs really help those folks make the pivot with some confidence. 

We will take a chance on people all the time. We’ve done it over and over again when we find people that we think have a real potential in security. When people have demonstrated with their own commitment to go through one of those programs, it helps them with their own confidence and helps us with our confidence that we know it’s a safer bet.

We’ve talked about the technical aptitude it takes to be successful in cybersecurity. What other traits should these professionals have?

It’s interesting because I think there’s a whole lot going on in the market right now and there are psychographic and behavioral analysis to try to figure out that exact question. There are companies out there who are building products to help find the needles in the haystacks of the people who could become great in cybersecurity—people who haven’t found their way into security. But for me, what I’ve found is there are a couple things that tie our professionals together. 

The first is a real sense of mission. It’s that real sense of right and wrong that says: “Every day, I want to get up and I want to help protect our way of life.” That is a very distinct and unique characteristic of security professionals. So if someone has that strong, moral compass, really strong sense of mission and purpose, security might be for them.

The second one is the hacker persona: somebody who rattles the locks on all the doors and windows and tries to find their way in. And a tinker similarly is experimenting. They’re trying to learn by doing it and get their hands dirty while doing it. That tends to lend itself very well to security.

The last one I think is imagination because most security failures are actually a failure of imagination to think like the attacker. When you possess a great imagination, it can help put yourself in the perspective of who wants to take something you have, or do something to you, or have a motivation to to attack your company. You can think differently about how to defend the company. 

What type of cybersecurity upskilling does Accenture offer?

We have two different ways of tackling that. We have a learn-by-doing program called our Apprenticeship Program, which looks at people from non-traditional backgrounds that haven’t traditionally found their way into consulting and in professional services. We look at people from non-four-year degrees from other community-based organizations and bring them in and put them in one-year long developmental roles in security. You get paid as an apprentice, and you get put on these programs and projects. It’s a year of learning by doing.

Additionally, we found that other people at Accenture and other people that we’ve recruited sometimes benefit from upskilling and reskilling, as well. If I find a data analyst who has a pension for that mission and creativity piece and they want to join security, I have an upskilling program for them. They may be in a different career trajectory center. I can bring them in and put them through a pen testing program or put them through a cloud security program and they can upskill and reskill on the job and then start their new career with our security business.

What other advice do you have for aspiring cybersecurity professionals?

The talent shortage is not a supply side problem. It’s an attractiveness problem. We have to do better at luring people and helping them capture their imagination, helping them understand why this is a great industry to be in. Then the supply will come and we can help build those people. We know how to do it. Almost everybody in security didn’t start in security. They all learned it along the way.

We know we can do it. We just have to make it exciting and sexy for other people.