Akamai CSO takes a creative approach to finding security pros
March 9, 2015
What do a chocolatier, theater director and dog-sledding adventurer have in common? All found work with Andy Ellis, the chief security officer at Akamai. And all have passion – an indispensable quality for Akamai’s CSO.
Ellis has a different mindset than most when it comes to building a security team. At a time when the tech industry is bemoaning a lack of security talent, a willingness to think outside the security hiring box is an advantage for Ellis, who oversees the security architecture and compliance of Akamai’s global network.
For starters, he’s mindful about overvaluing certifications. Hiring managers are often singularly focused on people with the right certifications, and many candidates looking for security jobs are stuck on a “certification treadmill,” he says. These job seekers accumulate credentials, often by jumping from employer to employer to climb the ranks.
“Are these good candidates or not good candidates? In a sense, they all look the same,” Ellis says. “It's hard to say, ‘here's somebody who really knows what they're doing and is deeply passionate.’”
In addition, there’s a lot of competition in the talent acquisition world for people with keyword-friendly resumes that cater to job requirements checklists, which adds to the hiring challenge. “Everybody gets overvalued simply because everybody is looking there. So you'll talk to somebody, and they're already talking to five other companies,” Ellis says. (See related story, Shortage of security pros worsens)
Akamai’s solution is to venture outside the security community for many of its hires. “We look for people who are really bright, who are passionate about something,” Ellis says. It would be nice if that something was security, but it doesn't have to be.
The company recruits people who have done release management, or software engineering, for instance. Or people who come from a different technical background entirely, such as biochemists. Safety and hazard analysis is another attractive skill, as is experience with incident response and supply chain management.
Through its nontraditional approach, Akamai has assembled one group, for example, that focuses on formal methods, a discipline that uses mathematical techniques to model and verify complex systems. “You don't just make assertions, you have to prove them,” Ellis says of the mathematical discipline.
Applied to operational security, formal methods expertise brings a new mindset, Ellis says. “Security and safety are so tightly correlated, and the rigor that formal methods thinking brings is very helpful for identifying hazards,” he says. “In the operational security world, things will always be broken. But what the formal methods world teaches us is that you can at least reduce how much things get broken, and better understand where your problems are."
Along with passion, another sign of a good candidate is someone who has demonstrated that he will do self-learning, Ellis adds. “By self-learning, I explicitly don't mean that they got their boss to pay for a conference. Anybody can do that. I want to see that you went and did some learning on your own in some fashion,” he says.
How to hire without a checklist
Ellis doesn't waste time searching for perfect candidates – the mythical “purple squirrels” with the ideal mix of skills, education and experience. Each hire is viewed as part of a team, and people’s expertise and contributions vary. “We're not hiring for just one job,” Ellis says. “If I find somebody who's not perfect, that's ok. There is no perfect.”
One advantage of such an approach is that fewer companies are going after these candidates for operational security roles – though that doesn't mean they’re not sought-after talent. “They're probably also talking to four or five other companies. But you can make them an honest and serious offer,” Ellis says.
Worth noting: Nontraditional doesn't mean cheaper. Ellis doesn't recommend undervaluing people who enter the security world from alternative paths. Striking a deal that saves the company a little money in the short term will only lead to a difficult conversation a year later when the employee comes looking for a pay raise or leaves the company, he says.
Deviating from a checklist hiring mindset is not without its challenges, however. Often you've swapped one problem for another, Ellis admits. "Instead of the problem being that I can't find good people, my problem is that I have to turn great people into great assets,” he says. “Now you have to make sure that they learn your systems, that they learn security and understand the language, and that you can mentor them.”
It hasn't always gone smoothly, and Ellis acknowledges shared responsibility for the difficult hires. “If we didn't provide the right training -- was it their fault or our fault?” he says. “We're working at better formalizing an information security curriculum that’s really focused around the concept of safety and critical thinking, which we find is helpful to have.”
An out-of-the-box hiring approach also is tough on recruiters. “It's very hard. We go around and around with our recruiters. Our recruiters have been great partners -- but they would really like it if we would hand them a checklist of seven keywords to find on a resume,” Ellis admits.
Job requirements might specify a bachelor’s degree or equivalent experience -- a subjective measure that makes it harder to evaluate people. To Ellis, candidates who can demonstrate that they've done something interesting are most appealing. He mentions one applicant who worked on the One Laptop per Child program. “I don't even care what his degrees are if he spent four years building computers and the software to go on them,” Ellis says. “That’s totally equivalent experience.”
The onus isn't only on recruiters. Akamai's hiring approach requires a lot of time and resources on the part of managers, too.
“You have to invest very heavily in interviewing,” Ellis says. “The rule of thumb that I generally tell my managers when they go to hire -- and they don't all believe me the first time, but I think by about the third time they go to hire, they really believe it -- is that if you're in the middle of hiring, then half your job is to go hire. If you're not spending half your day working on hiring, then you're not going to be successful.”
If managers don’t commit, neither will recruiters. “The recruiters will engage with you to level you engage with them. If you're going to spend an hour a week looking at resumes, the recruiters know they only have to send you resumes once a week. But if you're engaging with them every day, they'll put you at the top of their priority list.”
It’s also important for hiring managers to get feedback from team members who've taken time to interview prospective hires. “After each person does the interview, you really need to sit down with that person and get their feedback in a one-on-one session, and then get the group feedback,” Ellis says. “If you're going to invest the time in having six people interview somebody, then you should invest the time interviewing those six people to figure out if this person is someone you want to hire. Otherwise you're wasting everybody's time.”
Good people don’t have time to waste. Case in point: One of Akamai's security pros is currently on sabbatical for six months because he's riding his motorcycle in Tierra del Fuego, an archipelago off the southernmost tip of South America.
"This is one of those things you have to put up with. When you hire passionate people, they'll say, ‘hey can I take six months off to go ride my motorcycle around the world?’ And you say yes, because your alternative is they quit,” Ellis says. It’ll take months to replace that person, who will then find work with somebody else instead of coming back to you. It’s better to be flexible and retain that passionate person, he says.
“Go ride your motorcycle, I'll hold your seat for you.”