Demond Cook says he was largely misunderstood when he got his start in security. In 2014, he started as a security analyst with the National Basketball Association (NBA), doing corporate security work overseeing doors, locks, badges, and cameras.
“When I would tell people I was in security, they just thought I was a security guard standing up in front of a building,” he says. “And I didn’t really like the perception.”
While working with the NBA, Cook started hearing more about careers in cybersecurity, which sounded like a more challenging—and more lucrative—career path. At that point, he “went down the rabbit hole,” and after doing some research, he decided to make a career switch into cybersecurity. The transition took about two years.
Some 100 or so interviews later, Cook got his first big break into cybersecurity with First Data Corp. and went on to hold cybersecurity positions with NBCUniversal, Interpublic Group, and Trace3 before founding Cyber Security Launchpad and Cook Consulting Group, where he now serves as CEO. Cook Consulting Group works with companies to develop better cybersecurity recruiting practices and improve diversity in the industry.
“Most recruiters are not qualified to be interviewing cybersecurity folks because all they’re looking for is buzzwords and certifications,” Cook tells Fortune. “They don’t really know what it takes to find a good security professional, so I just decided to do something about it.”
Fortune sat down with Cook to learn more about his journey to cybersecurity and what it takes to help close the cybersecurity talent gap. Estimates show that there are more than 700,000 open cybersecurity positions in the U.S. alone.
This interview has been edited for brevity and clarity.
How to break into the cybersecurity industry
Fortune: How did you learn cybersecurity?
Cook: A lot of it was self-study—just becoming obsessed with cybersecurity. I stopped listening to music altogether and just listened to podcasts and certification prep on YouTube. I would put it on 1.5- or 2-times speed just trying to get through as much material as I could. Anytime I heard something I didn’t know, I would just go down a rabbit hole on YouTube—really, YouTube University—and try to learn as much as possible. I was preparing for the Security Plus certification. That’s what gave me the confidence to be able to speak and interview in cybersecurity, even though I didn’t have the experience. I started positioning myself and promoting myself as a cybersecurity professional before it even happened.
And I just love networking and reaching out. If I saw somebody had a suit on, I would say, “Hey, I don’t know if you know anybody, but I’m trying to break into cybersecurity right now.” I was never quiet about it. I was on LinkedIn looking for mentorship all the time and being active and posting so that I would be top-of-mind whenever there was an opportunity. LinkedIn is the biggest free marketing tool. Find mentors—people are actually willing to help.
Why is it seemingly so hard for people to break into cybersecurity?
I feel so bad that I can’t help more folks. I think that cybersecurity is a unique field where almost nobody started their career in cybersecurity. Everybody started somewhere else.
Cybersecurity degree programs aren’t that old. People did computer science, and then they would leverage that experience to work in cybersecurity. I think it’s getting better with the government spending tons of money there. I think it takes people in power to open up positions on their team and say, “Hey, we need people in here who are young, and we can give them some experience.” There’s not one cybersecurity team in the country that is not swamped with work or doesn’t need extra help.
I think it’s a little bit easier if a person is already mid-career making the transition—say you’re in accounting or something like that. You can reach out to the head of cybersecurity at your company and offer some help, which they need. That’s the real-life experience you can add to your resume. That’s something I really encourage folks to do.
Cybersecurity Recruiting
What do you focus on in recruiting for cybersecurity roles?
Every time I get a new role out of a place, the most emphasis is on finding a diversity candidate. So I’m looking for minorities, I’m looking for women, I’m looking for underrepresented folks. A lot of times these roles are tough and I can only find a white male, but I will give everybody else the first, second, and third crack before I present the white male candidate.
I’m in a bunch of diversity groups in cybersecurity and tech, so I really have access to a lot of candidates who are at a company, and they’re not willing to make a move anytime soon. But, if I give them a call, they’ll be willing to have a conversation.
At a certain level, these candidates are not going to be applying to your job ads or going on your career site at all. It’s a relationship game at a certain level. The average recruiter is not in cybersecurity groups. They’re not going for certifications and going to cybersecurity meetups like I do.
How important are cybersecurity certifications?
Usually when I’m meeting with the hiring manager, I’m asking what their must-haves are. Does this person really need to have a master’s or do they really need to have this certain certification? If they can prove that they have the skill set and they’re a hard worker, will you want to see them? Usually when you are asking the hiring managers a question like that, they’re willing to make some concessions. And a lot of times, it’s not them writing the job description. That’s where the disconnect comes into work.
The first thing is pushing back on some of the lofty and unrealistic standards that they have in cybersecurity. I see a lot of jobs that are asking for a CISSP, which requires five years of experience. Candidates with only two years of experience are not allowed to even sit for that certification. I push back on some of the unrealistic expectations for a lot of these job descriptions.
For me, it’s about finding folks who have the aptitude, who have proven that they’re studying for certifications, but they just haven’t gotten that first chance to take one.
How many truly entry-level cybersecurity positions are out there?
Internships are real-world experience to me. I’ve worked with a lot of young folks who just graduated college and gotten a cybersecurity internship, and they proved their worth and were able to be hired on to the company that I interned at. More companies should give those opportunities. I think that might be the biggest place where we can bridge the gap is more internship opportunities to get people to a role or experience, so they can take the next step, either within the company or take that experience and go elsewhere.
Most cybersecurity roles are not technical. There are some where you have to be able to code or hack, but those are the minority. I’ve worked in governance, risk, and compliance where it’s not a technical thing at all. It’s applying a certain framework to the company security policies and procedures to make sure that they’re able to function and pass audits and be in compliance with government standards.
I think a lot of times it’s an intimidation thing and people don’t think that they can work in this field.