Conor O’Neill, founder of OnSecurity, explains why he looks beyond third-level qualifications when recruiting cybersecurity staff.
Irish entrepreneur Conor O’Neill has a slightly different approach to some of his competitors when it comes to hiring cybersecurity talent.
He founded the Bristol-based company OnSecurity, which focuses on penetration testing, in 2018. Also known as pentesting, this refers to authorised simulated cyberattacks designed to assess an organisation’s security vulnerabilities.
With lots of industry players scratching their heads over how to fill the demand for cybersecurity workers, O’Neill’s antidote to the ongoing problem is pretty simple – hire some self-taught techies rather than rely exclusively on university graduates.
That’s not to say all of his employees have no third-level education, but around 10 out of the total team of 28 have been teaching themselves about all things cybersecurity since they were teenagers.
OnSecurity doesn’t stipulate that its employees must have a qualification to work for the company, but an interest in pentesting and IT is certainly required.
“What we look for is aptitude and enthusiasm,” O’Neill told SiliconRepublic.com.
“If we interview someone that’s not in the industry, but they already know a lot about cybersecurity or pentesting, that is a very good indication that they’re the type of person we’re after.”
So, how does the company find these tech stars? The team keeps tabs on underground hacking sites to keep an eye out for emerging talent.
Online forum Hack The Box is one source O’Neill mentioned. This online cybersecurity training platform helps people level up their skills by competing in challenges.
“We’d watch the leaderboard on this and when we notice someone creeping up that leaderboard, we reach out,” he explained.
The youngest employee OnSecurity has “poached” in this way was still in secondary school aged 16 or 17, while the oldest was in their mid-40s.
As well as teenage whizzkids, the company has a former medical doctor, bartender and a cybersecurity college student on its books. They are all proof that you can get into a cybersecurity career without a traditional education or training background.
O’Neill said he isn’t convinced of the value of going to university for a technical discipline. “We honestly don’t care if you have a degree or not. If you do, great; if not, also great. It’s about your enthusiasm, interest in your subject and potential ability to learn.”
While O’Neill himself got a degree from IT Blanchardstown and a master’s degree, he took his time doing both, choosing to prioritise travel and work over study – a decision he’s happy with looking back.
“I was working as a labourer digging trenches on a building site in Australia when I was 29. By 39 I owned a cybersecurity business with 25 staff and seven-figure revenues.
“I’ve no regrets, I’m happy with my convoluted journey to this point. In fact, I can’t think of anything that I would have liked to have done less in my 20s than running a business and being responsible for paying the mortgages of 20 people.”
His own break into the cybersecurity industry started when he got a job with Barclays in the UK, which sent him on a pentesting course.
Fast forward to September 2022 and OnSecurity launched its own pentesting-as-a-service tool. It builds on the introduction of Radar, a threat intelligence tool that was designed to show businesses how they appear to hackers. As well as pentesting, OnSecurity offers vulnerability scanning to its customers.
Thinking outside the box for hiring isn’t only a matter of getting the right talent or filling skills gaps. For bootstrapped companies like OnSecurity, unconventional recruitment programmes are a necessity as they can’t compete with the budgets of many competitors.
“A lot of our competitors would be funded so it was the competition for salaries basically. We just couldn’t compete,” O’Neill said.
“Where we might offer, a few years ago, a relatively junior pentester a salary of, say, €35,000, we had competitors who didn’t care about budget and could double or triple that salary.
“We couldn’t compete so we had to start being a bit more clever about how we acquired pentesters and junior pentesters. We started this programme and will soon be looking to do the same thing again.”
Does this way of hiring cause problems? O’Neill said there can sometimes be issues when it comes to the professional consultancy aspect of the business.
For example, many of the pentesters OnSecurity finds may not have a huge amount of experience in dealing with customers. For this reason, O’Neill said the company is built slightly differently from its competitors.
“We accept that for certain people, doing a call or a pre-sales presentation with a customer is their worst nightmare. So we try to just let our pentesters do pentesting.”
“We try to bend the company towards our staff, rather than the other way around. All we let our pentesters do is test, if we can help it.”