Courage. Creativity. Agility. Resilience.

Those are the characteristics that a panel of federal and industry representatives said they value in hiring cyber workers during the CyberCon 2017 conference held Nov. 28.

Finding and training workers versed in cybersecurity has long been sticking point for federal agencies. According to an April 2017 report from the Government Accountability Office, the federal government needs to hire more than 7,500 workers in those areas.

But members of the CyberCon panel said there have always been more empty seats than qualified people to fill their jobs. Instead, with the rapid pace of change in the industry, employers want to hire workers who demonstrate specific characteristics, rather than those who come only with technical skill sets.

“You can’t be inside the box,” said Harry Wingo, a faculty member at the college of information and cyberspace at the National Defense University. Wingo once managed a program to help Google hire more military veterans. “You have to have the confidence to advise that combatant commander and say, ‘That’s the way to go.’”

Workers also need to be able to adjust on the fly.

“When the attack vectors change, they can change with it,” said Deborah Pierre-Louis, the director of the State Department’s office of policy, liaison and training.

But none of the workforce issues facing cyber leaders will change overnight, or even in a few short years. Hiring is just part of the solution, said Trent Teyema, chief of cyber readiness at the Federal Bureau of Investigation.

“We’re not going to hire our way out of this,” he said.

Teyema pointed to two strategies the FBI has used to bolster its staffing. First, the agency has worked to ensure employees are in the room for more personalized training and not just watching virtual sessions. Secondly, the intelligence agency has specifically targeted high school and college students for internships and eventual full-time jobs.

Finally, experts such as Joey Muniz, a technical solutions architect for Cisco, said employers need to incentivize good behavior and should not be above shaming employees for inadvertently dangerous acts.

For example, Muniz pointed to a “wall of shame” at Cisco for users who click on fake phishing emails. By calling out those users, Muniz said, companies and agencies can tangibly show employees how their actions could lead to additional expenses, providing a valuable lesson in the process.