
Published on April 21, 2026

Before DaVonda St. Clair ever reviewed a firewall policy or assessed an infrastructure vulnerability, she was managing pallets of military equipment for the U.S. Air Force. As an Air Force logistics manager, her job was to make sure the right supplies were in the right place. “Just in case we went to war,” she explained over Zoom.

She didn’t know it then, but she was already doing the work of a cybersecurity architect — which is now her job at IBM. More specifically, St. Clair advises Air Force Civil Engineer leadership on cyber risk management and infrastructure protection. She also holds a Lean Six Sigma Master Black Belt — a credential she’d earned in practice before knowing it existed.

St. Clair’s path from Air Force logistics manager to cybersecurity architect isn’t a detour; it’s a direct route. For security leaders struggling to build their A-team, her story is just one example of where to look. This article explores why some less obvious backgrounds are a natural fit for cybersecurity and how CISOs can home in on a largely untapped talent pool.

What the resume doesn’t show

As recently as 2024, the conversation about the cyber talent gap focused on headcount, with reports citing millions of unfilled roles. But skills shortages have since become the top concern, casting doubt on the traditional hiring profile.

What organizations typically look for in a candidate — computer science degree, technical certifications, teeth cut in IT — is no longer sufficient. Today, 95% of cybersecurity teams report at least one skills gap, with governance, risk, and compliance among the more notable shortfalls.

St. Clair holds a degree in computer information systems, which isn’t unusual for a cybersecurity architect. But her resume told a different story — one that, while seemingly unrelated on paper to cybersecurity, turned out to be exactly the right preparation for it:

  • Checking shelf life on war reserve materials is, functionally, software auditing: verifying what you have, what’s expired, and what needs to be renewed.
  • Assessing which squadron needs what equipment translates directly to understanding which teams need what tools and access levels.
  • Sourcing materials from other bases without stripping them of critical resources is a form of third-party risk management — solving your own problem without creating another elsewhere.

When St. Clair took on her first IT role after leaving the Air Force, then, the overlap was obvious. “It was the same thing,” she says. “I just had to change my job title.” She already knew how to control levels of access and manage assets — she just needed to learn the language and translate it to a new context.

What hiring practices often miss

Technical fluency is the minimum requirement for most cybersecurity roles. But the ability to think across an entire system — to ask what happens on the other side when something fails — is harder to screen for, and rarer than most hiring managers realize.

“When you have engineers who are solely technical, they’re thinking of this switch, that router,” says St. Clair. “It needs to go here, it needs to go there. And most of the time, they’re not thinking — what is the communication path behind that switch or router? And how would that affect the end user?”

St. Clair was already applying this process-oriented way of thinking in the military long before she earned her Lean Six Sigma Master Black Belt. This certification — built around process improvement, waste elimination, and variation reduction — formalized what she’d spent years practicing in the Air Force without knowing it had a name.

“There are people who will put blinders on so they can really focus and get things done, and that’s fantastic,” St. Clair acknowledges. “But if you’re not looking at the entire picture, you may have to do something over again.”

The problem is, this mindset isn’t easily represented on a resume — at least not in the keywords the ATS (applicant tracking system) will scan for. Someone who can anticipate a process breakdown before it becomes a vulnerability is the kind of candidate organizations want but rarely find. Had St. Clair applied for a role requiring five years of security-specific experience and a CISSP, her resume wouldn’t have made it past the first filter.

What uncovering talent actually looks like

St. Clair landed her first cybersecurity role thanks to a director who noticed she did something her peers didn’t: she made it her business to understand everyone else’s job.

It didn’t happen overnight. After leaving the Air Force, she spent several years in adjacent roles, steadily moving closer to cybersecurity while doing what she’d always done: ask questions, solve problems, and learn every part of the operation around her.

“I was working in inventory management, but I wanted to get into tech,” she explains. “I was ordering the equipment and software. But I would go around to every team and say things like, ‘You’re ordering a lot of these parts. Why is that?’ Then, ‘What are you doing with this cabinet? If I order bulk pieces, could we store them here?’”

“I’m not good at sitting behind a desk all day,” she laughs. “There’s always something we could do better.”

Once, when a vendor sent the wrong shipment and told St. Clair to keep it, she tracked down another site that could use it instead. Another time, she helped an engineer think through how to sunset aging software without disrupting thousands of customers.

The director noticed the way she approached problems — even those that weren’t hers to solve — and encouraged her to apply for a job in information assurance, a field adjacent to cybersecurity that draws on many of the same skills she’d been using all along.

It wasn’t a meticulously worded job posting or an ATS that uncovered St. Clair’s talent. It was someone watching her work. That distinction matters.

Takeaways for tech leaders

Stories like St. Clair’s are, admittedly, atypical. They require leadership who are willing to look past job titles to recognize real, demonstrated capabilities. The takeaway here is that the signals worth looking for won’t always be found on a resume.

CISOs and security leaders might instead pay attention to how candidates talk about their previous work — whether they describe processes, ask about downstream effects, and think about the people on the other side of a decision. Someone who spent years in logistics, compliance, law enforcement, or any field demanding operational thinking under pressure may be exactly what your team is missing.   

Lauren Spiller


Enterprise Analyst, ManageEngine
