6 cybersecurity soft skills to elevate your career

Cybersecurity professionals have the technical skills to protect their corporate networks, but they also need to master certain soft skills if they truly want to be effective.

Information security professionals must embrace new technologies and the perpetual learning curve that comes with them -- the industry attracts those with a voracious appetite for knowledge.

At the same time, career success requires more than just understanding technologies. Soft skills -- characteristics that enable people to work well with one another -- rank high on the list of desired attributes for practitioners in cybersecurity, governance, risk and compliance roles. This fact isn't necessarily a revelation for the industry. Information security and risk management programs are most often described as encompassing people, process and technology -- in order of priority.

Indeed, leadership roles demand characteristics that align more with the management of people than of systems.

Honing the skills listed below will help industry professionals stand out in their current roles, as well as demonstrate aptitude and readiness for moving upward in their careers.

Soft skills that matter for all security practitioners

Regardless of rank -- from C-level to entry-level -- every security practitioner should possess the following soft skills:

  1. Basic troubleshooting. Developing strong basic troubleshooting skills is a must. This goes beyond the simple ability to conduct research related to system issues. It is the ability not just to solve a problem, but to do so while interacting with colleagues and clients calmly and reasonably. This leaves a lasting impression.
  2. Human interaction. Let's face it: The classic depiction of technologists and security practitioners is that of a socially awkward recluse. Fearing that interacting with this archetype will yield some variation of the word "no," others purposely keep their interactions as brief as possible. Professionals looking to move upward in their careers should break free from this stereotype. Not everyone is an extrovert, but a little effort goes a long way. Be accessible.
  3. Empathy. Theodore Roosevelt is quoted as saying, "Nobody cares how much you know until they know how much you care." Practice putting yourself in the shoes of those in your charge, as well as those in charge of you and your colleagues, and recognize that while the knowledge you bring to an issue or decision is valuable, the way in which you handle the interaction matters even more. Issue resolution should never be a finger-pointing exercise, and condescension must be avoided during any such interaction.
  4. Self-advocacy. Rarely is it true in today's world that one's work speaks for itself. If it does, the message is fleeting and usually not received by those in a position to help cybersecurity professionals move up in their careers. Maintain a log of key successes and be ready to speak about them when asked. Whether it's an annual performance review or an interview for a new position, being able to intelligently reference and explain accomplishments -- and draw parallels between those successes and the next steps in one's career -- is a critically underrated skill.

Soft skills that matter for security leaders

The preceding soft skills are key for security practitioners and managers alike. The following skills are also important for any security leader to achieve:

  1. Understanding and supporting the motives of the business. Practitioners take a significant leap forward once they realize that no standard, framework, certification or nebulous list of best practices signs their paycheck or invoice. Instead, information security professionals who are on the path to leadership speak about the needs of the business rather than an imperative to "make things completely secure." By viewing information security priorities through the lens of the business, practitioners demonstrate alignment with executive leadership. More importantly, expressing this alignment in unambiguous terms during even the most mundane of operational reporting exercises creates a lasting impact in the minds of those who make promotion decisions.
  2. Divorcing emotion from risk-based decisions. Ask information security professionals what keeps them up at night and the responses will range from threats, such as ransomware and catastrophic utility outages, to budget challenges. The savvy leader, however, knows that self-imposed worries do not help decisions get made -- especially when those decisions are made by others, namely executive leadership. The security leader's role is to detail to top management those risks deemed most significant to the business and offer recommendations about how to mitigate those risks. The choice rests with the business at that point; should the business decline the recommendation, the case made was either compelling or it wasn't, but the decision made was an informed one. The conscience of the practitioner should be clear.

This industry does not need more anxiety. It does, however, need more leaders with the cybersecurity soft skills necessary for working with others in a way that enables everyone to be as productive as possible.

Mike Pedrick is a vCISO and consultant, advisor, mentor and trainer. He has been on both sides of the IT, IS and GRC consulting/client table for more than 20 years.