Remember your first interview for a cybersecurity role? You were probably peppered with questions about subnetting, port scanning, running your home lab, and a laundry list of other technical trivia.
While technical skills will help you get your foot in the door, though, they’re rarely enough to help you land your dream job.
I entered the field decades ago with no formal technical training, and I pursued a handful of technical certifications to help me score my first cybersecurity job. I was immediately pigeonholed as a certified button pusher, although I knew I was capable of doing a lot more.
While my technical chops helped me land that first job, my career really picked up speed when I started developing my soft skills.
There were four (4) soft skills in particular that helped me take control of my career, enabling me to do what I want to do in the way that makes the most sense to me.
I want to share those skills with you so you can take control of your own career even more quickly than I did.
1. Communication Skills
The key to getting people to understand the importance and value of what you do is communication, and the secret to effective communication is empathy.
Your non-technical coworkers see you as a wizard. Technology and sorcery are indistinguishable in their eyes, and the language you use full of jargon and acronyms only enhances that image.
If you want to convince people to stop clicking on links in phishing emails, you’ll find more success if you can forget everything you know for a second and look at those emails through their eyes. You need to speak to them in their language. You need to meet them where they are.
If you want to convince your peers to back a project that will help strengthen your organization’s cybersecurity posture, you need to walk a mile in their shoes so you can better understand how your project will impact their day-to-day. If you can pitch your project in a way that emphasizes how it will ultimately help them as well, they’ll quickly start pitching your project for you.
And if you want to convince the executive team to fund your project, you need to stop talking about cybersecurity best practices, and you need to start talking about how the project will benefit them. How is your project ultimately going to help the business continue to grow? How will the project ultimately help them advance in their own careers? (C-level execs are just as motivated as you are to keep moving forward in their careers.)
Talk to the people around you, and listen to them, REALLY listen. Ask them to explain what’s important to them and why. Listen, and don’t interrupt, don’t challenge their way of thinking. Listen to learn, and ask for clarification or additional insights throughout that conversation.
Approach every discussion you have and every message you send by first considering how it will be received. Start speaking their language, and you’ll be amazed how many roads open up ahead of you.
2. Research and Analysis Skills
Communication may arguably be the most important soft skill in any field, but research and analysis skills have a unique benefit to cybersecurity professionals.
Every IT pro is expected to know their field. Database admins know databases. Linux admins know Linux. Developers know their code.
Cybersecurity pros, though? They need to know a little bit about everything.
And it doesn’t stop with technical knowledge. You need to understand the surrounding processes. You need to know how things are built as well as how to break them so you can figure out which security controls to deploy and where to deploy them.
You could also benefit from some legal knowledge, since regulation plays such a key role in what we do. You don’t need to have your JD, but you do need to know enough to hold your own in a conversation with your Chief Privacy Officer.
Your ability to research different fields and to analyze your newfound knowledge through the lens of cybersecurity is key. That research and analysis is going to improve your ability to communicate effectively with each and every team you engage, and like we just discussed: communication is soft skill number one.
Cybersecurity professionals frequently combine their research and analysis skills with their communication skills to convey critical information to different audiences. More often than not, they do this through writing and reporting.
Metrics are going to tell the cold, hard truth of how well your cybersecurity program is doing in meeting its quantitative goals, but the art meets the science when you can wrap stories around those metrics.
Take a penetration test report, for example. You can list all the vulnerabilities you found and you can include the step-by-step process that shows how you exploited each finding. Will a C-level exec care? Will they even read the report?
If, however, you can tell the story of how a cybercriminal might exploit that same vulnerability, and you can weave in a description of the potential damage that would result from an actual attack, damage that would impact the organization’s ability to execute on their future plans…
Now you’re getting somewhere. Now you’ve got them hooked.
BB King, a pentester with Black Hills Information Security, delivered a terrific presentation on this very topic at BSides Columbus 2020. It’s definitely worth checking out.
Your ability to research various fields, both technical and nontechnical, and analyze your findings in another key skill. Translating your findings into a message or presentation that connects with your audience can help you move mountains.
3. Problem Solving Skills
When you’ve convinced yourself that you already know it all, you’ve already lost.
The most successful cybersecurity professionals are insanely curious. When they look at a system or application, the first question they ask themselves is, “How does this work?” The second question they ask is, “I wonder if I can make it do something it’s not supposed to do?”
Cybersecurity professionals exercise problem solving skills every day. They take the big challenges and break them down into smaller, more manageable chunks of work. Then they tackle each chunk one-by-one until they’ve solved the larger problem.
If there’s something you don’t know, read an article or blog on the topic. Watch a YouTube tutorial on how to do something you’ve never done before. Listen to an online class to make deeper connections between what you already know and what you want to learn.
Cybersecurity professionals also embrace creativity when it comes to problem solving. You don’t look at a challenge and say, “That’s impossible.” Instead, you say, “No one’s figured out how to do that yet. It’s a good thing I’m here.”
Create mind maps. Have conversations with people who have in-depth knowledge of a field you’re exploring. Build connections between disparate disciplines to come up with new and innovative ways of solving problems.
Then, take everything you’ve learned and package it up so you can teach others what you know. When you can teach something to someone else, that’s when you know that you really, really understand it.
Cybersecurity is a virtual arms race. The adversary has shifted from script kiddies defacing websites to criminal organizations and nation states with repeatable processes and automated tool sets. They’re constantly sharpening the tools in their shed, and you should be doing the same.
Find a relatively small challenge, dig into it until you figure it out, and then teach your solution to others. The more you can practice your problem solving skills on a smaller scale, the more effective you’ll be at applying those same skills to much larger problems.
4. Strategic Thinking Skills
Tactical cybersecurity professionals speaking in terms of vulnerabilities and exploits. Strategic thinkers speak in terms of risk.
We’ve seen this shift in NIST special publications, as well as in the OWASP Top Ten list. The entire cybersecurity industry is more and more focused on understanding risk rather than just vulnerabilities. Why is that?
Because risk language resonates with the business.
When you change your language to start emphasizing the risks associated with cybersecurity weaknesses, you’ll start to think more and more in terms of how those weaknesses might impact the business.
An ineffective password security policy makes it easier for an attacker to compromise a valid set of credentials. Why does that matter?
Compromised credentials alone aren’t the risk. The risk is what an attacker might do with those credentials. Can they steal sensitive information? Now you’re facing a possible data breach (and all the costs that come with it). Can they take production systems offline? That’s an availability risk that will likely affect your ability to deliver services to your customers (not to mention the impact it’ll have on your reputation).
Your understanding of the risk to the business will ultimately drive action to mitigate that risk, but beware of the trap of knee-jerk reactions. Think strategically while acting tactically. What is the heart of the problem? Are you addressing the actual problem, or just a symptom? If your response to that risk is short-sighted, you’re not solving anything. You’re just kicking the can down the road.
This shift toward thinking strategically in terms of risk will also lead you to the standards, frameworks, and regulations drafted in response to those risks. You should dive into these resources, but try viewing them not as individual controls, but as a whole. Why were these documents written? How have they changed over time? Understanding where they came from will help you get ahead of inevitable changes in future versions.
Once you adopt a strategic mindset, you’re in a much better position to embrace a leadership role. Keep in mind, though: you don’t need the title CISO to be a leader. You can lead within your own team. You can lead as an individual contributor. You can lead by sharing your insights with the larger cybersecurity community.
When you demonstrate that you see the big picture, that you can see the connections between where your organization is today and where they’re going in the future, people within your organization will seek you out for counsel and advice.
And that, my friend, is an excellent place to be if you want to take control of your cybersecurity career.
Takeaways
My experience is not everyone’s experience. There are plenty of cybersecurity professionals who have walked down a different career path.
And that’s fantastic! While our paths often cross, no two paths are exactly the same. It’s on you to choose the path you want to follow (or better yet, to forge).
Focusing on these soft skills definitely worked for me, and I’m continuously grateful that I’ve been able to help as many people as I have throughout my career. I’ve built cybersecurity programs from the ground up, I’ve consulted with organizations ranging from mom and pop shops to federal agencies, and I’ve worked with some truly amazing, truly brilliant people.
Most importantly, I’ve been able to provide for my family by doing something that brings me a sense of purpose and satisfaction.
If you’re interested in learning even more about soft skills for cybersecurity professionals, you’re welcome to check out my LinkedIn Learning class on the topic.
I’m forever the student, though, and I’m sure that there are other soft skills that other cybersecurity professionals have found valuable in their own careers.
What soft skills would you put at the top of your list?
— — —