Information security professionals must embrace new technologies and the constant learning curve that comes with them. The industry attracts people with a voracious appetite for knowledge.
At the same time, a successful career requires more than an understanding of technology. Soft skills – the traits that enable people to work well with one another – rank high on the list of desired qualities for practitioners in cybersecurity, governance, risk and compliance roles. This fact isn’t necessarily surprising for an industry where information security and risk management programs are most often described as encompassing people, process and technology, in that order of priority.
In fact, leadership roles require characteristics that are more consistent with managing people than systems.
Developing the skills listed below will not only help industry professionals stand out in their current roles, but will also help demonstrate aptitude and readiness for career advancement.
Important soft skills for all security professionals
Regardless of rank (C-level to entry-level), all security professionals should have the following soft skills:
Basic troubleshooting. Having a strong foundation in basic troubleshooting skills is a must. This is not just the ability to do research related to system problems. It’s not just knowing how to solve a problem, but the ability to do so while interacting calmly and rationally with colleagues and customers. This will be remembered for a long time. Human interaction. Let’s be honest, technologists and security professionals are stereotyped as socially awkward recluses. Some intentionally keep their interactions as short as possible for fear of resulting in various variations of “no.” Professionals looking to advance in their careers should break away from this stereotype. Not everyone is an extrovert, but a little effort can go a long way. Be approachable. Empathy. Theodore Roosevelt is quoted as saying, “Nobody cares how much you know until they know how much you care.” Practice putting yourself in the shoes of those you manage and your and your colleagues’ managers. Recognize that the knowledge you bring to a problem or decision is valuable, but how you interact with them is even more important. Problem solving should not be an exercise in blame-shifting, and condescending attitudes should be avoided in such interactions. Assertiveness. In today’s world, it is rare that your work speaks for itself. Even if it does, the message is fleeting and usually not received by those in a position to help cybersecurity professionals advance in their careers. Keep a log of significant successes and be prepared to talk about them when asked. Whether it’s your annual performance review or an interview for a new position, being able to intelligently mention and explain your achievements, and to draw parallels between those successes and the next steps in your career, is a highly underrated skill.
Critical Soft Skills for Security Leaders
While the soft skills mentioned above are important for both security personnel and managers, the following skills are also important for security leaders to master:
Understand and support business motivations. Practitioners get a long way when they realize that standards, frameworks, certifications, or vague lists of best practices are not going to sign their pay stubs or invoices. Instead, information security professionals on their path to leadership speak about the needs of the business, not the mandate to “make things perfectly secure.” Practitioners demonstrate alignment with C-suite executives by viewing information security priorities through the lens of the business. More importantly, articulating this alignment in clear terms even in the most mundane business reporting exercises will have a lasting impact in the minds of those making promotion decisions. Separate emotion from risk-based decisions. Ask information security professionals what keeps them up at night and you’ll hear a range of answers, from threats like ransomware and catastrophic utility outages to budgetary challenges. But wise leaders know that self-imposed anxiety doesn’t help them make decisions, especially when those decisions are being made by others: the C-suite. The role of security leaders is to detail to management the risks they believe are most significant to the business and provide recommendations on how to mitigate those risks. The choice at that point is with the business. If the business rejects the recommendations, the case presented may or may not have been compelling, but the decision made is an informed one. The practitioner’s conscience must be clear.
Our industry doesn’t need more fears. But we do need more leaders with the cybersecurity soft skills they need to collaborate with others so that everyone can be as productive as possible.
Mike Pedrick is a vCISO, consultant, advisor, mentor and trainer with over 20 years of experience in both IT, IS and GRC consulting and client roles.
Learn more about careers and certifications