To have a successful career in cyber security it's not enough to have superior technical skills. Even in security companies, security is a cooperative function, it requires the active participation of other people and teams in an organization. This truth is especially true for those who are or aspire to be in a leadership position. Soft skills are imperative to your success.
This page serves as the stepping off points for all of the soft skills that I believe is worth investing in to build a successful career.
The essential soft skills for cyber security professionals
This first list covers the set of skills that I believe applies to anybody working in the field, regardless of your position, discipline, title, or level.
Security is a team sport, to succeed we need to be able to communicate with each other without hostility, with our non-security colleagues, with our bosses, and with our friends and family. Effective communication has many dimensions from listening, speaking, to non-verbals.
Storytelling and public speaking
Ever watched a compelling TED talk or sat through a hilarious stand-up routine? Effective speakers are very frequently effective storytellers; while this is technically a part of communication, I think storytelling deserves a special call-out as a means to effectively communicate complex or challenging subjects.
Working in security as we do, we spend a lot of time writing, from documentation to security assessment reports. Being able to structure your thoughts in a way that it can be quickly consumed and gets read and acknowledged is critical if you want to move the needle.
You've probably heard me say before that security is a team sport, it requires us to involve others who we are trying to protect, who are trying to build things, who have jobs to do that don't include security. To get those people onboard with a security initiative that we need to exercise some degree of influence skills.
There's always going to be more things to do, more code to look at, more alerts to triage, or more requests to look over. To maintain a sense of sanity and effectiveness you need to understand how to manage your time efficiently or risk excessive stress, missed deadlines, frustration, or burnout. None of those are good for anyone, least of all yourself.
Building effective relationships
Ever heard the term it's not what you know it's who you know? I don't think that applies in absolute terms in cyber security as one certainly needs to understand their discipline and provide value, but investing in relationships can elevate everyone.
Teamwork and collaboration
Sometimes it's enough to step into a task or a project and apply a superhuman degree of hard work to bring it over the finish line. Many times though, that just doesn't cut it, or things may end up worse off in the long run; I've seen this happen many times in my own career. Related to the influence skill discussed above, we need to understand how to effectively work as part of a team.
Feedback is an integral part of personal and professional development. Nobody is perfect, but by giving feedback to others and welcoming it with open arms ourselves, you can begin to find those areas of your skill set worth investing in and improving, perhaps more importantly, what things you may want to stop doing altogether.
Security and technology both change quickly; there's always some new technique, some new tool, or some new threat group to familiarize yourself with. It can be mind-boggling (and somewhat impossible) to keep up with everything, despite your best efforts. Understanding how you learn and where to spend your extra cycles learning new skills can help you lay the groundwork needed to continue to grow your career.
Adversarial thinking and the red team mindset
As security professionals we must be ready to challenge assumptions, we must be able to put ourselves in the shoes of an adversary and think about problems, think about opportunities. Developing your ability to think like a red teamer can serve you in all aspects of security, from incident response, policy making, to quite obviously, hacking and penetration testing.
Risk assessment and talking about risk
Part of our jobs in many cases is to uncover risks to an organization. Communicating those risks in a way that people act on them is a whole separate but important beast. The sky isn't always falling so we shouldn't be showcasing our risks as though it is.
Soft skills for cyber security leaders
This second list is more exclusive to those in a current or aspiring leadership role. It's worth noting that this list is by no means absolute; individual contributors can definitely benefit from these skills as well. The reason for this segmentation is to make it clear where leaders really differentiate from individual contributors in terms of their contribution to the team's success, both are essential, both are hugely valuable, but they are different.
As a leader you're going to have a lot of moving pieces, projects will start and they will run until abandoned or completed. Being able to manage a project from the start includes everything from planning and design to maintenance.
People need to be supported, listened to, and managed. This does not mean constant micromanagement, rather, it means to support and leadership. This is a skill not easily learned when somebody has spent large parts of their career solving technical problems.
There are so many competing priorities as a security leader, vendors will all tell you that what they're selling must move to the front of the line, your stakeholders all have different opinions and your budget is limited. You must be able to discern what is actually important and what you must say "no" to, at least for right now. This is not an easy thing to do, but it is one of the most important skills you can acquire as a leader.
Chess is a difficult game to master, especially when you're playing against a studied expert. In chess, unlike security, each player has access to the entire board, there is no secret information other than your opponent's intention and strategy. As security leaders, we need to be capable of making decisions quickly and we need to make them with imperfect data, without all the logs, with tensions rising.
Strategic planning is the process of figuring out what you're going to do, how you'll allocate resources, and how you'll do it all. There are a lot of frameworks and books out there on this particular skill, figuring out the way to make it work for you, your strengths, your weaknesses, and your context is the important part.
Board members and other executive leaders often get a bad rap from the security community that they simply don't understand risk. I believe the exact opposite is true, since building a successful business is all about managing risk and opportunity. It's our responsibility to communicate the particular type of risk that we wrestle with in a way that is consumable and actionable for our audience.
Hiring and team building
Tools don't build programs, people do. Hiring is the way that you bring people into your program, invest in diversity, and increase the collective brain power in your ranks. It's important to have solid processes in place that are in alignment with your strategy as you embark on a hiring plan.
Motivation is a key skill for any leader in any field. Getting people to contribute their maximum effort even when they may not feel like it. Being able to motivate others to get behind your strategy or even better, contribute their own unique perspective to it, is clutch.