The “cyber security skills gap” narrative is consistently making headlines these days. One study predicts there will be a shortage of 2 million cyber security professionals by 2019.
Cyber security is a fast-paced sector that hinges on advancements in technology – so it’s almost inherent that we’ll constantly be chasing a skills gap. Today’s immediate skills needs for our workforce revolve around hot technologies like the cloud, IoT, open source and DevOps.
In particular I think strong IT and cloud knowledge are a must. We as security professionals need to have a firm grasp on where we have come from, what we have to work with, and where we are going. As the “defenders of the kingdom,” we need to know what we’re protecting.
But there’s also a range of skills that I believe we as security professionals will always need. This range includes both “hard” skills, those that are specific and teachable, and “soft” skills, which are more innate and often have to do with socialization. I believe the right combination of these two skills areas – along with ongoing professional development – can lead to a long career in cyber security.
The two hard skills I think are most important are:
- A deep understanding of controls: Security focuses on risk and controls, and understanding which tool to use where – and for what risk mitigation – is crucial. Don’t use a sledgehammer when tightening a screw will do; and
- Knowing your business and mission: Regulations and compliance requirements are a crucial component of security. You must also know how your business’s risk changes at the speed of business.
Security professionals should undergird these essential hard skills with the various certifications that our industry offers. The certifications might not provide all the tools needed, but they do help businesses take a comprehensive approach to their security posture.
My list of soft skills is longer:
- Communication: Cyber security is dynamic and confusing to many. You need to be seen as a strong communicator, approachable, and open to inquiry and requests for assistance.
- Creativity: The adversary is always thinking creatively as they seek new attack vectors and approaches. You must have a creative spirit.
- Inclusive and accepting of diversity: It takes the desire to embrace unique thinkers who bring different, if not controversial, approaches.
- Inquisitive/curious: Cyber security is a fast-moving space. Some of the best cyber security professionals have a strong sense of curiosity and are always looking at how things “work” and “break.”
- Networking: Find opportunities to share challenges and successes – and learn from others (often through industry conferences and coalitions).
I believe these skills lay the groundwork for success in cyber security. Of course different careers within cyber security require different mixes of these hard and soft skills. For instance, a CISO or other security executive needs strong communication and strategy skills – and in particular, the ability to prioritize and communicate risks to management, colleagues and the larger organization. He or she will also be well served by knowing industry regulations, acting as a change agent, and building bridges within the company and beyond.
But as another example, a security analyst’s skills mix looks a bit different. Creativity is key, as are curiosity and technical proficiency.
If I were to turn this evaluation on myself, I’d attribute my success in cyber security to my skills in communication and empathy, along with my willingness to take risks and pursue a challenge, and to building and maintaining strong teams. Each professional brings different skills to the table – that’s the beauty of working in teams and in organizations – so this list isn’t meant to be definitive. But these skills are what I’ve observed to be the building blocks for longevity in the field of cyber security.