7 Expert Opinions on Soft Skills that are Most Important for Cybersecurity Professionals
Cybersecurity encompasses a broad range of specialty areas and work roles. No single education or training program can be expected to cover all the specialized skills and sector-specific knowledge desired by each employer. Nevertheless, there are certain soft skills or “people skills” that are important for any new employee in a cybersecurity role, regardless of the field they are in.
Soft skills refer to character traits and interpersonal skills that will influence how well an employee can work with others, including executives, co-workers, and vendors. We asked 7 cybersecurity professionals which soft skills one needs to master in order to become a successful cybersecurity professional. Some of these soft skills come naturally, and some can be learned on your own. Continue reading to see their insights.
Monika Geitlinger (Information Security Officer at Raiffeisen Switzerland)
Varying communication skills: For information security personnel, the ability to discuss the topic on various levels in a company is essential, so you can communicate the needs on every company / hierarchical level.
Flexibility and the willingness to compromise: Enabling people to do their work more securely and efficiently without compromising your company’s data and security should always be your goal. If that means you must change some of your plans to fit the needs of the company better, allow some degree of flexibility to accomplish both the goal and compliance with your policies and guidelines.
Engage with your colleagues: The more engaging you are, the more people will be willing to work with you to enhance their security behavior! But just as important, if they have an engaging person training them and helping them with security issues, they’re more likely to be invested in the topic and build an emotional connection with you and with the topic of security.
Colin Hardy (Malware Specialist)
Communication and relationship skills have been essential for me to progress within the industry; both in managerial and non-managerial positions. Let’s have a look at both.
Communication: I found quick success within the industry through being able to articulate complex topics into meaningful bite-size detail coupled with a risk-based lens. Oftentimes organizations are targeted with super-complex attack scenarios (e.g., SolarWinds); however, C-Suite Executives tend to focus on security risk and the potential for operational business impact versus the associated cost. Understanding the technical complexities of an attack scenario and translating that into language senior leaders are familiar with will ensure you’re able to add value to an organization. Next time you’re trying to explain something complex (even to your peers), try and write it in a tweet!
Within managerial positions, I’ve found communication to be essential in motivating, supporting, and developing a team, especially within the age of COVID as more teams are working remotely and balancing home/work life. Establishing how to communicate, how often, and for what purpose has been a voyage of discovery for me personally, but I’ve enjoyed the outcomes – I’ve had meetings in Virtual Reality, walking team meetings in the wind and rain, heartfelt 121’s and virtual all-hands meetings where we’ve been able to really nail down an operational security-maturity strategy.
Also, being able to translate high-level strategy from C-Suite executives back through to technical audiences is a skill I continue to develop to ensure teams really understand the organizational strategy and how each person can play a significant part in that journey.
Relationships: Building relationships both within a small team and throughout the wider organization is key to understanding how security relates to the wider business strategy. Oftentimes, running a security team will simply cost the business money straight from the bottom line, and therefore understanding the various priorities around the business and how security can best interface with the plethora of tools, technologies, and processes a typical business has will help ensure that you can add the most value to an organization.
Also, in terms of personal development, I have found the key to building a successful relationship with mentors and peers is to focus on building your own credibility whereby you can add value to the conversation. Mentoring is great, but often the conversation is one-sided; the mentor delivers great insights, and the mentee consumes all the information. What has worked better for me is to focus on also delivering value back to the mentor by sharing ideas and different ways of thinking, thus, helping to cement a future lasting relationship that continues to promote professional growth.
Ivan Rivic (CISO at DataStore)
There are many skills needed to be a respectful professional. Positive energy, possibility to drive your colleagues, punctuality, ability to challenge your colleagues, presentation skills, and others.
Nevertheless, I would point out that calmness in daily work and especially in high-tension situations, like security incidents, is one of the most important skills that cyber security professionals can have. Besides that, trustworthiness (“you can count on me”) is much appreciated. Since cybersecurity is a complex and highly dynamic area, the ability to have a broad view and to point out the main points would be also one of my favorites.
Marcel Prisi (Security Expert at Kudelski IoT Security)
To me, the biggest soft skill of any security specialist is keeping an open, curious & creative mind. The people on the other side of the fence are incredibly ingenious and ready to invest unlimited time, and in some cases, a large amount of money in a single goal. They know the security tools we are using, so we need to be creative and go the “extra mile” in order to have any chance of sustaining some of these attacks.
Fred Streefland (CEO at Secior)
Great question. I think that several soft skills are essential for a security professional, with communication skills as the most important one. It is the security professional (CISO) that needs to communicate with the Board of Directors, the IT manager, the Legal Counsel, the Developers, the HR Director, and all the other employees in the organization.
To secure an organization, the security professional should be understood and supported by all of them. In order to get this support, the security professional needs excellent communication skills to inform all of them in their own ‘language’ (business language/IT language/Developer language, etc.) so they are aware of cybersecurity and act accordingly.
Chris Whalen (Assistant Director and Cyber Architecture at Bank of Canada)
Communication is so important that I will stick to that. In cybersecurity, we have an understanding of technical and complex issues that can be hard to explain, even amongst ourselves.
Let’s start with knowing your audience. The message I deliver to the board or executives is going to be different from the message I deliver to the rest of the organization (e.g., to HR or to a technical team).
Imagine learning about a new adversary technique where your organization may be at risk, but mitigating that risk requires additional resources. I understand the technical details and the potential damage if the risk is realized, but I need to translate that into the impact on the business and why asking for resources is justified.
This message is important to craft and deliver; otherwise, it might not be properly received, and the risk remains, possibly until it’s too late and the damage is done. And there is no guarantee the risk can be 100% mitigated. Risk analysis helps of course, but you need to be able to communicate that line of thinking and be able to back it up.
Take that further and apply it to a cross-functional project like cybersecurity compliance. In working towards building a compliance program from scratch to achieve a successful SOC 2 audit, I needed to work with different parts of the organization from HR, Legal, Finance, and technical teams in R&D, along with my own team. Having the ability to convey the importance of SOC 2 to them, explaining their role, and getting their buy-in is essential for success. Even before you get to that point, you need support at the top. It is a big investment and a lot of people agree and help.
If you can’t convey your message in a way that your audience understands, you won’t get very far.
Laura Voicu (Manager Security Assurance at Elastic)
I strongly believe that in any information security role we need more than technical skills. There is a lot of good advice out there on the technical skills needed in the information security world. But soft skills can easily be more valuable than technical skills. As security professionals, we need to communicate with people. Information security is a shared responsibility across a company. Our job is to work collaboratively and at all levels to foster a culture of security. We need to make sure security policies are not only in place but followed.
Critical thinking is something that everyone wants, but it is difficult to define clearly. In my mind, critical thinking means starting with the result you want to achieve and mapping out a logical path to that result. In the case of information security, the result is protecting business assets and processes. Anything we do should support that end goal. If not, it can be eliminated.
Last, but not least, as security professionals, we are here to help the business be successful and enable the business to succeed – that’s the bottom line and having this mindset is extremely important.