“People, Not Technology, Are Key Elements of Cybersecurity,” write Ivo Ivanovs and Sintija Deruma in an ISACA Journal issue. In fact, finding candidates with the right skillsets to develop countermeasures against cyberthreats or attacks means not only finding professionals with proven technical abilities and sound knowledge in the field, but also IT practitioners with the right creative, problem-solving skills and talents to discover flaws and apply solutions to strengthen the company.
The right combination of soft and hard skills is in high demand, and job seekers are asked to showcase both in order to be considered for positions at any level. So are soft skills more important than hard skills for a cybersecurity professional? Or do technical skills still prevail?
The Essential Skills InfoSec Needs
When identifying required skills for any IT practitioner, it is important to point out the main differences between the two sets of skills. In reality, there is one main distinction: hard skills come from training, while soft skills are for the most part innate. Hard skills have to do with the knowledge a professional will build through years of studies, experience and work in the field. Although talent can always play a role in the ability to acquire, retain and apply knowledge in most complex situations, the majority of technical skills can be honed through hard work and keen interest in a subject; they can also be more easily tested and measured.
Not so for soft skills. These can be much harder to assess, as they have to do with the personality sphere, the candidate’s ability to adapt to situations and the capacity to respond to circumstances and pressure. These skills can be perfected and accentuated, but, in most cases, are related to the professional’s own personality.
Technical skills are obviously essential in order to keep up with advanced threats. First of all, a strong knowledge base in cybersecurity and an overall good understanding of most IT sectors is needed: from network management, network security fundamentals (i.e., understanding the main concepts of how to secure a computer network) and network troubleshooting to communications and data handling. Security professionals are expected to know their systems inside out. Many employers are looking for practitioners with a proven track record of excellence in the use of the newest security tools, good incident response skills, and the ability to analyze data and implement countermeasures. Good scripting ability is often a strong requirement and, more and more, forensics or pentesting-like skills are preferred.
Employers are also interested in candidates who continuously update their knowledge in areas such as breach management, secure change management, risk management or vulnerability management. InfoSec Institute, for example, mentions the following skillsets as worth having in a security manager:
- Application, data and host security
- Business continuity
- Ethical hacking basics
- Penetration testing
- Security policies
It’s said the talent shortage is driven, in part, by the need for specialized skillsets among IT workers and security managers. So the “IT Talent Gap Grows with Tech Roles,” as PR Newswire put it when discussing Manpower Group’s 2016 Talent Shortage Survey.
Lately, however, soft skills have been increasingly listed as important in more and more job vacancies. In fact, a Burning Glass analysis discovered that of the over 25 million online job listings, one in four of the sought-after skills were soft ones.
As the cyberthreat landscape increases in complexity and as attackers become ever more creative with attack methods, defending digital assets is ever more challenging. The defense needs to be supported by quick advances in technical tools, but also by having the right person with the right mix of security skills on board—this is key!
But what skills do infosec pros need? For one, they must have personal skills like communication, negotiation ability, critical thinking and troubleshooting skills, which are applicable in the IT security sector. Supporting a strong security program needs better, more innovative ways to resolve problems to assure the confidentiality, integrity, availability (CIA) and accountability of an organization’s information assets; as well, it needs seamless collaboration between IT teams and all other sections of a company and users at all levels.
For someone in a management position, soft skills may be more important than hard skills. Managers have to be able to communicate changes, explain problems, lead meetings and make presentations to other members of management and executives. In a leadership position, the ability to effectively communicate, listen, digest and analyze information is key, as the professional is engaged in a role that requires working closely with management and staff, customers, suppliers, and business partners. However, communication is actually key in any role to convey findings, explain issues, relate information, translate technical necessities into layman’s terms, break down complex concepts and document issues and actions.
Other essentials are problem solving and analytical skills necessary to face the ever-changing threat scenarios and to review, compile and transform thousands of little pieces of data into useful information. In addition, creativity is essential in order to think outside the box and remain one step ahead of malicious hackers. This is an extremely important skill, especially for professionals in ethical hacking and pentesting.
As mentioned earlier, teamwork and collaboration are also essential. IT professionals do not work in a vacuum; they need to coordinate with management, staff and each section of the organization in order to understand the customers’ requirements, get funding, and create an IT infrastructure that fully supports the business objectives and engages the entire organization in asset protection. Training and presentation skills are also very valuable: many IT professionals in different capacities may be asked to present facts, findings or solutions to stakeholders within their own scope of work. Some infosec professionals are entrusted with the training of staff in cybersecurity awareness and the creation of tools for user support and education.
Organizational skills and being detail-oriented are also important, as infosec pros might be faced with any number of procedures and any amount of collected data. Understanding anomalies in processes and systems, in fact, also requires understanding and tracking what is “normal” for that particular environment.
There are also two other soft skills that are highly valuable and that are often overlooked. The first one is the professional’s ability to view the “big picture.” Infosec professionals need to be able to devise strategies and create policies that address the organization as a whole and that fully support the goals of the entire company. The second one is even more essential: the will to continue learning throughout their entire career. Most jobs require knowledge updating, but in cybersecurity, technology and adversaries’ skills move so fast that practitioners quickly find themselves behind unless they have the drive to continue studying, reading and being “students” for the rest of their professional life!
Soft Skills vs. Technical Skills: Who Wins?
It is no surprise that being an infosec professional often requires a higher education (a computer science degree) combined with a varied skillset. However, standing out in a hiring competition and advancing in a career also requires a plethora of other traits that employers are increasingly valuing. Finding candidates with the right knowledge and technical abilities is paramount, but companies are also realizing that much can be learned even after hiring and that screening instead for soft skills can truly make the difference.
When examining the sought-after attributes of InfoSec pros, the 2013 (ISC)2 Global Information Security Workforce Study (a web-based survey) revealed that respondents ranked many soft skills in the top ten success factors of professionals.
In addition, a Harris poll of hiring managers revealed that 77 percent of employers value soft skills as much as hard skills. Excellent communication abilities, the ability to fit seamlessly in a team, the willingness and ease of sharing information and knowledge as well as the ability not to crumble under pressure are skills that can be improved but, in most cases, are innate. In a pool of applicants with similar technical abilities, these traits will make the difference when recruiters evaluate how the candidate would fit into the company culture. For higher positions, they are absolute essentials.
At any level in an organization, though, what you can do is being matched in importance by how you do it.
For infosec professionals, hard skills are still essential in order to be considered for and offered a job, but soft skills are gaining momentum, and they are definitely becoming the most important element in career advancement. “While technical skills open the door to new career opportunities for IT professionals, soft skills are essential for landing promotions and leadership roles,” says John Reed, executive director of Robert Half Technology. In 2016, the company surveyed a number of chief information officers (CIOs) on which areas they believed technology professionals could use the most improvement, and basically only soft skills were identified:
- Communication skills – 28%
- Problem-solving skills – 21%
- Accountability and reliability – 18%
- Creative thinking – 13%
When asked which skillsets or abilities are most important for technology professionals who want to advance their careers, the CIOs identified, once again, soft skills:
- Problem-solving skills – 26%
- Communication skills – 25%
- Work ethics – 18%
- Creative thinking – 14%
There are jobs on the market that are strongly supported by either one of the two types of skills. For example, a highly specialized metalworker will be mostly evaluated on his actual technical skills, while a salesperson will need more people skills.
That being said, infosec pros truly require a balance of hard skills and soft skills. They need to have the technical know-how to design and evaluate systems and network architectures, as well as be able to keep up to date and understand the latest information on trends, best practices, standards, and methods. However, they also need the ability to collaborate and be team players, have the creativity to devise countermeasures to cunning malicious hackers and the communication skills to explain results to various stakeholders.
Solving the Talent Shortage, Manpower Group
10 Soft Skills Every IT Professional Should Develop, Harvard Extension School
Making A Hard Case For Soft Skills, Robert Half
Hard Skills vs. Soft Skills: What’s the Difference?, The Balance Careers
Growing Soft Skills for Better IT Business Relationships, InformationWeek
Most Orgs Worried Skills Gap Will Leave Them Exposed to Security Flaws, The State of Security
Survey Says: Soft Skills Highly Valued by Security Team, The State of Security
IT Talent Gap Grows with Tech Roles Second Hardest to Fill Globally, The State of Security