One reason companies can’t find the experienced cybersecurity professionals they need: there just aren’t many tech pros who have mastered not only the necessary technical abilities, but also “soft skills” (such as clear communication)—and those who have, well, they’re already employed (often with hefty salaries and benefits designed to keep them in place for the long term).
With that in mind, if you want to plunge into a career in cybersecurity (and there’s no reason you shouldn’t, at least in terms of salary), here are some of the traits you’ll need to exhibit.
Solid Work Habits
First, you’ll need some essential work habits, including the ability to work methodically (and in a detail-oriented way). The following abilities also come in useful:
- Eagerness to dig into technical questions and examine them from all sides.
- Enthusiasm and a high degree of adaptability.
- Strong analytical and diagnostic skills.
- A current understanding of common web vulnerabilities.
- Maintaining awareness and knowledge of contemporary standards, practices, procedures and methods.
That’s in addition to the aforementioned soft skills; remember, security professionals often need to communicate complicated subjects to people who might not have much of a technical background (such as C-suite executives). With that in mind, mastering the following is usually a perquisite for climbing to more advanced positions on the cybersecurity ladder:
- Excellent presentation and communications skills to effectively communicate with management and customers.
- Ability to clearly articulate complex concepts (both written and verbally).
- Ability, understanding, and usage of active listening skills (especially with customers!).
From a cybersecurity perspective, soft skills will also allow you to identify examples of, and explain, social engineering, which is a pervasive issue within the security community. You can put all kinds of hardware and software security measures in place, but hackers can still use social engineering to convince unsuspecting employees to give them passwords, credentials, and access to otherwise-secure systems.
Which technical skills do cybersecurity pros need? That question is a bit trickier to answer, as there are many sub-disciplines within the cybersecurity field. That being said, many such jobs share a common technical foundation.
For starters, tech pros should understand the architecture, administration, and management of operating systems (various Linux distros, Windows, etc.), networking, and virtualization software. In other words, get to know—and love—things like firewalls and network load balancers. That’s in addition to general programming/software development concepts and software analytics skills.
There’s also the need to understand the more common programming languages, including Java, C/C++, disassemblers, assembly language, and scripting languages (PHP, Python, Perl, or shell).
Many employers demand certifications as a perquisite for employment, and it’s easy to see why. In a recent survey, the International Information System Security Certification Consortium (ISC)² noted that a degree and certifications were often a major factor in hiring. “Cybersecurity certifications are essential to showing the level of knowledge of a cybersecurity professional. However, they should never alone be the only reference,” Joseph Carson, the chief security scientist at security vendor Thycotic, told Dice in an email.
Potentially important certifications include the following:
- CEH (Certified Ethical Hacker)
- OSCP (Offensive Security Certified Professional)
- CISA (Certified Information Security Auditor)
- GCIH (GIAC Certified Incident Handler)
- Certified Information Systems Security Professional (CISSP)
- Information Systems Security Architecture Professional (CISSP-ISSAP)
- Information Systems Security Engineering Professional (CISSP-ISSEP)
- Information Systems Security Management Professional (CISSP-ISSMP)
While these types of certifications are good to have and show employers that the candidate is interested in continuing education, “certifications should be combined with solid industry experience to get the right level of skillset required,” Carson added.
Any good cybersecurity pro knows how to examine a company’s security setup from a holistic view, including threat modeling, specifications, implementation, testing, and vulnerability assessment. They also understand security issues associated with operating systems, networking, and virtualization software.
But it’s not just about understanding; it’s also about implementation. They study the architecture of systems and networks, then use that information to identify the security controls in place and how they are used. Same with weaknesses in databases and app deployment.
More junior cybersecurity professionals might use their coding skills to write tools that automate certain security tasks; depending on the company’s technology stack, there is often a choice of pre-built tools that will automate many functions, as well.
Senior cybersecurity pros, meanwhile, must organize and coordinate technical vulnerability assessments, including systems and network vulnerability assessments, penetration testing, web application assessments, social engineering assessments, physical security assessments, wireless security assessments and implementing secure infrastructure solutions.
They recommend and set the technical direction for managing security incidents, and ensure the integrity of the resulting process and approach. In terms of using soft skills, they’ll need to explain to management (and show forensically) how an attack was conducted.
Grasping the Big Picture
Professionals at all levels not only understand security concepts and principles; they also know the most up-to-date privacy and security regulations. For example, the California Consumer Privacy Act of 2018, which offers some modest fines for privacy violations, will become law on Jan. 1, 2020. No wonder many analysts regularly identify security and privacy as the top two issues facing businesses today—failing to maintain security not only leaves data open to hackers, but it can risk fines from government entities increasingly concerned about how data is managed.