Six Skills You Need to Succeed in Cybersecurity

One reason companies can’t find the experienced cybersecurity professionals they need: there just aren’t many tech pros who have mastered not only the necessary technical abilities, but also “soft skills” (such as clear communication)—and those who have, well, they’re already employed (often with hefty salaries and benefits designed to keep them in place for the long term).

With that in mind, if you want to plunge into a career in cybersecurity (and there’s no reason you shouldn’t, at least in terms of salary), here are some of the traits you’ll need to exhibit.

Solid Work Habits

First, you’ll need some essential work habits, including the ability to work methodically (and in a detail-oriented way). The following abilities also come in useful:

  • Eagerness to dig into technical questions and examine them from all sides.
  • Enthusiasm and a high degree of adaptability.
  • Strong analytical and diagnostic skills.
  • A current understanding of common web vulnerabilities.
  • Awareness and knowledge of contemporary standards, practices, procedures and methods.

Soft Skills

That’s in addition to the aforementioned soft skills; remember, security professionals often need to communicate complicated subjects to people who might not have much of a technical background (such as C-suite executives). With that in mind, mastering the following is usually a prerequisite for climbing to more advanced positions on the cybersecurity ladder:

  • Excellent presentation and communications skills to effectively communicate with management and customers.
  • Ability to clearly articulate complex concepts (both written and verbally).
  • Understanding and use of active listening skills (especially with customers!).

From a cybersecurity perspective, soft skills will also allow you to identify examples of, and explain, social engineering, which is a pervasive issue within the security community. You can put all kinds of hardware and software security measures in place, but hackers can still use social engineering to convince unsuspecting employees to give them passwords, credentials, and access to otherwise-secure systems.

Technical Skills

Which technical skills do cybersecurity pros need? That question is a bit trickier to answer, as there are many sub-disciplines within the cybersecurity field. That being said, many such jobs share a common technical foundation.

For starters, tech pros should understand the architecture, administration, and management of operating systems (various Linux distros, Windows, etc.), networking, and virtualization software. In other words, get to know—and love—things like firewalls and network load balancers. That’s in addition to general programming/software development concepts and software analytics skills.

There’s also the need to understand the more common programming languages, including Java, C/C++, and assembly language, as well as scripting languages (PHP, Python, Perl, or shell) and tools such as disassemblers.

Many employers demand certifications as a prerequisite for employment, and it’s easy to see why. In a recent survey, the International Information System Security Certification Consortium (ISC)² noted that a degree and certifications were often a major factor in hiring. “Cybersecurity certifications are essential to showing the level of knowledge of a cybersecurity professional. However, they should never alone be the only reference,” Joseph Carson, the chief security scientist at security vendor Thycotic, told Dice in an email.

Potentially important certifications include the following:

  • CEH (Certified Ethical Hacker)
  • OSCP (Offensive Security Certified Professional)
  • CISA (Certified Information Security Auditor)
  • GCIH (GIAC Certified Incident Handler)
  • Certified Information Systems Security Professional (CISSP)
  • Information Systems Security Architecture Professional (CISSP-ISSAP)
  • Information Systems Security Engineering Professional (CISSP-ISSEP)
  • Information Systems Security Management Professional (CISSP-ISSMP)

While these types of certifications are good to have and show employers that the candidate is interested in continuing education, “certifications should be combined with solid industry experience to get the right level of skillset required,” Carson added.

Implementation Skills

Any good cybersecurity pro knows how to examine a company’s security setup from a holistic view, including threat modeling, specifications, implementation, testing, and vulnerability assessment. They also understand security issues associated with operating systems, networking, and virtualization software.

But it’s not just about understanding; it’s also about implementation. They study the architecture of systems and networks, then use that information to identify the security controls in place and how they are used. Same with weaknesses in databases and app deployment.

More junior cybersecurity professionals might use their coding skills to write tools that automate certain security tasks; depending on the company’s technology stack, there is often a choice of pre-built tools that will automate many functions, as well.

Management Skills

Senior cybersecurity pros, meanwhile, must organize and coordinate technical vulnerability assessments, including systems and network vulnerability assessments, penetration testing, web application assessments, social engineering assessments, physical security assessments, and wireless security assessments, as well as the implementation of secure infrastructure solutions.

They recommend and set the technical direction for managing security incidents, and ensure the integrity of the resulting process and approach. In terms of using soft skills, they’ll need to explain to management (and show forensically) how an attack was conducted.

Grasping the Big Picture

Professionals at all levels not only understand security concepts and principles; they also know the most up-to-date privacy and security regulations. For example, the California Consumer Privacy Act of 2018, which offers some modest fines for privacy violations, will become law on Jan. 1, 2020. No wonder many analysts regularly identify security and privacy as the top two issues facing businesses today—failing to maintain security not only leaves data open to hackers, but it can risk fines from government entities increasingly concerned about how data is managed.

38 Responses to “Six Skills You Need to Succeed in Cybersecurity”

  1. John Zavgren

    Excellent article. I agree with the author’s attitude about certification. I’ve taught courses (cryptography, Internet security, defensive coding practices, etc.) that have enabled my students to pass the CISSP examination. But, I’ve never seriously considered taking it, because it costs too much and the certification isn’t sufficient for professional competence.

    I’ve seen a lot of job postings over the years that emphasize certification. I’m not sure that the potential employers really understand anything about security. One telecommunications company, whose recruiter (a friend of mine) contacted me, merely wanted to fill a position for the lowest possible salary. The recruiter leveled with me: the executives of the company merely wanted someone to point to when the issue of security came up. “Look guys, we’re doing the best job with the best people”. I see all too much of this.

  2. Latrese

    I would like to become marketable for employment in the wireless security sector. What type of education/certifications should I pursue? I have Cisco CCNA and experience in LAN/WLAN Networking and Mobile Platforms.

  3. John Doe The 1337

    Greetings,
    I have just started my Cyber Security degree, and it’s no joke. It’s my first year, and I just don’t get coding, it’s frustrating me specifically coding in .bash (Perl, C, C++, Python). Is it something that I will eventually get through just making simple scripts or shall I rethink my degree choice? I understand networking and VPN’s, hardware and software (linux OS’s, MS, Apple).

    Thank you sir(s) and ma’am(s),
    John

    • Andrew

      well John, you don’t sound like you enjoy your current field too much. you should look at another field, like something more along the lines of networking, or setting up and administering the network, instead of protecting it. if you do enjoy your field, by all means, continue. you should still do your best to become proficient in coding regardless what IT job you choose, because most will use some form of coding. making scripts will help you, especially when you add or build off them. if you have trouble, python is in my opinion the easiest, and it is taught first in schools because it has similarities to many other languages. if you still have trouble, there are many websites out there that may help you through, with learning courses to brush you up on your skills, or improve them. it may also help to keep a log or list to refer to for every code you use, so you can just look back on the list instead of struggling, or searching for the code online. coding is by no means simple whatever, and i struggle too. i am still a student, and currently taking my Microsoft Technology Associates Security fundamentals certification. i hope i was able to help a little. keep at it, you’ll do fine in any career you choose with practice.

      -Andrew

  4. Many areas to cover… remember how to eat an elephant, one bite at a time!! I’m working on my Bachelor’s in Cybersecurity, and it’s a great challenge, my professor stresses generalism, knowledge of many things. But I wouldn’t trade it for anything, the greatest challenge in the world.

  5. John,

    I just recently completed my CyberSecurity degree
    and I experienced those same frustrations you are describing.

    In short, it is imperative that an InfoSec (information security/cyber security) professional have the ability to *detect* and mitigate threats, risks and vulnerabilities in informational resources.

    A popular technique of cyber criminals is hacking informational resources via loop holes/back doors in computer programs. Furthermore, an InfoSec professional can mitigate/respond to/eliminate *some* incidents/threats/risks via writing code.

    That being said, to be an effective cybersecurity professional, understanding computer programming and the associated risks and vulnerabilities is very important. Your professor should have explained this if he/she is “any good.”

    Good Luck and hang in there!

  6. If anyone needs training, Cybrary.it offers a bunch of training courses for free. They have CISSP, Cisco CCNA, PMP, Ethical Hacking, CompTIA Security+, and a bunch of other stuff that might help you with advancing your career in Cyber Security.

    There’s also Code academy for programming – Just depends on what you’re looking for.

  7. Hi guys. I am a computer science engineer from Tunisia. I’m searching for a subject for my thesis in smart cyber-security, so if anyone has an idea or can help me. We don’t have much research in this domain in my country. Thanks.

    • Andrew

      Chetan, i know this is most likely WAY later than you need this, but yes, you need to know at least a little code(but hopefully become proficient in said code). all fields use code of some sort. you should definitely see what code your chosen field uses (probably many) and try to learn them. it won’t be easy, but you can do it. i suggest starting with python, because many languages are similar to it.

      -Andrew

  8. Hashtag Realtalk

    [John Doe The 1337 said: Greetings, I have just started my Cyber Security degree, and it’s no joke. It’s my first year, and I just don’t get coding, it’s frustrating me specifically coding in .bash (Perl, C, C++, Python). Is it something that I will eventually get through just making simple scripts or shall I rethink my degree choice? I understand networking and VPN’s, hardware and software (linux OS’s, MS, Apple).] Well, what happened? Did you rethink? I think you should have re-thought if coding “frustrates” you. Lots of cattle ranches need workers.

  9. Simon Dean

    Just to say a word to all frustrated InfoSec candidates: “Don’t proceed if you can’t enjoy it.”

    The security industry is embarrassed enough from people who join the field with no special interest to the topic and this is hurting the industry as a whole.

    If you don’t like coding, pick a domain that doesn’t involve coding, for instance, network security. Coding is mainly for programmers who specialize later in the app security domain.

    Security is not a specialization as a whole and you can never master it. However, you can specialize in one or two of its domains.

  10. Erin West

    I finished my Master’s in Info Sec last Dec-Management track and although I had 6 general classes that covered the domains for the CISSP, I did get to pick a few classes that interested me like Risk Management, Forensics, etc. I have no interest in writing programs myself, but have interest and experience in 3 of the domains. Your degree may be broad, but as long as you know the principles, you will be fine.

  11. Cliff Randolph

    This was a good article. It has a lot of good advice. However, as an IT Security Professional, how do you protect against the following:

    -100 % of PC component manufacturing happening in China? (I have been shopping around for PC components that are not made in China. They are simply not available. Go down to Fry’s Electronics, search online, check out Best Buy, check out CDW and others if you don’t believe me.) How do you know that that device doesn’t have malware in it? Oh, the Chinese Government would never put malware in their products… yah right…

    -How do companies protect themselves against offshore software development? Their vendors use them, they often use them, partners use them. It only takes one script to create a backdoor. And how many lines of code are in an organization or company?

    -How does a company protect itself against devices that you aren’t the administrator of? BYOD is major problem, IMO.

    -After reading the comments above, how does someone that wants to learn IT Security get the training he or she needs? Companies have outsourced a lot of their IT Development outside our borders so a lot of the expertise is elsewhere. And a lot of things change after 2-3 years… Organizations like EDD/Worknet aren’t providing this training. (I just checked into it and they provided a bunch of redtape and side talk. Fill out these forms, go online and fill out those forms, register with this site…. Guess what, I already did that and received zero responses….It’s frustrating, I know. And these agencies advertise training programs, but who’s getting the training? Is the money for these programs sitting in a pool somewhere?

    -And finally why isn’t there a “Driver’s License” for Developers. Every time code is created, modern technology should stamp the creator of the code’s ‘drivers license’ on the code itself. This way the people creating malware could be caught and held accountable. And if they refuse to get a driver’s license, then their code won’t work. Technology companies would have to enforce this within their technologies. Let me say that I’m not a fan of this kind of Big Brother involvement but there is so much hacking happening today that something has to be done… And if you are a Security Professional that says you haven’t been hacked, I would say that you just haven’t learned enough to detect it.

    • Why isn’t there more stuff manufactured in the United States? There are lots of excuses. I find the lack of security in America terrifying. I don’t understand the reason that I need to put my money, time, and life at risk to use computers and the internet. There is too much importance placed on marketing and not enough on security.

    • Ghostie

      The reason you can have confidence that you aren’t going to have malware on your computer from China or something of that nature is that malware is basically software, so it’s going to reside where software is stored (the hard drive). Drives ship unformatted, meaning there’s no possible way for any information to be on the drive, and when the drive gets formatted, everything gets erased anyways.

    • When you say “drivers license” for a code, I’m assuming you are referring to code signed by a digital signature. I agree that digital signatures could be leveraged more and the general public could be educated adequately of their importance.

  12. Here is my take. I started out with a bachelor’s in IT. I started work for a Fortune 500 in the e-discovery and forensics side of things… this led to me learning a lot about the legal side of things and various other things revolving around litigation.

    A few months ago I was approached by a director and offered a lateral move into FAIRY more specifically the Incident Response side. I thought forensics required a lot of attention to detail, but putting together detailed cases on the security side is much more involved, but with the right tools you can put together the whole story.

    That being said cyber security seems to be much harder to get into, but once you do… your value increases drastically and you get the benefit of being experienced and proven in a field with a 0% unemployment rate.

  13. This is not an answer but a question, I am currently studying in middle school and I chose my subjects 2 years ago and I chose ICT as a subject instead of computer science and now I can’t change it, so the question is that can I do cyber security with ICT?

  14. Dilmi DeSilva

    I have started my degree. And this is my second year, I have to choose my specializing area. And I am really interested in cyber security. I am scared of doing coding, and I’m not much good in coding. And CS is hard, I think, but I like to do CS. Still, I don’t have any knowledge about CS. Can I do cyber security? Do we need perfect coding skills for CS? Help me please.

  15. Chitpara

    Hi,
    I’m doing Masters of Computer Applications specialization in Software Engineering before, I did my graduation in Mathematics Honors.
    I’m interested in Cyber Security but due to my non-CS background, I’m confused and disoriented about how should I proceed toward this field and have a good knowledge+ career in it.
    Please, do give some advice.
    Thanks in advance!

  16. Hi,
    I’m super keen to learn coding, programming, CS, but for someone who missed this era. Where do I start?
    I’m not afraid to start at the beginning, but I’m trying to find out where the beginning is?
    Do I start with a for example taking an ‘A’ level in IT/Computer Science? Or can I go straight onto a coding/programming course or one that covers both?
    Please help

  17. Hi
    I am a first year student in IT, I have really been in need to pursue a cyber security course, can the generalized IT degree land me to a cyber security specialised? Please assist me with some clarification.