Developing Your Portfolio of Soft Skills for Cybersecurity

Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
Cybersecurity professionals to present to company officials.

You have been hearing about the importance of “soft skills” forever. In fact, you are probably tired of hearing about soft skills. But don’t stop reading in this blog post yet. I’m going to share some hard information about those soft skills you need and how to obtain them. These are the soft skills that will help you further your career in cybersecurity and other areas of information technology.

My starting point is a survey published by the Society for Information Management in 20201. SIM is an established professional organization whose members are Chief Information Officers of their respective firms. According to surveyed members the most important soft skills are:

CIO's Rate Importance of Soft Skills for Cybersecurity Professionals

Soft Skill or Personal Attribute Most Difficult to Find Most Important to Organization
Critical Thinking 1 1
Strategic Thinking 2 2
Leadership 3 3
Systems Thinking 4 6
Emotional Intelligence/Empathy 5 6
Business Knowledge 6 5
Innovation 7 8
Change Management 8 8
Problem Solving 9 10
Relationship Management 10 15
Collaboration (Teamwork) 11 4

Some points regarding this list: if you don’t report to the CIO, your boss’s list might be different2. The majority of CISO’s do report to the CIO. Secondly, the list applies to IT staff generally, not just security professionals. The priorities can and do change depending on your exact role. Finally, if you have these skills you should promote them on your resume and social media profiles, just as much as your technical certifications. You should have in mind backup evidence as to how and where you demonstrated the skill, since most soft skills don’t have hard certifications.

Another point relates to communication skills, both written and oral. Neither is in the above list, although both were listed in earlier surveys. I believe that communication skills represent a “meta skill”, necessary for any of the skills listed. You can check out my blog post on the importance of communication, or my interview with Jeffrey Brown, Connecticut State CISO.

What if you don’t have the skills listed here? Time to continue reading. I will discuss four here as they apply to information security. Then you can create your action plan to improve your own skill level.

Soft Skills Needed for Cybersecurity

Let’s look at “critical thinking”, “strategic thinking”, “systems thinking” and “emotional intelligence”. In later blog posts, I will look at the other seven skills.

Cybersecurity professionals at a strategic meeting.

Critical Thinking “Critical thinking” is something that everyone wants, but few can define clearly. In my mind critical thinking means starting with the result you want to achieve and mapping out a logical path to that result. In the case of cybersecurity, the result is protecting business assets and processes. That’s it. Anything you do should support that end goal. If not, it can be eliminated. We can apply Ray Dalio’s first principle3 : #1 think for yourself to decide what you want; #2 decide what is true; and #3 what you should do to achieve #1.

Strategic Thinking I can’t say enough about the importance of this in achieving cybersecurity success. Too often, daily tasks (incidents) can consume all your waking hours. You must devote resources to improving the security program AND be able to demonstrate these ideas to management. You first need to attain broad exposure to your organization. Second you need to put your observations together in an original manner. Next you will need marketing skills to get your point of view across. Thinking is not enough; you must sell you concepts to the organization4.

Systems Thinking This is a skill that CISOs have personally told me they look for in new hires. If you “patch” security vulnerabilities in one part of the organization, are you creating holes elsewhere? Complex security protocols or software may look good on paper, but will human errors facilitate new vulnerabilities? The entire system must be secure and those who can see this will be more valuable to the organization.

Emotional Intelligence One of the best posts I have heard on this topic was Alex Stamos’ talk at 2017 BlackHat. It’s worth listening to the former Facebook CISO’s talk in full. As he says: “As an industry we have a real problem with empathy . . . We have an inability to put ourselves in the shoes of the people we are trying to protect.” So, this skill may well rate at the top for successful security practitioners. Do not fall into the trap of thinking that the users are the problem.

Soft skills can easily be more valuable to you than technical skills, depending on where you are in your security career. At any point, they will be essential to successful implementation of your security program. Make sure you allocate time and energy to developing these skills in parallel with your technical acumen.

Quinnipiac University’s online MS in Cybersecurity provides students with the skills to be successful in this field. Industry-experienced faculty will guide students to be proficient security defenders that are also business savvy. For more information, please visit Quinnipiac University’s MS in Cybersecurity program.

1Leon Kappelman, et al, “SIM IT Trends Study”, 2020 (requires SIM membership).

2Leon Kappelman, et al, “Skills for Success”, Communications of the ACM, August 2016.

3 Principles, Ray Dalio, Simon & Schuster, 2017.

4 “How to Demonstrate Your Strategic Thinking Skills”, HBR, Nina Bowman, September 2019.


Related Articles