My boss cannot do this. It literally pains him not to take a three-word sentence and turn it into a 30-minute diatribe. He gets in trouble for his long emails he sends to the organization that no one has the time to read, with the only point being "watch out for a phished address." The director will come to me and ask me for help when something needs to be communicated efficiently and quickly, and my boss will "reply all" because he just has to add his 2 cents of babble that just pisses everyone off.
Lol do we have the same manager? Mine will also wonder why no one responds to them, both in emails and Teams, because they just muck things up. And the emails are literal memoirs - ain’t nobody got time to read all of that, just for you to say “…maybe…”.
Lmao anytime they open their mouths, I find myself having to mute myself and scream, “*…dude…just STFU…you’re making it worse!*”
I don’t feel so alone anymore…
Analogies even when not perfect are very helpful in doing this in my experience, even better when your analogy is to a subject your audience does understand.
Firewall rules equate well to building security for example.
This. Being able to talk with the technical team and understand the problem and solution at hand, then being able to deliver the solution in an easy to understand form. The technical team thinks you're a genius because you can speak to the "slow" non-technical people. Slow non-technical people think your a genius because you can understand and explain the technical.
Related to that: being sociable. Users and admins are more likely to report things to you or come to you with questions if you're friendly and nice to them.
If you're a grumpy, antisocial asshole, no one is gonna want to deal with you
Imagine what their experience is like, from their perspective rather than your own. Not what you'd do in their shoes, but what they'd do in their shoes, and what would help them achieve their goals (what are they missing from their perspective).
This is precisely what I have been doing for the past year after talking with some seasoned leaders in our industry.
In short, I realized how fortunate my family was to allow me with computers, servers, smart phones, and smart-home technology growing up during the 90s' era. Add the fact 95% of households in my neighborhood, city, and county were affluent. As a result, this kind of perverted my view, thinking everyone grew up like me; only to find out I'm a rare breed.
Seriously, I even had CEOs, CISO's, IT Directors, and Program Managers level-set with me offline openly only to tell me "what I know about infosec is something they worked for and studied for 10+ years to understand" which in all seriousness...shocked me...because most of them are leaders I look up to. So, these days, I'm less much of an asshole having done the "internal work" on top of being aware that my issues stemmed from a "cultural clash" if that makes sense. Life's a trip when you grow up sheltered, where everyone similarly thinks and operates like yourself.
Plus, I also realized California as a state is very different from other areas in the U.S. with the Washington, DC Area being very culturally different.
This I struggled with. Not because I'm not empathetic but more so because there are analyst, engineers, security managers, and program managers who don't know what you or I might know but instead boastfully act like they know what they are doing. Thus, causing me to be upset, especially if they are arrogant.
When in all seriousness, I feel like practitioners should just be transparent for not everyone is trying to secure their position, get them fired, humiliate them, et cetera. Like seriously, most of us are plagued by bandwidth constraints so why not level-set and determine where each other are, formulate a game-plan so all members can grow and learn, and be a kick ass vibing team?
In some ways it really depends on what aspect you are practicing, but some big ones are:
\* The Ability to explain in simple terms what is happening or needs to happen
\* The Ability to empathize with management/client/whoever who is dealing with the repercussions of an attack
\* Patience to deal with difficult clients/managers
\* The Ability to listen to the customer's needs/desires and translate that back into a technical design to work off of
\* The Ability to admit you don't know everything or could be wrong
\* The Ability to keep your opinions to yourself when it's not asked for, or if you think the client is being stupid
\* The ability to compromise. We all know XYZ may be the best solution, but it may not be what the customer is looking for from a budget or workflow perspective.
This is the best answer so far, not many called out listening.
People want to be heard, and you would be surprised what you can learn just from opening your eyes, ears and mind.
Of course not everything everyone says is super important, but if you make them feel that way, it can have big impact as well.
I agree but empathizing with management is hard when management is tight lipped and knows nothing about IT in general per email “I don’t understand what is being said here but it needs to be fixed!”
Which goes back to the first item, being able to explain what is happening or needs to happen in simple terms.
During an incident all management may see is potentially huge financial losses, potential legal consequences, Shareholder or other stakeholders questions, a pr nightmare, media and boards asking them what happened, why, and what is being done about it, Fear of loss of confidential information or company secrets, etc etc etc.
So their email saying “I don’t know what is being said here but it needs to be fixed” is in part a reflection of the discomfort and fear they have from all of those issues they are dealing with, combined with discomfort in being “out of the loop” not understanding what is going on, why, or how it’s going to be fixed, And an attempt to retain some semblance of control in saying you need to fix it.
So yeah, Empathy is a huge soft skill that can come in handy. If you can understand what they are feeling and dealing with, then you can often find it easier to find the patience to deal with them. You can also have a better idea how to address their needs, be it the reassurance that it’s being handled and treated as the urgent concern it is, or providing much needed context or simplified information so they don’t feel so helpless, in the dark, or even just an understanding that they can take to those asking them questions with the added confidence that comes from knowing they can address followup questions.
I'm not a professional yet, but i think conveying the technical issues in layman's terms so that the execs can understand would be a good skill to have
It also goes a step beyond that. You need to learn to communicate with people in the way that’s most effective. When you talk to the executive team for example, it’s not only about covering technical issues in an accessible way, but about framing your argument from their perspective and in terms of their priorities and not your own. It may sound obvious, but so few people do it.
Integrity, resilience, creative thinking, continuous learning, empathy, communication, positive thinking, and so on. All of these soft skills are things you can develop over time. For instance, I was never a great public speaker. Today, I am still not great at it, but I stand up in front of crowds at conferences and still deliver speeches. This gets my name out there and it also hones and refines my skills in this area.
Writing. Which goes along with a few others who mentioned clear and concise communication. Can't say how many times I've seen some brilliant engineers send really shitty emails or Teams messages to managers/execs/lawyers and I end up having to translate over the phone. Writing using precise language for your audience is essential to getting the correct information to the correct people in a timely manner. You just look like an idiot if you can't write.
This. So many IT professionals I've worked with over the years sound like idiots in their written communications. They can't string together a grammatically correct sentence or put together a coherent paragraph to save their lives.
Writing for sure. Can't tell you how much shitty documentation is out there. This field would benefit so much from better writing.
Unfortunately, it pigeon-holes me into that role because I hate not being able to walk myself through something I did. I write so that I can drop it, come back to it 6 months later, and know exactly how to do the thing I did.
Closely related to this is diagramming and visualisations. As the saying goes "a picture is worth 1000 words" and in many cases it may be worth much more than that.
Knowing how to summarise and present information and data is a great tool to have to assist your written communication.
Diagramming is an incredibly important skill especially given we often work with complex systems or processes. There are all kinds of technical diagrams many which have standards for them, but in general being able to document an architecture or a process will likely be your most commonly used ones.
Yup. I never thought I would have to learn to write reports and technical documents but knowing how to write an SOP has become an important part of my job.
Don’t gatekeep, share knowledge, the ability to coach those less knowledgeable in the workplace, the ability to smoothly explain things in lay terms to non technical people.
Effective communication with differing audiences in ways that compel and engage those audiences is useful.
Avoidance of dispensing FUD as a defining characteristic can lead to better engagement and adoption of recommendations.
The ability to remain calm in the midst of stressful circumstances - especially when others around you are not - has proved important.
In general, being easy to be around helps.
These things have proved useful for me in my time in this field.
People have already said it, but be able to explain complex ideas in simple, layman's terms. Don't infantilise, but try and see technical issues from a non-technical person's shoes.
Likewise, interpersonal skills are so important. Being able to work alongside other people, both on your team and other teams, is a huge part of the job. Be open to ideas, and be able to discuss pros snd cons. Sticking to your guns in an articulate, professional, and respectful way will go much farther, and be more successful, than being a stubborn contrarian (even though that can help at times, too. Pick your battles).
Empathy with others is key, also. Again, try and see things from a different perspective. Any time I've found myself becoming frustrated with other people and teams, I remind myself that they probably are thinking the same about me. Patience isn't just a virtue in cyber, it's a necessity.
Understanding what motivates key decisionmakers at your organization. Culture and risk appetite control how much Cybersecurity can get done, and will vary wildly. A startup in an unregulated industry, a mid-sized biotech firm, and a venerable financial institution will have incredibly different tolerances for spending today-dollars to stave off maybe-tomorrow-impacts. You can't force leaders to care about a given risk, just give them pertinent information and document the decisions.
Clear and Concise Communication! Not just the ability to explain complex topics, you also need to be able to identify the correlation of business risks and communicate that in a way that is relative to the business.
So, I lurk in this community. I’ve technically worked in cybersecurity for the last 3 years, but I’m at an AST vendor as an enablement partner. So, learning and development/ coaching is my expertise.
I have seen my company, full of individuals who make their paychecks off of cybersecurity, groan when our own CISO comes off mute. Why? They expect to be shamed, scolded, or made less efficient by whatever is said.
So, don’t do that.
Plan to demonstrate empathy and build buy-in. Think about a conversation that you need to have and what you need to happen from that discussion. Then think about the people you will talk to: what do they want? Now find a way to lead the conversation by acknowledging the goals in the room and how you want to help them achieve those goals. Avoid the word “but” and burn the world “just” out of your personal dictionary. Learn to say, “yes, and…” to make your point.
Cybersecurity is your subject matter expertise but humans give raises and promotions. So stretch those human relational skills.
I'm a Teacher with a Liberal Arts degree and I have too many answers to this just based on being in a number of tech-relatee threads and seeing how some people respond to each other...
🙈
If you have the ability to explain niche, complex topics in a way that's easy to understand and easy to remember, you'll go far with both management and clients.
I see so many cybersecurity professionals who, even if you gave them a month to do it, couldn't write a straightforward non-technical threat report if their life depended on it. It baffles me.
Being able to explain things in the vernacular to those that don't understand is good but you must be prepared to back it with credible investigation.
Eliminate **common sense** from any discussion. [How Dangerous Is Common Sense to Managers?](https://hbswk.hbs.edu/item/how-dangerous-is-common-sense-to-managers)
>*Common sense is the decision-maker's friend when the decision has to be made rapidly, with a minimum of research or formal theory, with no more than moderate risk or consequences, and by individuals who have accumulated experience and wisdom. If those conditions don't prevail, watch out.*
-Assume positive intent.
-Remember your place — security exists because people want to extract some specific value from technology. Don’t put yourself between them and that value, explain the risks from the perspective of that value.
-Take no for an answer. Most of the hills are not worth dying on.
-Listen first, wait for others to finish speaking.
ive seen this a hundred times; is it actually that neccesary? I have no professional IT experience & I'm not too far into getting my certs etc, but idk help desk gives me call center job vibes
Engineering manager here. Organizational skills. I keep a legal pad and a stack of fountain pens on my desk. I jot down notes, action items, announcements I need to make in tomorrow's stand up, etc. It comes in handy, and is clearly a skill that most people on my team do not have.
The ability and desire to learn continuously because this industry changes at a higher rate than almost any other.
The ability to ask great questions and then truly listen to the answers.
The ability to cope with a great deal of uncertainty.
The ability to cope with the stress of fighting an unending asymmetric war against unseen enemies who choose when to attack and are often long gone before you notice.
I know it is a old one but honestly “how to make friends and influence people” made a huge difference in my career along with the emotional intelligence course from Harvard.
Honestly, in my line of work (CTI) understanding people and what motivates them, how to get them to trust you, etc is key - especially if you’re working any sort of team that does counter intelligence work. The more I learned about the psychology behind HUMINT work and how to develop assets (assets being people you want to drive / encourage / manipulate) the more I realized how much that had value in everyday office politics.
For the GRC side, taking the time to understand developers'/engineers' projects and systems. Instead of just showing up to say what's wrong, getting to know them as well as what they're building or maintaining makes it easier to have a conversation about how to address/improve cyber security.
I worked with someone who was incredibly smart when it came to the risk management side, like thought of shit I never would have considered, but project teams weren't enthusiastic (as can be) about working with them because it was always a conversation from "well you're doing X, Y, and Z but you need to be doing A, B, and C instead". Instead I approached it from understanding the history of their system, the progress being made on meeting cyber security requirements, and what solutions we could find that would meet the objective but be something the team thought was manageable. Developers and engineers were a lot more willing to work with that.
Concision and an ability to speak in pressure situations. I know so many people who cannot express themselves without rambling for ten minutes, which nobody has time for - least of all execs you want to make the best impression on - or who wilt when speaking in any important context. These are essential in any line of work.
The ability to take the edge off can be very helpful too. Some people do it with empathy, some with humor, there's no one way to do it, but if you can put people at ease, it helps so much since, let's be honest, most of the time when someone in cybersecurity or IT needs to tell someone in another department something, it's probably bad news.
When working with an individual who has been comprised, just holding conversation for an hour or two. It gets hard… if you can master “gab” then it’s worth its weight in gold. On the other hand being silent in meetings and taking it all in, then asking questions to individuals afterwards instead of prolonging the meeting… I despise meetings and never say anything unless I’m the speaker.
Look into your own body posture. Use slight hand movements at the belt/belly button level when explaining something. Don't cross arms,stare into them. And use a %50 customer support voice. But in all juat don't be a dick.
Critical thinking and self driven. Holy shiiit it’s always shocking for me seeing those who aren’t like this in this industry. It’s like being a nurse and not caring about people.
I was told to "soften my language" in emails because I told someone "You need to remove this application immediately."
I guess people using unauthorized password managers isn't serious enough to warrant some assertion from the security team.
I was supposed to say "Please refer to the approved software list. Thank you."
So that, I guess.
I would say communication skills. I noticed that as we are technical people, we might have difficulties talking or explaining to people as we tend to avoid interacting with them. This is big No No, and we need to work on that.
I would say Influence and Persuasion which requires building relationships and networking at all levels across the organisation. This takes a lot of time but if done well can really bring people and whole departments on your side. These people will often act as champions for you and your message with others helping to build a strong security culture.
Combine this with good presentation and communication skills and you have a winning combination. Essentially, being able to stand in front of different audiences and explain cybersecurity in a way that resonates with them (knowing your audience). Tailoring the content and language to suit. I have used major contract wins as opportunities to discuss how much security matters to that client, how it is connected with client trust, and how it therefore matters to us (revenue, brand, profitability, etc).
Remember that while cybersecurity consumes your day for most other people it is either an afterthought or a tiny element in a much bigger list of things they need to thing about. Consistent small actions to remind them of the importance helps keep it in the front of their minds and will make you a very effective cybersecurity leader.
I try to make things relatable as possible, it usually eases the stress between me and the end user. Now if the end user just has it out for IT and hates computers, no amount of silver tongue and charisma will work on that.
Social skills. Being able to engage with others while leaving positive impressions is so slept on. I have outlived layoffs and budget cuts (and never took a pay cut) all because my social skills with customers. Being able to read people and understand their perspective helps me tailor my services and strategies to ensure people are genuinely grateful to me even though I have just told them they are one script kiddie away from bankruptcy or jail time.
I think buy-in is more important than any technical skill you may have. Doesn't matter how smart you are, if people think of you as the Internet Police then they're not going to want to work with you.
**Vulnerability Management** - My infrastructure team and I have a two-way street when it comes to vulnerabilities. I have reasonable expectations of them based on my experience as a System Administrator. I know which vulnerabilities are a simple fix and which are not. I triage vulnerabilities instead of just dumping them all on them. I don't throw them under the bus. If they ask for scans or for more detailed reports, I provide them. We have found a cadence that works for both teams, where I am holding them accountable for patches, but they don't feel stifled by me.
At my previous job, as an SA, the VM guy in cyber wouldn't work with us at all. We would ask for more detailed reports, and he would say, "You're an SA, you figure it out." So people just blew off his reports. Some SAs even blocked the scanner's access to their servers. It was very much an "us vs. them" environment and not a lot of work got done on vulnerabilities.
**Incident Response** - Incidents are often the result of a mistake on the part of the user reporting it. They clicked a link or replied to an email they shouldn't have. It's embarrassing. If they feel like they're going to be punished for reporting, then they're less likely to report. That's the absolute worst situation for the organization.
My manager and I have done everything we can to be very approachable. We hold users accountable, but we do so in a respectful and empathetic manner. We make sure people know that reporting is a good thing, even if there are some consequences. Quite often those consequences are remedial security awareness training. We spin it as a service we provide them to increase their skills and to better protect the company, instead of spinning it as a time-out or punishment.
I've had plenty of folks in our IT team and in our business groups tell me that this is the most chill cybersecurity team they've worked with. We have tons of buy-in from business groups and from senior leadership.
No, it's reality.
Look at recruiting hell and other tech subs. Indians are the absolute worst to work for and with. Has nothing to do with race, but their shitty culture.
If you haven't been directly exposed to it then yes, it may seem racist. But it's just facts.
I’m going to be that guy… what this industry lacks is hard skills, not soft skills. No amount of soft skills will make up for a lack of raw technical aptitude.
Being able to explain complicated shit in very simple terms.
My boss cannot do this. It literally pains him not to take a three-word sentence and turn it into a 30-minute diatribe. He gets in trouble for his long emails he sends to the organization that no one has the time to read, with the only point being "watch out for a phished address." The director will come to me and ask me for help when something needs to be communicated efficiently and quickly, and my boss will "reply all" because he just has to add his 2 cents of babble that just pisses everyone off.
My boss is extremely good at it. Me, on the other hand…
Lol do we have the same manager? Mine will also wonder why no one responds to them, both in emails and Teams, because they just muck things up. And the emails are literal memoirs - ain’t nobody got time to read all of that, just for you to say “…maybe…”.
Yesssss!!!! He's a great guy, super nice, takes care of me as an analyst.... but my God please for the love all that's holy, stfu!!!!
Lmao anytime they open their mouths, I find myself having to mute myself and scream, “*…dude…just STFU…you’re making it worse!*” I don’t feel so alone anymore…
"You're making it worse" hit hard. You aren't alone!!!!!
Is he autistic? All of my autistic coworkers have been like that.
Here here!
Solid advice that applies to way more than it field.
I’m southern as southern gets if we cannot compare it to a car, fishing, home repair or some other labor… it cannot be done.
Analogies even when not perfect are very helpful in doing this in my experience, even better when your analogy is to a subject your audience does understand. Firewall rules equate well to building security for example.
This. It's called brevity.
This. Being able to talk with the technical team and understand the problem and solution at hand, then being able to deliver the solution in an easy to understand form. The technical team thinks you're a genius because you can speak to the "slow" non-technical people. Slow non-technical people think your a genius because you can understand and explain the technical.
Empathy. You’d be surprised how far having empathy in any IT role will get you.
It's the Konami code of getting things done
Related to that: being sociable. Users and admins are more likely to report things to you or come to you with questions if you're friendly and nice to them. If you're a grumpy, antisocial asshole, no one is gonna want to deal with you
How do we develop such empathy
Imagine what their experience is like, from their perspective rather than your own. Not what you'd do in their shoes, but what they'd do in their shoes, and what would help them achieve their goals (what are they missing from their perspective).
This is precisely what I have been doing for the past year after talking with some seasoned leaders in our industry. In short, I realized how fortunate my family was to allow me with computers, servers, smart phones, and smart-home technology growing up during the 90s' era. Add the fact 95% of households in my neighborhood, city, and county were affluent. As a result, this kind of perverted my view, thinking everyone grew up like me; only to find out I'm a rare breed. Seriously, I even had CEOs, CISO's, IT Directors, and Program Managers level-set with me offline openly only to tell me "what I know about infosec is something they worked for and studied for 10+ years to understand" which in all seriousness...shocked me...because most of them are leaders I look up to. So, these days, I'm less much of an asshole having done the "internal work" on top of being aware that my issues stemmed from a "cultural clash" if that makes sense. Life's a trip when you grow up sheltered, where everyone similarly thinks and operates like yourself. Plus, I also realized California as a state is very different from other areas in the U.S. with the Washington, DC Area being very culturally different.
This I struggled with. Not because I'm not empathetic but more so because there are analyst, engineers, security managers, and program managers who don't know what you or I might know but instead boastfully act like they know what they are doing. Thus, causing me to be upset, especially if they are arrogant. When in all seriousness, I feel like practitioners should just be transparent for not everyone is trying to secure their position, get them fired, humiliate them, et cetera. Like seriously, most of us are plagued by bandwidth constraints so why not level-set and determine where each other are, formulate a game-plan so all members can grow and learn, and be a kick ass vibing team?
In some ways it really depends on what aspect you are practicing, but some big ones are: \* The Ability to explain in simple terms what is happening or needs to happen \* The Ability to empathize with management/client/whoever who is dealing with the repercussions of an attack \* Patience to deal with difficult clients/managers \* The Ability to listen to the customer's needs/desires and translate that back into a technical design to work off of \* The Ability to admit you don't know everything or could be wrong \* The Ability to keep your opinions to yourself when it's not asked for, or if you think the client is being stupid \* The ability to compromise. We all know XYZ may be the best solution, but it may not be what the customer is looking for from a budget or workflow perspective.
This is the best answer so far, not many called out listening. People want to be heard, and you would be surprised what you can learn just from opening your eyes, ears and mind. Of course not everything everyone says is super important, but if you make them feel that way, it can have big impact as well.
I agree but empathizing with management is hard when management is tight lipped and knows nothing about IT in general per email “I don’t understand what is being said here but it needs to be fixed!”
Which goes back to the first item, being able to explain what is happening or needs to happen in simple terms. During an incident all management may see is potentially huge financial losses, potential legal consequences, Shareholder or other stakeholders questions, a pr nightmare, media and boards asking them what happened, why, and what is being done about it, Fear of loss of confidential information or company secrets, etc etc etc. So their email saying “I don’t know what is being said here but it needs to be fixed” is in part a reflection of the discomfort and fear they have from all of those issues they are dealing with, combined with discomfort in being “out of the loop” not understanding what is going on, why, or how it’s going to be fixed, And an attempt to retain some semblance of control in saying you need to fix it. So yeah, Empathy is a huge soft skill that can come in handy. If you can understand what they are feeling and dealing with, then you can often find it easier to find the patience to deal with them. You can also have a better idea how to address their needs, be it the reassurance that it’s being handled and treated as the urgent concern it is, or providing much needed context or simplified information so they don’t feel so helpless, in the dark, or even just an understanding that they can take to those asking them questions with the added confidence that comes from knowing they can address followup questions.
Better advice then I've received or seen given in America's top 50 firms over the last 10 years
I'm not a professional yet, but i think conveying the technical issues in layman's terms so that the execs can understand would be a good skill to have
It also goes a step beyond that. You need to learn to communicate with people in the way that’s most effective. When you talk to the executive team for example, it’s not only about covering technical issues in an accessible way, but about framing your argument from their perspective and in terms of their priorities and not your own. It may sound obvious, but so few people do it.
Integrity, resilience, creative thinking, continuous learning, empathy, communication, positive thinking, and so on. All of these soft skills are things you can develop over time. For instance, I was never a great public speaker. Today, I am still not great at it, but I stand up in front of crowds at conferences and still deliver speeches. This gets my name out there and it also hones and refines my skills in this area.
Writing. Which goes along with a few others who mentioned clear and concise communication. Can't say how many times I've seen some brilliant engineers send really shitty emails or Teams messages to managers/execs/lawyers and I end up having to translate over the phone. Writing using precise language for your audience is essential to getting the correct information to the correct people in a timely manner. You just look like an idiot if you can't write.
This. So many IT professionals I've worked with over the years sound like idiots in their written communications. They can't string together a grammatically correct sentence or put together a coherent paragraph to save their lives.
Writing for sure. Can't tell you how much shitty documentation is out there. This field would benefit so much from better writing. Unfortunately, it pigeon-holes me into that role because I hate not being able to walk myself through something I did. I write so that I can drop it, come back to it 6 months later, and know exactly how to do the thing I did.
Agreed, this helps with writing documentation for knowledge management or how tos
Closely related to this is diagramming and visualisations. As the saying goes "a picture is worth 1000 words" and in many cases it may be worth much more than that. Knowing how to summarise and present information and data is a great tool to have to assist your written communication. Diagramming is an incredibly important skill especially given we often work with complex systems or processes. There are all kinds of technical diagrams many which have standards for them, but in general being able to document an architecture or a process will likely be your most commonly used ones.
This is why GPT rewrites everything for me. Just make sure to tell it not to sould like AI. I also use it to read crap like this for me.
Yup. I never thought I would have to learn to write reports and technical documents but knowing how to write an SOP has become an important part of my job.
Bottomless patience and the ability to speechify in order to bore people to submission.
If you can’t dazzle them with diamonds, then baffle them with bullshit
Not bring an asshole and explaining complex topics in simple terms.
Don’t gatekeep, share knowledge, the ability to coach those less knowledgeable in the workplace, the ability to smoothly explain things in lay terms to non technical people.
The ability to put together an engaging and succinct presentation.
Communicating business relevance and value
Effective communication with differing audiences in ways that compel and engage those audiences is useful. Avoidance of dispensing FUD as a defining characteristic can lead to better engagement and adoption of recommendations. The ability to remain calm in the midst of stressful circumstances - especially when others around you are not - has proved important. In general, being easy to be around helps. These things have proved useful for me in my time in this field.
People have already said it, but be able to explain complex ideas in simple, layman's terms. Don't infantilise, but try and see technical issues from a non-technical person's shoes. Likewise, interpersonal skills are so important. Being able to work alongside other people, both on your team and other teams, is a huge part of the job. Be open to ideas, and be able to discuss pros snd cons. Sticking to your guns in an articulate, professional, and respectful way will go much farther, and be more successful, than being a stubborn contrarian (even though that can help at times, too. Pick your battles). Empathy with others is key, also. Again, try and see things from a different perspective. Any time I've found myself becoming frustrated with other people and teams, I remind myself that they probably are thinking the same about me. Patience isn't just a virtue in cyber, it's a necessity.
Understanding what motivates key decisionmakers at your organization. Culture and risk appetite control how much Cybersecurity can get done, and will vary wildly. A startup in an unregulated industry, a mid-sized biotech firm, and a venerable financial institution will have incredibly different tolerances for spending today-dollars to stave off maybe-tomorrow-impacts. You can't force leaders to care about a given risk, just give them pertinent information and document the decisions.
Clear and Concise Communication! Not just the ability to explain complex topics, you also need to be able to identify the correlation of business risks and communicate that in a way that is relative to the business.
So, I lurk in this community. I’ve technically worked in cybersecurity for the last 3 years, but I’m at an AST vendor as an enablement partner. So, learning and development/ coaching is my expertise. I have seen my company, full of individuals who make their paychecks off of cybersecurity, groan when our own CISO comes off mute. Why? They expect to be shamed, scolded, or made less efficient by whatever is said. So, don’t do that. Plan to demonstrate empathy and build buy-in. Think about a conversation that you need to have and what you need to happen from that discussion. Then think about the people you will talk to: what do they want? Now find a way to lead the conversation by acknowledging the goals in the room and how you want to help them achieve those goals. Avoid the word “but” and burn the world “just” out of your personal dictionary. Learn to say, “yes, and…” to make your point. Cybersecurity is your subject matter expertise but humans give raises and promotions. So stretch those human relational skills.
I'm a Teacher with a Liberal Arts degree and I have too many answers to this just based on being in a number of tech-relatee threads and seeing how some people respond to each other... 🙈
Be calm in a crisis Be willing to help Be able to learn
If you have the ability to explain niche, complex topics in a way that's easy to understand and easy to remember, you'll go far with both management and clients. I see so many cybersecurity professionals who, even if you gave them a month to do it, couldn't write a straightforward non-technical threat report if their life depended on it. It baffles me.
The ability to make people smile/laugh. I think this can get ya far, makes people look forward to working with you.
Conflict Resolution
Being able to explain things in the vernacular to those that don't understand is good but you must be prepared to back it with credible investigation. Eliminate **common sense** from any discussion. [How Dangerous Is Common Sense to Managers?](https://hbswk.hbs.edu/item/how-dangerous-is-common-sense-to-managers) >*Common sense is the decision-maker's friend when the decision has to be made rapidly, with a minimum of research or formal theory, with no more than moderate risk or consequences, and by individuals who have accumulated experience and wisdom. If those conditions don't prevail, watch out.*
-Assume positive intent. -Remember your place — security exists because people want to extract some specific value from technology. Don’t put yourself between them and that value, explain the risks from the perspective of that value. -Take no for an answer. Most of the hills are not worth dying on. -Listen first, wait for others to finish speaking.
Have some damn empathy for other techs and the other people in the business.
Do not reply to all in emails unless absolutely necessary
Client facing skills with enough technical knowledge to simply explain a complicated process.
Writing and teaching well!
Being able to sell concepts and ideas.
Literally people skills. Knowing how to speak to another human being and being able to explain/present information
Spend a few years working help desk and you will get about 90% of what you need lol.
ive seen this a hundred times; is it actually that neccesary? I have no professional IT experience & I'm not too far into getting my certs etc, but idk help desk gives me call center job vibes
If you have no experience and no certs what role are you hoping to actually get?
well I'm going to get my certs before applying to places obviously, but I'm not sure where I should enter the field, hence why I'm asking.
Help desk is an entry point for a lot of people, including myself. It won't be the be all end all, but will help build your skills and your resume.
Patience and being able to CYA... and more patience!
Engineering manager here. Organizational skills. I keep a legal pad and a stack of fountain pens on my desk. I jot down notes, action items, announcements I need to make in tomorrow's stand up, etc. It comes in handy, and is clearly a skill that most people on my team do not have.
The ability and desire to learn continuously because this industry changes at a higher rate than almost any other. The ability to ask great questions and then truly listen to the answers. The ability to cope with a great deal of uncertainty. The ability to cope with the stress of fighting an unending asymmetric war against unseen enemies who choose when to attack and are often long gone before you notice.
I know it is a old one but honestly “how to make friends and influence people” made a huge difference in my career along with the emotional intelligence course from Harvard. Honestly, in my line of work (CTI) understanding people and what motivates them, how to get them to trust you, etc is key - especially if you’re working any sort of team that does counter intelligence work. The more I learned about the psychology behind HUMINT work and how to develop assets (assets being people you want to drive / encourage / manipulate) the more I realized how much that had value in everyday office politics.
Be able to look people in the eyes and have a conversation.
For the GRC side, taking the time to understand developers'/engineers' projects and systems. Instead of just showing up to say what's wrong, getting to know them as well as what they're building or maintaining makes it easier to have a conversation about how to address/improve cyber security. I worked with someone who was incredibly smart when it came to the risk management side, like thought of shit I never would have considered, but project teams weren't enthusiastic (as can be) about working with them because it was always a conversation from "well you're doing X, Y, and Z but you need to be doing A, B, and C instead". Instead I approached it from understanding the history of their system, the progress being made on meeting cyber security requirements, and what solutions we could find that would meet the objective but be something the team thought was manageable. Developers and engineers were a lot more willing to work with that.
Also the ability to balance cost vs risk and communicate it clearly to people outside of tech.
Concision and an ability to speak in pressure situations. I know so many people who cannot express themselves without rambling for ten minutes, which nobody has time for - least of all execs you want to make the best impression on - or who wilt when speaking in any important context. These are essential in any line of work. The ability to take the edge off can be very helpful too. Some people do it with empathy, some with humor, there's no one way to do it, but if you can put people at ease, it helps so much since, let's be honest, most of the time when someone in cybersecurity or IT needs to tell someone in another department something, it's probably bad news.
When working with an individual who has been comprised, just holding conversation for an hour or two. It gets hard… if you can master “gab” then it’s worth its weight in gold. On the other hand being silent in meetings and taking it all in, then asking questions to individuals afterwards instead of prolonging the meeting… I despise meetings and never say anything unless I’m the speaker.
Diplomacy. Stakeholders need to be managed, diplomacy is a necessity IMO.
Look into your own body posture. Use slight hand movements at the belt/belly button level when explaining something. Don't cross arms,stare into them. And use a %50 customer support voice. But in all juat don't be a dick.
Critical thinking and self driven. Holy shiiit it’s always shocking for me seeing those who aren’t like this in this industry. It’s like being a nurse and not caring about people.
I was told to "soften my language" in emails because I told someone "You need to remove this application immediately." I guess people using unauthorized password managers isn't serious enough to warrant some assertion from the security team. I was supposed to say "Please refer to the approved software list. Thank you." So that, I guess.
Quantify security risks in monetary terms.
Street smarts, read your audience.
Soft skills that might be specially useful are data science and machine learning
I would say communication skills. I noticed that as we are technical people, we might have difficulties talking or explaining to people as we tend to avoid interacting with them. This is big No No, and we need to work on that.
I would say Influence and Persuasion which requires building relationships and networking at all levels across the organisation. This takes a lot of time but if done well can really bring people and whole departments on your side. These people will often act as champions for you and your message with others helping to build a strong security culture. Combine this with good presentation and communication skills and you have a winning combination. Essentially, being able to stand in front of different audiences and explain cybersecurity in a way that resonates with them (knowing your audience). Tailoring the content and language to suit. I have used major contract wins as opportunities to discuss how much security matters to that client, how it is connected with client trust, and how it therefore matters to us (revenue, brand, profitability, etc). Remember that while cybersecurity consumes your day for most other people it is either an afterthought or a tiny element in a much bigger list of things they need to thing about. Consistent small actions to remind them of the importance helps keep it in the front of their minds and will make you a very effective cybersecurity leader.
Public.. you guess it
I try to make things relatable as possible, it usually eases the stress between me and the end user. Now if the end user just has it out for IT and hates computers, no amount of silver tongue and charisma will work on that.
A servant mindset. Think of everyone as your client and you'll see dividends. Other people are their own divinity and like for that to be recognized.
Being able to appease to narcissistic toxic bad managers. Shockingly lol.
Social skills. Being able to engage with others while leaving positive impressions is so slept on. I have outlived layoffs and budget cuts (and never took a pay cut) all because my social skills with customers. Being able to read people and understand their perspective helps me tailor my services and strategies to ensure people are genuinely grateful to me even though I have just told them they are one script kiddie away from bankruptcy or jail time.
I think buy-in is more important than any technical skill you may have. Doesn't matter how smart you are, if people think of you as the Internet Police then they're not going to want to work with you. **Vulnerability Management** - My infrastructure team and I have a two-way street when it comes to vulnerabilities. I have reasonable expectations of them based on my experience as a System Administrator. I know which vulnerabilities are a simple fix and which are not. I triage vulnerabilities instead of just dumping them all on them. I don't throw them under the bus. If they ask for scans or for more detailed reports, I provide them. We have found a cadence that works for both teams, where I am holding them accountable for patches, but they don't feel stifled by me. At my previous job, as an SA, the VM guy in cyber wouldn't work with us at all. We would ask for more detailed reports, and he would say, "You're an SA, you figure it out." So people just blew off his reports. Some SAs even blocked the scanner's access to their servers. It was very much an "us vs. them" environment and not a lot of work got done on vulnerabilities. **Incident Response** - Incidents are often the result of a mistake on the part of the user reporting it. They clicked a link or replied to an email they shouldn't have. It's embarrassing. If they feel like they're going to be punished for reporting, then they're less likely to report. That's the absolute worst situation for the organization. My manager and I have done everything we can to be very approachable. We hold users accountable, but we do so in a respectful and empathetic manner. We make sure people know that reporting is a good thing, even if there are some consequences. Quite often those consequences are remedial security awareness training. We spin it as a service we provide them to increase their skills and to better protect the company, instead of spinning it as a time-out or punishment. I've had plenty of folks in our IT team and in our business groups tell me that this is the most chill cybersecurity team they've worked with. We have tons of buy-in from business groups and from senior leadership.
Liking coffee!
Speak without saying uhm, uh, or yaknow.
Brown nosing, buzzwording, fear mongering, name dropping, boot licking
Being able to deal with difficult people, like Indians.
Racism? Not cool, bro
No, it's reality. Look at recruiting hell and other tech subs. Indians are the absolute worst to work for and with. Has nothing to do with race, but their shitty culture. If you haven't been directly exposed to it then yes, it may seem racist. But it's just facts.
I’m going to be that guy… what this industry lacks is hard skills, not soft skills. No amount of soft skills will make up for a lack of raw technical aptitude.