people skills

The Future of Cybersecurity: Innovations in Technology Still Not as Critical as People

Cybersecurity is a discipline that’s hard to predict. It’s an ever-changing environment. Cyber threats evolve, the tools to defend against attacks mature, and people must continue to hone and adapt their skills. While no crystal ball can pinpoint the future of cybersecurity, we know there are three key components: people, processes, and technology.

These three elements will shape the industry’s future, but the wild card is people. Cyber professionals have a greater weight than processes and technology. Innovation in technology to combat cybercrime has great momentum, aided by AI. You can do a lot to improve your security posture, but without people who have both soft and technical skills, your organization will be at a greater risk.

Let’s ponder the future of cybersecurity, touching on what the threat landscape will look like and how technology, processes, and people can address them.

The Future Threat Landscape

When looking at the future threat landscape, we can’t move too far ahead. Cybersecurity is too volatile to map out what things will look like in a decade. So, we’ll concentrate on the immediate future. Expect these threats to make an impact.

The Cybercrime Economy Is Booming

Cybercrime is the world’s third-largest economy and will cost the world $8 trillion in 2023 and $10.5 trillion by 2025. This economy is booming right now. Anyone can buy access to networks and ransomware online. Cybercriminals don’t need the technical skills to deploy a sophisticated attack. With this opportunity, there’s a new option for threat actors—cybercrime-as-a-service.

The cybercrime economy is also flourishing due to the Russia-Ukraine conflict, where cyber-attacks have created their own war zone. Any time there’s instability in a region, the proliferation of cybercrime should be expected. In fact, 93% of cyber leaders believe geopolitical instability is moderately or very likely to lead to a major cyber event.

The Remote Worker Continues to Be a Risk

The world of work is different now and unlikely to transition back to what it was before the pandemic. Employers must be flexible to attract and keep talent, which means remote work is here to stay. It extends the endpoints for any organization with hackers eager to find ways to exploit vulnerable or misconfigured systems.

You can no longer assume that all devices across the enterprise have perimeter security. Experts point to the adoption of zero-trust models to mitigate this risk.

Highly Targeted Cyber Attacks Will Become a Bigger Problem

The industry has transformed rapidly over the past few years, and hackers have been able to focus on weaknesses via highly targeted attacks. Since attackers can now outsource the actual hacking, they have more time to be strategic and research organizations to hit.

Their main target is finding those businesses most likely to pay a ransom to regain their data. These criminals look at organizations within regulated industries like healthcare. They know that those in healthcare face steep fines and reputational harm from data breaches and believe they’ll remit the ransom.

Technology Advancements to Defend Against Cyberattacks

As the threats above continue to surge, what new technology will be available to combat them? Much of it will involve AI (artificial intelligence) and ML (machine learning). However, it’s a bit of a double-edged sword.

AI and ML Technology: A Boost for Cyber Professionals and Hackers

The industry has optimism and worries regarding AI and ML. It’s become a great innovation to detect issues across a network with automation. It can take over many repetitive, rules-based tasks, freeing cyber professionals to be more strategic. There are several positive impacts associated with AI and ML, including:

  • Detection of fraud and anomalies: AI and ML are excellent tools for detecting and recognizing patterns. They take the pressure off humans having to monitor every system.
  • Email spam filtering: Phishing remains a key tactic for hackers. Cybercriminals are becoming much more sophisticated with these attacks. Genuine-looking emails can still trick even employees with high knowledge of phishing. Using AI to filter email spam can prevent these messages from getting to anyone’s inbox.
  • Identifying botnets: ML algorithms can find and prevent bot attacks. They also can detect behavior patterns, which would be very labor-intensive and time-consuming for humans to do alone.
  • Data leak prevention: No organization wants to expose its data, and AI can classify specific data types in text and non-text formats. The algorithms can learn to distinguish sensitive information by searching for data in videos, images, and voice recordings.

AI and ML also have benefits for cybercriminals who use them to:

  • Gather data for victim profiling and social engineering.
  • Deploy ransomware with success.
  • Create sophisticated phishing scams.
  • Generate deepfakes with voice phishing.
  • Hide malware by mimicking legitimate network traffic.
  • Break passwords and CAPTCHAs.

Next, we’ll look at how specific processes can adapt to cybersecurity’s future.

Processes and Workflows Must Evolve

The next piece of the cybersecurity future puzzle is the process. Process in this manner means any tactic or workflow that’s part of cybersecurity operations. Technology is redefining these, with AI and ML able to automate many labor-intensive things. There’s more to reinvent, as well, including:

  • Risk assessments: Your threat landscape is growing and changing rapidly, so you need more flexible workflows to reassess risk consistently.
  • Penetration testing: Any organization needs to leverage penetration testing by qualified third parties. White hat hackers use tools to automate some of this, but humans still need to be part of this, so it’s not advisable to just let the bots do it.
  • Organizational design review: Your organization’s structure affects risk management. The most important thing is to have cyber professionals within the C-suite. Security experts need to have the ear of leadership to convey the risk landscape and receive the right support.
  • Supply chain security refresh: Supply chain risk continues to be a security risk, but you can’t operate in a vacuum. Instead, you must prioritize third-party risk management, conduct ongoing assessments, and secure privileged access management.
  • Implementing DevSecOps: By adopting this principle, you can progress the strategy of being secure by design. DevSecOps enables security and agility.

As an umbrella over all these recommendations, your overarching cybersecurity strategy needs a regular update to consider what the present and future hold.

Now, let’s move to the third and most important pillar—people.

The Future of Cybersecurity: It’s Still People-Centered

Innovation in cybersecurity depends on technology and processes. However, your people play a significant role in creating a culture of innovation. That innovation may be elusive to you for several reasons, the most glaring being the cybersecurity talent shortage. It’s hard to innovate when you have to do more with less. Additionally, your people may be unwilling or unable to progress in their perspectives or mindsets.

To future-proof your cyber staff, you’ll need to help them become great communicators, collaborators, and critical thinkers. There’s a framework to do this called the Secure Methodology™, which has seven steps to support the new era of cybersecurity.

The Secure Methodology Transforms Technical People to Drive Innovation

Here’s a quick preview of each step and how it contributes to preparing your cyber workforce for the future.

  • Awareness: Technical folks often struggle with being aware of themselves and others, which causes conflict and barriers to progress. Awakening awareness helps people widen their perspectives and be better collaborators.
  • Mindset: Shifting people from a fixed to a growth mindset makes them able to consider the future and how to address emerging threats. Developing a mindset has a lot to do with understanding motivation and breaking down walls.
  • Acknowledgment: As a cyber leader, you have a lot of control over this. Starting with an appreciation for staff goes a long way in building trust and respect. Positive reinforcement can affect how workers see themselves in the enterprise. They’ll feel like they are part of something and will be more adaptable to what’s coming. Accountability is important here, too, but keep the correction to private conversations.
  • Communication: If technical people have poor communication skills, innovation and future-proofing will remain out of reach. They must learn to speak inclusively (no geek speak!) and listen effectively. How you communicate with your team and others sets the standard. Discussing the importance of honest and transparent communication should be something you reinforce daily.
  • Monotasking: In monotasking, people concentrate on a specific task. It’s the opposite of multitasking, which increases the likelihood of mistakes and errors. It fits into the future conversation because technology and automation can remove a lot of the manual strain so that cyber professionals can focus on higher-level work without distractions.
  • Empathy: Cognitive empathy describes the ability to understand someone else’s feelings and perspectives. It’s an attribute that supports awareness, mindset, and communication. Creating a culture of empathy in your cybersecurity team means they can grow and evolve as dynamics change.
  • Kaizen: This is a Japanese term that means “continuous improvement,” and any organization needs this as a pillar to be ready for cybersecurity’s future.

The Secure Methodology steps drive change so your people can weather the future. They are your most valuable assets and the centerpiece for innovation.

Check out the Secure Methodology course today.

Cybercriminals Are Always Evolving Their Techniques; Your Cyber Team Should Too

Cybercriminals are persistent and determined. These are great qualities to have in a technical field, but for your organization, it means risk and threats are never static. They are always changing, evolving their techniques to exploit weaknesses and vulnerabilities. As a result, your cyber team must as well. You can’t use the same methods against new challenges.

While some of this upskilling is technical, much of it involves soft skills and developing the attributes that enable flexibility, proactiveness, and perseverance. In this post, we’ll review trends related to cybercriminals and their approaches and discuss ways to arm your technical folks with the right skills to win the cyber war.

Cybercriminal Trends

Cybercriminals diversify their attacks and find new avenues to pursue all the time. The trends in cybersecurity relating to their approaches offer some insights for cybersecurity professionals.

Vulnerable Entry Points Are Attractive Targets

The proliferation of IoT (Internet of Things) devices has been a monumental implementation for many industries. They collect data for various applications that deliver intelligence to organizations, including health care, manufacturing, and retail.

For all the benefits they bring, they are also the most vulnerable endpoints. Cybercriminals are becoming IoT experts and have infiltrated these devices and been able to transfer between them. It’s familiar ground for hackers to find out how to endanger security through something that helps businesses operate based on data-driven decisions.

The QR Code Comeback

Cybercriminals look for ways to use technology trends to plan attacks. QR codes have been around for some time and had a resurgence during the pandemic, including scanning them for menus. Advertisers use them in CTV (connected TV) and broadcast TV ads, prompting users to scan them while watching. A Super Bowl commercial in 2022 for Coinbase featured a QR code (and not much else). It was so popular that the site crashed.

Hackers follow consumer preferences and create malicious QR codes that direct people to fake sites.

Ransomware Keeps Adapting

Cybercriminals invested lots of time and energy into ransomware attacks in 2022. According to data, ransomware increased by 13% in 2022. Cybersecurity has great concerns over ransomware, as many organizations experience it regularly, some with dire consequences, such as disrupting healthcare delivery.

The attraction to this method is the money. Many businesses have paid the ransom to retrieve access to data. Even those with backups and mature cybersecurity defenses can be a victim. The adaptation of ransomware occurs as hackers attempt to breach networks.

Hackers Expose Multifactor Authentication Shortcomings

Multifactor authentication (MFA) has been a tenet of cybersecurity and access control. The premise is to require more than a password, but hackers have found ways around this. One example is an attack created by Lapsus$ and Yanluowang threat actors. It bypasses the MFA framework through spamming original account holders, referred to as MFA bombing, MFA spamming, or MFA fatigue. It’s worked successfully in incidents involving Microsoft and T-Mobile.

Phishing and Social Engineering Are So Sophisticated

The earliest days of phishing were almost comical in delivery. The misspellings and awkward phrases were easy to spot. That was long ago, and hackers are more advanced and sophisticated in social engineering efforts.

It hinges on manipulation and the receiver believing the hacker is truly someone else. More of this is happening at the business level, with employees receiving communications from leadership asking for help. This email spoofing to impersonate others has become very effective. Hackers also use multiple channels, including email, SMS, SIM jacking, and piggybacking.

There has also been an increase in the use of Google properties for phishing. Millions of people use Google Drive and Google Ads for business. Hackers are attempting to “share” documents, “tagging” in the comments of documents, or inviting you to access a Google Ad account. For many, it would seem a logical email to receive and click, and that’s what hackers are counting on them doing.

Cybercriminals Focus More on Smaller Fish

Most of the headlines about cyberattacks involve well-known companies. It’s more newsworthy since these can cause outages and downtime and impact millions. However, most hackers don’t put a target on these whales. Smaller fish are easier to penetrate, and many have valuable data. Small- and medium-sized businesses (SMBs) often have less robust cybersecurity protocols and may be dealing with being understaffed as well.

It’s an ideal scenario for hackers eager to infiltrate a network and take control. The result can be a data breach with the aim of selling these assets on the dark web or ransomware. SMBs are highly aware that they are a target but lack the resources to combat them in many cases.

Cybercrime as a Service Lowers the Barrier to Entry

A new phenomenon, cybercrime as a service, is another troubling hacking trend. Hackers are for hire, so bad actors no longer need technical aptitude. Rather, they can find a cybercriminal on the dark web to do their bidding. These groups operate like legit businesses in many ways, with developers and engineers.

Seeing the commoditization of cybercrime is a concern for tech teams. It’s increasing the number of attacks, and their sophistication is improving daily.

As you can see, hackers never rest on their laurels. They evolve their methods consistently to reach their goals. It’s the same approach the good guys should also take. Here’s how to keep pace with cybercriminals.

Keeping Pace with Cybercriminals; Cyber Professionals Must Adapt Too

Developing your team’s capabilities and expanding them should be a priority for you as a leader. Such a strategy involves both technical and people skills. Focusing on continuous improvement is a requirement to outperform today’s hackers. Here are some critical steps you can take.

Being Proactive versus Reactive

A lot of cybersecurity is reactive. It’s how you’ll respond to a threat or attack. All of that is necessary. You have to have a cyber resilience and contingency plan in place. It can often overshadow being proactive, which is something organizations find difficult.

The barrier to being proactive is not so much technical failures. Much of the time, it’s the people and the way they communicate, collaborate, and operate. Cyber professionals tend to think in black and white and crave certainty. There’s much fear around what they perceive as new territory, so they stay set in their ways. As a result, you incur more risk because there’s limited exchange of information or ideas.

To be more proactive, you’ve got to break down those silos and create an environment where communication and collaboration are a priority. You must be an example and find ways to hone these people skills through exercises and other activities. If everyone’s not on the same page, you’ll be stuck in reactive mode, which gives hackers an edge.

Creating a Cybersecurity Culture

Cybersecurity culture, in this respect, alludes to the principles and values of your technical team. Building a team that can swiftly adapt requires healthy people skills, including communication, awareness of self and others, trust, a growth mindset, and empathy. It may seem daunting to pursue this, but it’s critical in the cyber war.

When these things are absent, your company increases risk. The environment may be toxic, with bullying, posturing, and disengagement. Any hacker would love to attack such an organization, so it’s critical not to be one of these!

Constructing and maintaining this culture requires several key elements:

  • Employees need to know that their contributions matter and how they align with the company’s goals and wins.
  • Encouraging the growth of each individual and acknowledging their improvements.
  • Continuous development of strong communication skills, including what people say, how they say it, and how they listen.
  • Removing self-centered thinking patterns and embracing cognitive empathy.

Emphasizing Innovation

Cyber professionals understand innovation, often more from a technical lens. That’s crucial, but a culture of innovation is where new ideas thrive. If you open up your team to operate this way, many great things can happen regarding security. One way to make it front and center is to define what innovation means to your team and discuss ways to sustain it over time.

There is often a misconception about security being the downfall of innovation. That’s not true, and the two can work in tandem, such as in the framework of DevSecOps. There should be a constant link between security and innovation. It’s a continuous cycle of improvement that enables better results, which are easy to understand for technical folks.

Cybercriminals vs. Cyber Professionals: Winning the War

On the battlefield, cybercriminals and cyber professionals are at war. Cybercriminals have had many advantages, many of which are due to their constant evolution and adaptability. Keeping up with hackers involves cyber professionals doing the same thing.

With these tips, your team can forge ahead. You can find more advice and resources for this in my book, The Smartest Person in the Room, which features the Secure Methodology™, a seven-step guide to transforming technical people into better communicators and collaborators. Get your copy today.

Improving Cybersecurity Communication Skills: Why It’s More Than Just Being Articulate

Communication is a skill vital to every role in an organization. Without it, we make assumptions, and breakdowns occur in processes and workflows. It’s often the leading reason for dysfunction in a group. It has equal importance in cybersecurity. However, cybersecurity communication skills are often poor or nonexistent.

When communication fails, your cybersecurity provisions and safety nets can, too. It raises risk and creates distrust in the group. It’s also the most vital soft skill that organizations seek in hiring, according to a recent industry survey.

So, there’s no argument from the field that cybersecurity communication skills are critical. The problem is that most companies aren’t doing anything to develop it in their people. If they are, the training may be obsolete or ineffective, such as online learning classes. Can you really hone your communication skills by watching a video? The answer is likely no. It requires interactive exercises and a strategic approach.

Further, companies often put communication skills in a box that doesn’t apply to all facets. For example, being a great communicator isn’t simply about being articulate. Many technical people are. Yet, communication failures still occur. Communication is a multi-faceted skill that includes being aware of others and their perspectives, understanding nonverbal cues, being active listeners, and communicating to be inclusive (versus lots of jargon and tech-speak).

Communication is step four of the Secure Methodology, which is a seven-step guide I documented in my book, The Smartest Person in the Room. Its purpose is to help cybersecurity leaders transform their people with soft skills to work together more effectively to combat cyberattacks.

In this post, I’ll break down each element of communication and offer tips to develop those in your people.

Cybersecurity Communication Skills: The Four Facets

There are four components of becoming a great communicator as a technical professional. Consider all these when crafting a program that lifts soft skills.

Inclusive Language

Technical people have a reputation for talking in jargon that only “insiders” understand. They do this for several reasons. First, it makes them feel more confident and that they have control of the conversation. They feel comfortable with the geek speak as a nod to their superiority over all things cyber-related.

Using this language also means that others are less likely to call them out, which they secretly fear. If other people understood what they were saying about risks, threats, and solutions, they might receive more questions and requests for explanations. They would see this as losing “control” of the interaction.

Ultimately, this type of communication helps no one. Your technical people don’t get better at defining threats and solutions, so you don’t improve in that area. Also, they won’t be able to convey critical information to leadership, which could impact funding and resources. As a result, the entire organization suffers from greater risk exposure. These patterns are the hardest to break but pivotal because shared language leads to success.

Understanding Nonverbal Cues

A big part of communication is the things we don’t say. Body language presents context around what people say. Often, words don’t match these cues. According to Mehrabian’s 7-38-55 theory, most comprehension is via body language (55%). So, what does that mean exactly?

Focusing only on the spoken words can be an opportunity to miss the message. Ignoring body language as a part of communication causes communication breakdowns. When interacting with others, we need to pay attention to body language because it conveys more than words.

Body language can change suddenly in a conversation, and catching those clues is critical. When a technical person speaks to someone who isn’t, they often use a lot of jargon and acronyms. As the other party takes in this information, they may say little. The body language, however, may say more. They may become guarded or disinterested. This matters because your cyber professionals are talking to their clients (whether internal or external). If they shut down because they don’t understand what the person is saying, it’s not good for anyone. It causes silos between groups, and no one knows the biggest priorities.

There can often be inconsistencies between spoken words and body language. Facial expressions that seem opposite to what words are said or failure to make eye contact indicate the person isn’t comprehending the message. That’s not a good place to be with cybersecurity. This can happen between co-workers and with cybersecurity professionals and leadership.

Tone of Voice

Another aspect of Mehrabian’s 7-38-55 theory is tone, which is 38% of the communication bubble. Tone is the way you speak, which adds context to the words. There is a variety of different tones that people use. Here are some examples:

  • Assertive: This tone represents a declarative approach where the person speaking is not amenable to moving their position. It’s often considered rude and curt and is usually counterproductive.
  • Respectful: The person speaking is careful with their words and does not let frustration or bias impact what they say. It can motivate others in the conversation to feel they are free to voice opinions or concerns.
  • Accommodating: This tone promotes collaboration and cooperation. It’s like respectful but even more non-threatening.
  • Dismissive tone: This tone of voice is harmful in that the person speaking is flippant about the situation and anyone else’s position on it. In this category, technical folks are posturing, often speaking quickly, believing no one else could understand.

We can all relate to sentences having different meanings depending on the tone. For example, the simple response of “I don’t know” could have many connotations. An assertive tone could communicate anger. If said dismissively, it could come off as sarcastic. On the other hand, if said with a respectful or accommodating tone, it could be a starting point to go deeper and find the answer together.

Tone interpretation can lead to assumptions, resentment, and disillusionment when negative. If positive, it can change how people respond and interact. It clarifies and conveys meaning.

Active Listening

The last component of cybersecurity communication skills is the ability to be a good listener. In many cases, people listen to prepare their response, either as agreement or dissension. That’s the first obstacle to overcome. Active listening is making a conscious effort to hear the words spoken and the tone to receive the message.

Becoming an active listener takes practice, and several techniques are valuable:

  • Pay attention to the speaker by giving them eye contact and removing distractions from the environment.
  • Illustrate you’re listening with body language gestures, such as nodding, smiling, having an open posture, and encouraging the speaker to continue with comments like “uh huh.”
  • Reflect on what’s being said by paraphrasing back to the speaker (“I’m hearing you say…”), asking questions for clarity, and summarizing what you hear.
  • Allow the speaker to finish their points before you interrupt, as that only frustrates the person and creates a negative experience.
  • Be honest and open with responses, opinions, and other information in a respectful manner, even if you have differing perspectives.

Remember that your people will only improve if they take the need to change seriously and practice it consistently. Every conversation they have should include active listening!

Cybersecurity Communication Skills: More Tips and Tricks

Within each realm of communication, you now have a view of what impacts communication. Each aspect requires practice and work. Making this part of your organization’s foundation is crucial for your team to be cohesive. Here are some more tips to consider:

Encourage Transparency in Communication

Do you think your people are afraid to say things? Some avoid transparency to keep the upper hand, but others may be apprehensive because they’re concerned about questioning things. You want people to question stuff and look outside typical approaches. Thus, you’ll need to create a space to “question.” Show your employees that you appreciate and expect honesty. It can improve communication and trust levels.

Lead by Example

How are your communication skills? Do you need to practice what you preach? You have to be the ultimate example to your staff. As they see you leading as a strong communicator, they’ll realize that you are taking this seriously, and it can immediately begin to improve rapport in the group.

Ask Them to Consider Perspective

When technical people communicate with others outside the field, they should keep in mind their perspective. They should think about what this person’s role is in cybersecurity. Is it to support the team? Provide funding? Manage risk? Have visibility into the threat landscape? From perspective, your employees can better manage tone in conversations. What they say will mean different things to different people, and making these adjustments drives better communication.

Communication Is the Most Vital Skill to Develop

Throughout my book, I harp on communication. The emphasis on it is deliberate because it’s where most things go off the rails. In the book, you’ll find exercises, tips, and techniques to develop your staff into effective communicators. Read it today to get started.

5 People Skills Every Successful Cybersecurity Professional Possesses

If cybersecurity were just a collection of robots, maybe the need for people skills wouldn’t exist. However, we’re not at that juncture yet. There’s always going to be a need for human intervention in the cybersecurity war.

People skills are hard, not just for technical folks. It’s more than just being personable or sociable. Much of it deals with communication, and as a collective human race, we all have work to do.

The concept of people skills as necessary for cybersecurity roles is something relatively new. In many cases, hiring staff was probably 99% based on their technical aptitude and experience. There was no test on people skills, and leaders often thought they’d be fine. Unfortunately, that’s not true, and I’ll go as far as to say that technical acumen is something to seek but is less important than those relating to communication, collaboration, and adaptability.

This argument is the basis for my book, The Smartest Person in the Room. I’ll sum up how technical skills cannot trump people skills with this example:

Would you keep or let go of your most proficient technical employee if they didn’t align with your culture? And by culture, I mean they were combative, condescending, and had no emotional intelligence.

I would, without a doubt, let that person walk. Why? Because you can upskill, train, and coach a person to become more technically able. Cybersecurity is an industry that’s constantly changing and requires agility. Are you going to let an inflexible, stubborn person run the show? Trust me, I’ve known many of these people over the years, and it’s not worth it. They corrode culture and never learn because they believe they are the smartest person in every room.

So that brings us back to people skills and their importance in cybersecurity teams. Next, we’ll examine why cyber professionals struggle with them, the most critical skills for success, and how to fix the problem.

Technical People Often Struggle with People Skills

My analysis of the industry is from my own experience. I’m not lumping every technical person into one category. Many people working in cybersecurity have these skills, but it would be a disservice to pretend this isn’t a major problem. So, why do technical people struggle with people skills?

Black and White Thinking

When we’re young, black-and-white thinking makes sense. We don’t have the experiences or brain power to see the shades of gray. When people are drawn to technical disciplines, they often hold onto some of this perspective.

In coding and math, there is one right answer. However, those things don’t encompass all of cybersecurity. There are actual people behind these attacks, and people are always gray. With this type of subject, communication is critical. You have to ask questions and talk about stuff outside the ones and zeroes.

Insecurity Is a Key Indicator of People Skills Deficiency

Those smartest-person-in-the-room types need to be right all the time. They don’t want to hear any alternatives or learn from discussions. They have a massive fear of someone questioning their logic, so they avoid it.

Insecurity means that two-way dialogue is impossible. It’s a dead end, and they’ll resist it through any means necessary.

Honest, Transparent Communication Scares Them

In cybersecurity, clear and open communication is critical to keeping data and systems safe. It doesn’t mean that technical people can’t have conversations and discuss projects cordially. The problem is that they don’t listen or articulate their points very well.

When communication is only surface-level, and no one’s challenging anyone to think more creatively or consider new approaches and information, it’s not effective. It will put your organization at risk in so many ways.

Now that you understand how grave these issues are, you’ll want to seek out staff with the soft skills that will make them successful. Or at least find people with the potential to develop these and have an open mind.

People Skills Cybersecurity Professionals Need

Cyber teams need to be just that. Everyone has to work together, which requires leaning into soft skills rather than hard ones. The following are the most critical ones.


We could all agree that there’s an absence of empathy these days. While empathy is great in the real world, it’s also a core component of successful companies. There’s been considerable research on the value of empathy. Data suggests that those with empathetic managers have higher levels of creativity and engagement. It can also be critical for preventing burnout and turnover.

There are some misunderstandings about empathy. It’s not the same as sympathy. Rather, it’s connecting with another individual and understanding their perspective as your own. Being empathetic also means sharing your feelings with others and letting them do the same.

Empathy is a big part of my book, and I write that a culture without it will fail. The people skills to hone around empathy include cognitive and affective empathy. Cognitive is logical empathy in that you can understand a person’s mental state. It’s not a feeling; it’s a skill to develop.

Affective empathy is the sharing part where someone can actually feel the emotions of another. In the cyber world, cognitive empathy is the goal. Deeply emotional influence won’t be an asset as you work toward solving technical challenges.


We’ve talked about communication a lot, and in these terms, it’s a specific skill set. Communicating includes how you speak to others as well as how you listen. How you communicate with others consists of your words, tone, and body language. Someone can say something that makes sense and moves the conversation, but people may dismiss it because of an arrogant tone.

The best communicators think about all these things before they express their thoughts. They want to deliver an impactful message but also invite discussion. They are deliberate with their words and work hard to speak with people, not at them.

The second part of communication is listening. Those with poor communication skills only listen to respond. They are looking for things to either validate their “rightness” or be ready to counter something they disagree with, and that’s not listening.

Those that are successful communicators are active listeners. They comprehend what others are saying and give them their attention. The responses are then more thoughtful and helpful.

So, why does communication matter in cybersecurity? Miscommunication or assumptions are a leading cause of cybersecurity failures. You’re also never going to evolve your cybersecurity operations to the next level if your technical folks stay in their own silo and don’t have meaningful conversations that go beyond technical elements.


Of course, adaptability is a sought-after people skill. Cybersecurity is a dynamic field with new threats emerging every day. Yet, most cyber professionals aren’t flexible. They cling to certainty and will not bend, and that leads to broken states.

I opened this article asking if you’d keep or let someone go who is technically adept but inept at people skills. It’s got to be in their DNA to hack it in cybersecurity. They must adapt to the industry’s dynamics and be open to change within themselves and the team.


A curious nature is critical in technical fields because there’s always a need to uncover things — bugs, breaches, incidents, etc. Having an investigative mindset is good for cybersecurity. These people want to know why. As a result, they are often more natural communicators and collaborators.

They see puzzles to solve and get excited about what they’ll learn and experience. They are eager to innovate, adapt, and try new things. Those are all positives for cybersecurity teams. Curiosity can be a bit contagious, too. Once others see that asking why leads to new information, they may be more apt to ask more questions.


Many think that being vulnerable means being weak. It’s the opposite. Vulnerability as a people skill means that you are honest and willing to share your ideas and opinions, no matter what response they may elicit.

Vulnerability has everything to do with trust. It’s a hard skill to develop for any person. It also requires that the space in which the sharing occurs is a safe one. That’s something you must build for your team. If you do, and there’s trust there, then vulnerability can lead to some great outcomes. No one is scared to be wrong, and that kind of approach is helpful in solving cybersecurity challenges.

Fixing the People Skills Challenges with the Secure Methodology

You can enhance and build soft skills in those willing to do the work. Not everyone will believe they need these or want to change. So, first, you have to take the temperature on how people feel about these skill sets (and their lack of them). Open minds (and hearts) can grow. My book has many exercises, tips, and strategies to develop these in your teams through the Secure Methodology. Get a copy to find out how to use the framework to upskill your people.


Why Communication Aptitude Is the Number One Soft Skill Cybersecurity Professionals Must Possess

Having effective communication skills is an asset in any career, even cybersecurity. It’s a soft skill that nicely complements technical ones. Having communication aptitude is a must for cybersecurity professionals. Without this cybersecurity soft skill, a lot can go wrong.

Poor communication and interpersonal skills are often the roots of cybersecurity incidents. That’s a theme in my book, The Smartest Person in the Room. Unfortunately, some organizations may not see the value in developing communication because they believe cybersecurity is black and white. It’s not. It’s many shades of gray filled with assumptions and a lack of understanding. These things breed when communication isn’t consistent and clear.

The question becomes how to improve communication and make it a priority. In this post, I’ll explain why technical people struggle with people skills, why they need them, and how to develop them in your team.

Why Cybersecurity Professionals Struggle with Communication

My perspective on the struggle comes from years of being a cybersecurity leader as well as research. The points I make in no way are a denunciation of the field. I’m just here to help organizations improve with employees with well-rounded skillsets.

Here are the key reasons cybersecurity teams have a hard time being excellent communicators.

They Are Afraid to Look Vulnerable or Incompetent

One thing that’s necessary for healthy communication is asking questions. Cybersecurity professionals rarely do this for fear they’ll look like they don’t know everything. They’ll make assumptions and fall back to standard ways of resolving issues. That’s not effective in a dynamic and ever-changing landscape with new threats always on the horizon. Fear keeps these people from discovering what they don’t know, which increases risk.

Technical Folks Never Want to Be Wrong

Instead of facing the fact that everybody is wrong at some point, cybersecurity professionals cling to certainty. Except certainty is impossible in the field. This, combined with never wanting to be wrong, prevents healthy communication.

Misconceptions That Technical People Don’t Need to Be Great Communicators

There’s a deep fallacy that exists in technical jobs. The prevailing misconception is that technical people don’t need to be great communicators. They’ll let their technical skills do the talking. But they really need to engage in conversation to improve their technical aptitude and do their job effectively.

Lack of communication sinks cybersecurity. It doesn’t just apply to the technical person’s inability to have productive conversations. They also don’t actively listen when others share their insights, opinions, or other information. They only listen to respond in a defensive posture, so they don’t hear what the other person is conveying. They are only planning their rebuttal.

We’ve touched on the need for cybersecurity communication skills. Next, we’ll dive further into why they are so critical.

Why Do Cybersecurity Professionals Need to Be Effective Communicators?

At a foundational level, cybersecurity professionals need to be effective in their communications because they are part of the problem without it. Data breaches, ransomware attacks, and other cybersecurity failures are often directly tied to poor communication. It’s not that you didn’t have the best technology or strategy. It’s that your people didn’t talk to each other or anyone else!

Here are the other reasons why technical roles need these soft skills:

  • It improves transparency in operations, which typically leads to a greater understanding of the threat landscape and greater trust among teams.
  • Healthy, consistent communication supports problem-solving. That’s a big part of a technical person’s job, and teams can’t excel at this without proper discussions.
  • Good communication builds trust and respect among teams, and that’s essential for their ability to solve cybersecurity problems.
  • Soft skills allow people to be more adaptable to change, and cybersecurity is full of that. New people and threats come into the ecosystem routinely. Without flexible communication skills, adaptability remains low.

Current Communication Styles Are Often Off-Putting

Some of your cybersecurity employees may be talkers. Again, that doesn’t make them great communicators. The style they use is often off-putting and aggressive. They like to use a lot of jargon, which doesn’t mean anything to people outside their technical bubble.

They approach communication in this way because it makes them seem superior. It also covers up their lack of comprehension. The strategy is to make communication so technical and abstract that non-technical people will simply defer to them and end the conversation.

This type of speak can also impact how technical people work together. Because cybersecurity is so broad, there are many roles, and they all have their own “language.” As a result, communication failures happen here, too.

When they learn these soft skills, it can change the dynamic completely. However, communication isn’t just about what you say. It also includes body language and nonverbal cues. Those are just as critical as words.

The 7-38-55 Theory of Communications

Mehrabian’s 7-38-55 Theory of Communication highlights that it’s more than just words. The principle states that communication is 7% word choice, 38% tone of voice, and 55% body language.

This is an important concept to share when helping people evolve their communication styles and how they interact in conversations. It can also make them more aware of their tone and body language, which may be causing a barrier. Awareness is the place to start when you begin to navigate communication skills.

Such a theory also taps into technical minds. Communication isn’t just some soft skill. They can recognize its power in influencing how they work and why it could mitigate risk.

Once you have more awareness, you can begin implementing plans to improve communication. The process will take time and commitment. What you get in return is well worth the work.

How to Improve Cybersecurity Soft Skills

We’ve looked at the why and how of communication failure. Now it’s time to talk about how to fix the problem. That’s not an easy road because you’re up against a resistance to change. That resistance often consists of your people being unaware of the communication issues.

Thus, they have to become aware before they can work toward adapting behavior.

Encourage Self-Awareness

Technical people have to get out of their own way, so to speak. They need to be self-aware of how they communicate and why it’s an issue. This requires introspection and a new perspective.

In The Secure Methodology, the framework from my book, Awareness is the first step. In that chapter, I offer multiple ways to help your people through this transition.

Demonstrate the Importance of Communication

If you want your team to be better communicators, you need to make it a priority and lead by example. If you can point to specific communication breakdowns and their consequences, it’s no longer this intangible thing. Now it’s in front of them, and that’s impactful to those who are more logic-based in their thinking.

Champion Active Listening

Technical people who master active listening perform much better than those that don’t. In every conversation we have, we may hear the words but not really absorb and comprehend them. It goes back to the earlier notion of people just listening to prepare their response.

Providing guidance and exercises on how to listen actively can make a difference. As with any change, your team has to be willing and able to adapt.

Make Perspective Key to Communicating

Perspective is another challenge in communication. Often people have no way to see anything other than from their own eyes. That impacts how people collaborate and solve problems.

If you can guide people to open up their perspectives, better communication is more likely. In my book, I spend a bit of time talking about perspective and the best ways to approach it.

Tap into Their Motivation

Everyone has different things that motivate them to change (or not). If you can understand their motivation and make it part of their awareness, communication will improve. It can also help people think with their hearts and minds. Motivation doesn’t have to be altruistic for this to work.

Coach People to Be Flexible

Being flexible and adaptable is critical to becoming a successful communicator. Technical folks are usually neither of these. However, that doesn’t mean they can’t be, and it will serve them well in a dynamic landscape like cybersecurity. You can coach your people to be more agile with the right strategy. You’ll find tips and exercises to do this in my book.

Through exercises and the development of soft skills, your team can embrace flexibility. When they do, it can be a turning point in their success and performance.

Help Your Team Master Cybersecurity Soft Skills

Setting your cybersecurity team up for success depends a lot on their communication soft skills. If they hone and develop these, they’ll be better at their job and more engaged. It’s also a skill that can have a profound impact beyond their career.

There will be challenges in evolving people. The exercises, tips, and strategies presented in my book, The Smartest Person in the Room, can help. Get your copy today to start the journey.
