soft skills

Cybersecurity Skills-Based Hiring: Why Tech Leaders Need to Shift Their Idea of ‘Qualified’

cybersecurity skillsIt’s no secret that the cybersecurity field has a talent shortage. Experts project that over 3.4 million jobs in the industry remain unfilled. The reasons behind this are numerous—burnout is churning people out, younger generations aren’t entering cybersecurity, and qualified candidates aren’t plentiful. The last one is worthy of discussion. As the industry evolves, so should the idea of “qualified.” To do this, organizations need to shift to cybersecurity skills-based hiring.

The Current Consensus on ‘Qualified’

So, what does being qualified mean to those hiring cyber professionals? In the State of Cybersecurity 2022 Report from ISACA, 55% of cyber leaders said applicants aren’t well qualified. They find people lacking in key areas, including prior hands-on experience, credentials, hands-on training, employer recommendations, degrees, and association memberships.

So, the question is—do these things demonstrate that someone will excel and thrive in cybersecurity? If you look further at the data from the study, the importance of what hiring managers seek doesn’t necessarily align with the skills they believe are most valuable. The most sought-after skills include hard and soft ones:

  • Soft skills of communication, flexibility, and leadership
  • Cloud computing
  • Security controls regarding endpoints, networks, applications, and implementations
  • Coding skills
  • Software development-related topics, such as languages, machine code, testing, and deployment
  • Data-related topics
  • Network-related topics
  • Pattern analysis
  • System hardening
  • Computing devices, including hardware, software, and file systems

Soft skills were at the top of the skills gap list. Technical aptitude is also vital, but just because someone has a degree or credential doesn’t mean they know how to apply them. Narrow-mindedness on this can actually lead to hiring “paper tigers,” who look great on paper but don’t have the aptitudes or abilities to be successful.

In an environment where hiring is competitive and challenging, it’s time to readjust your definition of qualified with skills-based hiring in cybersecurity.

What Is Skills-Based Hiring?

Skills-based hiring is an approach to recruitment that focuses on someone having specific competencies and aptitudes. It’s a new method that shifts the emphasis from traditional screening using education, credentials, and previous experience.

It seeks to look at someone holistically, considering their abilities, attitudes, and adaptability. Hiring based on skills makes a lot of sense for cybersecurity. A good example of this would be that an individual has proficiency in programming languages but doesn’t have a degree in computer science. Another example would be that a person has immense knowledge of cloud computing but not a certification.

Skills-based hiring also looks at potential candidates beyond their technical prowess. Since it looks at someone’s complete profile, you can also evaluate their soft skills, which are desperately needed!

Experts Are Adamant About Skills-Based Hiring in Cybersecurity

The push to hire based on skills is something that experts are recommending and urging. At a recent House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing, many were there to discuss the workforce shortages. Their advice—stop requiring college degrees. The group said that to strengthen the cyber pipeline, the Federal government needs to take the lead in skills-based cybersecurity hiring.

Companies that are sounding the alarm on cybersecurity deficits can take on this new way of hiring. They could even fund skill development when they see someone with potential. Those people could come from many different places—military veterans, people seeking to change careers, new high school graduates, and even internal folks interested in the field. If there’s passion, curiosity, and appeal, you can nurture that to develop the person.

Why Is Skills-Based Hiring the Future of Cybersecurity?

The future of cybersecurity looks a little stark for the good guys. If you don’t have enough skilled employees, you’re automatically more at risk. While you can close some gaps with automation, human-in-the-loop will always be a strong component of all cyber operations. If the field makes this needed progression toward skills-based hiring, the future looks more manageable and optimistic.

Skills-based hiring finds those you may overlook or discount. It also has much to do with cultural fit and someone’s ability to be agile and flexible. A college degree, experience, or credentials don’t necessarily demonstrate any of these things. Further, if you hire based on skills—hard and soft—you are more likely to retain that person long-term.

By using cybersecurity skills-based hiring, you can:

  • Discover people with talent and a growth mindset: When you focus on what someone can do and their range of attributes, you’re likely to find great candidates. They don’t fit the familiar mold, but that can be a good thing. If they have technical knowledge and possess a growth mindset, they could become superstars with some skill development and coaching.
  • Attract younger generations: Currently, only 12% of the cyber workforce is 34 or younger. It’s not sustainable, so the urgency to get Gen Z to give cybersecurity a chance is huge. This generation and those even younger have different expectations about work and may avoid cybersecurity because they believe it to be rigid, stale, stuffy, and unchanged. Skills-based hiring allows you to change this false narrative by emphasizing the importance of soft and hard skills. If you’re creating a culture around skills, it should also be one of transparent communication, collaboration, and continuous improvement. Gen Z will find this much more attractive.
  • Create equity in hiring practices: If you’re following the skills when you recruit, you’ll be able to streamline the process and ensure that candidates get the same treatment regardless of their resumes. It makes it more equitable as well. The cyber field has not always been accessible or friendly to all demographics. For example, women represent a small number of cyber professionals. If you reimagine how you hire based on specific skills, you may see more female candidates.
  • Develop people over time: Skills-based hiring is also an investment in your people. You make them part of your team with expectations and requirements. This could include technical courses, hands-on training, and soft skill development. With this approach, you are making it clear that you want the person to be accessible, and you will give them the resources they need to do so. Such a strategy improves employee satisfaction and retention.

With all this to gain, the next step is implementing skills-based hiring.

How Do You Shift to Skills-Based Hiring in Cybersecurity?

If you want to go in this direction, you’ll need to work on a few areas so you can recruit and hire smarter. It’s not a massive change if you’ve already been assessing skills over diplomas and certifications. It will, however, require you to eliminate old ways of thinking about cybersecurity.

It’s a cultural shift where you want to banish all the stereotypes associated with technical folks—they’re bad communicators and collaborators who only see the world of ones and zeros. Yes, people in technical fields tend to be more pragmatic and logical, but they often don’t deserve the other labels. Your job is finding people outside the box who want to evolve cybersecurity with you.

Here are some tips:

  • Redefine your job descriptions and requirements: Start by eliminating the need for a four-year degree and specific certifications. Instead, focus on core competencies, soft skills, personality, communication capabilities, and drive. If there are specific things the person needs to be proficient in, emphasize those, but don’t limit this expertise to having a degree or certification.
  • Look for internal talent: Internally posting new jobs is a typical step, but if you do, add some context about whom you’re looking for beyond technical skills. There could be some smart and capable people that want to move into cybersecurity but don’t know how to start. Create relationships with those folks and work out a plan to upskill and reskill them.
  • Use assessments to evaluate technical and personal skills: You need people to demonstrate they have the abilities you desire. You can assess them with different tests to understand how they’ll perform. Don’t limit this to only technical skills. You also want to know about their ability to communicate, lead, problem-solve, and think critically.
  • Get to know people during the interview process: This part of hiring can be challenging for you and candidates. They’re nervous, and you’re cautious. I urge you to get to know the person and their philosophy on cybersecurity and why they want to be in the industry. You can learn so much from someone when you ask their opinion and perspective. You’ll be able to recognize genuine interest and desire from these discussions.

Skills-Based Hiring in Cybersecurity: Keep Developing Your People

Hiring based on skills fits the field of cybersecurity well. After all, you want employees to be able to deal with a dynamic environment. When you hire this way, you’re likely to find people with the right mix of abilities who want to be there for all the right reasons. Once they are on staff, keep developing them with an emphasis on soft skills. It’s not an easy journey, but you can find lots of advice on how to do this in my book, The Smartest Person in the Room, which features the Secure Methodology™. It’s a seven-step framework for improving and building these capabilities in technical folks. Check it out by getting your copy today.

Reskilling and Upskilling Talent Can Help Shrink the Cybersecurity Skills Gap

cybersecurity learningOne of the most important topics in cybersecurity is the talent shortage. Reports and data back up the consensus that we don’t have enough people for all the jobs and that new generations aren’t entering the field. Further, CISOs and other cyber leaders have noted it’s one of their biggest challenges. Finding qualified people has become a barrier to building and evolving cyber resilience. The cybersecurity skills gap runs parallel with this, as many cyber professionals or aspiring ones don’t have the qualities employers want.

This cycle of shortages and gaps will continue, leaving organizations facing greater risk in cyber operations. So, what’s the answer? There is no quick fix to this dilemma. However, there may be something we’re all overlooking — reskilling and upskilling talent. Making this investment in people develops them into capable cybersecurity specialists who possess both the soft and technical skills a company needs to survive and thrive in the modern age of business.

What Are the Cybersecurity Skills Gaps?

Overall, we can look at the industry and see it’s woefully understaffed. The ISC 2022 Cybersecurity Workforce Study made headlines with its findings that over 3.4 million jobs in the industry remain unfilled. As a result, these organizations feel the consequences of straining existing resources, inability to conduct risk assessments, and greater risk.

It doesn’t necessarily mean there aren’t people who want to work in cybersecurity. Although, it’s hard to be too optimistic about younger generations joining the field, as millennials and Gen Z aren’t flocking to be cyber experts. In fact, less than 12% of the workforce is 34 or younger!

The bigger problem is the gap in hiring people who can hit the ground running. They aren’t meeting the expectations of those employing them, with 55% of cyber leaders stating applicants aren’t well qualified. So, what qualifications do they think candidates need? Here’s what they said, in order of importance:

  • Prior hands-on cybersecurity experience
  • Credentials
  • Hands-on training
  • Employer recommendations
  • University degree
  • Association membership

But how well do these things determine if someone can do the job? It’s hard to get hands-on experience or training without a starting point. Credentials don’t always equate to someone with the right skills. We’ve previously discussed the term “paper tigers” and how they don’t represent “quality.” Rather, paper tigers have all the right credentials on paper but don’t have the aptitude or ability to be successful cyber professionals.

A university degree can be the same as credentials. A four-year degree doesn’t make someone qualified, either. I would argue that expecting a college education is a problem in cybersecurity recruitment, which 52% of organizations require. There are many bright and capable people out there that you’re dismissing.

The Biggest Skills Gaps: Soft and Hard Skills

In the same research, cyber leaders also noted the biggest skills gaps:

  • Soft skills (e.g., communication, flexibility, leadership)
  • Cloud computing
  • Security controls (e.g., endpoint, network, application, implementation)
  • Coding skills
  • Software development-related topics (e.g., languages, machine code, testing, deployment)
  • Data-related topics (e.g., characteristics, classification, collection, processing, structure)
  • Network-related topics (e.g., architecture, addressing, networking components)
  • Pattern analysis
  • System hardening
  • Computing devices (e.g., hardware, software, file systems)

Soft skills, the number one cybersecurity skills gap, isn’t surprising. Without these capabilities, it doesn’t matter how technically gifted someone is; they’ll flounder and actually cause problems in the organization. When asked specifically what soft skills they find attractive, leaders said communication, critical thinking, problem-solving, collaboration, and attention to detail.

Developing these isn’t a priority for most credential or educational institutions. I suppose they think the working world will figure this out and help workers cultivate it. Except most aren’t, so the cycle of bad hiring continues.

All this data emphasizes that we’re at a crossroads in the industry. You do have control here to break the cycle with upskilling and reskilling, focusing on hard and soft skills.

Upskilling and Reskilling to Build a Better Pipeline of Cybersecurity Talent

The strategies and decisions you make today regarding recruitment and hiring impact the short and long-term. If you’re going to keep a pipeline running, you will have to look outside the normal parameters. Finding people passionate about cybersecurity and helping them become adept at it will serve you well. Here are some tips on how to implement this into your hiring plan.

Look for internal talent.

There may be people within your organization now wanting to pursue cybersecurity. They may be in a non-technical position now, but they have potential. Creating a mentorship program within your company could build this bridge. Encourage those interested in the field to express their interest and join the community. Assess them based on their soft skills and capacity to learn technical knowledge. If you find some great people to develop, the business could pay for specific courses to help them level up their hard skills. Once they have the basics, continue to support them through learning and training.

Evaluate your current entry-level staff and their gaps.

You’ve likely hired some entry-level positions as of late. You saw their potential and recognized their abilities, but you also knew things were missing. Those can include soft and hard skills. Building a relationship with them and understanding their motivations and career goals can inform whom to invest in with upskilling and reskilling opportunities. If you invest in them, they’ll feel valued and appreciated, which will go a long way toward cybersecurity retention.

Stop looking at only a resume.

A resume is a piece of paper with a quick summary of what someone has accomplished. It’s not their whole story. It’s too easy to reject resumes based on if they have the right keywords or phrases. Pay more attention to their abilities, aptitudes, and attitudes. How can you do this? Consider a short questionnaire that peels back the layers and gives you more insight. You may be passing up great candidates otherwise.

Develop every team member’s people skills.

The last piece of advice is to focus on people skills development. You may think it’s an impossible task, and getting people to change and grow is hard. I found it to be such a deficit in the field that I created the Secure Methodology™. It’s a seven-step guide that helps cyber leaders transform technical folks into excellent communicators, problem solvers, and collaborators. Here’s a preview of what each step entails and why it supports upskilling and reskilling.


We start with Awareness, which includes being cognizant of the self and others. When it’s absent, people don’t realize the impact of their behaviors, which can cause conflict and resentment. If you can move people into a state of awareness, they’ll have greater respect for others and think more intentionally about how they act.


fixed mindset does no one any good. Encouraging people to shift to one of growth is good for everyone. In this step, I recommend the 7 Levels Deep exercise. From this, you can understand motivations and why people act as they do, which can break the fixed mindset.


Acknowledgment starts with you and is an act of appreciation. When you create a culture where this exists, it will strengthen trust and confidence. It’s also about redefining cybersecurity culture from one where the expectation is that technical people know everything and can do everything. All that does is create burnout. People need grace and also need to know you can give it to them.


Communication is the number one soft skill for a reason — it’s the core of everything in life. If communication is poor, rude, non-inclusive, or nonexistent, you have breakdowns that elevate risk and animosity. In this step, you’ll be using activities to get to the root of communication, which is just as much about listening as talking. Creating a space where communication is expected, transparent, and honest could be the greatest upskilling you provide to someone.


Monotasking focuses on the details, another soft skill missing in candidates. If you’ll recall, in acknowledgment, we discussed how cyber professionals couldn’t do everything. So, with this step, you will introduce monotasking and blocking off time on their schedules to complete one thing without distractions. The result will likely be greater productivity.


In the Secure Methodology, cognitive empathy is the learning. It’s understanding someone’s feelings and perspectives and is key to communication and collaboration. Once people grasp how important this is in work and life, they often have “aha” moments and finally realize how critical it is to be open to the views of others.


Kaizen is a Japanese term that translates to “continuous improvement.” So, this step continues forever and can teach people how to be adaptable and flexible. They can continually improve soft and technical skills throughout their career.

Reskill and Upskill With the Secure Methodology

If you want to reimagine how your recruit, hire, and retain, the Secure Methodology is a vital resource. Reskilling and upskilling are possible with this framework. Learn more by checking out the Secure Methodology course today.

Does Your Cyber Team Have a “Bad” Reputation? Why Their Lack of Soft Skills Causes Friction

cybersecurity user experienceEverybody in cybersecurity has funny and unbelievable stories of users gone wrong. On the other side of the equation, users have their own stories that paint technical folks as rude and unhelpful. In either case, there’s a lot of stereotyping going on, but some of it is, well, true. What it amounts to is cyber teams having a “bad” reputation. Many consider technical folks to be arrogant, hostile, and condescending. If that’s the culture in your organization, it’s no wonder that people have little respect for them. In fact, they’ll do anything to avoid interaction with them, which often increases risk.

So, what can you do as a cybersecurity leader to broker peace between the two? While users certainly have some blame for the dynamic, much of it comes down to a lack of soft skills, causing friction and undermining relationships.

Why Your Cyber Team Has a “Bad” Reputation

One of the biggest reasons that cyber professionals earn their reputation is that many consider them a bottleneck. That’s because security must be a part of any major IT development or implementation. Often, the barrier they create isn’t their fault. Sometimes, cybersecurity isn’t in the initial plans, and then you get involved. To avoid such an impasse, your organizational culture regarding security has to, as well.

Security can’t be an afterthought. It needs to be a forethought, so you have to express this with the C-suite and leadership. When given a chance to have a seat at the table, your people must engage with the business side in a way that’s outside of their comfort zone. They have to be inclusive in their communication and explanation. Otherwise, they’ll posture and use jargon, making them seem like jerks and continuing the belief cycle that technical people are difficult.

A team’s reluctance to collaborate effectively is also a common problem. Cyber strategies and decisions don’t reside only with your team. You need input and support from others. As a result, cyber professionals must be cooperative when it comes time for new implementations and approaches to combat risk.

Key to this is their ability to define risk clearly with other stakeholders who aren’t experts. Your people are, and they have great technical knowledge. This intelligence often creates the desire to be the smartest person in the room. They may be, technically speaking. However, they have to be able to work with others to establish new strategies to protect the company.

While your people often don’t do themselves any favors in being likable, it’s not all their fault. Cybersecurity can be a scapegoat for missed implementation dates, backlogs, and failed digital transformation objectives. It’s easy for others to blame your team, believing them to be against innovation. They may hold some responsibility, but it goes back to cultural foundation issues about how the organization prioritizes and empowers a cyber team.

You have some control over how the company looks at cybersecurity, but you have even more so over your team. For the sun to set on the stereotype of cyber professionals being obstinate, your people must develop people skills.

Why Are Cyber Professionals “Bad” at Soft Skills?

So, why exactly do technical people often have gaps in soft skills? Is it something innate and unfixable? Absolutely not, and it’s a symptom of something bigger. There are many bright, highly communicative, and adaptable people in the field. Some require a nudge toward the right direction to be vulnerable and ready for change.

If you look at the industry and consider where the struggles exist in people skills, you can come to these conclusions:

  • They often think in black and white, while most everything lives in gray. When they lock into a mindset that there’s one right answer and many wrong ones, it impacts their perspective. So, they stick to the script even when factors change.
  • Technical folks often have insecurities and fears that they want to keep hidden. They believe not knowing everything is a weakness, but how could you possibly know everything? These feelings keep them from asking questions and engaging in dialogue with others.
  • Communication isn’t easy for them, especially if they can’t posture and use jargon. When they do, they alienate others quickly and live up to their reputation. Communication is the single most important skill a cyber professional can possess.
  • Cyber professionals also may lack awareness of themselves and others. They don’t see how their tendency to be aloof and overly technical prevents trust and cooperation. They also have a hard time understanding the perspectives of the business side. Without this awareness, they’ll continue to be outsiders.

Helping your team work through these flawed behaviors won’t be easy, but there is a way to do it with the Secure Methodology™. It’s a seven-step guide for cyber leaders to leverage to transform technical minds into ones with strong soft skills.

How the Secure Methodology Can Improve the Reputation of Cybersecurity

The Secure Methodology is a proven framework to cultivate technical folks into excellent communicators and collaborators. Next, we’ll review all seven steps with an introduction to how the lessons of each phase develop people skills.

Step One: Awareness

The first step is Awareness, which I mentioned earlier as a reason technical people can’t connect with others or themselves. When they lack Awareness, it creates a lot of blind spots, which impact communication and set the stage for more technical posturing.

Technical people have to be willing to open themselves up to new perspectives. You can foster this with coaching around communication and understanding their motivations. In this step, you’ll have access to exercises that move people outside of their comfort zone, opening their eyes to a wider world.

Step Two: Mindset

Mindset is next and builds on learnings from Awareness. Right now, many of your people likely have a fixed mindset, which keeps them from growing and evolving. Shifting to a growth mindset is what you want to accomplish. They have to open their minds to more possibilities beyond black-and-white thinking. This step features approaches to help people with reflection and accountability.

Step Three: Acknowledgment

Acknowledgment is a critical aspect of any department or industry. When there’s little positive acknowledgment, employees can become disengaged and resentful. In cybersecurity, the most common acknowledgment is negative. So, it’s this cycle of being fearful of any error, causing some to do nothing.

Acknowledgment must start with you. Positive reinforcement is vital, and you should do it publicly. It tells people what they do matters, and ensuring they understand how their contributions help the company can be key to their desire to be better team players. This step has activities to develop this through rapport and trust.

Step Four: Communication

Communication has its own step but is pivotal in every phase. Communication skills are necessary for any job, but cyber professionals have often gotten away with being bad at it. Technical folks need to learn how to communicate better within the team and with others who are technically adept.

Much of this comes down to the simplification of the message. They don’t need to give a monologue to express risks and threats. Coaching exercises in this step will promote creating an inclusive, shared language and active listening. Much of this involves reframing the interactions and reminding your people that others aren’t the enemy. Encourage them to stop hiding behind complex explanations and to strip communication down to informing others and asking questions.

Step Five: Monotasking

Aren’t technical professionals supposed to be great multitaskers? Unfortunately, many people believe this to be true, and multitasking has its place. However, monotasking is a necessity for improving people skills. When someone multitasks, there’s often a feeling of pressure, which can cause more mistakes.

Encourage your people to have specific monotasking periods in their day where they focus all their energy on one task. They’ll find they’re more productive with this kind of schedule. Challenge your team to practice this and block out distractions.

Step Six: Empathy

Empathy is a crucial step to transforming your cyber team. When your employees can put themselves in the shoes of others, the us vs. them mentality can fade away, and that’s necessary to eliminate their “bad” reputation.

Empathy, however, is something to develop. It’s not a natural part of being human. It requires them to care about what they do, the organization, and their colleagues. All the steps leading to this one have set the stage for empathy. If your staff can excel here, they’ll be the collaborators everyone needs them to be.

Step Seven: Kaizen

The final step is kaizen, which is a Japanese term meaning “continuous improvement.” Within the Secure Methodology, it’s the action of analyzing root causes. You can then uncover the real problems and work toward overcoming them. This step doesn’t end, as it’s a continuous state of adapting and evolving.

Rid Your Cyber Team of Their “Bad” Reputation

Now is the time to drive change in your employees so they can contribute more effectively. When they do, it’s good for security and their long-term job satisfaction. Take the first step by checking out the Secure Methodology course.

Do Different Industries Need Cyber Professionals to Have Unique Skills?

cyber security professionalBeing a cyber professional involves similar work, no matter the industry. There are many foundational practices and required skills that apply in every vertical. However, some cyber roles require specialized experience or attributes. In building your cyber workforce, this is something to consider. You don’t necessarily need to hire based on someone matching every line of your job description. Once they do come on board, development may need to happen, including technical and soft skills.

In this post, I’ll break down the unique skills cyber professionals need for specific industries and provide insight on how to support this development.

The Basic Skill Sets for Every Cyber Professional

Before we get into the details, let’s first look at the basic skill sets cybersecurity staff should have. Currently, there’s a significant shortage of cyber talent. In reviewing the 2023 cybersecurity workforce landscape, we know that over 3.4 million jobs remain unfilled. This gap is driving risk up and causing some organizations to hire in desperation. I’d encourage you not to do this because you’re likely to bring on more “paper tigers,” and those folks don’t have the skills you need. Rather, they only look good on paper, not in real life.

So, always go back to the basics of what a cyber professional should have to start. Here are the top skills for the buckets of technical and soft.

Technical Skills

Networking and system administration — these are the building blocks of maintaining the network infrastructure. Being proficient at this is the foundation for cultivating more technical skills.

  • Risk analysis. This is labeled as a technical skill because it’s about analyzing, preventing, and mitigating risk. It’s all about deciphering the impact of a breach. It’s like a hybrid of technical and people skills because people also need to have some soft attributes, including critical thinking, communication, awareness, and curiosity.
  • Incident response management. This process involves identifying and investigating security incidents, administering response efforts, and restoring systems. This skill is hard to teach in the classroom. Training is how most people learn this, starting with going through simulations.
  • Network security controls. Controls are a critical part of the security ecosystem. They include firewalls, antivirus and antimalware software, and intrusion detection systems. Cyber professionals should have a broad knowledge of these and how they provide protection.
  • Coding. For entry-level cybersecurity jobs, coding isn’t a requirement. As someone continues within the career, having coding skills can be helpful.
  • Cloud security. Most everything’s in the cloud these days, so understanding configuration and other components is critical to creating a robust security posture.

These are just a handful of the technical skills someone may bring to the table. People must have most of these to be able to do the job. Soft skills are equally essential to success.

Soft Skills

  • Communication. Nothing within your cyber team will drive up risk, like poor or nonexistent communication. Miscommunication is a leading cause of cyber failures, and you won’t build a world-class team without it. Keep in mind that communication involves speaking and listening.
  • Adaptability. Cybersecurity is a dynamic industry, and your employees must be able to roll with this. It’s often hard for technical people to be flexible because they crave certainty. Evolving this fixed mindset to be one that’s open is crucial for anyone to have long-term success in cybersecurity.
  • Curiosity. The more inquisitive someone is, the better they are at investigating and probing, which are necessary for the cyber field. These people love to learn and are eager to innovate.
  • Critical thinking and problem-solving. Along with curiosity, cyber minds must be excellent at critical thinking and problem-solving. It’s the nature of the job, and if someone has this, technical skill development is much easier.
  • Cognitive empathy. This type of empathy is the ability to understand someone else’s perspective and feelings. It’s also a choice to connect with someone and relies heavily on strong communication skills.

In looking at technical and people skills, these are all vital regardless of the industry. One thing to not get tripped up on in the skills discussion is someone’s hands-on experience. Yes, it would be ideal for new hires to have this, and it’s in demand from employers. However, those newly entering the field may not have this. If they are going to break into cybersecurity, they need to start somewhere. With the right coaching, training, and support, these people could become star employees.

Next, we’ll go through industries and what’s critical for cyber professionals to excel and thrive in these organizations.

Industry-Specific Cyber Skills

Let’s review the skills that are valuable by industry.

Health Care

Health care is an industry that embraces technology in so many ways. From electronic health records to medical devices to monitoring systems, health care depends on technology. However, it’s a really complicated vertical. There are compliance factors for data usage, legacy systems, an often-understaffed team, and extensive networks that keep growing.

Health care also has a huge target on its back. In 2022, the industry experienced a 74% increase in attacks. Multiple hospitals were the victims of ransomware, with devastating consequences that impacted operations and patient care.

As a result, cyber professionals in health care should work to attain some specific skills, including:

  • Becoming fluent in HIPAA compliance and guidelines
  • Honing knowledge of medical device cybersecurity
  • Understanding of IoT (Internet of Things) sensors, which often tie to medical devices
  • Aptitude in ransomware, as they are a hacker favorite when targeting health care

Along with these technical attributes, some people skills are critical. First, awareness and perspective can be useful for health care cyber professionals. Understanding the hacker, on the other side, can drive the development of new defensive and proactive strategies. Another is the ability to collaborate with technical and nontechnical personnel. There are many stakeholders in the health care technology space, and working together is a must to reduce risk.


Manufacturing’s pursuit of digital transformation and Industry 4.0 infused technology throughout this mature industry. Leveraging technology like networked equipment and IoT creates efficiencies for the vertical, drives decision-making based on data, and modernizes workflows. All this connectivity also means cyberattacks are more prevalent.

One of the biggest risks for this industry is legacy systems. Those entering cyber careers in manufacturing should be proficient in understanding such a structure. Having experience in decommissioning these systems, migrating data, or integrating them with newer technology will be valuable.

For people skills, cyber professionals in manufacturing should be effective communicators who are great negotiators. That’s because many in the industry need education and awareness about risk in general. Technical folks need to be able to make a case for more cyber controls and security while battling the business side that wants everything to go faster.


Besides health care, finance is the most targeted vertical. In 2021, it led all others. It’s another very appealing industry for hackers. Larger banking systems dedicate entire teams to this. Smaller community banks and credit unions have fewer resources but must manage the same kind of risk. So, what skills do financial cybersecurity professionals need to possess?

Like in health care, finance has compliance regulations, so familiarity with these is a good starting point. Identity and access management (IAM) knowledge is imperative too. Ransomware is trending up in banking, so skills regarding this help. Experience with app security will be key, as most financial institutions have consumer-facing apps.

On the soft-skill side, you’ll want excellent communicators who can deliver concise, clear, and timely information to all parties. Working well in a changing environment is another must-have because of the target on the back of banks. Critical thinking and problem-solving and the ability to collaborate effectively will also be great assets for your team members to have.


This industry doesn’t usually command the cybersecurity attention of others, but it should. Water and power have been adopting more and more technology. As a result, it’s received more attention from hackers. Usually, their motivation is to disrupt operations and cause harm versus seeking data for monetary reasons.

Utilities are highly regulated industries, so awareness of this and the regulations is critical for cyber teams working in the field. There are also many vulnerabilities in these systems as they move to digitization. As a result, cyber professionals will need expertise in migrations and legacy reconciliation. A solid understanding of utility frameworks and infrastructure would also be valuable.

These give someone a good baseline. Adding in people skills improves their capabilities. First, they’ll need the ability to work backward from an incident to dig into root causes and determine remediation. Being organized and effectively managing projects are attributes that matter in utility cybersecurity.

Developing Your Cyber Professionals: Skills That Always Matter

Certain industries do have specific needs for cyber professionals. The soft skills addressed above are often the most critical. They are transferrable as well. Building and developing these in your team takes time, commitment, and a strategy. You can start with the Secure Methodology™, a seven-step guide to transforming technical folks into excellent communicators and collaborators.

You can learn all about it in my book, The Smartest Person in the Room. Check out the Secure Methodology course, available now.

Cybercriminals Are Always Evolving Their Techniques; Your Cyber Team Should Too

cybercriminalsCybercriminals are persistent and determined. These are great qualities to have in a technical field, but for your organization, it means risk and threats are never static. They are always changing, evolving their techniques to exploit weaknesses and vulnerabilities. As a result, your cyber team must as well. You can’t use the same methods against new challenges.

While some of this upskilling is technical, much of it involves soft skills and developing the attributes that enable flexibility, proactiveness, and perseverance. In this post, we’ll review trends related to cybercriminals and their approaches and discuss ways to arm your technical folks with the right skills to win the cyber war.

Cybercriminal Trends

Cybercriminals diversify their attacks and find new avenues to pursue all the time. The trends in cybersecurity relating to their approaches offer some insights for cybersecurity professionals.

Vulnerable Entry Points Are Attractive Targets

The proliferation of IoT (Internet of Things) devices has been a monumental implementation for many industries. They collect data for various applications that deliver intelligence to organizations, including health care, manufacturing, and retail.

For all the benefits they bring, they are also the most vulnerable endpoints. Cybercriminals are becoming IoT experts and have infiltrated these devices and been able to transfer between them. It’s familiar ground for hackers to find out how to endanger security through something that helps businesses operate based on data-driven decisions.

The QR Code Comeback

Cybercriminals look for ways to use technology trends to plan attacks. QR codes have been around for some time and had a resurgence during the pandemic, including scanning them for menus. Advertisers use them in CTV (connected TV) and broadcast TV ads, prompting users to scan them while watching. A Super Bowl commercial in 2022 for Coinbase featured a QR code (and not much else). It was so popular that the site crashed.

Hackers follow consumer preferences and create malicious QR codes that direct people to fake sites.

Ransomware Keeps Adapting

Cybercriminals invested lots of time and energy into ransomware attacks in 2022. According to data, ransomware increased by 13% in 2022. Cybersecurity has great concerns over ransomware, as many organizations experience it regularly, some with dire consequences, such as disrupting healthcare delivery.

The attraction to this method is the money. Many businesses have paid the ransom to retrieve access to data. Even those with backups and mature cybersecurity defenses can be a victim. The adaptation of ransomware occurs as hackers attempt to breach networks.

Hackers Expose Multifactor Authentication Shortcomings

Multifactor authentication (MFA) has been a tenet of cybersecurity and access control. The premise is to require more than a password, but hackers have found ways around this. One example is an attack created by Lapsus$ and Yanluowang threat actors. It bypasses the MFA framework through spamming original account holders, referred to as MFA bombing, MFA spamming, or MFA fatigue. It’s worked successfully in incidents involving Microsoft and T-Mobile.

Phishing and Social Engineering Are So Sophisticated

The earliest days of phishing were almost comical in delivery. The misspellings and awkward phrases were easy to spot. That was long ago, and hackers are more advanced and sophisticated in social engineering efforts.

It hinges on manipulation and the receiver believing the hacker is truly someone else. More of this is happening at the business level, with employees receiving communications from leadership asking for help. This email spoofing to impersonate others has become very effective. Hackers also use multiple channels, including email, SMS, SIM jacking, and piggybacking.

There has also been an increase in the use of Google properties for phishing. Millions of people use Google Drive and Google Ads for business. Hackers are attempting to “share” documents, “tagging” in the comments of documents, or inviting you to access a Google Ad account. For many, it would seem a logical email to receive and click, and that’s what hackers are counting on them doing.

Cybercriminals Focus More on Smaller Fish

Most of the headlines about cyberattacks involve well-known companies. It’s more newsworthy since these can cause outages and downtime and impact millions. However, most hackers don’t put a target on these whales. Smaller fish are easier to penetrate, and many have valuable data. Small- and medium-sized businesses (SMBs) often have less robust cybersecurity protocols and may be dealing with being understaffed as well.

It’s an ideal scenario for hackers eager to infiltrate a network and take control. The result can be a data breach with the aim of selling these assets on the dark web or ransomware. SMBs are highly aware that they are a target but lack the resources to combat them in many cases.

Cybercrime as a Service Lowers the Barrier to Entry

A new phenomenon, cybercrime as a service, is another troubling hacking trend. Hackers are for hire, so bad actors no longer need technical aptitude. Rather, they can find a cybercriminal on the dark web to do their bidding. These groups operate like legit businesses in many ways, with developers and engineers.

Seeing the commoditization of cybercrime is a concern for tech teams. It’s increasing the number of attacks, and their sophistication is improving daily.

As you can see, hackers never rest on their laurels. They evolve their methods consistently to reach their goals. It’s the same approach the good guys should also take. Here’s how to keep pace with cybercriminals.

Keeping Pace with Cybercriminals; Cyber Professionals Must Adapt Too

Developing your team’s capabilities and expanding them should be a priority for you as a leader. Such a strategy involves both technical and people skills. Focusing on continuous improvement is a requirement to outperform today’s hackers. Here are some critical steps you can take.

Being Proactive versus Reactive

A lot of cybersecurity is reactive. It’s how you’ll respond to a threat or attack. All that’s necessary. You have to have a cyber resilience and contingency plan in place. It can often overshadow being proactive, which is something organizations find difficult.

The barrier to being proactive is not so much technical failures. Much of the time, it’s the people and the way they communicate, collaborate, and operate. Cyber professionals tend to think in black and white and crave certainty. There’s much fear around what they perceive as new territory, so they stay set in their ways. As a result, you incur more risk because there’s limited exchange of information or ideas.

To be more proactive, you’ve got to break down those silos and create an environment where communication and collaboration are a priority. You must be an example and find ways to hone these people skills through exercises and other activities. If everyone’s not on the same page, you’ll be stuck in reactive mode, which gives hackers an edge.

Creating a Cybersecurity Culture

cybersecurity culture, in this respect, alludes to the principles and values of your technical team. Building a team that can swiftly adapt requires healthy people skills, including communication, awareness of self and others, trust, a growth mindset, and empathy. It may seem daunting to pursue this, but it’s critical in the cyber war.

When these things are absent, your company increases risk. The environment may be toxic, with bullying, posturing, and disengagement. Any hacker would love to attack such an organization, so it’s critical not to be one of these!

Constructing and maintaining this culture requires several key elements:

  • Employees need to know that their contributions matter and how they align with the company’s goals and wins.
  • Encouraging the growth of each individual and acknowledging their improvements.
  • Continuous development of strong communication skills, including what people say, how they say it, and how they listen.
  • Removing self-centered thinking patterns and embracing cognitive empathy.

Emphasizing Innovation

Cyber professionals understand innovation, often more from a technical lens. That’s crucial, but a culture of innovation is where new ideas thrive. If you open up your team to operate this way, many great things can happen regarding security. One way to make it front and center is to define what innovation means to your team and discuss ways to sustain it over time.

There is often a misnomer about security being the downfall of innovation. That’s not true, and the two can work in tandem, such as in the framework of DevSecOps. There should be a constant link between security and innovation. It’s a continuous cycle of improvement that enables better results, which are easy to understand for technical folks.

Cybercriminals vs. Cyber Professionals: Winning the War

On the battlefield, cybercriminals and cyber professionals are at war. Cybercriminals have had many advantages, much of which are due to their constant evolution and adaptability. Keeping up with hackers involves cyber professionals doing the same thing.

With these tips, your team can forge ahead. You can find more advice and resources for this in my book, The Smartest Person in the Room, which features the Secure Methodology™, a seven-step guide to transforming technical people into better communicators and collaborators. Get your copy today.

Improving Cybersecurity Communication Skills: Why It’s More Than Just Being Articulate

Cybersecurity Communication skillsCommunication is a skill vital to every role in an organization. Without it, we make assumptions, and breakdowns occur in processes and workflows. It’s often the leading reason for dysfunction in a group. It has equal importance in cybersecurity. However, cybersecurity communication skills are often poor or nonexistent.

When communication fails, your cybersecurity provisions and safety nets can, too. It raises risk and creates distrust in the group. It’s also the most vital soft skill that organizations seek in hiring, according to a recent industry survey.

So, there’s no argument from the field that cybersecurity communication skills are critical. The problem is that most companies aren’t doing anything to develop it in their people. If they are, the training may be obsolete or ineffective, such as online learning classes. Can you really hone your communication skills by watching a video? The answer is likely no. It requires interactive exercises and a strategic approach.

Further, companies often put communication skills in a box that doesn’t apply to all facets. For example, being a great communicator isn’t simply about being articulate. Many technical people are. Yet, communication failures still occur. Communication is a multi-faceted skill that includes being aware of others and their perspectives, understanding nonverbal cues, being active listeners, and communicating to be inclusive (versus lots of jargon and tech-speak).

Communication is step four of the Secure Methodology, which is a seven-step guide I documented in my book, The Smartest Person in the Room. Its purpose is to help cybersecurity leaders transform their people with soft skills to work together more effectively to combat cyberattacks.

In this post, I’ll break down each element of communication and offer tips to develop those in your people.

Cybersecurity Communication Skills: The Four Facets

There are four components of becoming a great communicator as a technical professional. Consider all these when crafting a program that lifts soft skills.

Inclusive Language

Technical people have a reputation for talking in jargon that only “insiders” understand. They do this for several reasons. First, it makes them feel more confident and that they have control of the conversation. They feel comfortable with the geek speak as a nod to their superiority over all things cyber-related.

Using this language also means that others are less likely to call them out, which they secretly fear. If other people understood what they were saying about risks, threats, and solutions, they might receive more questions and requests for explanations. They would see this as losing “control” of the interaction.

Ultimately, this type of communication helps no one. Your technical people don’t get better at defining threats and solutions, so you don’t improve in that area. Also, they won’t be able to convey critical information to leadership, which could impact funding and resources. As a result, the entire organization suffers from greater risk exposure. These patterns are the hardest to break but pivotal because shared language leads to success.

Understanding Nonverbal Cues

A big part of communication is the things we don’t say. Body language presents context around what people say. Often, words don’t match these cues. According to Mehrabian’s 7-38-55 theory, most comprehension is via body language (55%). So, what does that mean exactly?

Focusing only on the spoken words can be an opportunity to miss the message. Ignoring body language as a part of communication causes communication breakdowns. When interacting with others, we need to pay attention to body language because it conveys more than words.

Body language can change suddenly in a conversation, and catching those clues is critical. When a technical person speaks to someone who isn’t, they often use a lot of jargon and acronyms. As the other party takes in this information, they may say little. The body language, however, may say more. They may become guarded or disinterested. This matters because your cyber professionals are talking to their clients (whether internal or external). If they shut down because they don’t understand what the person is saying, it’s not good for anyone. It causes silos between groups, and no one knows the biggest priorities.

There can often be inconsistencies between spoken words and body language. Facial expressions that seem opposite to what words are said or failure to make eye contact indicate the person isn’t comprehending the message. That’s not a good place to be with cybersecurity. This can happen between co-workers and with cybersecurity professionals and leadership.

Tone of Voice

Another aspect of Mehrabian’s 7-38-55 theory is tone, which is 38% of the communication bubble. Tone is the way you speak, which adds context to the words. There is a variety of different tones that people use. Here are some examples

  • Assertive: This tone represents a declarative approach where the person speaking is not amiable to moving their position. It’s often considered rude and curt and is usually counterproductive.
  • Respectful: The person speaking is careful with their words and does not let frustration or bias impact what they say. It can motivate others in the conversation to feel they are free to voice opinions or concerns.
  • Accommodating: This tone promotes collaboration and cooperation. It’s like respectful but even more non-threatening.
  • Dismissive tone: This tone of voice is harmful in that the person speaking is flippant about the situation and anyone else’s position on it. In this category, technical folks are posturing, often speaking quickly, believing no one else could understand.

We can all relate to sentences having different meanings depending on the tone. For example, the simple response of “I don’t know” could have many connotations. An assertive tone could communicate anger. If said dismissively, it could come off as sarcastic. On the other hand, if said with a respectful or accommodating tone, it could be a starting point to go deeper and find the answer together.

Tone interpretation can lead to assumptions, resentment, and disillusionment when negative. If positive, it can change how people respond and interact. It clarifies and conveys meaning.

Active Listening

The last component of cybersecurity communication skills is the ability to be a good listener. In many cases, people listen to prepare their response, either as agreement or dissension. That’s the first obstacle to overcome. Active listening is making a conscious effort to hear the words spoken and the tone to receive the message.

Becoming an active listener takes practice, and several techniques are valuable:

  • Pay attention to the speaker by giving them eye contact and removing distractions from the environment.
  • Illustrate you’re listening with body language gestures, such as nodding, smiling, having an open posture, and encouraging the speaker to continue with comments like “uh huh.”
  • Reflect on what’s being said by paraphrasing back to the speaker (“I’m hearing you say…), asking questions for clarity, and summarizing what you hear.
  • Allow the speaker to finish their points before you interrupt, as that only frustrates the person and creates a negative experience.
  • Be honest and open with responses, opinions, and other information in a respectful manner, even if you have differing perspectives.

Remember that your people will only improve if they take the need to change seriously and practice it consistently. Every conversation they have should include active listening!

Cybersecurity Communication Skills: More Tips and Tricks

Within each realm of communication, you now have a view of what impacts communication. Each aspect requires practice and work. Making this part of your organization’s foundation is crucial for your team to be cohesive. Here are some more tips to consider:

Encourage Transparency in Communication

Do you think your people are afraid to say things? Some avoid transparency to keep the upper hand, but others may be apprehensive because they’re concerned about questioning things. You want people to question stuff and look outside typical approaches. Thus, you’ll need to create a space to “question.” Show your employees that you appreciate and expect honesty. It can improve communication and trust levels.

Lead by Example

How are your communication skills? Do you need to practice what you preach? You have to be the ultimate example to your staff. As they see you leading as a strong communicator, they’ll realize that you are taking this seriously, and it can immediately begin to improve rapport in the group.

Ask Them to Consider Perspective

When technical people communicate with others outside the field, they should keep in mind their perspective. They should think about what this person’s role is in cybersecurity. Is it to support the team? Provide funding? Manage risk? Have visibility into the threat landscape. From perspective, your employees can better manage tone in conversations. What they say will mean different things to different people, and making these adjustments drives better communication.

Communication Is the Most Vital Skill to Develop

Throughout my book, I harp on communication. The emphasis on it is deliberate because it’s where most things go off the rails. In the book, you’ll find exercises, tips, and techniques to develop your staff into effective communicators. Read it today to get started.