My starting point is a survey published by the Society for Information Management in 2020.¹ SIM is an established professional organization whose members are Chief Information Officers of their respective firms. According to surveyed members, the most important soft skills are as follows:

CIOs Rate Importance of Soft Skills for Cybersecurity Professionals

Some points regarding this list: if you don’t report to the CIO, your boss’s list might be different.² The majority of CISOs do report to the CIO. Secondly, the list applies to IT staff generally, not just security professionals. The priorities can and do change depending on your exact role.

Finally, if you have these skills you should promote them on your resume and social media profiles, just as much as your technical certifications. You should have in mind backup evidence as to how and where you demonstrated the skill, since most soft skills don’t have hard certifications.

Another point relates to communication skills, both written and oral. Neither is in the above list, although both were listed in earlier surveys. I believe that communication skills represent a “meta skill”, necessary for any of the skills listed.

You can check out my blog post on the importance of communication, or my interview with Jeffrey Brown, Connecticut State CISO.

What if you don’t have the skills listed here? Time to continue reading. I will discuss four here as they apply to information security. Then you can create your action plan to improve your own skill level.

Soft Skills Needed for Cybersecurity

Let’s look at “critical thinking”, “strategic thinking”, “systems thinking” and “emotional intelligence”. In later blog posts, I will look at the other seven skills.

Critical Thinking

“Critical thinking” is something that everyone wants, but few can define clearly. In my mind critical thinking means starting with the result you want to achieve and mapping out a logical path to that result. In the case of cybersecurity, the result is protecting business assets and processes.

That’s it. Anything you do should support that end goal. If not, it can be eliminated. We can apply Ray Dalio’s first principle³: #1 think for yourself to decide what you want, #2 decide what is true and #3 what you should do to achieve #1.

Strategic Thinking

I can’t say enough about the importance of this in achieving cybersecurity success. Too often, daily tasks (incidents) can consume all your waking hours. You must devote resources to improving the security program AND be able to demonstrate these ideas to management.

You first need to attain broad exposure to your organization. Second, you need to put your observations together in an original manner. Next, you will need marketing skills to get your point of view across. Thinking is not enough; you must sell your concepts to the organization.⁴

Systems Thinking

This is a skill that CISOs have personally told me they look for in new hires. If you “patch” security vulnerabilities in one part of the organization, are you creating holes elsewhere?

Complex security protocols or software may look good on paper, but will human errors facilitate new vulnerabilities? The entire system must be secure and those who can see this will be more valuable to the organization.

Emotional Intelligence

One of the best posts I have heard on this topic was Alex Stamos’s talk at 2017 BlackHat. It’s worth listening to the former Facebook CISO’s talk in full.

As he says: “As an industry we have a real problem with empathy . . . We have an inability to put ourselves in the shoes of the people we are trying to protect.” So, this skill may well rate at the top for successful security practitioners.

Do not fall into the trap of thinking that the users are the problem.

Soft skills can easily be more valuable to you than technical skills, depending on where you are in your security career. At any point, they will be essential to successful implementation of your security program.

Make sure you allocate time and energy to developing these skills in parallel with your technical acumen.

Quinnipiac’s online MS in Cybersecurity provides students with the skills to be successful in this field. Industry-experienced faculty will guide students to be proficient security defenders that are also business savvy.

For more information, please visit Quinnipiac’s MS in Cybersecurity program.

¹ Leon Kappelman, et al, “SIM IT Trends Study”, 2020 (requires SIM membership).

² Leon Kappelman, et al, “Skills for Success”, Communications of the ACM, August 2016.

³ Principles, Ray Dalio, Simon & Schuster, 2017.

⁴ “How to Demonstrate Your Strategic Thinking Skills”, HBR, Nina Bowman, September 2019.