Cybersecurity is often viewed as a technical and complex field. Few realize, however, that cybersecurity also focuses on how people work and the way they think.
"No matter what background you come from, you'll have skills and knowledge that are hugely valuable to cybersecurity," said Jessica Barker, co-CEO and co-founder of cybersecurity consulting group Cygenta.
In her book, Confident Cyber Security: How to Get Started in Cyber Security & Futureproof Your Career, Barker discusses the human nature side of cybersecurity and offers advice on how individuals with little or no security experience can enter the field.
With all of Barker's accolades -- she was named one of the U.K.'s 20 women to watch in cybersecurity by SC Magazine and Cygenta was awarded Eskenzi PR's 2020 Best Awareness Campaign -- one might assume she has always had a passion for cybersecurity. However, that's not the case. Barker entered the field with a humanities background in sociology, politics and urban regeneration.
Combining the human side of security with technical skills helps security professionals better detect and mitigate emerging threats, Barker said. While technical skills are still important, it's the "professional skills" -- Barker's term for soft skills -- that can help those without a traditional cybersecurity background break into the industry.
The following excerpt from Chapter 13, "Pursuing a cyber security career," of Confident Cyber Security explores some of these professional skills. Uncover five key personal attributes and qualities sought out by employers, along with other skills that may be top job qualifiers.
What do employers want?
For many of us running companies and hiring individuals, we are not looking for a specific degree, qualification or certification. Of course, if it is something you are motivated and inspired to do then that's great, and hopefully you'll have seen some of the benefits outlined in the sections above; but if someone tells you that you need a piece of paper to work in cyber security, they are the wrong person tare the most important when it comes to working in this field. Some of the most important attributes include:
- Your ethical and moral code: Working in cyber security, you are often in a position of trust and so it is important that those working in the industry have a strong professional set of ethics. We are often exposed to confidential, personal and sensitive information and it is imperative that we treat that with respect and afford it the privacy and security necessary. Cyber security professionals operate in highly trusted roles, seeing where organizations and individuals are vulnerable, and so you need to be trusted not to take advantage. For example, an ethical hacker performing a penetration test on a banking website may discover a vulnerability that could, technically, allow them to siphon off some money; this individual cannot profit from that discovery outside of their legal contract.
- Curiosity: It is often the case that the best way to identify a vulnerability is to be curious. This spans across all areas of cyber security, from technical ('I wonder what happens when I type this code there?') to physical ('This CCTV camera looks a bit off. Does it actually cover the safe door?') to human ('No one is using the right procedure to email confidential information. I wonder if it's too complicated or we haven't communicated it as well as we could?'). Being curious about the way things work, or don't work, is a great personality trait for a cyber security professional.
- A desire to learn: This does not have to be learning in any kind of formal way (I don't mean you need to love textbooks!), but as the field of cyber security is constantly shifting with new technology, new vulnerabilities and new forms of attack and defence, it is beneficial if you enjoy staying informed and, even more so, if you have a knack for putting together information from different places or disciplines.
- An acceptance that you don't know everything (and that's ok): At the same time as having a desire to learn and drive to acquire more knowledge, you will benefit from acknowledging that you don't have all the answers when it comes to security, that it is a very wide field and people from different areas of security will have knowledge that can inform and enhance your understanding. An open mind is crucial in cyber security, so that you can see problems from other people's points of view and consider solutions that might not have been immediately obvious to you. It is easy to get overwhelmed in security and to believe that everyone else knows more than you and you never know enough, because the field is so wide and fast-paced. At the other end of the scale, there is a danger that people become entrenched in their own narrow area of expertise and over-estimate their value compared to other people. Develop resilience in the face of this: seek more knowledge and refine your skills but stay open-minded to learn from other perspectives. Resist the Dunning-Kruger effect, the cognitive bias in which people over-estimate their intelligence to be higher than it actually is. Cyber security is a multi-faceted problem, which requires input from different people and areas of expertise.
- Empathy: Cyber security is about listening and understanding, putting yourself into someone else's shoes. For example, this can be listening to people in a business to understand what their valuable information is, how they work and why some security rules might be really difficult for them to follow. It might also be listening to people about their personal cyber security and understanding that the 'perfect' technical solution is not going to work for them, and that you need to find them a solution they will actually engage with. As a cyber security professional, I would love it if everyone would use a password manager, but I need to understand that they might not be accessible enough for some people.
These personality traits can all be developed, and demonstrating them will be appealing to prospective employers. There are other skills you can hone, too:
- Situational awareness: This is a baseline for anyone wanting to enhance their level of security. Situational awareness often comes down to observational skills, having an understanding of what is happening around you and the potential impact of that. Ask yourself questions such as: Has my company identity pass been swiped from my bag? Am I speaking about confidential information in a public place? Is someone tailgating behind me when I enter the office?
- Spotting patterns: As a cyber security professional, you will often have to identify what 'bad' or 'unusual' looks like, which means knowing what 'good' or 'normal' looks like. Noticing patterns is a skill that benefits those working in offensive security (for example, if you are going to simulate an attack on an organization, being able to spot some abnormal code or a break in their physical perimeter is going to be crucial to your success) and those working in defensive security (for example, if you are analysing internet traffic coming into an organization's network, identifying unusual traffic is a must).
- Communication skills: Whatever role you have in cyber security, it is likely that you will need a level of communication skills. This will vary from the skills needed to communicate well with your team members about the project you are working on, needing to explain technical issues in a report that is going to people that don't have the same level of technical knowledge as you, to needing to explain to colleagues why some security rules are important and not just there to be a blocker or something they seek to work around.
This extract from Confident Cyber Security by Jessica Barker is ©2020 and reproduced with permission from Kogan Page Ltd.
About the author
Jessica Barker is an award-winning leader in the human nature side of cybersecurity. Barker is co-CEO and co-founder of Cygenta, a cybersecurity consultancy group working to raise security awareness, behavior and culture in organizations. She was named one of the top 20 most influential women in cyber security in the U.K. and awarded as one of the U.K.'s Tech Women 50 in 2017.