Five hard truths about soft skills in cybersecurity

Robert Wood

We train. We research. We pontificate. We read. We do so much to cultivate the technical skills that go into cybersecurity. You see it at every level: penetration testers share tools and WAF bypass tips, and CISOs share experiences implementing certain strategic initiatives or tools they've found work well.

This kind of information sharing and skills development is significant. However, we continue to see a disproportionate lack of focus on soft skills and their development in cybersecurity professionals at all levels. Why is that?

Paradoxically, these skills are way more challenging to develop. These skills aren't as deterministic as code or log analysis. There are not as many trusted resources to turn to for support in our field. This article breaks down some hard truths about the importance of soft skills for all of us.

Hard truth #1: people are complex, and this is a people business

Soft skills, as defined by the corporate world, include a vast array of competencies, from communication to adaptability. They are the antithesis of the clear-cut, objective, hard skills that rule the tech universe. As Peter Drucker aptly stated, "The most important thing in communication is hearing what isn't said." Finding what isn't there is not an easy task.

Other things like negotiation and collaboration aren't deterministic. You can do the same thing twice and receive two vastly different results. Why? Because people aren't binary. Soft skills can be developed and matured, but they cannot be carried out in the same methodic way as their counterpart technical skills.

Hard truth #2: emotional intelligence is like a hidden firewall

At the core of soft skills lies emotional intelligence (EQ), a term popularized by authors like Daniel Goleman. In cybersecurity, high EQ equates to understanding the human factor in security protocols—the tendency to err, overlook, and trust. Unlike coding, which is learned from books and practice, EQ is gleaned from introspection and social interaction, a process that is less straightforward and far more intricate.

Emotional intelligence is also present in all interactions you'll have. If you're tuned into others, it's incredible how much more understanding there is. If you're not tuned in, you might say all the right things, but you still get shut down.

Hard truth #3: communication is a cryptic art

Adam Grant points out in his studies, "Good communicators make themselves look smart. Great communicators make their audiences feel smart." The latter is a skill that many technical experts struggle to master. There's a cultural force in cybersecurity around the demonstration of technical aptitude.

We recite research on blogs and at conferences. We get very detailed about the way exploits or specific security controls work.

This kind of communication is one way; it's very lecture-oriented. It's also not very good at helping your audience feel smart or feel that they're a part of something.

Hard truth #4: change is constant, and we must be able to adapt

If there's one thing that is constant and predictable in cybersecurity, it's change. Adaptability isn't about the hard pivot and changing course. It's about the agility to navigate through all of the mess, the threats, the budgets, the people, and change what's needed and drop what isn't. Sometimes, it's about changing your mindset about revisiting an old idea or belief. This is harder than you'd think considering dynamics like the Dunning-Kruger effect, a unique phenomenon whereby those without a lot of competence in an area have a tough time realizing their own shortcomings or knowledge gaps. Adam Grant's fantastic book "Think Again" discusses revisiting old mindsets in great detail and is worth a read.

Hard truth #5: the journey is a largely invisible one

Developing soft skills is often a silent, personal journey, lacking the clear milestones that accompany technical training. As Drucker says, "We can't manage what we can't measure." And yet, developing soft skills is essential for managing the incalculable—human behavior. There's also not the same level of options for training and education. There's no CISSP for your negotiation skills or your storytelling abilities.

Concluding thoughts

The undervalued soft skills are, ironically, the toughest to crack. In a field like cybersecurity, where the technical know-how is tangible and revered, the abstract nature of soft skills becomes even more pronounced. That's why we started this site. Just as we encrypt our data, we must decode the complexities of soft skills, developing them with the same vigor we reserve for our technical defenses. They are the yin to our technical yang.