Professional development

Top 10 skills security professionals need to have

Rodika Tollefson
August 1, 2021 by
Rodika Tollefson

The shortage of information security talent gives infosec professionals a strong advantage in the job market, and those looking for new employment don't have to wait long to find it. Recent research by ISC2 found that 20 percent of those pursuing a new job are receiving multiple contacts per day from recruiters, and another 33 percent are receiving contacts at least once a week.

Of course, a healthy job outlook doesn't mean you're guaranteed to snatch your next dream job. One of the major challenges employers have is finding not just candidates but qualified candidates. You still need to show that you have the skills for the job and that you're the right fit in the organizational culture.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Technical skills are the most important in this industry until you get hired up the ladder into senior-level jobs like chief information security officer. However, even at the entry and middle levels, a few soft skills are necessary — so don't think you'll be working somewhere quietly in a corner without interacting with anyone all day.

Here's a list of some of the top hard and soft skills that can help information security professionals succeed.

Hard skills that are in Demand

Security analysis

A broad array of skills, security analysis includes understanding both security and the specific business with its unique problems. As part of this skill set, you'll need to know how to use security tools strategically to monitor various systems and conditions, identify gaps and recommend ways to minimize the attack surfaces.

According to the ISC2 research on hiring and retaining security talent, security analysis is by far the skill industry professionals use the most: 62 percent said it was their most commonly used skill.

Penetration testing

As hackers exploit vulnerabilities to infiltrate networks and systems and data breaches continue to break records, intrusion detection has become one of the key areas of focus for organizations. More and more organizations hire penetration testers, or ethical hackers, to identify those vulnerabilities and to probe their information systems for exploits that attackers may find.

While penetration testing is its own specialty, many other jobs (such as security analyst and information security engineer) will also often require intrusion detection and penetration testing skills.

Secure application development, or DevSecOps

There's a growing trend to incorporate security into DevOps. DevOps are cross-department teams that are coming out of their silos to integrate software development and software operations. As the next step from there, DevSecOps is an emerging industry trend, particularly among large enterprises that need agile and rapid deployment for the applications they're building.

Gartner forecasts that DevSecOps practices will be embedded into 80 percent of rapid-deployment teams by 2021. By comparison, only 15 percent were using DecSecOps in 2017.

Incident response

Once a security incident is identified, it may take a team of different infosec practitioners and other departments to mitigate it. Many companies have an incident response plan that outlines the steps, and the security team contributes to both creating that plan and executing it when the time comes.

Incident response is a multifaceted skill that draws knowledge from different areas of information security and requires a solid understanding of not only the IT ecosystem but also the specific business and its sector.

Cloud security

Recent research by The Enterprise Strategy Group and the Information Systems Security Association found cloud skills in the top three skill areas where organizations saw a shortage. While cloud computing has matured significantly in the past few years, security remains a challenge, especially as workloads continue to be moved to the cloud.

To see proof of the cloud-security challenge, you only have to look as far as incidents like the 2017 Deep Root Analytics' massive records exposure of U.S. voters. What some have dubbed at the time as the "motherlode of all leaks" was due to a somewhat simple AWS database misconfiguration.

Data science and analytics

Many cybersecurity vendors are adding behavior-based analytics, machine learning and other big-data tools into their products, from firewalls to antivirus programs. They need data scientists who can create new algorithms and models. Information security professionals who have backgrounds in data science and analytics are going to see a growing demand for their skills.

Important soft skills

Customer service

Information security professionals are problem solvers, so they should expect to be communicating with the people whose problems they're trying to solve. Customers may be either internal, such as heads of other departments, or external, such as clients the company serves as a vendor.

In a high-stakes situation, like a security incident, diffusing tension among stakeholders and working under high pressure will be part of the job. It helps to put yourself in your customer's shoes and understand their pain points.


Going hand-in-hand with customer service, communication is a universal skill that just about any profession requires. For a security professional, top communication skills are necessary for a variety of scenarios, whether you're deploying a new security product, troubleshooting issues or trying to educate other employees about good cyber-hygiene.


In an organization that values a security-focused culture, the IT team doesn't work in a silo. You may need to partner up with either your IT peers or coworkers from other departments to solve security problems. In a CompUSA survey, half of the business and IT executives interviewed noted teamwork as a top skill.

Curiosity and passion for learning

There's never a dull moment for the information security team, and things are constantly evolving, from threats and vulnerabilities to the adversary's tactics. It helps to be naturally curious and question how and why things work, and a passion for learning will both satisfy that curiosity and help you stay ahead of threats.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.


As those in the industry like to say, information security is a "cat-and-mouse game"— if you want to be in the lead, you'll have to keep learning. There are plenty of resources that make learning easy, from online courses and certifications to industry organizations and conferences.


Rodika Tollefson
Rodika Tollefson

Rodika Tollefson splits her time between journalism and content strategy and creation for brands. She’s covered just about every industry over a two-decade career but is mostly interested in technology, cybersecurity and B2B topics. Tollefson has won various awards for her journalism and multimedia work. Her non-bylined content appears regularly on several top global brands’ blogs and other digital platforms. She can be reached at