Top 10 skills security professionals need to have
The shortage of information security talent gives infosec professionals a strong advantage in the job market, and those looking for new employment don't have to wait long to find it. Recent research by ISC2 found that 20 percent of those pursuing a new job are receiving multiple contacts per day from recruiters, and another 33 percent are receiving contacts at least once a week.
Of course, a healthy job outlook doesn't mean you're guaranteed to snatch your next dream job. One of the major challenges employers have is finding not just candidates but qualified candidates. You still need to show that you have the skills for the job and that you're the right fit in the organizational culture.
FREE role-guided training plans
Technical skills are the most important in this industry until you get hired up the ladder into senior-level jobs like chief information security officer. However, even at the entry and middle levels, a few soft skills are necessary — so don't think you'll be working somewhere quietly in a corner without interacting with anyone all day.
Here's a list of some of the top hard and soft skills that can help information security professionals succeed.
Hard skills that are in Demand
Security analysis
A broad array of skills, security analysis includes understanding both security and the specific business with its unique problems. As part of this skill set, you'll need to know how to use security tools strategically to monitor various systems and conditions, identify gaps and recommend ways to minimize the attack surfaces.
According to the ISC2 research on hiring and retaining security talent, security analysis is by far the skill industry professionals use the most: 62 percent said it was their most commonly used skill.
Penetration testing
As hackers exploit vulnerabilities to infiltrate networks and systems and data breaches continue to break records, intrusion detection has become one of the key areas of focus for organizations. More and more organizations hire penetration testers, or ethical hackers, to identify those vulnerabilities and to probe their information systems for exploits that attackers may find.
While penetration testing is its own specialty, many other jobs (such as security analyst and information security engineer) will also often require intrusion detection and penetration testing skills.
Secure application development, or DevSecOps
There's a growing trend to incorporate security into DevOps. DevOps are cross-department teams that are coming out of their silos to integrate software development and software operations. As the next step from there, DevSecOps is an emerging industry trend, particularly among large enterprises that need agile and rapid deployment for the applications they're building.
Gartner forecasts that DevSecOps practices will be embedded into 80 percent of rapid-deployment teams by 2021. By comparison, only 15 percent were using DecSecOps in 2017.
Incident response
Once a security incident is identified, it may take a team of different infosec practitioners and other departments to mitigate it. Many companies have an incident response plan that outlines the steps, and the security team contributes to both creating that plan and executing it when the time comes.
Incident response is a multifaceted skill that draws knowledge from different areas of information security and requires a solid understanding of not only the IT ecosystem but also the specific business and its sector.
Cloud security
Recent research by The Enterprise Strategy Group and the Information Systems Security Association found cloud skills in the top three skill areas where organizations saw a shortage. While cloud computing has matured significantly in the past few years, security remains a challenge, especially as workloads continue to be moved to the cloud.
To see proof of the cloud-security challenge, you only have to look as far as incidents like the 2017 Deep Root Analytics' massive records exposure of U.S. voters. What some have dubbed at the time as the "motherlode of all leaks" was due to a somewhat simple AWS database misconfiguration.
Data science and analytics
Many cybersecurity vendors are adding behavior-based analytics, machine learning and other big-data tools into their products, from firewalls to antivirus programs. They need data scientists who can create new algorithms and models. Information security professionals who have backgrounds in data science and analytics are going to see a growing demand for their skills.
Important soft skills
Customer service
Information security professionals are problem solvers, so they should expect to be communicating with the people whose problems they're trying to solve. Customers may be either internal, such as heads of other departments, or external, such as clients the company serves as a vendor.
In a high-stakes situation, like a security incident, diffusing tension among stakeholders and working under high pressure will be part of the job. It helps to put yourself in your customer's shoes and understand their pain points.
Communication
Going hand-in-hand with customer service, communication is a universal skill that just about any profession requires. For a security professional, top communication skills are necessary for a variety of scenarios, whether you're deploying a new security product, troubleshooting issues or trying to educate other employees about good cyber-hygiene.
Collaboration
In an organization that values a security-focused culture, the IT team doesn't work in a silo. You may need to partner up with either your IT peers or coworkers from other departments to solve security problems. In a CompUSA survey, half of the business and IT executives interviewed noted teamwork as a top skill.
Curiosity and passion for learning
There's never a dull moment for the information security team, and things are constantly evolving, from threats and vulnerabilities to the adversary's tactics. It helps to be naturally curious and question how and why things work, and a passion for learning will both satisfy that curiosity and help you stay ahead of threats.
What should you learn next?
Conclusion
As those in the industry like to say, information security is a "cat-and-mouse game"— if you want to be in the lead, you'll have to keep learning. There are plenty of resources that make learning easy, from online courses and certifications to industry organizations and conferences.
Sources
- 10 critical security skills every IT team needs, CIO.com
- 4 most in-demand cybersecurity skills, CIO.com
- Hiring and retaining top cybersecurity talent, ISC2
- Top 8 cybersecurity skills IT pros need in 2018, Dark Reading
- 10 things to get right for successful DevSecOps, Gartner
- GOP data firm accidentally leaks personal details of the nearly 200 million American voters, Gizmodo
- Cybersecurity plus data science: The career path of the future?, TDWI