Spend enough time in the cybersecurity world and you’re bound to notice that the same topics tend to get talked about over and over again. While specifics may vary depending on your particular niche, chances are you’re tired of hearing people go on about cloud security and its challenges, how to avoid ransomware attacks, or the latest trends on social engineering. And I’m pretty sure no one wants to hear anything more about AI.

But what cybersecurity topics aren’t getting the attention they deserve? With so much changing in the security world so quickly, I figured that there had to be a handful of subjects that could use some more publicity — whether because they’re taken for granted, they’ve been forgotten, or they’re just outright ignored. To help uncover these, I tapped the expertise of two of our Cybrary mentors: Joseph White and Rob Goelz. Their insights ranged from career advice more people should be giving to recommendations more organizations should be paying attention to.

So here’s what you should know.

Communication skills are just as important as security certifications

The image of the antisocial computer geek crouched in his basement office, sending off ornery emails to his ignorant colleagues, is almost a cliche at this point. But it has nevertheless helped perpetuate the idea that anyone involved in computers doesn’t have much of a need for social skills. As long as you know how to fix an issue, nothing else matters.

But in cybersecurity, nothing could be further from the truth. “You are selling something that is almost always perceived as an impediment to business,” said White. Of course, he quickly clarified, it obviously isn’t, but that’s how many executives often think of security — as something of questionable value that may place unnecessary obstacles in front of the organization. Because of this, competent cybersecurity professionals have to be able to communicate not only the need for proper security, but the value of it as well. They have to sell it.

Communication skills are also essential when it comes to the day-to-day work of securing an organization. After all, while building robust security networks and remaining vigilant against possible threats is important, much of cybersecurity comes down to simply convincing people to follow protocols. “You have to embrace others and be embraced by them so that your security programs are a success,” said Goelz. “Making your message well known, that's one of the soft skills people really need to have. Communicating something in a way that someone else can understand it.”

White underlined this point, emphasizing the need for patience and empathy: “You are often dealing with people during some of the worst days of their lives — something got hacked, something got destroyed, something isn't working — so you've got to be good with people. People skills are absolutely critical.”

Generalists often have an advantage over specialists

Although it may be true that security experts who can claim expertise in a speciality area (such as penetration testing, security architecture, or some other field) can often demand higher salaries, that doesn’t necessarily mean that you need to pursue a speciality from day one. In fact, you may not even need to begin in cybersecurity at all.

“It really is helpful to be incredibly well-rounded in security because you're going to end up touching pretty much everything in the organization,” said Goelz. While larger organizations may have teams dedicated to networking security or threat hunting or SOC, most small organizations will require their cybersecurity professionals to do a little bit of everything. And unless you already have some experience in various fields, not having these skills can put you at a serious disadvantage. Said Goelz, “Really doing security means you touch everything.” 

But what does it actually mean to become a generalist? Goelz suggested starting in an adjacent field, such as IT, then taking on the work nobody else wants — “like patching.” From there, you could offer to help out in different areas so that you continue to build up your knowledge. And if you happen to be at an organization that will pay for your training, be sure to take advantage of that.

“You can build your portfolio of security experience really in any role,” emphasized Goelz, “provided that you're willing to do the legwork and are willing to put in the time and effort to make that happen.” But if you are, you’ll be seen as the person who can get stuff done at the organization. And that can put you in a position of leadership arguably faster than a strict focus on a speciality.

More people should be focusing on governance

It’s no secret that certain fields in cybersecurity aren’t searching around for new applicants. Everyone wants to be a part of a Red Team or work as an engineer, but what about governance and compliance? While it may not be seen as the most desirable part of cybersecurity to be in, this field is no less critical.

“Governance is such an underrated field,” said White. “It’s probably one of the most important functions for the top. While it’s okay if a lot of good security comes from the bottom up, your security program is not going to survive if there is no top-down support.” In particular, White stressed the need to have more technical people in governance roles, not just “human checkboxes.” This way, you could not only identify the steps that would make an organization compliant, but you would also be able to go and implement them yourself.

“I understand the frustration around compliance — an auditor or ‘expert’ who comes in and notes a problem but has no idea how to get you across the finish line,” he said. “Identifying where the problems are doesn’t help if you have no solutions. So I really do get why folks dislike it.” But if you can combine technical expertise with governance and compliance knowledge, you will be able to bring an immense amount of value to an organization.

Let’s start talking about what everyone else isn’t

Cybersecurity is a big industry, as well as one that is constantly evolving. So while it may be tempting to focus only on the few topics that tend to stay the most popular, it’s our belief that staying ahead in this industry means always being on the lookout for opportunities no one else is talking about. It doesn’t matter if you’re just getting your career started, want to switch things up mid-career, or need to hire within your own organization — the recommendations our experts gave here can give you a path forward.

And, of course, we have plenty of courses to help you stay on track. Browse through our catalog or request a demo for your team to start accessing our extensive curriculum — including our knowledgeable Cybrary mentors.
