Emotional intelligence, resilience and the ability to integrate well with a team are among the most critical soft-skill qualities that a security professional can possess – and such attributes can make you a very valuable hiring candidate, according to a panel of experts Monday at the 2021 RSA conference.
The panelists spoke in a session that examined some of the key results from ISACA’s 2021 State of Cybersecurity report, released earlier this month. According to this study, 56% of more than 3,600 surveyed security professionals identified soft skills – including communication, flexibility and leadership – as one of the biggest skills gaps among today’s cyber pros, up by four percentage points from last year. Knowledge of security controls was a distant second at 36%. (Participants were allowed to give more than one answer).
Indeed, a lack of soft skills is among the reasons that hiring organizations struggle to successfully locate and recruit well-rounded job applicants in the security field, the speakers explained.
Panelist Caitlin McGaw, president of executive search/recruiting firm Candor McGaw, Inc., said CISO these days are particularly interested in emotional intelligence – "being able to understand and manage your own emotions in order to effectively communicate, emphasize with others as well as to resolve conflicts."
McGaw said one CISO she recently spoke with said “he’d take emotional intelligence any day over certification.”
“Not that certifications are irrelevant, but it’s just that it’s so much harden to train emotional intelligence and enthusiasm rather than the hard skills sets," she continued.
Resilience – the theme of this year’s RSA show – is another important attribute that often shows up in the form of optimism, persistence or grit, McGaw continued. It’s all about “continuing to push through even when you face challenges – because cybersecurity can be a frustrating business ,things can go terribly wrong. And people have to be able to... get back on the horse and get going to solve those huge problems."
McGaw suggested that aspiring cyber professionals could acquire or hone their soft skills by joining student organizations or volunteering to teach computer literacy or coding in a local community.
Fellow RSA speaker Gregory Touhill, president of AppGate Federal, director of the CERT Division at the Software Engineering Institute and former U.S. CISO, also emphasized the ability to work with alongside others as well as to flexibly adapt to various situations.
“We say that cybersecurity really is a team sport, because you've got to work along a wide range of skill sets in order to have an effective risk management program for your cyber environment,” said Touhill, also an ISACA board member.
“Having those soft skills – the communications, the empathy, the grit, the perseverance, the ability to work as a team, and… flexibility and adaptability – that's a collection of skills that leaders need to nurture,” he added. “And often you may get a new employee that is not necessarily fully experienced in those areas. But as a leader, you've got to help those folks gain those skills and nurture them along the way.”
But if soft skills are so important, should CISOs, team leaders and HR managers be doing more to change their hiring practices in order to take this into account?
On the plus side, McGaw said that job descriptions are increasingly “folding in bullets around the soft-skill attributes that companies are looking for.”
However, “something that continues to be problematic is the search for the ‘purple squirrel’ – the aspirational job description which tends to rule out too many people, women in particular, McGaw continued. “Women in particular, they don't see a really strong correlation between the skill sets that they possess and those listed on the job description [and] will often be discouraged from applying.”
That's why it's key for hiring authorities to truly understand what kind of candidates, and what kind of skills best suits the job they are trying to fill. The secondary skills can always be taught later.
Indeed, there are lots of ways to spot soft skills in job candidates during the interview process, according to Touhill. "Does he or she have the ability to go out there and be dynamic and embrace new challenges? Do they have a willingness to learn? Are they eager to better themselves? All of those things," said Touhill. "It's very difficult in a resume to push forward those type of things but candidates can really [help themselves] by demonstrating the potential for growth, the willingness to extend beyond just the job description."
There are many different paths that can lead to a job in cybersecurity, noted Touhill, who said some of the best people he hired when he was with the military were people who served as Air Force security police officers. Touhill also said people in information management tend to understand IT culture and possess the added technical skills to do very well in the cyber field, as do former auditors and controllers.
McGaw added that people with marketing, public relations, engineering and logistics backgrounds also have skills that translate well to cyber. "The key thing is to have a welcoming culture... and working with diverse populations as well that are underrepresented in security," added McGaw.
Touhill and McGaw presented alongside session moderator Jonathan Brandt, ISACA’s information security professional practice lead.