I have spent the past 30 years working in various cybersecurity roles. It has been a great career and I have worked on many fascinating projects with truly diverse backgrounds across the globe. Most of the people I have worked with over the years did not study cybersecurity in college. Even today, I have found that most of the best cybersecurity professionals came into the industry from different and diverse pathways. In fact, I started off my adult life as a paramedic. I majored in biology and business before moving into information technology as a network administrator.
Only after working a few years as a network administrator (with some security responsibilities) did I decide this was a good fit for me. My employer at the time supported training and I was able to get various certifications and more intense training. I decided to pursue a more formal education in information technology and cybersecurity, so I went back to college and eventually earned a bachelor of science and master of science in computer engineering and information technology. During this time, I also started accumulating certifications. My first cybersecurity certification was Certified Ethical Hacker (CEH) in the early 1990s. This started me down a path of eventually earning nine different cybersecurity certifications.
During the 1990s and even decades later, academic institutions did not typically do a good job preparing students for a career in cybersecurity. Even today, many cybersecurity graduates lack common skills needed to successfully become a cybersecurity professional.
So, what type of person will do well and thrive in the cybersecurity world? I am commonly asked this question and often reflect on the types of people who I have seen do well over the years. The second question I am asked, very often, is should my son, daughter, or other relative or friend “get into” cybersecurity. Is this a good profession for young people?
I will answer the second question, first. Yes, cybersecurity is a great profession for young adults! Cybersecurity professionals are in demand and the demand is growing each year. In fact, I cannot think of many areas more exciting, in demand, and lucrative, than cybersecurity. Every company, organization, and entity must have some degree of cybersecurity, and budgets have grown considerably in recent years. Cybersecurity breaches are at an all-time high. Ramifications of bad cybersecurity methods can cost organizations millions of dollars. Penalties and fines can bankrupt organizations that do not provide adequate security and protections, especially where confidential data is concerned.
Nowadays, every company or organization needs a cybersecurity department to protect its network and data from threats. Cybercrime Magazine estimates there will be over 3.5 million cybersecurity job openings in the US alone by 2025, and there is no sign of this trend slowing down in the future.
Now, what type of person should think about cybersecurity for a career? What type of person thrives and excels? The answer to this question is a diverse and multi-faceted individual. Let us look at the facets I believe to be important:
Needed Personality Traits for Cybersecurity Professionals
Integrity: A person with integrity is someone with strong character who is not prone to dishonesty, cheating, lying, stealing or other moral shortcomings. This is especially important in the context of cybersecurity, where a lack of integrity from an employee or even a department can lead to a huge security breach.
When it comes to the security of your company’s network, any weak link or vulnerability can result in a breach. No one is safe. Everything must be implemented, maintained and administered properly, 100 percent of the time, without exception. There can be no shortcuts.
As a cybersecurity professional, you are in a position of trust so you must have uncompromising ethics and integrity. During our daily jobs, we are often exposed to confidential data, learn of vulnerabilities and flaws, see configurations that were poorly designed or implemented, and learn of issues that, if leaked to the public, could be devastating to organizations and their financial security. I have known some very smart and skillful people over the years who had momentary lapses in integrity, and quickly found themselves unemployed and unemployable.
Good communication skills: Cybersecurity in today’s world is very much a team effort. In fact, cybersecurity requires a concerted effort from everyone in the organization. In incident response, the most important aspect of managing a cybersecurity incident is good communications. The same is true when trying to maintain a secure working environment and managing daily tasks with other cybersecurity team members. A cybersecurity professional who is not a good communicator will not last long in today’s fast-moving and rapidly changing world. When a cybersecurity professional has the desired communication attributes, the end-users at the organization will be more likely to adapt your policies and procedures, and adhere to best practices in preventing and reporting incidents.
Scientific curiosity: Most of the knowledge required for our profession is not taught in school. A lot of the needed knowledge is learned on the job, building defenses and conducting investigations. A good cybersecurity professional must stay up to date with threat intelligence, threat actor trends and new types of technologies. In fact, you must be constantly learning new skills and techniques, or you will quickly be passed by others. Cybersecurity professionals in the 2020s are constantly attending training, getting additional certifications, and attending workshops and conferences.
Adaptability: Things change extremely rapidly in the world of cybersecurity. We rarely speak of anything that happened more than two or three years in the past because, very quickly, it becomes irrelevant. Threat groups and actors rapidly change their tactics. Vulnerabilities are found by the thousands every year. Technology changes just as rapidly. In cybersecurity, the people who perform best are generally adaptable to rapid and constant changes.
Detail-oriented: A cybersecurity professional must be very meticulous. You simply cannot forget about the small things. You must be able to balance multiple projects, multiple incidents and triage on the go. You must be able to track and maintain multiple workflows while staying organized and concise. You must be able to move and act rapidly, under fire, while maintaining a clear and concise work strategy. A cybersecurity professional must be able to parse through hundreds, if not thousands, of logs, and detect even the smallest irregularity.
Calm and rationale: Security incidents do not happen too often in a cybersecurity professional’s career (unless you are like me and work for a cybersecurity company), but they will occur. Remaining calm in these extremely stressful situations prevents further mistakes and chaos. Keeping your mind clear will allow quicker action and interpretations, and resolve issues in a more timely fashion.
Innovation: This quality is essential in a cybersecurity career for two reasons. Threat actors are constantly improving their tactics, techniques and procedures. They are penetrating networks in minutes, whereas it took weeks or months just a few years ago. Threat actors are innovative. They spend time and money on research and development. They hire bright and innovative people. Therefore, cybersecurity professional must be more innovative and cutting-edge. Cybersecurity professionals must be able to “think outside the box” and make decisions quickly to prevent damages or data loss in their networks. Cybersecurity professionals must be able to predict movements and plan to thwart highly sophisticated threat actors.
Learning ability: After innovation comes the ability to rapidly learn new technologies and defenses. This is paramount in such a rapidly changing cyber world. You must be able to learn new innovations rapidly as these technologies constantly bombard the cyber world. Not only must you have the ability to quickly master new technologies and skills, but you must also have the desire to do so. Thinking back over the past 30 years, I can hardly remember a time I was not working on some new skill, taking courses, working on certifications, studying for tests, or even taking courses and programs at universities. In my mind, if you are not doing this regularly, you will soon find yourself out of a job because your coworkers will be! Stagnation in learning can be fatal in the cybersecurity profession.
Passion: All cybersecurity professionals must be passionate about cybersecurity and their role within the organization. Protecting your network, data and people can be extremely rewarding. Even though someone may have the knowledge and technical skills to be a cybersecurity professional, without the passion, I doubt they will thrive and perform in an acceptable fashion. If you want to work in cybersecurity, it must be because you have a genuine passion for safeguarding your network and digital assets.
Math and science skills: The perfect cybersecurity professional must be able to solve problems using data and analytic skills. Having at least some level of expertise in programming is also a particularly good attribute. Cybercriminals are increasingly sophisticated in their attacks. Cybersecurity requires individuals who are highly technical and value evidence-based, rapid decision-making.
Business acumen: A good cybersecurity professional must understand the big picture. The most fundamental aspect of most cybersecurity mission statements is to protect the business. This includes the data, applications, software processes, cloud infrastructures, trade secrets, intellectual property and confidential information for your company or organization. To do this, you must know the business. Business strategy drives much in cybersecurity. To build a good defense, you must know what you are defending and you must be able to prioritize your projects based on what is most important to the business and your business strategy. In cybersecurity, we often discuss business impact analysis, business continuity and disaster recovery. We plan how to keep the business operational, even if some of our digital assets are not available. Having good business acumen is essential when you work in cybersecurity.
Skeptical: “Trust but verify” should be our official motto! A good cybersecurity professional doubts many things. We are always looking for a means to verify what we see and read. Examples could be an error message or a piece of software telling us it has quarantined a file because it is malware. A good cybersecurity professional would not just believe the message from the software and move on; they would go to the quarantine folder and look for the file.
To get ahead of the game in cybersecurity, and prevent attacks, a good cybersecurity professional must have the ability to think like a threat actor. We are always suspicious, always a little paranoid about what is going on, because in a world of constant threats, not being suspicious and paranoid can be dangerous.
Responsive: Incidents occur very quickly; you do not always have time to react like you did a few years ago. We routinely see threat actors penetrate networks, exfiltrate and encrypt data, and more, in as little as 20 or 30 minutes. Things can go wrong quickly, but a cybersecurity professional must be able to respond with precision, making surgical-like cuts. These days, ideally, cybersecurity professionals preplan and design decision points before they occur. We often use automation and artificial intelligence to do this. If “ABC” occurs, then “X” happens immediately. Additionally, in cybersecurity, you must be able to respond 24/7/365. While we have on-call personnel, sometimes it is “all hands-on deck.”
In conclusion, a good cybersecurity professional often comes from a remarkably diverse background. I have seen many great cybersecurity professionals that majored in completely different fields of studies. Remember, I originally majored in human biology. No matter what type of background a person has, if they have most of the aforementioned attributes, they can have a long and rewarding career in cybersecurity.
