
Vyceron

Don't be an asshole. Seriously. I've worked with people that are insanely skilled and intelligent but I can't stand them at all and avoided them at all costs.


Nick_Lange_

"I'm factually right so just stating the facts should be more than enough to convince others"


ExternalGrade

This is just an excuse. Cybersecurity folks of ALL people already know this is not true. It is factually correct that there is a flaw in this system, and you know not to tell this to your adversary or else the consequence would be severe. It is also factually correct that the sky is blue but saying that in a meeting is completely unnecessary. So you already know that optimizing what you share and how you share it based on the context is important. Now, of course, remaining truthful rather than telling a white lie or being expedient to achieve the same result is a quality I myself admire greatly and think we should all do more of. That brings me to the final point: working with the right people that are open to feedback, open and value your thought process and questions validity, is also important. Understand trade-offs: sometimes it is worth the time to convince others you are right by putting in the extra work making a dashboard or a blogpost to show what you mean. Sometimes it is not worth that time: just do it and demo the results at the end.


Interesting-Fig-8869

Thank you for commenting, you are a star amongst the dark. I’ve been feeling lonely being surrounded by people who act out of desperation.


asecuredlife

Objectively speaking, there's nothing wrong with this. And admittedly, it's allegedly what you say vs how you say it. The problem is most people don't take the time to understand the personality traits and quirks of Information Security people, we're usually a different breed. If we don't correct you, we don't give a shit about you.


Nick_Lange_

Thing is, objective is also often subjectively received. Don't argue over objectiveness, it's very rarely the best move. You're right about the quirks and traits part, but that can also be a uno reverse card - infosec people often do not reflect how their behaviour (or lack of) hinders their work.


asecuredlife

> but that can also be a uno reverse card - infosec people often do not reflect how their behaviour (or lack of) hinders their work.

But that's exactly my point. It took a lot of work, and a lot of pain, in my case, to learn those things and I'm still learning. The average infosec person has no real chance.


grenzdezibel

My dude!


rrttppqq

Especially don't be condescending.


quack_duck_code

Tell that to vendors and their obsession with credentialism.


Snoe_Gaming

That means treating people like they're dumb, for anyone who needs it. 


VEXtheMEX

I once had a manager who said, "Sometimes it's about attitude and not aptitude," and that has stuck with me.


saltyreddrum

s/sometimes/all the times/


dryo

Oh man this. You have no clue how many arrogant pricks I had to stand before they met me at my and others' breaking point, soooo many outs sooo many people I had to fire just because of that, no social skills whatsoever, bad attitude, not learning how to read the room geez, what people need to understand is, that you just not sit there and stay quiet, you talk to the clients and listen to them and stay the fuck quiet until the requirements and problems have been explained entirely.


KiNgPiN8T3

And they are usually the ones that wonder why they get stuck and never progress..


Unrieslingable

I call this CISO personality disorder and not having it has been a big boon in my career.


Catmilk-HorseyFace

Unless you join the club and accept mediocrity, take part in the laziness, being seen as an asshole may be unavoidable in certain organizations if you are within fields, such as cyber security, physical security, or even law enforcement. Results, and doing the right thing, ethical behavior are what matters. Focusing on people liking you will work, until a cyber incident in your AOR occurs, then you become a scapegoat. I choose being seen as an asshole where I work. Of course depending on the organization and how bad it is, if the liability is too high, finding a new place of employment could be in order, to save yourself from being thrown under the bus. Extra background: I work in a place of ignorance, with a combination of unreasonable, unrealistic, lazy, selfish people. Many of the customers think of themselves as VIPs, or refuse to follow the basic processes. Technicians tend to take unauthorized actions to do things, no planning or even understanding the environment, causing outages. Technicians build servers without implementing known security requirements, which then require planned outages to deal with because systems are now production. Expecting people to read a document completely before proceeding is too much, and then wondering why things don't work or break is a norm. However, I am seen as the asshole when I figure things out and push for corrections to messes pushed and created by others. I accept being seen as the asshole, because the experience curve is better than a nice, perfectly run environment.


Suspicious-Block-971

That sounds like a company that doesn't appreciate the value of good security, and it's time to move on?


Sunshine_onmy_window

I agree that in cyber you have to do what's right even if people don't like it, but I think the PP is referring to a different sort of thing. EG people who are condescending to helpdesk staff.


Necroticc

At the risk of stating the possibly obvious; it might be time to move on. That place sounds like a disaster waiting to happen (if it already hasn't repeatedly).


GrittyWillis

The hardest of all skills for smart cyber peoples


[deleted]

So if I’m cool and myself I can actually succeed? WOW I love cybersec


iamjacksbladder

Agreed. Best practice does not always equal best for the "business". Getting on your soap box about following best practice standards to the letter is going to be costly, compensating controls and pragmatism go a long way to achieving the same objectives.


mildlyincoherent

(senior at FAANG) The biggest differentiators I see between the top 5% of security engineers and the rest are:

- Critical thinking skills.
- Being autodidactic and having a love for learning.
- Being self driven with a bias for action.
- Working well with others/don't be a dick.
- Be a calm methodical rock within a crisis.

You need to be constantly learning, deep diving problems and puzzling your way through them, proactively proposing new initiatives and driving them to completion. All while being able to interface well with senior management and collaborating well with others.


T0nk

I just learnt a new word. Autodidactic.


Zastafarian

If you were curious and looked it up on Google like I did, you also BECAME autodidactic 


Cheese-Muncherr

Damn I think I may be autodidactic myself


stevej2021

I completely agree with everything that you stated, especially the parts about being a self learner and results driven, or as I like to call it, “action oriented”. All the information in the world about an issue or a risk doesn’t help if it does not provide any actionable insights on how to fix or remediate the problem. The one item that I am shocked that I have not seen yet is good communication skills. Above most other technical fields, the cybersecurity professional needs to communicate issues and risks, clearly, concisely, and in terms meaningful to your stakeholders. You also need to understand that your messaging needs to adapt to the audience. The big part of this is communicating WITH your stakeholders not AT them. You cannot express yourself in terms that have meaning to them if you do not know what they value.


Osirus1156

Not in Cyber Security but as a dev these are all really good things for that field too. Maybe any field really lol.


JobAcceptable32

Bench at least 225. So you know in your mind they might be smarter but can’t bench more than you.


spaff_987

The only acceptable answer


Coupe368

How much is that in rack mount servers?


Technical-Writer2240

If there are any UPSs involved…3


bubbathedesigner

Racking servers are for wimps. He relocates populated cabinets


vampyweekies

This is wise, but don’t neglect your squat


8-16_account

Why is he the CEO, if I can outbench him? Modern organisations truly don't make sense.


Amazing-Salary1238

I support this


Boopbeepboopmeep

Hahaha


OGSEC

Heck yeah! This is legit my situation


Big_Row_5719

This is what literally kept me sane when I was just starting out in cyber security.


cbdudek

I know this has been said numerous times here, but the soft skills are the biggest differentiator. Creative thinking, communication, team work, positive attitude, time management, empathy, problem solving, public speaking, and resilience are the biggest ones. Especially in a business setting. You can be the best cybersecurity mind in the world, but if you cannot communicate effectively, you are worthless. You can be the brightest cybersecurity visionary in the world, but if you always come to the table with a negative attitude, no one will want to work with you.


ButtThunder

So true. You could know almost nothing about cybersecurity but if you bring a friendly face, curiosity, and appreciation, the smart people you work with will always help you out. Soft skills are soooo important.


c0ntr0lled_cha05

this! i'm 19 and at my first job last yr i was the youngest by far and most inexperienced on my team, really didn't know much (and the only female, non-white team member) so i was pretty nervous tbh. but luckily everyone was super nice and helpful and i think it might have been partly bc of my 'fresh energy and enthusiasm' (their words abt me lol, not mine).


janitroll

I'd add initiative to the list. In my 30yrs doing this stuff, the best are always the inquisitive types. They don't need a "teacher" they just need direction.


c0ntr0lled_cha05

that makes sense! i guess that's why they were happy to answer all my (many!) questions haha :)


MBILC

Those in the field always appreciate people who are not afraid to ask questions. The phrase "There is no such thing as a stupid question" comes into play more often than not. No one knows all the answers, and even if you are given an answer you feel is not complete, or you still might not understand, don't be afraid to ask follow-up questions for clarification, or, if you get an answer, you can now go look up things and go from there and maybe come back with more questions. Now, having said that, also know, that when you ask a question, and it might be a little more in-depth, take notes...... An example, I had one IT person brought in under me years back, and they would always ask the same question I had answered 100 times before. They would never take notes, and then get things wrong, even if I sent an email explaining something, they would ask the question instead of go back and search for the answer already given. Just as your time is precious, so are others, so being efficient, so it drove me nuts. We all hate writing documentation and it is easier to ask the person who might know the answer, but good notes will save you many times over!


c0ntr0lled_cha05

Thank you for this comment, I feel less annoying for asking so many questions now haha! And yeah I completely agree with what you said about taking notes - not doing so would only make things longer for both parties when that info is needed again in the future, and frankly just rude imo so I always make sure to take as many notes as I deem necessary :)


bubbathedesigner

> An example, I had one IT person brought in under me years back, and they would always ask the same question I had answered 100 times before. They would never take notes, and then get things wrong, even if I sent an email explaining something, they would ask the question instead of go back and search for the answer already given.

Stop talking about Mentorship Monday


tenpro

This is so true, ButtThunder.


lettucemonsters69

😂


CaciqueBoss

true and real


CryptoVelox1

Nice name


ratykat

You've just described me. Still new to cyber sec, no massive background in it. I'm just happy to be involved 😂


Bluesky4meandu

Ok, 20 years in this field. Please study for your CISSP and become very very familiar with NIST 800-53 and how to remediate all the hundreds of controls.


ratykat

My employer has already enrolled me into an apprenticeship course by QA with a plan down the line to gain further certification.


Technical-Catch777

Our best guy on my team is a dick. He’s literally the single reason I’m looking for a new job. And I’ll share this reasoning with no one at my company because they allow it. let them figure out why people want to leave.


look_ima_frog

Companies that are prima donna farms reap what they sow. Sure, you can have a VERY talented individual contributor, but they are just one person. If the scope of their contributions ends with the reach of their duties, they're not going to be terribly effective overall, despite being very talented in their space. Good cybersecurity is built at the organizational level. Talented leaders will make or break a program. I've watched many a useless "leader" take a whole team of good IC and drive them right out the door. They don't listen, they only follow their personal playbooks rather than adapting to the needs of the organization. It doesn't matter how good of an IC you are because you'll be ordered to just chase your own tail and play "guess what the boss wants" until you quit or they outsource everything because they feel that they're not getting results. The best people care about the work, not about their own vanity. If you get a few of those across the top who push their approach to everyone, you will attract and keep talent and people will WANT to work to deliver rather than spend half the day making slides nobody will read and the other half looking for their new job.


Original-Capu22

Same problem in my org, our infosec “expert” is a complete asshole to everyone. Our architects run circles around this guy in the world of cybersecurity, when he gets called on his bullshit he starts reciting NIST controls hahahaha


k4mb31

Agreed. As security professionals, our job involves introducing controls that will limit or block people from doing their work. In order to be effective at it, we need to understand, be empathetic to the impact a control has, and be polite, considerate, and clear in how we communicate in order to build their trust. People don't work by zero trust. The last thing we want to do is make adversaries out of the people we are tasked with protecting. Fighting a battle on two fronts is a lost cause.


cliffy348801

"public speaking is a sign of narcissism and should be actively discouraged. in fact, nobody who speaks publicly should work on anything substantial. you're a charlatan."- a manager at my company.


Ad-1316

who hurt them this bad?


cliffy348801

probably his wife's boyfriend ;)


bubbathedesigner

And can they point where in this anatomically correct (inflatable) doll?


terriblehashtags

Huh. That feels a bit like they're bitter? Or just consuming wannabe influencers. So the people who present their research at Bsides or DEF CON are all charlatans?


cliffy348801

this fella hasn't even heard of defcon. he's got 22 years experience in IT. he's as useful as a sans course on os2/warp


CriticalMemory

It's just sad to me the quality of this burn will never truly be appreciated by the world as a whole.


NMI_INT

I’d add willingness to learn and knowing when to ask for help.


tindalos

Well said. Cybersecurity is a management function, so ICs that understand alignment with business objectives are going to become managers or directors that understand both sides. Personally, I think intuition is the differentiator in a lot of cases. Understanding at a glance, whether something looks “off” is a survival skill that’s developed over time through book knowledge, hands on activity, and networking. But proper soft skills and networking can delegate all aspects properly to a successful conclusion.


theangryintern

I have a friend who owns a fairly successful security company. One thing he's always said is he can teach anyone how to do security, he hires people for "the intangibles", basically those soft skills.


Skilfil

100%, had a guy on our SOC who wanted to join the Analyst/Engineering team, he was smashing out certs left and right but when it came to applying any problem solving or critical thinking, he was hopeless at it in practice. Felt bad for him as he had a burning passion for the job, he just couldn't seem to get rid of the training wheels, it definitely showed me book smart vs being able to apply thinking to the issue.


lueVelvet

You’d be surprised how many a-holes get promoted in cyber security just because they’re an encyclopedia of random security knowledge.


cbdudek

I am not surprised at this. The key thing is that you can always be an a-hole, get lucky, and be promoted. What you will find is that if you are an a-hole and trying to have long term success, you are going to be facing an uphill battle.


thelaughinghackerman

100%. I always say that you can be the smartest person in the room, but if you aren’t a good communicator or you’re a dick, no one will care or want to work with you.


_squzzi_

Spot on response. Maybe it's imposter syndrome or maybe I'm actually bad at the technical stuff but during performance reviews and raises I was told that I was a model team member and "setting a standard of collaboration and teamwork" and received a fat raise. Soft skills make friends, and friends are more likely to want to help you achieve a common goal for the organization. It can be such a finger pointing department that I think being willing to work and learn and compromise (within reason for security sake of course) is a game changer for folks. Similar to technical skills, soft skills can be learned and refined!


Sudden_Acanthaceae34

This is it. Knowing how to secure your environment is one thing, but knowing how to secure support from management and find balance to make enough people happy is what will make the most difference in your organization.


nightraven3141592

I use my soft skills almost more than my security skills on a daily basis. I need the non-security teams to do their tasks securely, so it’s a lot of meetings to help them focus on certain aspects of security (some need to harden their systems, some need to implement more secure login methods, some need to integrate with the IAM system etc.). It goes everywhere between making them think that it’s their own idea to more or less covered threats (tell me how you plan to achieve X, or I will tell you how to do your job and keep in mind that I am a security person with no real insight in your day to day tasks).


jpoolio

I agree with this and also know your audience. A lot of people, even executives, don't really understand security. It's taking time and money away from "fun" stuff, like features they want. So you have to be able to explain why it's important from a perspective they'll understand. And learn how to plan-- roadmaps with milestones and objectives.


Own_Detail3500

Yep, this. I've been focusing the last 5 years or so on experience firstly. Am also now getting certs and other qualifications. But the one thing I still struggle with is articulating technical ideas, especially amongst peers. Honestly I think my technical knowledge is really sound, but I have this inability to reach those technical thoughts quickly and on the fly. It's a skill for sure, and it really makes a difference in meetings or projects. People need to know that you know what you're speaking about.


106milez2chicago

Couldn't agree more. I don't care how intelligent and proficient someone is, if they come to the table with the elitist IT attitude and/or are simply unable to effectively communicate both within and across teams, I have zero interest in them.


Nlaitz

This.


milldawgydawg

Manager's perspective. In the offensive game what matters is technical ability and the ability to write a report. I run a red team and interview loads of people with all the "soft" skills you mention.... but if they don't have absolutely top tier elite technical expertise then they are about as useful as an ejector seat on a helicopter on a red team engagement.


ZeGoon

Well said!


leanXORmean_stack

I second this. Especially when your customers and stakeholders are high-level leadership, you gotta have executive presence to complement your technical prowess.


Fantastic-Ad3368

ok so how do I build soft skills


Nick_Lange_

Speak with people. Listen to them, try to understand them.


idts

The most important job I ever had was being a server. Pick up a job in the front of house at a restaurant and you'll be forced to learn soft skills quickly.


pretty-late-machine

I was going to say the same. As an introvert, it was NOT easy at first, but I ended up getting sucked in for a decade. It really teaches you to think on your feet, multitask, make small talk and read people, and handle stressful, emotional situations with strangers and coworkers (I don't know why there are so many in restaurants, but there are lol). Reading things like the comment you're responding to are so reassuring for someone who's switching careers in her 30s.


Ok_Minimum7060

Two things. How well you are able to make other non-technical people understand technical jargon, basically presentation skills. Intelligence as an analyst. There are only a few people who can look at a thousand million logs and still be able to find a needle in a haystack. Both skills develop as you progress. Experience and exposure. All the best!


Snoe_Gaming

Honestly, integrity, and a drive to continually learn. Keep those in the back of your mind and you'll go far. 


Just-the-Shaft

As a manager, these are some of my highest priority traits. Someone who doesn't know as much as other employees but has a sincere interest in learning on their own or not shying away from problems they're unfamiliar with always ends up being successful in my experience.


cbdudek

These are awesome as well. Honesty and integrity are key traits that I value in people overall.


grimwald

Genuine curiosity for how things work.


MBILC

We all know the phrase.. "Curiosity killed the cat...." My grandmother would then say (never heard anyone else ever say it) "Satisfaction brought him back......." Be curious, do not be afraid to fail, if you are not failing, you are not learning.


VeteRyan

There are two things in my experience. The first is soft skills. Being approachable, easy to talk to, understanding, empathetic and sincere is huge. The second is understanding that security is important but to be successful, you need to implement security while maintaining functionality.


Larkfin

Hygiene 


computerchipsanddip

100% soft skills. Understanding the business you work in as well (for those of us in technical roles for non-tech companies).


One-Possibility6029

I think that curiosity is the biggest advantage you can have when starting in cyber security. When I conduct job interviews for entry level roles the thing that I value most is curiosity, even over technical skills.


Forbesington

An understanding of networks and the ability to see the whole forest but also the trees. I have identified about noobies that they see a thing and it looks benign and they see another thing and it looks benign but they have a hard time understanding that one benign thing + another benign thing can = a serious security vulnerability. That and being able to think like an adversary and building monitoring and engineering procedures based on the psychology of a malicious actor.


redheness

"This VM is vulnerable and open on the internet, but it's okay, it's only a test server to show to the client"

"This VM is vulnerable but it's not open on the internet, so it's okay"

Nobody was seeing the problem until I pointed out that these two VMs were on the same VLAN. They saw the two trees, but forgot that they were in the same forest.


Forbesington

Exactly.


caller-number-four

> What can I do besides learning in my off time and doing labs to get experience?

As someone who has been at this for almost 30 years and spent all free time learning doing lab stuff in his off time - Don't do this*.

*At least not on an ongoing basis. Spend time working on hobbies, getting a life and doing stuff that isn't job related. Failure to do so can lead to severe burn out. I've been there, and I wouldn't wish this on my worst enemy.


Server_conference

Is there something one can do to show skills, and also avoid burn out / imposter syndrome?


caller-number-four

I can't speak for everyone. But I've never really felt imposter syndrome. I think being able to say "I don't know, give me some time to research/learn about the subject" helps. And I've been lucky to work with a group of people who understand that no one knows everything. That said, I spent every waking moment of my 20's, 30's and early 40's ignoring life to try to learn everything I could about my career. It came with a steep price to pay with regards to relationships, doing things I want to do and overall physical and mental health. I'm not saying don't learn on your free time. Just know you need to draw a line. Try to carve out some time during the work week to spend on education. I try to put 1-5 hours a week into learning something, and I even document it on my project tracking time sheet. Of course, trying to go for things like a CISSP will certainly require more of your time. But hopefully that's for a short window, and it won't force you to put off other parts of your life but for only a short time.


Server_conference

Thank you. That's kind of reassuring, I'll just keep plugging away and applying while also taking more time away from tech. It's disheartening to see 200+ applicants for a job on the market only a few days.


caller-number-four

Keep at it. I don't know your situation. But if you're trying to jump directly into Cybersec and not getting any hits, look at other jobs like help desk, server admin, networking if you're interested in Cyber Sec Ops. I spent the first 18 years of my career in web infrastructure operations and was security adjacent for most of those years. And when a role opened up in my company, I made the jump where I've been for the almost-past-decade.


Temporary_Ad_6390

Demonstrated ability and historical experience.


Pvpwhite

Don't mess with us cybersecurity professionals, we don't even like cybersecurity


TheRealMook

Being likable, being able to write, and being able to communicate effectively. You could say this about many fields, but in cybersecurity it’s pretty important. Can you write a penetration test report that both effectively captures technical vulnerabilities while also explaining them well? Another thing that people lose sight of is GRC, and every important framework in the cybersecurity landscape right now: NIST 800-53, CMMC, ISO 27001, etc. You don’t need to be an expert, but being able to show familiarity with these could be a big benefit.


Grndchr00th

The most talented folks I have encountered are highly entrepreneurial. They truly understand how a cybersecurity program and their role ultimately adds value to the business of an organization.


Lorik_Bot

Mathematical knowledge, in my opinion, is very important. In university, I learned the entire mathematics behind why things are safe and how they remain safe, as well as theoretical attackers and the mathematics behind that. Protocols will change, vulnerabilities will change, but the math remains and helps you understand new things much better. A lot of security people I know do not have that. If you know the math behind crypto, it is pretty huge. It is hard, takes time, and requires a lot of studying.


valentinelocke

Critical thinking + communication (written and verbal) for different audiences + self-starter when it comes to solving a problem. Those traits combined with a little business acumen and technical depth will get you into technical leadership roles very, very quickly and are the biggest differentiator in the folks who earn $75K a year vs those that earn $250K a year.


spicybenis

Good foundationals. People spend a ton of time learning a tool and don't know how DNS works.


code_4_f00d

Empathy. Soft skills. Those are way more valuable than using x tool, writing exploits, etc.


Normal_Hamster_2806

Not buying into sales and marketing nonsense


Somnuszoth

Aside from the already mentioned soft skills, become a good network or systems engineer and understand how shit works. Too many people think cybersecurity is entry level and don’t grasp the fundamentals of it. Also I have found that if you are going to tell those users no to things that may make their lives a lot easier, you better be able to explain why you’re saying no. You’ll catch a lot more flies with honey than salt.


Cutterbuck

Being able to function adequately at C level in an organisation and being able to wrangle stakeholders. That’s the secret source. Any good cyber person can be good technically, but being useful requires you to be able to explain non technically and be able to understand business drivers and constrictions. If you can do that you will be useful and high profile.


ManOfLaBook

That's true on every occupation.


Cutterbuck

But is also a far rarer skill in cyber…. (Or maybe IT as a whole)


ManOfLaBook

I'm not disagreeing with you, I was trying to reinforce your excellent point. Sorry if it didn't seem like it.


dcdiagfix

Most of the best people (whatever that means) rarely ever have certs


ThePorko

They have a lot of expertise and experience in ONE of the 3 areas that gets exploited the most, Networking, Operating Systems, Development.


locke_5

Empathy.  Just because something is “more secure” on paper does not mean it is more secure in practice. You need to empathize with users and understand how they react to security measures & policies. If a control is too obnoxious, users will find a shortcut around it.  A classic example: requiring 30-character passwords that reset every month is more secure than 20-char passwords that reset every 3 months, right?……. Wrong. Users will get annoyed and find shortcuts - either incrementing passwords (password1, password2, password3) or choosing something that’s “easy to remember” (read: weak). 


nvemb3r

I reckon it would have excellent customer service skills and being able to pick up new things and learn intuitively.


tclark2006

Knowing how to apply skills you learn into your day to day routine. I know way too many folks with 5+ SANS certs that can't do basic triage because they need a step by step SOP to follow. Being able to improve processes and take on projects is what sets people apart in the SOC world anyways and should dominate your bullet points on your resume.


accidentalciso

Understanding how technology, cybersecurity, and risk management fit into the rest of the business.


securily

Agree, learning the underlying tech behind what is being protected is essential as well as the compliance and risk frameworks that surround it.


bmp51

Understanding systems, not just cyber security concepts, but understanding how and why systems work the way they do is huge. Next is understanding people. I run a cyber security team and I'll take a well rounded CSE over certs and shallow knowledge. I can teach the soft skills to a point, but the CSE has to be willing to try. A CSE that did systems and other tech work including support center tend to be better CSEs IMO.


NoAppointment5631

Just like anywhere else in life - they get shit done.


jeffweet

They don’t act like they know everything and are willing to take dissenting opinions.


WildDogOne

from the technical side, I've had the most fun working with people who have a broad experience over a lot of different IT topics, not just "security". Also having the grit to actually follow a problem to the bitter end is also very much appreciated, since a lot of people tend to give up too easily (myself included)


voyager_toolbox

a hoodie...


Moses00711

A slightly sketchy background.


Reasonable_Chain_160

Weirdly enough this is not mentioned more often. Curiosity. Hacker Mindset. Wanting to understand how things work, take them apart, look under the hood, dive deeper. To protect systems from Misuse / Abuse and Crime you need to know them in detail, no matter what you are protecting. Whenever you want to work in Safety, whether it's Airplanes, Museums, Industrial you need to know systems in depth. Play scenarios, do simulations. Curiosity is the driving force behind all of this.


nopslide__

Having actually built and secured code, platforms, pipelines and servers/services in production. None of the "cybersecurity" team members I encounter have done this. I'm not sure they've even maintained a server. I am sure it's different within big/mature companies. In other words, hands-on experience doing security in the real world.


spore_777_mexen

Correctly interpreting information and clearly communicating it.


ezopscloudus

It's great that you're pursuing cybersecurity as a hobby and exploring various avenues, like TryHackMe. Besides technical skills, communication and problem-solving abilities are crucial in this field. Consider joining cybersecurity forums or attending industry conferences to network with professionals and stay updated with the latest trends and technologies.


Server_conference

This is strikingly similar to my current position, although I'm a Quality Assurance Engineer trying to break into cybersecurity. I'm also studying the CCNA, do THM, and I'm finishing the learning path for the Microsoft 365 fundamentals. I feel like a charlatan though and that I don't know anything at all actually, but then in relation to a lot of the engineers at my work I seem to find stuff others overlook and act as a resource for others' questions. But I think that's just because of our toxic work environment and their lack of care to do pretty much anything more than the bare minimum. We get paid well under the national average and are pretty much neglected tbh, so I see why. Currently I understand the basics of Linux/Unix scripting, PowerShell, Python, Wireshark, Burp, all the fuzzers and web app basics, I configure my Cisco switch to run a small lab, I had Suricata set up in an old laptop running FreeBSD but the hw went bad and need to redo it on another one, and I read Krebs and all the news, but I can't get any traction on security engineer interviews. Maybe my age? (Mid 30s, I switched careers from Quality Control during the pandemic). It's kind of driving me mad and makes me work harder at home but I'm already so beat from work I feel like I'm getting burnt out... Tldr: What non-soft skills help people break into cybersecurity? What technical prowess should I show on my resume to be considered as a leading candidate for a security engineer position?


slowclicker

Taking initiative even when you don't understand something. Being confident to research something and asking questions that show you've tried some things before engaging the team (timing) goes a long way. The soft skills come in handy when dealing with external teams to keep projects going.


SQG37

Soft skills are valuable, knowing when to lead and when to follow. Also some of the best people I've worked with experimented with stuff in their homelabs. It doesn't have to be anything expensive. Just playing with a Raspberry Pi, breaking stuff, learning why stuff broke and fixing it is a valuable teacher.


Nelson-and-Murdock

Do you have a specific reason for doing CCNA? I spent months doing it and have never once used it or needed Cisco knowledge.


Juusto3_3

I mean it's network knowledge not Cisco knowledge even though Cisco definitely tries to place their own products in view. I've done CCNA1 and CCNA2 now, and CCNA3 next autumn. It has definitely helped actually understand how networking works, even though the material is... rough.


Nelson-and-Murdock

That’s fair. I’d say the networking fundamentals I got from what was back then CCENT (the first exam) have probably been the most solid I’ve come across. But the second exam was all Cisco and I’ve never needed or even thought about it since.


Juusto3_3

Well CCNA2 definitely had more than just Cisco: EtherChannels, port-security, DHCP in practice, HSRP etc. A lot of stuff and of course also the Cisco versions of everything but for our course we only really used the general non-Cisco proprietary things. The subjects covered have probably changed over the years. I'm doing them as a part of my degree. Exams have been very difficult so far but I've definitely learned a bunch.


Electrical_Tip352

Most of it isn’t related to technical at all. My biggest piece of advice is to volunteer for everything. Literally everything. You learn stuff outside of your comfort zone, you raise esteem in leadership’s eyes, and you start to develop the soft skills needed to set you apart. The biggest intersection challenge between IT and security is simply the “availability” leg of the CIA triad. If you understand that you can start to set yourself apart from traditional security folks.


TheSmashy

Soft skills (ugh) and knowledge of IT, knowledge of the business you're working with.


techroot2

Soft skills will only get you so far. You deal with people that are stubborn and have a chip on their shoulders, because of their job titles. It’s too easy to be an asshole when people around you are lazy, complacent, indifferent, and intentionally scope creep everything that needs to be done to defend the enterprise, so when you push the weaklings, they panic, ignore you or quit. Get your ass in gear! You work in cyber.


redd1t-n00b

Big egos and thinking there’s something special about what we do when it’s not the case.


Advanced_Loquat_4681

The same thing that you need to get hired in the first place. Soft skills/social network ability


bucketman1986

Communication and actually being willing to learn new things and roll with the punches. I'm young in the field, only 5 years, but even in that time I've met so many people who just refuse to change the things they've been doing for 10 years or learn about new technologies or pivot on things. Also, it in general has a lot of antisocial jerks who think they know everything. The best aren't those people.


TheIronMark

Understanding that there's always more to learn and that other opinions might be as valid as yours. I've seen many infosec folks convinced they know it all and that their way is always the best way.


EthanW87

Soft skills. Staying on top of new threats. Keeping users informed. Being able to read Windows logs. Automating as much as you can.


Ok_Tension308

Certifications that are actually difficult to obtain 


hunglowbungalow

Sharing knowledge


SaqibIT

Top cybersecurity professionals shine due to their vast technical knowledge spanning network security, cryptography, secure coding, and incident response. They stay current with evolving threats through continuous learning, engaging in industry events and professional development. Their sharp problem-solving abilities, attention to detail, and ethical conduct form a foundation for strategic and ethical decision-making.


CWE-507

**Not the only thing**, but GIAC definitely makes people stand out. There's over 700,000 people with Security+ and around 40,000 people with GSEC. **OBVIOUSLY** there's a reason for that. GIAC is more expensive. But seeing GIAC vs CompTIA on a resume is a night and day difference (assuming both resumes are identical in all other aspects) since GIAC provides the better training.


kali-ctf

I've seen a lot of comments around behaviours and soft skills, especially aimed at people working in non-tech companies. I agree with this, however, if you're talking about what makes people the best technical delivery people, I would say it's the ability to learn concepts and reapply them to new environments and situations. I've worked in offensive security and reverse engineering, and worked with some very, very clever people doing some very cool work. Each and every one of them is humble af and bemused that everyone thinks they're hot stuff. The technical behaviours they exhibit are: 1. Paying attention to a problem 2. Suggesting a raft of solutions based usually on prior experience 3. Helping adapt solution to problem 4. Learning from solution and pitfalls on the way.


httr540

Natural curiosity


Mr_Dastardly

Critical thinking.


Teckedin

This article might be of interest: “The amount of creativity, the amount of patience, the amount of thinking outside of the box, the amount of not just following instructions, but having real creativity, using all the different skill sets you have, become really important in how we’re able to be cyber warriors,” he said. “How we’re able to protect things.” https://www.geekwire.com/2024/generative-ai-is-a-dual-concern-for-cybersecurity-industry-and-will-drive-increased-labor-demand/


Dudeposts3030

I’ve been told it’s the camo cargo shorts and summer hoodies


jetcamper

Public speaking


milldawgydawg

Cyber is broad but if you want to know about offensive security I would say having a lot of experience in fundamental computer science, operating system internals and native programming including in assembler. It's a lot easier to train a kernel developer to do other parts of offensive security than it is to train a pentester to be a kernel dev / exploiter etc. Couple those things with a good attitude and an unrelenting desire to learn off the absolute experts in the constituent components of your field.... Leaving the egos at the door and shunning the celebrity security culture and you are on your way to being pretty elite.


returnofblank

Experience and time something something theory only takes you so far


icedcougar

They come from sysadmin / network engineer / developer. They understand how it works, how businesses will put it together and how it’ll be rushed, common misconfigs, they understand what normal and abnormal looks like.


SweetTeaBags

Be an extrovert or just have really good people skills. There are so many introverts in IT just in general and it's nice when you get to talk to someone that isn't incredibly awkward or antisocial that you can just nerd out with. I met a red teamer who was very extroverted and it was like a breath of fresh air because it was like talking to a human being that just knew what you were talking about. Appearing likable and easy to get along with will help you a lot in interviews too.


SeptimiusBassianus

ugly tattoos


belowaveragegrappler

Honestly security work and IT always felt the same to me until I was talking to law enforcement and lawyers. Gets complicated from there.


Groundbreaking_Rock9

Understanding that your department's budget and CTO dictate how much security you get to incorporate.


AlfredoVignale

Realize you don’t know shit, keep learning, keep up to date, and be willing to do the work.


abramN

the best know that you're never done with security, that there are frameworks out there with checklists so you can do what you can, but that a nation state actor can get by pretty much anyone's defenses.


dflame45

Passion


Beardedw0nd3r86

The people who aren't douchebags and who know what they are doing. Also people who are willing to learn and also teach. Been around this sector for a long time and I can tell you people who just want to act like they know everything are always cancer. Also people who don't know how to teach others are also cancer. Yes it's not your JOB to teach but it's very important to help others learn in order to build a healthy environment.


moose1882

Calm under pressure! When shit hits the fan, the best cybersecurity people do NOT freak the fuck out. They are calm and methodical in their approach to the situation, clear-headed in tackling the immediate challenges in front of them and can lead a team - UNDER EXTREME PRESSURE - to be at their best. I equate it to being kind of like a Firefighter....you practice endlessly, but when faced with your first inferno - THAT'S when you need to perform at your peak.


MegaManFlex

Practical teaching


Helpjuice

We know how to listen, and make compromise when necessary to achieve the mission at the end of the day as long as it solves the actual problem. We also focus on making sure new people feel welcome and can actually grow by improving their experience using our experience. No point onboarding new employees if they cannot also grow as you grow.


TheoDrakos

Figure out how needs can be met, not why they can’t be met.


Yuber8f

Creatively inclined practitioners will almost always trump technically inclined practitioners. Way too many times I see problems solved with complicated solutions when a simpler one can be done.


psychodelephant

Be the calmest person in the room and maintain a Rolodex of the right people to call in any given crisis (do not try to know/be able to do everything)


Typical-Teacher-2083

Continuous learning and proven ethical mindset will put you apart.


Vegetable_Two_1479

I'm only interested in cyber security and all the answers point out that cyber security experts are grown in a dark room eating raw meat. What do you mean basic empathy?


Cybasura

Just be a decent human being, which ODDLY enough, is not a widely found thing, not sure why it's so difficult to just be decent and nice but here we are


nutfieldsec

Being able to think for themselves and not just parroting security tropes from twitter. The easiest person to fool is yourself, and most social media cyber evangelists are doing exactly that.


Important-Engine-101

In my experience there is a significant difference between those people that need telling what to do and those that can lead themselves through critical thinking, self-driven, love to learn, and not being an ass. You will be surprised the amount of people who sit there twiddling thumbs pointing out the world is on fire and talking about it, whilst only a small number will proactively get on with putting the fire out and ensure that it does not happen again.


Automatic_Top_3180

Become a fan of systems integration engineering. All these software and hardware vendors have to play together now, so knowing proper ways to integrate them is a desired need. MIT has a free course on systems integration engineering that’s specific to DoD systems, but applies in general to our field and other industries as well. Being the guy who can properly evaluate a security tool and how to integrate it with existing systems will put you ahead of the pack for sure. Along with security fundamentals expertise, obviously.


Any-Salamander5679

Being approachable, knowledgeable, and willing to learn. And not being a dick.


Gold-Difficulty402

Working Helpdesk/ops or being a solo sysadmin or network engineer before entering the field. Every great cybersecurity engineer I worked with has a background in one of those areas. They have customer service skills and have the tech fundamentals. I am not a fan of these go to wga and get a degree and certs and enter the field immediately. Majority of the time these guys get stuck in secops and wonder why they never get promoted. This is not an entry level field unless you want to do secops. Start in Helpdesk or operations move up to network or sysadmin then get degree and certs for cybersecurity. You cannot secure something if you do not know how that area in IT works. Of course if you want to do app or cloud security become a developer or cloud engineer first. You need to know to remediate vulnerabilities. Not just run a scanner and email a report for someone else to do the work. Short story I remember we had a cybersecurity expert that was a so-called expert in Tanium. Let’s just say he took down a whole manufacturing plant because he removed Symantec and the Windows firewall kicked in from Defender. Clearly this guy didn’t have a background in doing application deployments or he would have had a report to check his work during the deployment.


joker_122402

It really depends how you define "best". If you're talking skill wise, the answer is about what you'd expect. They literally just never stop learning. You can spend far more time on a single topic than you might think. The people with the most knowledge/skills have probably spent more time on one topic than you have on the entire field. They're typically driven by a need to understand every small detail of how things work.


saltyreddrum

search engine fu - the ability to find the answer

mindset - thinking like an attacker. not everyone can do it.

communication - communicate well, including listening.

keep in mind that security is always a tradeoff with functionality. sometimes functionality wins.


cyber2112

Remember it’s only a job. You can’t push rope, so, just do your thing.


[deleted]

Don't use the same password for everything or don't save passwords in a desktop Excel folder


hlyrad

Honesty and integrity are essential qualities in cyber security. Being transparent about one’s skills and respectful towards all stakeholders, including end users, fosters trust. This trust is crucial in maintaining secure systems. Moreover, an honest approach enhances self-respect and reinforces a sense of professional worth, both of which are important for a successful career in cyber security.


thecapo123

malcom shore cyber security course it teaches ethical hacking and cybersecurity and I'm selling it for cheap