Soft Skills for Information Security Professionals — Notes

Amani Benaoun
Oct 11, 2021

Today’s article is a collection of my notes while attending the LinkedIn course entitled “Soft Skills for Information Security Professionals”. It is the last of 12 courses in the “Become an IT Security Specialist” learning path. The course is divided into 5 sections which are:

  • Technical Skills and Soft Skills.
  • Communication is Key.
  • Don’t Be Afraid To Dig Deep.
  • Keep Learning.
  • Big Picture Thinking.

Technical Skills and Soft Skills

Soft skills are highly important in InfoSec, as security professionals are required to discuss technical terms with non-technical audiences ranging from managers to end users. Security professionals rely on their emotional intelligence to understand their peers, discover what motivates them and work with other team members to achieve what is best for everyone involved.

As a security professional you’ll find yourself trying to teach end users about how to use email, the Internet, and mobile devices securely. You’ll also find yourself engaged in conversations with other technical professionals, negotiating the right balance between your goals and theirs. You’re going to be speaking with managers and directors and C-level execs about why all this security stuff you’re proposing really matters.

Core soft skills are:

  • Communication is key.
  • Don’t be afraid to dig deep.
  • Keep learning.
  • Big-picture thinking.

Communication is Key

No matter who you are talking to, make sure you know your audience. Knowing your audience and their interests makes it easy to find common ground. Finding that starting point where your interests align will make it easier for both of you to achieve your goals. Understanding human behavior is as important as understanding technical concepts. Find what motivates your audience, whether it’s financial incentive, recognition, completion, …

Engage in the InfoSec community to round out your knowledge. Ask questions, share your successes and discuss your challenges; it can go a long way. Meeting up with InfoSec professionals will enrich your knowledge and give you the opportunity to help others too.

Don’t Be Afraid To Dig Deep

Do your research to know which solution will be approved by management while still being the best solution for your organization’s challenge. Know your organization’s priorities and keep them in mind while crafting your security proposal so that it resonates with leadership.

While analyzing your security challenges you should:

  • Ask the right questions.
  • Collect the related data.
  • Sort your findings.
  • Summarize your analysis.

When writing your reports, make sure you know your audience, why they would care about your findings, and how to explain those findings to them in their language.

Keep Learning

There is a troubleshooting method called the 5 whys. The concept is that you keep asking yourself why the problem happened, a total of 5 times, or 5 levels.

Curiosity, problem-solving and creativity should be encouraged to help improve the process. Encouraging employees to figure out how to break the process will improve the ways we protect it.

Teaching is the highest form of understanding. Taking the step to teach other people what you know helps you further understand the concept and identify your weaknesses. This means that you know your blind spots and you have a chance to address your shortcomings.

Big Picture Thinking

Understanding the risk at hand helps you plan ahead. Understanding the vulnerabilities in your system and the possible threats that can use those vulnerabilities will encourage you to find solutions to your weaknesses.

It is important to think strategically. Getting things done is important, but what is even more important is seeing the big picture. Strategic thinking is about identifying the purpose of the adopted solution and the reason why it is the solution of choice. A strategic thinker will help point to the right direction to correct a problem.

Effective security is about enabling organizations to do what they’re trying to do. It’s about minimizing disruption and reducing risk. Standards are those controls you’ve decided are important to your organization. Frameworks take the big-picture view of all the things you could be doing in your security program, providing you with guidance based on years of research. Regulations are a lot like frameworks with one pretty significant difference: frameworks are voluntary; regulations, not so much.