Robert (ANZ): I agree with James; in many ways, it has been the perfect storm. Cyber-attacks are increasing in number and sophistication every year. The potential damage to businesses has grown, along with the size of fines for non-compliance in many sectors. And then you add the impact of COVID-19 to the mix! As businesses were forced to work remotely and shift business models online, cybercriminals sought to make the most of the crisis.
 

Edmond (Asia): As well as the impact from the pandemic, in Mainland China, the increase has also been driven by the Government stepping up on personal data protection over the last two years. Companies have been increasing their cyber security capabilities to meet these regulations – hence driving more demand for those professionals.

 

2. What are the most in-demand jobs and skills in cyber security right now?

3. What soft skills are needed to work in cyber security? And do you think these will change in the future?

Edmond (Asia): At junior levels, being enthusiastic and thinking out of the box is required as you will need to be analytical and have the interest to explore any abnormal activities, as well as countering any threats. And those in senior roles in Asia will often need to communicate, report and influence overseas or global stakeholders in order to get approval to implement certain measures locally.

Miguel (North America): I’d say that the required soft skills are already changing in security – especially for those in senior positions. In the last year or so we’ve seen a much greater emphasis on those roles being business-facing, collaborating regularly with non-tech stakeholders. It’s no longer a case of hands-on-keyboard; you need to be working with various business owners and groups. That means if you’re working on the risk side of security, you’re not just working with your risk team, but also with HR, Legal, IT application and infrastructure. You will need to be aware of what these teams are working on, and the projects coming into the business, so you can ‘police’ that activity. Even in engineering roles now, as programs mature, you could be creating policies and processes, but having to work with and delegate configuration to another team. So, the importance of cross-functional team integration, and being able to influence and build relationships with those teams, is becoming more and more apparent. James (UK&I): Similar to what Edmond spoke about, in the UK and Ireland, the soft skills required are different depending on your seniority level. As a graduate, the main thing employers are looking for is someone that is enthusiastic and willing to learn. At this stage, soft skills might vary; you could be confident and have strong communication skills, or more reserved with quiet attention to detail. It really doesn’t matter, because there’s an avenue for all types of people within cyber. Then, as you move up the seniority ladder, the importance of your soft skills increases. At this stage, influencing skills are essential, rather than the ability to understand code. You need to be able to articulate risk to a board of non-technology specialists; decrypting what is often complex technical processes into something simple to understand. For example, the likelihood that Risk X could happen, with the current level of exposure, is… And if we do Y, the risk reduces to… This is a CISO’s (Chief Information Security Officer) primary function – they are the security figurehead for the business.

Episode: Jessica Nemmers, Chief Security Officer, Elevate 

4. So, does a senior cyber security job always entail people and stakeholder management? Or are there non-people management senior technical roles, that don’t require those influencing and relationship building soft skills?

Miguel (North America): I agree, in every aspect of senior positions there will be stakeholder engagement and management. Security touches all aspects of your business, so the more senior you become, the higher the expectation will be for you to work, engage and influence other key leaders around you when implementing new processes and policies across the business.

5. On the other hand, what technical skills are needed to work in cyber security?

Miguel (North America): A foundational level of IT experience and knowledge is always going to be required to work in cyber. If you’re working on the technical side (such as in engineering, security operations, identity and access management, or security architecture), you need to know about network and servers. And with the digitalisation push, you need a good understanding of web and business applications too – as these are the types of things you’re protecting. If you work on the functional side of the business (such as compliance, risk, and governance), you need a foundational knowledge of various levels of compliance, frameworks, and controls. Even in a compliance or risk role, you need a high-level understanding of information systems – but you won’t need in-depth technical knowledge, like writing a command in Windows server, for example.

6. Are there any traditional routes cyber security professionals can take to develop these technical skills?

James (UK&I): Within risk roles, such as Risk Engineers, Analysts or Advisors, most people begin in broader IT, perhaps as a Business Analyst, before moving into security. Whereas in a ‘pure cyber’ role (a more technical focus, such as security architecture or access management), an understanding of networks or network architecture is a must. Because fundamentally, cyber protects the business network. Networks are a lot more complicated now than they once were. It’s no longer simply a case of having a box in a server room, with all employees working in the same office, connected to the same LAN. Now, there are operations like Microsoft Teams that are cloud supported, and not owned by organisations. So CISOs right now will be exploring how they can secure Teams, highlighting that no matter what your seniority, it’s essential to know networking.

7. And finally, how can cyber security professionals future-proof their careers?

Robert (ANZ): Stay up to date, not just with technology, but with trends and methodologies. James (UK&I): Never stop upskilling. Cyber is always changing and evolving at a rapid pace. Professionals in this arena are always learning and upskilling, whether its self-taught or through formal accreditation. Look out for which tool or technique is most popular right now – or being tweeted about the most! – and learn all about them/how to use them. There are all kinds of sources for finding this information, whether that’s Twitter, events and meet-ups, news from associations like OWASP, and advisory boards. Miguel (North America): Keep up and adopt the new; don’t let yourself get left behind. It’s the same with any other tech sector – there’s always something new, whether that’s a new product, process, vendor, or concept, so don’t get stuck in one avenue. Keep on top of things and you’ll never get left behind.

 

Author

James Milligan
Global Head of Technology at Hays

James Milligan is the Global Head of Technology at Hays, having joined in 2000. In his role, he is responsible for the strategic development of Hays' technology businesses globally.