I have said cybersecurity is a key risk for businesses and that people with skills in this area are in short supply.
The 2021 Cybersecurity Workforce Study by the International Information System Security Certification Consortium (ISC)2 collected survey data from 4,753 professionals working with organizations of all sizes and found that an additional 2.72 million are still needed worldwide.
It further concluded that the global workforce needs to grow by 65 percent to adequately meet the needs of the world's organizations.
But cybersecurity is not just a collection of technical skills or product knowledge. A combination of hard and soft skills is needed as these professionals are expected to see the "big picture" and to adapt to the changing nature of these threats, for instance, cryptography in the quantum age.
This week I want to look at the hard and soft skills that go into the making of a lucrative career path that is never dull.
In cybersecurity, as in every professional discipline, hard skills require general knowledge and field experience, which in turn provide a foundation for more specialized knowledge and experience.
General technical knowledge includes an understanding of and experience with IT areas such as operating systems, communication protocols, network architecture, and common programming languages such as C++/C#, Java and Python.
Practitioners also need a general working knowledge of current cybersecurity solutions such as multifactor authentication, network and endpoint detection and response, security information and event management, security operations centers and zero trust architecture.
A Sun Tzu proverb has it that "know the enemy and know yourself, and you can fight a hundred battles with no danger of defeat."
Cybersecurity professionals, by imagining themselves as attackers of their own systems, can identify gaps where they know they will need to defend or improve.
Gaining IT and security-specific certifications can further demonstrate technical knowledge in a systemic approach.
Some certifications, such as Certified Information Security Manager and Certified Cloud Security Professionals by (ISC)2, emphasize theory and may be best suited to prospective consultants looking to specialize in cybersecurity management or organizational security. Others, such as Offensive Security Certified Program and Certified Ethical Hackers, are more focused on the technology and practice.
Regardless of specialization, all organizations expect practitioners to have basic cybersecurity and IT knowledge covered by all certifications like Certified Information System Security Professionals by (ISC)2 or national certifications like China Information Security Evaluation Center's.
It is not enough to be good at analyzing an organization's security and vulnerabilities; practitioners also need to win trust from organizations by communicating the vulnerabilities coherently to various stakeholders and clearly outlining possible solutions.
Soft skills are the "X factor" for practitioners. They are also crucial to achieve good cohesion within a security team.
Whether it's working in or leading teams, presenting proposals or analyzing results in meetings, or attending industry conferences and other events, being able to communicate clearly and read the room often dictates your level of success.
As well as solid communication skills, essential soft skills encompass everything from critical thinking and stress management to commitment, flexibility and teamwork.
Practitioners with a reputation for being difficult to work with, who don't listen to the client, or who turn in work that isn't professional will find it difficult to practice.
Cybersecurity is anything but stable or predictable. At its heart are people.
It will be the practitioners, with both hard and soft skills and experience, who will defend and save our critical digital assets, not technology or products.
Dr Jolly Wong is a policy fellow at the Centre for Science and Policy, University of Cambridge.
An electronic display shows some of the cyberattacks on the mainland during a China Internet Security Conference in Beijing.