The skills you need for cyber security career success

James Milligan, Global Head of Technology at Hays

What technical and soft skills do cyber security professionals need right now? How can you develop and learn the relevant skills to boost your employability? How can you future-proof your career?
I recently spoke to some of our cyber security recruitment experts from around the world to find out the answers to these questions, and many more. In this blog, you can read insights and advice from:

1. Over the past year, we’ve seen a huge increase in demand for cyber security professionals. What has driven this increase?

James (UK&I): There are a multitude of factors as to why the demand has increased – for example, the rise in digitalisation among organisations, and the ever-increasing security threat. This threat was already growing pre-pandemic, but is now an even greater risk due to widespread remote working. While many employees work from home, accessing company data from various locations, the confidentiality, availability and integrity of data is compromised. In fact, PwC found that the majority of data leaks among global organisations from January-May 2020 occurred after 23rd March (the start of the first UK lockdown).
So, I think the key driver of this increase in demand is the rise in cyber criminality. Other avenues of criminal activity have dropped, with COVID-19 restrictions forcing people to stay at home. And as a result, the adoption of cyber criminality and its usage has increased exponentially. Therefore, security professionals are hugely in-demand right now.
Robert (ANZ): I agree with James; in many ways, it has been the perfect storm. Cyber-attacks are increasing in number and sophistication every year. The potential damage to businesses has grown, along with the size of fines for non-compliance in many sectors. And then you add the impact of COVID-19 to the mix! As businesses were forced to work remotely and shift business models online, cybercriminals sought to make the most of the crisis.
Edmond (Asia): As well as the impact from the pandemic, in Mainland China, the increase has also been driven by the Government stepping up on personal data protection over the last two years. Companies have been increasing their cyber security capabilities to meet these regulations – hence driving more demand for those professionals.

2. What are the most in-demand jobs and skills in cyber security right now?

James (UK&I): In the UK and Ireland, the demand is for Operational Security (SOC and SIEM) and Cloud Security professionals. Also people with SecDevOps and penetration testing skills are in high demand, and there is increased recognition for the CompTIA Security+ certification. Miguel (North America): We’re seeing high demand for Application Security, Cloud Security, Security Operations Centre (SOC), and DFIR (specifically Live IR and Post Breach Forensics) professionals.
Edmond (Asia): Both Cyber Security (Governance, Risk and Compliance) and Security Operations personnel are hot in demand here, as always. However, with the constant emerging technologies, there has been an increase in Security Engineers to cover Cloud Security, Application Security, Security Architecture, and Threat Intelligence.
Robert (ANZ): With lockdowns having eased in Australia and New Zealand and hybrid working becoming the new norm., the need for robust identity policies and practices has been made a priority. We have seen a big increase in Staff and Customer Identity Specialist jobs to meet this demand. As organisations also look to diversify their cloud portfolios, we have seen an ongoing demand for Cloud Security Engineers with Azure and GCP experience.
Across Europe: Key skills in demand in France, Spain and Germany are: architecture, infrastructure management, IAM platform implementation, and security consulting.

3. What soft skills are needed to work in cyber security? And do you think these will change in the future?

Robert (ANZ): The actual soft skills may vary from role to role. However, as business and tech roles merge, there is an increasing weight attached to communication skills, particularly the ability to influence. According to a study by IBM, human error is a major contributing cause to 95 per cent of all breaches, therefore cyber security professionals will always need the ability to influence and engage with staff and non-security personnel.
Edmond (Asia): At junior levels, being enthusiastic and thinking out of the box is required as you will need to be analytical and have the interest to explore any abnormal activities, as well as countering any threats. And those in senior roles in Asia will often need to communicate, report and influence overseas or global stakeholders in order to get approval to implement certain measures locally.
Miguel (North America): I’d say that the required soft skills are already changing in security – especially for those in senior positions. In the last year or so we’ve seen a much greater emphasis on those roles being business-facing, collaborating regularly with non-tech stakeholders. It’s no longer a case of hands-on-keyboard; you need to be working with various business owners and groups.
That means if you’re working on the risk side of security, you’re not just working with your risk team, but also with HR, Legal, IT application and infrastructure. You will need to be aware of what these teams are working on, and the projects coming into the business, so you can ‘police’ that activity. Even in engineering roles now, as programs mature, you could be creating policies and processes, but having to work with and delegate configuration to another team.
So, the importance of cross-functional team integration, and being able to influence and build relationships with those teams, is becoming more and more apparent.
James (UK&I): Similar to what Edmond spoke about, in the UK and Ireland, the soft skills required are different depending on your seniority level. As a graduate, the main thing employers are looking for is someone that is enthusiastic and willing to learn. At this stage, soft skills might vary; you could be confident and have strong communication skills, or more reserved with quiet attention to detail. It really doesn’t matter, because there’s an avenue for all types of people within cyber.
Then, as you move up the seniority ladder, the importance of your soft skills increases. At this stage, influencing skills are essential, rather than the ability to understand code. You need to be able to articulate risk to a board of non-technology specialists; decrypting what is often complex technical processes into something simple to understand. For example, the likelihood that Risk X could happen, with the current level of exposure, is… And if we do Y, the risk reduces to… This is a CISO’s (Chief Information Security Officer) primary function – they are the security figurehead for the business.
Miguel (North America): Overall, there are two different paths you can take in cyber security – which fit both personality A and B types. But as you move up into a more business-facing role, whether that’s as a CISO or BISO (Business Information Security Officer), your core role is managing the business’s understanding and knowledge of security.

4. So, does a senior cyber security job always entail people and stakeholder management? Or are there non-people management senior technical roles, that don’t require those influencing and relationship building soft skills?

Robert (ANZ): Senior cyber roles do not have to entail people management. People management is one career path option, but many choose to remain tech subject matter experts. Inevitably though, as you become more senior, regardless of role, you will need the ability to influence.
Miguel (North America): I agree, in every aspect of senior positions there will be stakeholder engagement and management. Security touches all aspects of your business, so the more senior you become, the higher the expectation will be for you to work, engage and influence other key leaders around you when implementing new processes and policies across the business.

5. On the other hand, what technical skills are needed to work in cyber security?

Robert (ANZ): The required technical skills can differ from role to role, but at the very least you should understand patching, firewall and proxy management, as well as a basic understanding of at least one programming language.
Miguel (North America): A foundational level of IT experience and knowledge is always going to be required to work in cyber. If you’re working on the technical side (such as in engineering, security operations, identity and access management, or security architecture), you need to know about network and servers. And with the digitalisation push, you need a good understanding of web and business applications too – as these are the types of things you’re protecting.
If you work on the functional side of the business (such as compliance, risk, and governance), you need a foundational knowledge of various levels of compliance, frameworks, and controls. Even in a compliance or risk role, you need a high-level understanding of information systems – but you won’t need in-depth technical knowledge, like writing a command in Windows server, for example.

6. Are there any traditional routes cyber security professionals can take to develop these technical skills?

Edmond (Asia): Traditionally, we see candidates from infrastructure and network backgrounds moving into more technical cyber security roles.
James (UK&I): Within risk roles, such as Risk Engineers, Analysts or Advisors, most people begin in broader IT, perhaps as a Business Analyst, before moving into security. Whereas in a ‘pure cyber’ role (a more technical focus, such as security architecture or access management), an understanding of networks or network architecture is a must. Because fundamentally, cyber protects the business network.
Networks are a lot more complicated now than they once were. It’s no longer simply a case of having a box in a server room, with all employees working in the same office, connected to the same LAN. Now, there are operations like Microsoft Teams that are cloud supported, and not owned by organisations. So CISOs right now will be exploring how they can secure Teams, highlighting that no matter what your seniority, it’s essential to know networking.

7. And finally, how can cyber security professionals future-proof their careers?

Edmond (Asia): Continue to learn and get ahead with upcoming technologies, trends, products, tools, etc. You need to know what is available out there you can utilise and implement to protect against threats, as well as what is available out there for hackers to attack, so you can do as much preparation to prevent attacks. Once security has been breached, it is often too late. Prevention is the best defence.
Robert (ANZ): Stay up to date, not just with technology, but with trends and methodologies.
James (UK&I): Never stop upskilling. Cyber is always changing and evolving at a rapid pace. Professionals in this arena are always learning and upskilling, whether its self-taught or through formal accreditation.
Look out for which tool or technique is most popular right now – or being tweeted about the most! – and learn all about them/how to use them. There are all kinds of sources for finding this information, whether that’s Twitter, events and meet-ups, news from associations like OWASP, and advisory boards.
Miguel (North America): Keep up and adopt the new; don’t let yourself get left behind. It’s the same with any other tech sector – there’s always something new, whether that’s a new product, process, vendor, or concept, so don’t get stuck in one avenue. Keep on top of things and you’ll never get left behind.
If you’re inspired by the insights from Edmond, Robert, James and Miguel, and would like to learn more about building a successful cyber security career, look out for my next blog – How to get into cyber security.



James Milligan
Global Head of Technology at Hay

James Milligan is the Global Head of Technology at Hays , having joined in 2000. In his role, he is responsible for the strategic development of Hays' technology businesses globally.