
The cyber security field is booming, with demand for cyber security professionals far outpacing supply. This talent shortage has created an industry where pay is high and the options for job seekers are plentiful.

Yet there is also a shortage of cyber talent caused by a confluence of factors, including employers demanding too many required skills for job applicants.

“It can be difficult to find employees who possess all of the skills, experience and intangibles the job requires,” Keri Christman, manager of talent and culture for Rook Security, told TechRepublic.

This skills gap is compounded by the fact that the industry and threat landscape change and evolve so quickly that it can be difficult even for talented professionals to keep pace with new skills and demands. It’s without question a job seeker’s market, but it remains competitive because the requirements for the job are constantly increasing.

So, while job opportunities abound in the cyber security field, employers have set a high bar for applicants as they seek the right combination of skills, education and experience.

If you are considering a career in cyber security, it can be hard to know where to begin. First of all, how do you know if the field is right for you? What skills matter most to employers? How will you gain the skills necessary to compete in the job market?

To help you determine where to begin and which skills matter most, we decided to turn to the experts. We asked a handful of cyber security leaders with decades of experience in the field what they believed to be the most critical skills for cyber security professionals practicing today. Here is what they said.

Top Skills for Cyber Security Professionals

1. Critical Thinking

Richard Bejtlich, senior director at SplunkCIRT, and Jill Knesek, chief security officer at Cheetah Digital, both agree that critical thinking is one of the most important skills a cyber professional can possess.

“In my opinion, the most critical skill for a cyber security professional is critical thinking — or objectively analyzing an issue to form a judgment. For me, critical thinking is about understanding the ‘why’ and not just the ‘how’ so you can make good decisions and implement solutions that address the root cause of an issue and not just the symptom,” explained Knesek.

Jill Knesek, Cheetah Digital

Cyber security is an ever-changing world where the threat actors and threat vectors are constantly changing, as are the cyber threats themselves (malware, ransomware, privilege misuse, etc.). The ability to look at each event objectively and not just ask the first ‘why’ but the second and third ‘why’ to get to the root cause is an important skill in being successful in the cyber security field.

“My FBI background has also served me especially well in this field,” she continued. “I treat each issue, problem or incident like an investigation and ask the typical ‘who, what, where, when and how?’ to get an understanding of the situation — but it’s not until I ask ‘why’ that I truly understand how to prevent a future occurrence.”

Knesek has spent over 20 years in the cyber security field working in both internal and customer-facing roles. She served as a special agent for the FBI, for which she was assigned to the Cyber Crime Squad in Los Angeles and served as the case agent for several high-profile cases including the infamous Kevin Mitnick and Mafiaboy investigations. Today, she works as the CSO at Cheetah Digital, where she is responsible for providing enterprise-wide leadership across several disciplines.

Richard Bejtlich, SplunkCIRT

Echoing Knesek, Richard Bejtlich of SplunkCIRT remarked, “Critical thinking is the single most important cyber security skill. Distilling a complex situation into its essential elements is key to mitigating digital challenges. Cyber security professionals must be able to observe the environment, challenge assumptions, create courses of action and execute operations. Critical thinking enables each of these steps.”

Since 1998, Bejtlich has defended Western interests from advanced digital intruders. He promotes network security monitoring solutions to help global organizations stay in business by detecting and responding to digital threats. Today, Bejtlich serves as senior director at SplunkCIRT.

2. Business Analysis Skills and a Hacker Spirit

David Balaban, Privacy PC

“Some people will argue that the most valuable skill of an information security specialist boils down to the ability to choose the right protection solution and the best tools in order to build and implement complex security systems. Others will say that an information security specialist should be a hacker in spirit, think as an attacker and know how to attack in order to implement effective protection mechanisms,” opined David Balaban, editor at Privacy PC and contributing author for The State of Security.

Ultimately, Balaban believes both of the above skills are secondary:

An IT security specialist should, first and foremost, be a business analyst. He should have a complete understanding of the business processes in the company and all the automated control systems being utilized. This will allow him to clearly break down the company infrastructure into subsystems according to their security levels, focusing on the entities that are critical for the business workflow.

“The second most important skill is the ability to communicate with management,” he continued. “Even further, an IT security specialist needs the skills of a psychologist. This will allow him to better understand his boss’ interests, priorities and pain points. An IT security specialist should be able to convince management of the need to allocate money for solving specific security tasks, which is actually a kind of art.”

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.

3. A Genuine Desire to Serve and Protect

Steve Morgan, editor-in-chief at Cybersecurity Ventures, explained that in his view the best cyber security professionals have a genuine passion for service.

“The most important asset for a cybersecurity professional is a true desire to serve and protect society, their homeland and their local community,” said Morgan.

The most important skill would be a knack for cat-and-mouse play. The best people in our field have a nature that is inclined to the pursuit and capture of an adversary. While that nature cannot be trained, it can be built upon by universities and the workplace. For those with this combination of moral character and catlike instincts, I would highly recommend a career in cybersecurity.

Steve Morgan, editor in chief, Cybersecurity Ventures

Steve Morgan is founder and editor-in-chief at Cybercrime Magazine and Cybersecurity Ventures. His blogs and articles can be seen at CSO, Dark Reading, Entrepreneur, Forbes, IDG and others.

Many of the top skills identified by these cyber security leaders are skills that can be learned and honed over time. One of the best ways to learn these skills and break into the cyber security field or advance a current cyber career is through higher education. In many cases, higher education can provide the opportunity to develop the skills required by leading employers today.


About the Author: Patricia De Saracho is a Senior Marketing Manager with the University of San Diego where she supports several graduate degree programs including the Master of Science in Cyber Security Operations and Leadership (MS-CSOL) and the Master of Science in Cyber Security Engineering. Patricia is passionate about education and the role it can play in affecting positive change. You can connect with the University of San Diego’s cyber security programs on Twitter and Facebook.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.