Which non-technical skills are most important to a career in security?

As another school year comes to a close, I find myself reminiscing about the people I’ve interacted with over the last nine months, as they explored their interest in Information Security careers. I’ve had the privilege of interacting with quite a few exceptional students who will be exceptional assets to any companies that are lucky enough to attract them. While they all have excellent technical chops, there was something more that truly made them “sparkle”.

What is it these people had in common that made me feel that the industry would be so enriched by their presence?

• Thirst for knowledge This industry has a dire need for people who have an overwhelming drive to consume new information, to keep up with the never-ending flow of evolving threats. A superhuman ability to speed-read would be needed to stay totally updated on all the developments in all the various aspects of security. But the people who keep trying on a daily basis are the ones who’ll be the most valuable assets.

• Willingness to ask questions Because it’s not possible to know everything about every subject within security, most people who share our avocation will have some bit of knowledge that we don’t. The best way to get those nuggets of wisdom is to let other people be the expert for a moment while you ask them questions.

• Loving the work for its own sake Because there are so many new threats being discovered every day, it’s a rare luxury to be able to get lost in a long project. And you don’t often get a shiny plaque – or for most of us, even a product on a shelf – to point at as evidence of your hard work. Your vulnerability report or Business Continuity Management plan may be a thing of beauty, but it’s unlikely to impress friends and family members. The work itself needs to be its own motivation.

• Creative self-promotion Good security tends to be virtually unnoticeable: it’s often about the absence of onerous hurdles and major catastrophes. But it can be bad for job security to go unnoticed by the people in charge of allocating budget and paychecks. It’s imperative for you to find creative ways to exhibit to higher-ups how much the work your team is doing contributes to the success of the business.

• Communicating empathetically Security is a highly technical subject that stereotypically tends to be perceived as a brake on innovation. By understanding the needs of others, you can advocate processes or policies that improve protection while advancing business goals, and you can do it in a way that’s easily understood by people at all levels of technical expertise.

• The courage to break stuff It can be a daunting thing to risk bricking a brand new, expensive piece of machinery. But having something fail catastrophically within the confines of a lab is infinitely less horrible than having it happen “in the wild”. It is essential in many security disciplines to have the intestinal fortitude to poke at a thing until it breaks.

• Willingness to say no Being cognizant of security issues can cause you to have a serious Cassandra Complex. It’s entirely possible that you’ll speak empathetically and people will still make dangerous decisions. The folks who have career longevity in this industry are the ones who can buck conventional wisdom and clearly say “No!” when that happens. And if people still follow through with those questionable plans, good security people initiate backup plans to help mitigate the damage.

• The desire to help people This is still a very young industry that a lot of people don’t yet understand, and fewer still would think to pursue as a career. Someone who helps others learn about security or to find a job in InfoSec is a person who makes the Internet a safer place for all of us to work and play.

Working in such a fast-paced and demanding industry is not for the faint of heart. But meeting the next generation of passionate, polymathic security professionals, I know we’ll be in excellent hands.