Cybersecurity is regarded as a highly technical field that’s replete with expert certifications, renowned for those who can identify the next zero-day bug, and requires hard skills and practical know-how above all else.
But Robert Wood, the chief information security officer at the Centers for Medicare and Medicaid Services, wants to challenge some of those assumptions. The cybersecurity field now more than ever, he argues, needs people with soft skills like creativity, teamwork, and communications chops.
“My passion for this particular issue is about trying to help every cybersecurity professional across our field . . . to be more effective in their jobs, because ultimately we, the cybersecurity field, have to work through other people, other teams to get things done,” Wood said in an interview.
To help drive that effort forward, Wood and a colleague are publishing resources and other guidance through a “Soft Side of Cyber” initiative. The website just launched in December, although Wood said it’s something that’s been on his mind for years.
“It’s really about trying to bring awareness to the other half of skills that make a cybersecurity professional effective, impactful, valuable inside an organization,” he said.
Employees who staff security operations centers, for instance, need to be able to effectively communicate log patterns and potential cyber incidents to IT teams and others within their organizations, Wood said. Penetration testers need to find effective ways to tell others about bugs and potential exploits they discover, instead of just “dumping” them on someone’s desk, he continued.
The cybersecurity profession is shaded by a “brashness, a kind of arrogance,” Wood said, that shames users who click on a phishing link or companies for shipping software with a zero-day exploit.
Security teams can also drive the growth of “shadow IT” by being overly restrictive about introducing new tools into IT environments, leading employees to work around the system to use applications on their own.
“I believe it’s incumbent on us in the security field to take more ownership over how we create a more human-centered approach to cybersecurity and I don’t think we can effectively do that unless we empathize and unless we tap into these non-technical, soft skills,” Wood said.
Burnout in the cybersecurity field is also a prevalent issue, and the Soft Side of Cyber advises security professionals to invest in themselves outside of work, while being wary of employers who shame them for doing so.
The challenges cybersecurity professionals face are largely uniform across federal agencies, contractors and the commercial sector, Wood said. But within government and its myriad complex organizations, soft skills may be particularly important, he added.
“Skills like navigating an organization and bureaucracy hacking, that kind of stuff, I think it’s going to be more applicable and omnipresent in the public sector, but not exclusively,” Wood said.
And for CISOs and other management officials like himself, technical knowledge is just a sliver of what someone needs to successfully lead a cybersecurity organization, Wood said. The Soft Side of Cyber framework will soon feature a “leadership” section geared toward CISOs with guidance on budgeting, strategy, hiring, contracting and other management issues.
“As we as a field continue to develop, I think we really need good managers, good people development,” he said. “It’s not only in how you engage and establish a culture or contribute to a culture. It’s how you assemble your team. It’s how you organize your team’s resources to go after and support your organization’s mission. It’s the way that we engage the vendor community. It’s all of that folded together, and you’re doing all of those things in support of solving a technology problem or swarming around some kind of data security problem, or cloud security problem, or whatever the technical element of the problem is. But at the foundation of all of it is the people, it’s the non-technical stuff.”
So far, the Soft Side of Cyber has published several blogs on issues like communication, as well as a framework security professionals can use to develop their soft skills. Wood said the plan is to continue rolling out documentation, framework tools, and other resources.
They also plan to launch a live-streaming video series that debates popular security topics, like forensics or penetration testing. Wood said each episode will have one person taking the technical viewpoint on a given topic, while another will argue from the “human-centered,” soft skills viewpoint.
“So by intentionally creating an environment where we’re looking at things from different perspectives, contrarian perspectives, I feel like we’re going to be able to explore topics in this unique way that doesn’t really happen in other security settings, and other security conversations that are happening out there,” he said.