When Kathleen Hyde talks about cybersecurity leadership, she talks about breadth. “Training is going to teach you the technical skills you need, but employers also want to see somebody who has problem-solving skills, who has good communication skills,” says Hyde, who chairs Cybersecurity Programs at Champlain College Online.
In a recent national survey, Hyde’s team found strong support for cyber education: 68 percent of adults said that colleges and universities are well-placed to create solutions that address cyber threats. While much of that training will focus on specific cyber skills, Hyde says, educators and employers also need to train cyber leaders in the soft skills.
This theme is gaining traction among corporate IT leaders and those responsible for education and training. Cyber leadership increasingly requires going broad: Building a diversified set of technical skills and augmenting this with a solid grounding in general education and business topics.
“A couple years ago, cyber was all about certifications; it was all about the technical training. There seems to be a growing conversation about the non-technical training,” Hyde says. This may be a result of the evolving role of the cyber leader. “Today you have to be able to translate. You have to be able to talk to the employee who opened that email and shouldn’t have, and then you also have to be able to answer to your board.”
Corporate cyber leaders echo these themes.
“We want well-rounded professionals who understand a broad range of cybersecurity disciplines and who also understand the business side,” says Paige Adams, Group Chief Information Security Officer at Zurich Insurance.
Students in a newly-launched cyber internship program between Zurich and Harper College get technical training, but they also attend business and insurance classes alongside other apprentices participating in the general insurance career track.
Cybersecurity executives looking to develop their teams may face a high hurdle in trying to meet this accelerating call for greater well-roundedness.
Career progress, after all, typically is measured at least in part by the number of technical certifications one accumulates. Cyber degree tracks and professional training opportunities likewise are structured around the accumulation of additional technical skills and credentials.
How to broaden that experience? For those looking to climb the career ladder in cyber, and for cyber chiefs looking to build more effective teams, some say a possible fix lies in the liberal arts. Even leaders at certification body ISC2 suggest that a solid undergrad experience can do much to augment one’s cyber capabilities.
“There is an element in cyber that scoffs at the idea for formal education, but the fact is there is value in these programs,” says ISC2 Director of Cybersecurity Advocacy for North America John McCumber.
“Not everything can be solved with an algorithm. Rather than scoff at people who have taken liberal arts classes, we need to reevaluate the role of that kind of education. People need to build up their knowledge. Philosophy, art, the ability to understand the sweep and impact of history: Technology changes, but the problems mankind has to deal with pretty much remain the same,” he says.
It’s this same logic that drives Zurich to insist that interns experience multiple aspects of the business, beyond just the IT shop. “Cyber isn’t just a technology challenge, it’s also a business challenge, and people need to understand how our security decisions can have broader implications in a business context,” Adams says.
Juniper Networks CISO and IT Vice President Sherry Ryan attributes her success in security in part to her early experience on the marketing side. “It’s important to understand your organization’s business and its processes, priorities and dependencies,” she says. “This knowledge enables CISOs to make relevant, prioritized recommendations to protect what matters most to the organization.”
At the same time, top cyber players also need a broader understanding of the computer systems to whose care and feeding they daily attend. Colleges and universities can help with that.
“Before you can learn about security you have to know about operating systems, programming, distributed systems, networking,” says Dr. Giovanni Vigna, director of UC Santa Barbara’s Center for Cybersecurity.
“These things are not necessarily related to security, but they provide you with building blocks for addressing new security challenges as they arise,” he says. “More than just skills, we want you to have the meta-skill of being able to acquire new knowledge. Without that, you are just someone who uses tools, who knows what to click.”
This wide-reaching technical understanding is critical for those who manage IT security, says Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at IT provider AvePoint. “Understanding the intersecting and sometimes opposing obligations you may have, along with what can and cannot be automated, is incredibly important to not only cyber leaders’ organizations, but also to their own professional development,” Simberkoff says. “Regulators require that companies say what they do, do what they say and be able to prove it. If a company is writing policies that don’t reflect its reality, it is putting itself at risk.”
Just as individual cyber leaders must possess a diverse set of skills and experiences, the cyber workforce overall also needs to become more diverse. The narrative of breadth in cyber includes broadening the workforce as a whole.
ISC2 reports only 14 percent of cybersecurity professionals in North America are women, and many IT leaders see room for improvement.
Simberkoff suggests companies could enhance cyber training and education by implementing an internal social media platform where women in cyber can network. “Such systems are a great avenue for women to give and receive recognition for the value they add to their companies. Women should be proud to promote the importance of their roles and ensure leadership is aware of their work, as well as the work of their female peers,” she says.
Ryan likewise stresses the value of interpersonal relationships in helping to diversify the top tiers in cyber. “Staying connected to my network of cybersecurity professionals and engaging up-and-coming talent is another way I can help advance and promote our industry while getting fresh thinking on issues we’re all facing,” she says.
Hyde says educators also can help to move the needle.
“I find in talking with some of my students who are women that they lack confidence,” she says. Because many have been discouraged from pursuing technical careers, “they might not think they have what it takes. I think the biggest thing is to encourage them. I know it sounds very simplistic, but I really think that a lot of it comes down to encouraging women to just do it.”