How to become a Security Unicorn

Most important skills for cyber security

👋 Good morning!

Each week I provide an in-depth response to your questions about careers, building security teams, AI security, cloud security, and anything else you need support with. Send me your questions and I’ll do my best to provide actionable advice.

Let’s dive in!

Q: What are the most important skills for cyber security?

There are certain skills and attributes that create rockstars in this space. They aren’t one-trick ponies, they are unicorns. I’m going to tell you how you can become one.

Why does our function exist? What is our role for? How does it support the overarching goals of the organisation? What internal and external factors influence my role?

Understanding the answers to these questions will illuminate the skills you need to be a top performer in this field. Cyber security teams exist to prevent bad things from happening and save the day when they do.

We all have unique roles to support this. And ultimately, we want to support the business in achieving its desired outcome, minimising disruption, preventing financial losses, and upholding the reputation it has built.

The below list generally applies to all. I encourage you to reflect on them and consider what you could elevate to take your career to the next level.

Unicorn Level

How do I become a ‘Cyber Security Unicorn’?

Put simply, this is someone who has mastered their domain of expertise and has an ability to apply that knowledge through a sound understanding of contextual factors. This includes industry dynamics, organisation dynamics, regulatory environment, threat landscape, and risk appetite of the organisation you’re serving. This ability is underpinned by high-quality interpersonal skills and leadership qualities to drive positive outcomes.

Core

Domain specific:

  • When you join a security team, you will be aligned with a capability. There is an expectation for you to have skills in line with that role.

  • It could be security testing, threat intelligence, application security, GRC, incident response, architecture, whatever. It is your duty to master this craft and understand how the role-specific skills serve the wider team’s mission.

Coding:

  • There is a divide in our industry on this topic, due to the ability to perform a significant proportion of our roles without coding ability. However, you don’t want to be branded as a ‘paper architect’ or a ‘click-ops engineer’.

  • I strongly recommend becoming proficient with Python at a foundational level at least. You can take an introductory Python course for free; there are countless courses available online.

  • This isn’t applicable to every role across security and becomes less relevant if you progress into managerial roles. However, being able to roll your sleeves up and get your hands dirty is a top-tier skill to possess.

Self-starter:

  • This is technically better placed in a section below, but I wanted to emphasise its importance by including it within ‘Core’.

  • Employers may offer support in terms of professional development, but it is your responsibility to allocate time for learning and skills development.

  • Having an ability to self-teach will reward you 10X in future.

Regulatory & Compliance

  • Frameworks: Familiarise yourself with NIST, ISO 27001, CIS Benchmarks, SABSA etc. This allows you to understand baseline expectations for a secure organisation at different levels of maturity and chart a path of improvement for your team.

    Tip: When making your case for a secure design or configuration, it helps to have policy and industry-supported frameworks to reference when backing up your point.

  • Risk management: A top performer understands and supports the collaboration that must exist between first line and second line teams. Everything you do must be aligned with an organisation’s risk appetite.

  • Laws and regulations: every jurisdiction may have its own unique laws and regulations. Depending on where your organisation operates, it is your business to learn about and study all those applicable. This will impact the design of your solutions, the controls you seek to implement and the method you choose to approach things. Examples include: the EU General Data Protection Regulation (GDPR), UK GDPR, the Sarbanes-Oxley Act (SOX), and PCI-DSS.

    Tip: Form a list of all laws, regulations and guidelines applicable to you and your organisation.

Contextual

To do the job well, you need to understand the context you operate within. The world is complex and you can’t apply a one-size-fits-all solution to everything.

  • Organisation specific dynamics: every organisation operates in a unique way based on its structure, team dynamics, business goals, stakeholders, maturity and technologies. In every new role, one of your primary goals when your boots hit the ground is to get a grasp of these dynamics as they massively influence the usefulness and validity of your security guidance.

    Tip: Make a folder called ‘Org Dynamics’ and collect the above information. Build a profile on the history, inner workings and direction of the business.

  • Threat landscape: attack vectors, motivations, vulnerabilities. Only by understanding attack vectors, motivations and common attack types can you begin to think critically about building secure solutions. This understanding will allow you to provide guidance that follows a threat-led approach, which is extremely persuasive and effective.

    Tip: Explore and learn about MITRE ATT&CK and OWASP.

Individual

  • Communication: in every security role you need to effectively communicate with your peers, managers and leaders. This includes both verbal and written. Being able to make an argument, persuade a peer, influence a decision, or prove your value, often rides on your ability to articulate yourself.

    Tip: Seek opportunities as often as possible to practise your writing and presentation skills.

  • Collaboration: As security professionals, we often need to collaborate with our teams, other departments and sometimes vendors to achieve a goal. How well you can play with others and how much value you bring to the team will determine what opportunities you get picked for.

  • Risk management: Our world is a balancing act between risk and reward. Security doesn’t exist within a silo and a business’s primary goal isn’t to be as secure as possible. The best security professionals have a strong grasp of risk management, and provide security guidance in line with an organisation’s risk appetite.

  • Critical thinking: Every organisation is unique. We cannot simply apply a one-size-fits-all solution for security. We need to be able to think critically, taking into account stakeholder requirements, technical competencies of the teams, technological capabilities and resourcing.

  • Attention to detail: In cyber security, details matter. We each need to perform our roles with confidence that we’re doing the best thing for our organisation, because the alternative can mean disaster. Stay curious, inquisitive and vigilant in your work.

  • Empathy: Implementing security can be a challenge and we depend on buy-in from across our organisations. Having empathy towards other teams’ challenges, frustrations and ways of working will allow you to tailor your communications, improve collaboration and increase your chances of successfully embedding secure practices.

Leadership & Management

If you have ambitions to lead teams and manage large projects, there is a different bucket of skills that need to be mastered.

  • Inspire: How will you inspire your team? Being able to inspire others is crucial for effective leadership in any field, including cybersecurity. In the context of cybersecurity, inspiration plays a significant role in several ways, such as motivation and morale during challenging times, team cohesion when working with geographically separated teams, or weathering a crisis management storm.

  • Strategy: Where are you going? The ability to inspire is complemented by strategic thinking. Effective leaders formulate and communicate clear cybersecurity strategies, aligning them with organisational goals. A strategic approach ensures proactive risk management, adaptability to emerging threats, and the development of robust security frameworks. And most importantly, give your team something to rally behind and strive for!

  • Persuade: Can you convince others of your vision? Persuasion is a crucial skill in cybersecurity leadership, especially when it comes to stakeholder buy-in for your strategy, obtaining budget approvals for security tooling investments, behavioural changes to improve the security culture, or negotiating security vendor agreements.

That’s a wrap!