September 25, 2019 | By Lysa Myers

If you look under the hood of modern security software, you will see a truly impressive feat of engineering. For at least the last three decades, the companies creating this software have been making impressive and truly innovative technology. Yet we still have security incidents that are growing in number and severity, such as the Equifax, Facebook and Yahoo breaches.

What cyber skills do we, as security practitioners, need to bring to the equation to continue improving products and protecting people?

5 Cyber Skills You Need on Your Team

While I feel confident that the technology aspect of security will continue to improve, it is the human aspect of security that we most need to address to meaningfully decrease the impact of cybercrime. The skills that will be most important in the industry as we move forward are those that address the way the general public uses security products.

Here are five cyber skills that will be essential for the future of security.

1. Understand How to Teach Security

Few people would argue with you if you stated that humans are the weak point in most security systems. Computers and connected devices are currently designed for ease of use more than they are designed for security. Security concepts can be complex, and recommendations for best practices are constantly evolving. As such, people need to be trained to use devices safely.

Many businesses have little to no existing security training in place, and even in those that do, it may be suboptimal. Some companies cobble together their own educational materials without necessarily having much security or education expertise. Those organizations that choose ready-made security awareness training programs may not know how to determine which of these products are actually effective in helping employees prevent security issues.

This industry needs educators who understand current best practices for helping people learn, at least as much as they understand security best practices. Providing effective security awareness training will be a business differentiator in the coming years.

As more and more legislation requires businesses to have security training, more businesses will be required to purchase these services. The training programs that prove their utility as a cost-effective way to decrease the impact of security incidents will no doubt be highly sought-after.

2. Make Technology More Accessible

Most security practitioners will tell you that everyone needs to be protecting themselves online, and that we all need to be using some sort of security software. And yet, the products themselves are not always designed as if this were the case. There are millions of people who have issues making effective use of security products, including those with hearing or vision impairment, dyslexia, or colorblindness.

If customers have a hard time purchasing or using your products because your company has not designed for people with these needs, you’re simply leaving money on the table. This market segment is only growing more rapidly as the computer-using population ages. While many security vendors are more worried about adoption from the general public, those who come to market with effective and fully accessible products will have a major advantage over their competitors.

3. Improve Usability in Security Products

Perhaps because, historically, only the most technologically savvy consumers used security products, user interfaces in security products have been rather unapproachable for the average user. Successful user interface design is a mix of behavioral science, art and technology. This is an unusual intersection of skills, which is perhaps why it’s such a problem for so many technology products.

Good usability practices can greatly increase security and privacy all on their own. But improving usability in security products could also significantly improve adoption of these technologies. We can probably all bring to mind a product that we use that is truly a joy, because interacting with it is so natural and seamless. The more security technology can become a natural and painless part of people’s computing lives, the safer we all will be online.

4. Communicate Persuasively About Security Needs

There are certain things in life that are not fun, but totally necessary, such as paying taxes, getting a medical checkup or flossing your teeth. The consequences for not paying taxes tend to come swiftly, so most of us are pretty diligent about taking the time and effort to make sure they get done in a timely fashion. Until we hit a certain age, getting a checkup and flossing our teeth seem like things that are fairly low-consequence if we’re not as diligent as we should be. Many of us put these things off until the consequences scare us into action.

Security best practices, for most people, are a bit like flossing. Most of us know we should, though some people may not be totally clear on how important it is or how to do it properly. A growing number of us are having experiences with the consequences of a lack of security, but the message still does not seem to be sinking in.

While companies may not usually hire security practitioners explicitly for their ability to communicate persuasively, this skill is absolutely essential to getting the job done. If you’re the person who saves a company from a costly breach or embarrassing vulnerability because you managed to persuade the right people to allot the time and resources to fix problems — and appropriately communicate your success — you’re more likely to have a long and fruitful career in this industry.

5. Behave Ethically to Avoid Causing Harm

Because security practitioners deal with sensitive information and powerful tools, ours has always been a very trust-based industry. In most areas of this industry, behaving ethically has always been crucial to gaining the good reputation that’s needed to get a start. Now, we need ethics that go further than not directly causing harm to others; we need ethics that look forward and avoid introducing products or features that may harm others in the future.

Technological developments are never neutral; they are intended to cause change. Often, they’re meant to cause disruptive levels of change. Indeed, the current market demands we move fast and break things. But we’re starting to see how harmful and damaging that mindset can be. It may seem like a ridiculous idea to slow down enough to get a broader perspective and consider the potential ramifications of new features, but to be successful in the long term, we need to do exactly that.

Moving Into the Future of Security

The nuts-and-bolts level of security technology is rather impressive: Products are incredibly innovative and constantly improving. But there is only so far we can go to reduce cybercrime with these impressive and powerful tools. Much like the full power of computers was not realized until they evolved from complicated and massive machines into devices we willingly keep in our pockets, a sea change will not happen with security until the concepts and devices can be made a seamless part of our daily lives.
