Cybersecurity is an incredibly complex industry. With every passing month, online threats evolve and proliferate, forcing cybersecurity specialists to constantly keep their skills up to date. And that’s not just technical skills—it’s increasingly clear that, in order to succeed, cybersecurity specialists can also benefit from more diverse skillsets, including the ability to think outside the proverbial box.
Take Daniel Clayton, vice president of global services at Bitdefender, who views the cyber battlespace as an international theater without borders. Understanding other cultures and languages can help cybersecurity professionals like Clayton better put themselves in the shoes of an attacker. If they can understand those attackers’ motivations and methods, they can better anticipate what might happen next.
“Analytical thinking is key to understanding how we will be attacked, what those attacks might look like and how we can put controls and capabilities in place to thwart them,” he said. “Adversaries come from all walks-of-life, occupations and skill diversities, and that means security teams should be made up of an equally diverse group of individuals who don’t necessarily fit the cyber stereotype.”
Clayton has worked as an interpreter, an analyst, an interrogator, and an intelligence report writer, building security and intelligence operations on both sides of the Atlantic and in both hemispheres. He has lived, worked and studied in countries all over the world, including Russia, Germany and Afghanistan.
“We live in an increasingly global world so breadth of experience that we gather, opens our minds to different approaches to handle various situations and environments,” he said. “My own experiences in diverse roles [have] given me a stronger capacity to seek out and identify attributes within individuals that when brought together form highly effective cybersecurity teams.”
From Clayton’s perspective, cybersecurity is a growing and increasingly complex industry. These complex environments, and the tools used for monitoring them, drive huge amounts of data that must be managed, collated and analyzed. Good analysts are able to look through the eyes of an attacker and interpret data in ways that allow them to extract what will happen next.
“Each day there seems to be innovations or new platforms that makes our lives better, easier or more convenient; but each also brings a new set of risks that offset the rewards,” he said. “It’s is clear that these risks have to be managed, but it is challenging keep up with the disruptive nature of IT, never mind taking on the responsibility of securing it. There is no end to the different disciplines, skillsets and traits being harnessed to secure networks and infrastructure.”
Language and Culture
Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said being multilingual has many benefits. Speaking multiple languages can enable collaboration and teamwork across global cybersecurity teams, for starters.
Second, possessing language and culture skills that align with adversaries in your threat model can improve research and investigations. For example, speaking Russian can be a valuable skill when investigating cybercrime and extortion threat actors.
“I have a U.S. Army intelligence background, so I've been able to leverage those skills throughout my career and specifically in my current work in cyber threat intelligence,” he said. “One word of caution when it comes to military backgrounds: Be careful not to have a disproportionate amount of veterans making up cybersecurity teams. Team members should have a wide array of backgrounds; too much of any one type can lead to groupthink resulting in conformity and poor decision making.”
He also noted that journalism can be an excellent foundation for a career in cybersecurity. “Journalists know how to investigate a story, they know how to evaluate sources, and they know how to meet deadlines,” he said. “All of these skills would complement a team very well.”
Holland said hiring managers must actively seek out diverse candidates; otherwise, they may never find their way into the recruiting process. “When it comes to university students, instead of just working with engineering and computer sciences schools, seek out arts and humanities students, work with the deans of these schools and make it known that you are seeking these backgrounds,” he said.
Security leaders should talk to HR leadership and let them know they require diverse candidates to be successful. Groups like the International Consortium of Minority Cyber Professionals (ICMCP) can help diversify the organization’s candidate pool.
Monti Knode, director of customer and partner success at Horizon3.ai, explained that while organizations want their security professionals to be practitioners deep in their industry, they also want them to be well-rounded and have outside interests. “Leaders must nurture and encourage outside passions and the curiosity to grow and learn,” he said. “When done right, you foster a dynamo where personal and professional interests feed one another.”
Other activities, even if they seem to have nothing to do with cybersecurity, can nonetheless show that cybersecurity candidates have the mindset to succeed at defending systems. “Crafting beer requires some of the same brainstorming, pattern-detecting and interpretation skills a security analyst uses to comb through logs; planning your backyard project or a four-course meal requires evaluation and decision-making just like configuration management and domain hygiene,” he said.
Most important, though, is the desire to be a life-long learner. “Some of the best nation-state coders, operatives, and ethical hackers deliberately decide to never settle and seek ways to test and verify their skillsets, always pushing themselves,” Knode said. “They are hungry, whether at a poker table or on a mountain hike, they embrace a challenge to their limits. Call it a skill or an attitude, it’s inherent and critical to a successful cybersecurity career.”