Organizations want non-security functions like IT operations, risk management and compliance to get more involved in cybersecurity, research has revealed.
A Tripwire survey of 315 IT security professionals at companies with over 100 employees conducted by Dimensional Research found that respondents were unanimous in believing that soft skills are important when hiring for their security teams.
The three most important soft-skill attributes cited were: Analytical thinker (selected by 65%); good communicator (60%); and troubleshooter (59%). Tied for fourth place was “strong integrity and ethical behavior” and “ability to work under pressure,” both selected by 58% of participants.
“The cybersecurity industry should not overlook the soft skills that are needed to build a strong security program,” said Tim Erlin, vice president of product management and strategy at Tripwire. “The reality is that today’s security pros need to go beyond technical expertise. Security practitioners need to be good communicators who can connect cybersecurity issues to business priorities, rally the rest of the organization to get involved, solve tough problems and handle sensitive issues with integrity.”
Respondents were also asked if the need for soft skills has changed over the last two years, and 72% said the need had increased. A fifth (21%) said that soft skills are actually more important than technical skills when hiring staff—a notable statistic in light of the fact that 17% said they expect to hire people without security-specific expertise over the next two years.
In addition, nearly all respondents (98%) believe non-security functions need to be more involved in cybersecurity in the future. Of those, 74% said IT operations needs to be more involved, 60% said risk management, 53% said compliance and 45% said legal needs to be brought into the fold. Other mentions included human resources (32%) and marketing (11%).
“With security-related regulations like GDPR on the rise, it’s unsurprising that respondents expect their legal and compliance teams to get more involved in cybersecurity,” said Erlin. “It’s become increasingly apparent that security is a shared responsibility, even for those without any technical cybersecurity experience. Employees from other functions can partner with their security teams to help them look at issues from different perspectives, help further the broader organization’s understanding of cybersecurity, and help enforce best security practices across the organization.”