Cybersecurity jobs: Key skills, certificates, and traits leaders want
Get expert advice from a top CISO on what cybersecurity hiring managers look for in candidates—from key skills to signs of leadership potential.
Sep 13, 2024 • 10 Minute Read
Are you interested in applying for an individual contributor (IC) or management role in cybersecurity? To find out what hiring managers are looking for, we interviewed Larry Trittschuh, a seasoned CISO and executive leader with over 25 years of experience spanning technology, operations, and services. Larry has been in cybersecurity since 2006, and as Managing Director and Chief Security Officer for Barclays Americas, he led a 500-member team overseeing cybersecurity, physical security, and resilience.
Let’s start with technical skills. Is there even a tick list for cybersecurity as a whole?
Not really. Cybersecurity is an incredibly broad field, so there isn’t a single set of “must-have” technical skills. Different roles require different skill sets, which means there's no universal checklist. But that’s actually good news—there’s likely a role that matches your existing skills.
For example, if you’re moving from a military or analyst background into cybersecurity, a career in cyber intelligence could be a good fit. If you have experience in relationship management or project management, you might find a place in third-party risk management or governance, risk, and compliance (GRC).
People with an audit or compliance background can also easily move into GRC roles. For those with highly technical skills, positions in detection and response are available, which could involve reverse engineering malware or understanding attacker tactics.
If you have an IT or help desk background, engineering roles, particularly in architecture, might be a strong fit. Additionally, cloud expertise is highly sought after in various areas of cybersecurity. All of this diversity is actually key to a fully functioning security program.
On top of this, what a hiring manager is looking for is going to depend on the company size and their focus. A smaller company with a less mature cybersecurity program is likely going to want someone who’s a Jack of all trades, whereas a larger company with a more established setup is going to want you to work in a more focused role.
To develop yourself, you should find the right company, program, and organization that will help you develop the skills you’re interested in nurturing as a professional, rather than fitting yourself to a particular mold.
What about certifications? Are there any you feel are “must haves” for cybersecurity professionals?
I would recommend all the certifications, whether they’re CISSP, CISA, CEH, PMP, or otherwise. Pursuing cybersecurity certifications pushes you to explore, learn, and stay current.
That said, I’m not someone who would say “I’m not going to hire this person because they don’t have the right certification.” You might have someone with several post-nominals after their name, but it doesn’t actually mean they have the ability to execute.
Rather than certifications, I value traits like someone being a self-starter, having a passion for cybersecurity, and being a good cultural fit. Most importantly, I look for people who can think as a risk person—they should be able to think about risk, and speak to it. All of this is more important to me than if someone’s got a Master’s degree or certification.
Are there any soft skills you feel are pivotal, or you would personally look for when hiring someone?
I think it depends on the specific role in question, and the level of the role. But in general, critical thinking is extremely important in security. It’s foundational to being able to be active in handling tasks rather than just reacting to something.
Systems thinking is a great skill to have. If you can think about all the different pieces and get your head around the complexity of a system, then that is going to help you thrive in cybersecurity. Thinking in terms of data—being able to interpret it and use it to make decisions—is also a valuable skill.
Communication skills are extremely important. It really sets you apart at a senior level, such as CISO and senior roles. Being able to communicate technical information in a way people understand, and not just scaring our non-technical peers away, is critical.
Continuous learning is a big one in cybersecurity, because you’re constantly learning about the latest threats and technologies, as well as from your own mistakes and the mistakes and successes of others in order to improve.
Influencing and relationship-building skills are also valuable. We’re beyond the point where we can just throw things to other departments as cybersecurity professionals and make it their problem. We need to be able to work with other teams collaboratively and productively.
Lastly, risk management and prioritization are part and parcel of cybersecurity. At the end of the day, there are a lot of risks to look out for, and a lot of technologies that could add value. Determining what the organization’s tolerance for risk is, and where to fill gaps in the security program is crucial. The sooner you develop those skills, the faster it accelerates your career.
How do you assess someone’s skills during the interview process?
It’s very hard in 30 to 40 minutes to get a complete picture of someone. The more you can pre-vet someone via networking or checking their references, the better. If the role requires it, we get them to conduct hands-on activities or homework assignments relating to the role competencies.
There are some people who interview really well because they can give you the right answer. To separate these people from those who truthfully have the qualities and skills in question, I ask a lot of follow-up questions, like “When did you do this?”, “What was your role in the situation?”, and so on.
As soon as you begin to pull the thread, you start to understand the person’s real experience. It also gets them to demonstrate their communication skills in real time, and their ability to influence others—namely, the interview panel.
I also like to ask about times they’ve failed. This is important, because we all fail and miss things. I ask questions about what they feel they should have done differently, and what they’re doing differently moving forward.
How do you gauge a candidate’s commitment to continuous learning and staying updated with the latest cybersecurity trends?
First of all, you see it in their self-reflection, and in the types of technology they’ve embraced. Applicants should be able to talk about their curiosity in learning new things, and how they’re staying current.
It’s certainly something that needs to continue beyond the hiring process, and as a leader, you’ve got to drive a culture of continuous improvement. There’s a flip side of that, in that people will sometimes self-select out if they’re not interested or are afraid of taking that journey with the company. At those times both the individual and leadership need to flag it, and see if it’s a matter for upskilling, or if it’s time for a change so both sides can be successful.
What qualities do you look for in candidates who might have leadership potential within the cybersecurity team?
The big difference between individual contributors (ICs), managers, and managers of managers is really the concepts examined in the book “Who Moved My Cheese?” The person who’s really successful as an IC is someone who can execute, and their Say/Do ratio is very high. However, when you become a people leader and then move beyond, the measure of success changes. I look for people who demonstrate the traits of the next level in leadership in their current role.
Success as a people leader
As a people leader, your success is suddenly reliant on executing through other people, so you’ve got to be good at empowering and motivating others, and making sure they’re held accountable. Empathy is crucial, because you can’t just tell people what to do with no regard for them as individuals. This doesn’t help you build up the influence that’s crucial to success in getting traction and growth.
If you’re not currently a people leader, I look for signs that a person has been able to influence others, even if they’re not direct reports. It’s actually harder to lead someone who’s not a direct report, and in cybersecurity you’re often working with a lot of contractors, consultants, and other business areas you need to get to execute outside of yourself.
Success as a manager of managers
At this level, your influence grows exponentially. There’s a greater focus on leading through example and being self-aware. For example, if you’re working 70 to 80 hours a week, you’re demonstrating to the team that this is the right thing to do. Likewise, if you’re responding to emails at 2am, you’re also communicating to teams that this is the expectation, and so you need to be conscientious about it.
Managers of managers need to demonstrate they’re aware of their weaknesses and how they hire to fill these blind spots. There’s a natural tendency as a leader to look at our strengths and not our weaknesses, and then hire someone like us. That’s exactly the wrong sort of person to hire, and you want a team that is diverse to be successful.
What are some of the challenges you’ve had with hiring for cybersecurity roles, if any?
There are always challenges in hiring. But the three biggest ones are finding a culture fit, offering proper compensation, and finding a middle ground on working location.
Culture fit
When I look at a candidate, the most important thing for me is getting the right team on the bus. I don’t necessarily care what role you’re in or what the job title says. I’m hiring for the culture of the team and the company. This is all those qualities like passion, being a self-starter, and self-awareness.
This is where I think hiring has gone wrong – looking for specific technical skills or certifications, etc. – as success is often about finding the right cultural fit. And when hiring goes wrong, it’s not just wrong for the company or the manager, it’s wrong for the individual as well. I feel this is the piece that as a hiring manager you’ve got to focus on and worry about getting right.
Offer proper compensation
This comes down to working with the HR team to make sure the role is interesting and the salary package is good. One issue is once someone gets an entry-level position in cybersecurity, their year-on-year salary growth at typical companies is about 3%. If your HR team doesn’t understand the increased value with years of hands-on experience, the staff you hired out of school will leave after two or three years because better opportunities exist elsewhere.
You need to be able to work internally to make sure people are compensated fairly and engaged—whether that’s bigger roles, different titles, more rewarding work and/or more money—to make sure you retain them.
Working location
People are often asking “Is it fully remote? Is it a hybrid? Is it in-office?” I think we’re reacting a little bit to the verbiage of things, and both candidates and hiring managers need to talk less about the labels and more about what’s the right balance for everyone.
The ‘professional shortage’ is not the real problem
I don’t think the shortage of cybersecurity professionals that people often report on is the real reason companies can’t find staff. I think if people don’t want to work for you, it’s because you’re either not paying enough, or something about the job or company isn’t interesting.
If someone says their hiring struggle is about there not being enough professionals, I feel they need to look internally at their structure, brand, compensation model, recruiting strategy, etc. before blaming the lack of talent.
What would be the one piece of advice you’d give people in order to succeed in cybersecurity?
Personalize success. Don’t let a system tell you what success looks like for you. For you, success might mean a high wage, a great title, loving the company or person you work for, spending lots of time with your family, or enjoying a low-stress job.
This is a very personal decision, and this should play into what sort of cybersecurity positions you apply for, and the skills that you develop. You shouldn’t see getting into cybersecurity or advancing in the field as going up a ladder, but as choosing the path that works for you.
Further learning
If success for you looks like going for the CISO role, we recommend checking out Larry Trittschuh’s article: “From Air Force pilot to CISO: How this security leader landed the top job.” Otherwise, you may enjoy reading these other articles on the Pluralsight blog:
- How to get into cybersecurity with no prior experience
- How to get a job at a major tech company
- How to get into tech with no experience: 12 tips and tricks
- Tech interview and resume tips to stand out and get hired
- The 10 most in-demand tech skills in 2024 (with skill tests)
- What are the best paying tech jobs to have in 2024?