soft skills SANS SecAwareReport 2018

In June we announced the release of the 2018 Security Awareness Report. You can find an overview of the report in this blog post here. This week we are going to do a deep dive on one of the key findings: skills. Specifically, what skills make a good Security Awareness professional? If you are involved in security awareness, you want to know what skills or expertise are needed to ensure your program (and career) is successful. Or perhaps you are looking to hire a new security awareness officer; what should you look for? It turns out it's not technical skills, it's soft skills. The 2018 Report found that the most mature awareness programs had the most staff with soft skills such as marketing or communications. In addition, the report found that the more time a person spent dedicated to awareness, the more likely they were to have a soft skills background. But why is this important, and why are we seeing this in the data?

It turns out that the more technical you are, the more likely you are to assume others are like you in their knowledge and ability. The term for this is the Curse of Knowledge, which is a fancy way of saying that the more of an expert you are at something, the worse you are at communicating it. Most organizations have security teams packed with technical experts who know the problems inside and out. The problem comes when these same technical experts are expected to engage their workforce and communicate what people should be doing and why. The issue then becomes not a lack of technical expertise, but a desperate lack of soft skills. Geeks are respected for many things; however, communication is not one of them. So, what makes a good Security Awareness professional?

People Skills: Simply put, this means you like people. Yes, you have to actually enjoy working with and talking to people on a daily basis. You have to engage and collaborate, you have to understand terms like emotion and culture, and you have to want to work with others. Security is packed with career paths where you can be highly successful and effective without liking people; this is not one of them.

Communication / Marketing Skills: A key part of managing human risk is engaging your workforce. To engage, you have to communicate in their terms. You have to sell WHY cyber security is important, then communicate the expected behaviors in a simple-to-understand format that anyone can follow. Don't have these skills and are not sure where to start? One of my favorite places to start is the books Made to Stick and Switch.

Collaboration Skills: You will be working with a huge number of groups, including Human Resources, Audit, Legal, Marketing and Communications, Leadership, Project Management, Accounts Payable, LMS and Help Desk teams, and numerous others. This is why time, and not budget, is so important to successful awareness programs. You will spend most of your time interacting with and coordinating the efforts of others, not working with technology.

As we have repeatedly learned from the BJ Fogg Behavior Model, behavior ultimately comes down to motivation and ability. Nowhere does this require a technical background. So if you have a technical background but want to get involved in awareness, start developing those soft skills. If you want to find someone to lead your awareness program, look for someone with a soft skills background such as Communications, Marketing, Teaching, Sales or Public Relations. One of the best awareness officers I ever saw was an English major. The fact that they do not have a technical background is not a limitation but potentially an advantage. If they don't understand what you are communicating about cybersecurity, how do you expect your workforce to?