As the well worn stereotype goes, every great cyber security professional was coding by age 10… jailbreaking smartphones in high school… and getting their lulz pulling off practical joke hacks from the safety of a college dorm room.
True as some of this might be of the legendary Kevin Mitnick – known first as the world’s most wanted hacker, until he was arrested and became the world’s most famous hacker – his first big hacks actually relied more on social engineering than technical skills. That’s right, the mythical Mitnick, still recognized today as the world’s most infamous hacker, really made a name for himself with a silver tongue and a unique ability to simply trick people into giving him sensitive information.
We recently sat down with Erich Kron, an in-demand speaker with KnowBe4, a company partly owned by Mitnick himself, who also serves as its CHO – Chief Hacking Officer. Kron helped us better understand how the infamy and success Mitnick achieved thanks to that gift of gab hints at the fact that it takes more than technical skills alone to achieve greatness in the field of cyber security.
The Cyber Security You See On TV Is Dramatized
The tech-minded are naturally drawn to the cyber security field. As Erich Kron puts it, “Let’s face it: a lot of us who get into this field are very technical. That’s what we like to do – live behind a keyboard… We’re often times even introverted.” Kron told us that those in the cyber security community often find themselves dispelling the myth that this field is all about ethical hacking or red teaming. As Kron explains…
“Not everything is what you see on TV. There are definitely places where people are sitting behind a keyboard and they’re doing attacks or active defense, but there are also as many people of equal importance who are writing the policies that are setting things up to help the users not have issues.”
You don’t have to be a star coder or insane programmer to find your niche in cyber security. “Personally myself, I’ve always been very technical, but I’m also not the hacker type,” says Kron.
Kron’s forte was alwasy making strong access and identity management programs that are as easy as possible for non-technical people to use. It’s not as glamorous as what you might see someone doing on Mr. Robot, but keeping non-technical people from accidentally downloading viruses makes life exponentially easier for users and team members all the way up the chain.
That’s important, and it’s not something someone with a background in IT can necessarily do well. It requires a finely-tuned understanding of how someone with little technical experience interacts with the computer world. “That’s actually kind of a magic, quite frankly. Unfortunately it’s one that’s not noticed by a lot of people,” Kron reflects. “There are a lot of other areas in cyber security that are equally as important although not necessarily with the rock star glitz and glam.”
Soft Skills are More Important Than You Probably Think
We never thought we’d hear an experienced cyber security guy like Kron expounding on the benefits of anything non-technical. He explained that as you move up the ranks, you’re going to be working with senior people from other areas in your company. You’ll need to do things like run project proposals by your manager, or write funding requests for your company’s CFO.
“What that means is that you have to understand how to speak the language of these folks,” Kron says, and then chuckles saying that might even amount to using “some of that creative writing stuff that you always thought would be pointless, quite frankly.”
Some companies are even experimenting with cyber security apprenticeships. In 2015 IBM implemented a program that was based on scouting people for cyber security based on key traits, like being problem solvers and being able to work collaboratively on a team.
The philosophy behind this program is similar to what Kron is talking about. IBM is trying to identify the people who would be effective at writing budget requests for their project manager first, and then training them in the arts of cyber security second.
The fact that IBM is taking this long-term-investment approach hints at how important these soft skills are to achieving success in this field. And Kron agrees, encouraging up-and-comers to make it a priority. “Don’t wait until later to start developing those skills. Start working on them from the beginning.”
Kron says that as he moved up in his IT and security career, one of the things that surprised him the most was how much he ended up dealing with the people-side of things, as opposed to the keyboard.
“In the beginning I was a guy jamming firewall rules and, you know, dealing with that sort of thing. Architecture stuff. That was great. I still love that part. I’m essentially an introvert, but I’ve had to learn how to leverage my extrovert in order to accomplish some of the bigger things.”
He says that having good speaking, writing, and communication skills have been critical in both incident responses and improving companies’ cyber security infrastructure. “Being able to show how you plan on doing that, and which direction you’re going to take in order to accomplish some measurable goals has been something that I’ve had to learn to do.”
And as you move up in this field you’re only going to rely on your people skills more, not less. “I think you’ll find that over the years as you own this career, you’re going to find that you need to work on those communication skills and it’ll become more and more valuable as you move on.”