Does this sound familiar to you as a cybersecurity professional? You’ve uncovered a significant security issue within your organization and crafted a comprehensive technical report detailing how to address it. The problem is urgent—action needs to be taken immediately. There’s no reason why management shouldn’t take this seriously, right?
But when you present your findings to the executive team, their eyes glaze over. They want to understand how this issue impacts the business and the bottom line, yet your report is packed with technical jargon that leaves them confused.
As a result, your critical findings are sidelined because you couldn’t translate your technical insights into actionable business advice. Instead of seeing your project greenlit, it’s ignored entirely. You’re left watching essential security measures get delayed or scrapped altogether.
Does this scenario hit close to home?
Cybersecurity professionals often dedicate years to mastering technical skills—network security, cryptography, threat detection, and incident response, to name a few. While these are indispensable, there comes a time in every cybersecurity career when technical expertise alone isn’t enough.
The higher you climb in the industry, the more you’ll need to communicate with stakeholders who prioritize business outcomes over technical details. If you can’t bridge this communication gap, you may find yourself stuck, unable to move forward into leadership roles.
In this article, we’ll explore three key non-technical skills that every cybersecurity professional should develop. These skills will not only enhance your career but also help you effectively communicate the value of your work to those who control the budget.
1. Demonstrating the Return on Security Investment (ROSI)
The key question on the minds of those controlling the budget is simple: How do cybersecurity investments translate into tangible value for the company? Understanding and demonstrating the Return on Security Investment (ROSI) is essential.
A Real-World Example: Jack’s Story
Take Jack, a cybersecurity manager at a mid-sized healthcare organization. Jack is exceptional at his job, having implemented impressive technical solutions within the company. However, as budgets tightened, his job became increasingly challenging. Management began asking tough questions: If they approve a particular solution, how will this investment translate into reduced risk and financial value over the next three to five years?
While Jack had a solid understanding of risk management and could explain the potential dangers in terms of risks—like how a ransomware attack could disrupt patient care and lead to costly HIPAA violations—this was no longer sufficient. Management wanted to see the ROI of security controls in clear, financial terms.
Determined to adapt, Jack enrolled in an online business finance course to learn the basics of calculating ROI. He quickly figured out how to translate cybersecurity spending into measurable business value.
For instance, when pitching a new security tool, Jack no longer just highlighted the cost. Instead, he included a cost-benefit analysis, comparing the expenses of implementing security measures with the potential costs of a breach or regulatory non-compliance.
Consider the time when Jack proposed upgrading the company’s outdated firewall. The cost was $25,000, and Jack estimated that the new firewall would reduce the risk of a data breach by 50%. Based on industry averages, the cost of a breach could reach $500,000. With the new firewall in place, the reduced risk represented a potential savings of $250,000. Jack’s proposal to leadership read: “By investing $25,000 in a firewall upgrade, we can avoid the potential financial impact of a breach, saving up to $250,000.”
In another instance, after the company narrowly avoided a phishing attack, Jack seized the opportunity to highlight the ROI of a security solution. The phishing attempt was thwarted by an email filtering tool that had been implemented six months earlier at a cost of $10,000. Jack presented a report to the executive team: “Last week, we blocked a phishing attempt that could have compromised 10,000 patient records. The potential cost of this breach, including HIPAA fines and lost business, could have been $1.5 million. Thanks to our $10,000 investment in email filtering, we averted a potential $1.5 million disaster, representing a 150x return on investment.”
By learning to quantify the financial impact of cybersecurity measures, Jack became much more effective in communicating the value of his work in a language that management could understand and appreciate.
How to Develop Your ROSI Skills:
- Take Courses: Enroll in financial analysis or business metrics courses to gain a solid understanding of how to quantify cybersecurity investments in terms of ROI.
- Practice Cost-Benefit Analysis: Start incorporating cost-benefit analyses into your security proposals. Compare the costs of protection with the potential costs of a security breach.
- Collaborate with Finance: Don’t hesitate to seek help from your colleagues in the Finance department. You might be surprised at how willing they are to share their knowledge.
2. Mastering Effective Communication and Reporting
No matter how advanced your technical skills are, they won’t do much good if you can’t communicate effectively with non-technical stakeholders. Writing concise reports and delivering impactful presentations are crucial for translating complex cybersecurity issues into actionable insights.
A Real-World Example: Emma’s Journey
Emma, a cybersecurity analyst at a mid-sized company, excels at identifying threats and implementing technical solutions. However, she struggled when it came to presenting her findings to leadership—her presentations often left them confused or uninterested.
Emma realized that to advance her career, she needed to improve her communication skills, particularly with non-technical stakeholders. She started by revising her reports to remove technical jargon. Instead of writing “SIEM logs showed anomalous traffic,” she rephrased it as: “Our monitoring tools detected unusual activity that could indicate a security breach. We are taking steps to investigate and mitigate any risks.”
This approach made it easier for leadership to understand the issue without needing to grasp the technical details.
To further enhance her communication skills, Emma joined a local Toastmasters club, where she practiced public speaking regularly. Through these sessions, she became more comfortable delivering clear and concise presentations. She also started seeking feedback from non-technical colleagues on her reports and presentations.
One executive mentioned that they appreciated short, actionable insights. Taking this feedback to heart, Emma began summarizing her reports with a “key takeaways” section that included clear action items for leadership, such as: “To reduce our risk further, we need an additional $10,000 investment in advanced threat detection tools.”
Over time, these efforts helped Emma bridge the communication gap between cybersecurity and business, allowing her to demonstrate the true value of her work.
How to Improve Your Communication Skills:
- Writing Skills: Practice writing concise, jargon-free reports. Challenge yourself to explain technical topics in plain language. Consider having a non-technical colleague review your work and provide feedback.
- Presentation Skills: Attend public speaking workshops or join clubs like Toastmasters to improve your ability to deliver clear, engaging presentations. Focus on breaking down technical content into relatable stories and examples.
- Business Outcomes: In all communications, emphasize the business outcomes. Highlight how your work impacts revenue, customer trust, regulatory compliance, or risk reduction.
3. Excelling in Vendor Management and Negotiation
Most cybersecurity professionals will, at some point, need to work with third-party vendors, whether for purchasing security tools, contracting services, or managing ongoing vendor relationships. Understanding how to manage vendors and negotiate contracts is essential to ensuring the success of your security strategy.
A Real-World Example: Olivia’s Experience
Olivia, a cybersecurity project manager at a tech company, quickly learned that managing vendor relationships in cybersecurity can be far more challenging than anticipated. Her company began relying more heavily on third-party vendors for security tools, software, and consulting services. However, this shift brought about a series of frustrations—vendors missed deadlines, delivered subpar products, and failed to meet agreed-upon service levels. These issues directly impacted Olivia’s team’s ability to meet their security goals.
Realizing the importance of effective vendor management, Olivia decided to take matters into her own hands. She began by educating herself about the vendor lifecycle—from selecting vendors to managing ongoing relationships and conducting regular performance reviews.
Olivia attended a vendor management workshop, where she learned how to evaluate potential vendors, ensure they align with the company’s goals, and define clear expectations from the start. She became familiar with Service Level Agreements (SLAs) and how to hold vendors accountable to these standards.
For instance, when selecting a new security service, Olivia now requests detailed SLAs during the initial contract phase. She insists on including specific response times, uptime guarantees, and clear metrics for success. This ensures both parties are aligned and that the vendor understands the company’s performance expectations.
Understanding that negotiation is a crucial aspect of vendor management, Olivia took an online course on negotiation tactics. She practiced handling difficult negotiations, setting boundaries, and aiming for win-win outcomes.
Recently, when a vendor proposed a price increase for renewing a security software subscription, Olivia confidently negotiated the price down by highlighting her company’s potential for long-term business. She also secured additional support hours in the contract, ensuring her team received more value without incurring additional costs.
Olivia’s newfound negotiation skills saved her company thousands of dollars while improving vendor service, illustrating the significant impact of effective vendor management.
How to Enhance Your Vendor Management Skills:
- Learn Vendor Management Basics: Familiarize yourself with the vendor lifecycle, including selection, ongoing management, and performance review. Learn how to evaluate and negotiate SLAs.
- Practice Negotiation: Negotiation is a critical skill in vendor management. Consider taking online courses or reading books on negotiation tactics and strategies. Role-playing negotiation scenarios with colleagues can also be beneficial.
- Establish Metrics: When working with vendors, set clear key performance indicators (KPIs) and schedule regular check-ins to ensure they meet contract terms and deliver value.
Bonus
Here are the best books on career development:
- “What Color is Your Parachute?” – A classic guide for job seekers and career changers.
- “Lean In: Women, Work, and the Will to Lead” by Sheryl Sandberg.
- “Leaders Eat Last: Why Some Teams Pull Together and Others Don’t” by Simon Sinek.
Conclusion
As the cybersecurity field continues to grow, the demand for professionals who can bridge the gap between technical knowledge and business needs will only increase. By mastering the skills of effective communication, demonstrating ROI, and excelling in vendor management, you’ll position yourself for leadership roles and long-term success in the industry.
Good luck on your journey to becoming a well-rounded cybersecurity professional!
