These 3 Non-Technical Skills Will Take Your Cybersecurity Career to New Heights
Technical skills are not enough for cybersecurity career success
If you are a cybersecurity professional, let me know if this sounds familiar.
You find a major security issue in your company and prepare a detailed technical report on how to fix it.
The issue is urgent and needs to be fixed NOW.
There is no reason why this should not be taken seriously by management.
BUT .. when you present your findings to the executive team, their eyes glaze over.
They want to know how this issue affects the business and the bottom line, and your report is filled with jargon they don’t understand.
As a result, your critical findings are sidelined because you could not translate your technical findings into actionable business advice.
Instead of your project being greenlit .. it is ignored entirely.
Despite knowing the risk better than anyone, you could not convince management of the issue.
You are left watching critical security measures get delayed or shelved entirely.
Does this ring a bell?
Cybersecurity professionals often spend years mastering technical skills like network security, cryptography, threat detection, and incident response.
While these are crucial to the job, there comes a point in every cybersecurity professional’s career when purely technical expertise is not enough.
The higher up you go in the industry, the more you need to communicate with stakeholders who care more about business outcomes than the technical details.
If you cannot bridge the communication gap and make them understand, you may find yourself stuck and unable to move forward into leadership roles.
In this article, I want to go over some key non-technical skills that every cybersecurity professional should focus on, along with some practical tips to help you develop them.
1. Showing The Return On Security Investment
The people who control the budgets want to know one thing and one thing only:
how investments in cybersecurity translate into value for the company through Return on Investment (ROI).
Let me give you an example of a guy I know (let’s call him Alex).
Alex is a cybersecurity manager at a mid-sized healthcare organization.
He is fantastic at his job and has implemented some awe-inspiring tech at his company.
However, as budgets got slashed in recent years .. his job got increasingly tougher.
Management wanted to know: if they approve X solution, will these security investments translate into risk reduction and financial value over the next 3 to 5 years?
Now Alex has learnt risk management, so he knows how to translate stuff into risk language, like “A ransomware attack could disrupt patient care, cause significant reputational damage, and lead to HIPAA violations, costing the company millions.”
But that was no longer enough...
He now needed to show not just the risk but the ROI of his security controls.
Alex took an online course on business finance, where he learned the basics of calculating ROI.
He figured out how to translate cybersecurity spending into tangible business value.
For instance, when pitching a new security tool, he now includes the cost and the potential savings it brings through reduced risk.
He started by including cost-benefit analyses in his proposals, comparing the costs of implementing security controls to the costs of a potential breach or regulatory non-compliance.
For example .. he wanted to upgrade the company’s outdated firewall.
Instead of just stating the cost of the firewall .. he did the following:
The upgrade cost was calculated at $25,000, and it was estimated that the new firewall would reduce the risk of a data breach by 50%.
Based on industry averages, he estimated the cost of a breach could be $500,000.
With the firewall in place, the reduced risk translates into a potential savings of $250,000.
His proposal to leadership reads: “By investing $25,000 in a firewall upgrade, we can avoid the potential financial impact of a breach, saving up to $250,000.”
Another example of showing ROI was when the company had a close call with a phishing attack.
The security solutions Alex had implemented stopped the attack, so he used the opportunity to show the ROI to management.
He prepared a report for the executive team that outlined the incident:
“Last week, we blocked a phishing attempt that could have compromised 10,000 patient records. Based on the cost of breaches in the healthcare industry, this would have resulted in approximately $1.5 million in HIPAA fines, plus reputational damage and lost business.”
He then highlighted that the phishing attempt was thwarted thanks to the $10,000 investment in an email filtering solution implemented six months prior. “Because of this tool, we averted a potential $1.5 million disaster, representing a 150x return on our initial investment.”
You can see how much better Alex became at highlighting these risks in a way that business can understand and appreciate.
How To Learn ROI:
Take courses in financial analysis or business metrics to understand how cybersecurity investments can be quantified in terms of ROI.
Practice presenting your security initiatives in terms of the cost of protection versus the potential cost of a security breach.
Ask your colleagues in Finance for help .. you will be surprised at how much people are willing to share knowledge.
2. Effective Communication and Reporting
No matter how advanced your technical skills are, they won’t help much if you can’t communicate effectively with non-technical stakeholders.
Writing concise reports and delivering impactful presentations is crucial for translating complex cybersecurity issues into actionable insights.
A friend of mine, Sarah, has spent several years working as a cybersecurity analyst at a mid-sized company.
She is excellent at identifying threats and implementing technical solutions, but when she presents her findings to leadership, they often look confused or uninterested.
Sarah realized that to advance her career, she needed to become a better communicator, especially with non-technical stakeholders.
She started by reviewing the reports she sent to her leadership team and removing technical jargon from them.
Instead of using technical jargon like “SIEM logs showed anomalous traffic,” she now writes it as: “Our monitoring tools detected unusual activity that could indicate a security breach. We are taking steps to investigate and mitigate any risks.”
This helps her leadership team understand the issue without needing to grasp the technical details.
She also joined a local Toastmasters club to practice her public speaking skills.
Through regular practice, she became more comfortable delivering clear and concise presentations.
She also started asking non-technical colleagues for feedback on her presentations and reports.
One executive told her that they value short, actionable insights, so Sarah began summarizing her reports in a “key takeaways” section with clear action items for leadership, such as: “To reduce our risk further, we need an additional $10,000 investment in advanced threat detection tools.”
It took time, but these efforts finally helped her bridge the gap between cybersecurity and business, demonstrating the value of her work.
How To Get Better:
Writing Skills: Start practicing concise writing. When drafting reports, challenge yourself to explain technical topics in plain language. If possible, have a non-technical colleague review your work and give feedback. Tools like ChatGPT can be great at giving you suggestions for writing better reports (but please don't put your company data in it!).
Presentation Skills: To improve your public speaking, attend workshops or join clubs like Toastmasters. Practice breaking down technical content into stories and examples that resonate with non-technical audiences.
Focus on Outcomes: In all communications, focus on the business outcomes. Highlight how your work impacts revenue, customer trust, regulatory compliance, or risk reduction.
3. Vendor Management and Negotiation
Most cybersecurity professionals will need to work with third-party vendors, whether it’s for purchasing security tools, contracting out services, or managing ongoing vendor relationships.
Understanding how to manage vendors and negotiate contracts can significantly impact the success of your security strategy.
Let’s take the example of a friend of mine (let’s call her Emily).
She is a cybersecurity project manager for a tech company.
Over the years, her company started to rely more heavily on third-party vendors for security tools, software, and consulting services.
She quickly realized that managing vendor relationships in cybersecurity is way more challenging than she thought.
Her company experienced issues with vendors who missed deadlines, delivered subpar products, and did not adhere to agreed-upon service levels.
These frustrations directly impacted her team’s ability to meet security goals.
Emily understood that to ensure the success of her cybersecurity strategy, she needed to improve her vendor management and negotiation skills.
She took the initiative to learn more about the vendor lifecycle — from selecting vendors to managing ongoing relationships and conducting regular reviews.
She attended a vendor management workshop, where she learned how to evaluate potential vendors, ensure they align with the company’s goals, and define clear expectations from the start.
She became familiar with Service Level Agreements (SLAs) and how to ensure vendors meet these standards.
Now .. when selecting a new security service, Emily requests detailed SLAs during the initial contract phase.
She insists that these SLAs include specific response times, uptime guarantees, and clear metrics for measuring success.
By setting clear expectations up front, she makes sure that both parties are aligned and that the vendor understands the company’s performance requirements.
Emily also saw that negotiation is a key part of working with vendors.. something she was not very good at.
She decided to take an online course on negotiation tactics, where she learnt how to confidently approach vendor discussions and aim for win-win outcomes.
During the course, Emily participated in role-playing exercises, where she practiced handling difficult negotiations, setting boundaries, and pushing for better terms.
This paid off well recently when a vendor proposed a price increase for renewing a security software subscription.
She negotiated the price down by demonstrating that her company could provide long-term business.
She also negotiated for additional support hours to be included in the contract, ensuring her team got more value from the vendor relationship without increasing costs.
Instead of accepting the price hike, Emily’s negotiation skills saved her company thousands of dollars while improving vendor service.
Practical Steps To Learn:
Learn the Basics of Vendor Management: Familiarize yourself with the vendor lifecycle, from selection to ongoing management and review. Many cybersecurity contracts also come with Service Level Agreements (SLAs); learn how to evaluate and negotiate these.
Practice Negotiation: Negotiation is a key part of vendor management. Read books or take online courses that focus on negotiation tactics and strategies. Role-playing negotiation scenarios with colleagues can also be a helpful way to improve.
Establish Metrics: When working with vendors, establish key performance indicators (KPIs) and regular check-ins to ensure they meet the contract terms and deliver value.
Conclusion
As cybersecurity grows, the demand for professionals who can bridge the gap between technical knowledge and business needs will only increase.
If you can master communication, ROI, and vendor relationships, you’ll position yourself for leadership roles and long-term success in the industry.
Good luck with your career!