Over the past year, organizations have been eager to hire tech professionals skilled in generative artificial intelligence (A.I.), and they’re paying extraordinarily high salaries to do so. In cybersecurity, A.I. and machine learning skills are also in demand, but enterprises continue to need tech professionals with a wide range of hard and “soft” security skills going into 2024.
Recent data from the (ISC)2 Cybersecurity Workforce Study and other sources show that demand for cybersecurity professionals remains robust, even with layoffs hitting some organizations and economic uncertainty making companies rethink hiring.
A significant obstacle for many enterprises is finding tech pros with the skills that match their security needs. The (ISC)2 study, for example, finds that 28 percent of those surveyed believe that A.I. or machine learning (M.L.) are the skills most in demand for tech pros who want to advance their careers. An even larger percentage (47 percent) believe cloud computing is critical to career advancement.
Other skills of note include governance, risk management and compliance (GRC); security engineering; and risk assessment, analysis and management.
While hard skills, certifications and experience certainly count, the (ISC)2 study also asked about the most important qualifications for cybersecurity professionals seeking employment. The top response (38 percent of respondents) was strong communication skills, showing that soft skills also hold significant sway with hiring managers and security team leaders.
The fact that tech and cybersecurity pros must be good communicators demonstrates how much the field has changed and what companies want from their cybersecurity teams, especially heading into 2024.
“These improved skills are vital for creating a common ground where technical and non-technical individuals can work together effectively, leading to more efficient problem-solving and innovation,” said Michael Skelton, Vice President of SecOps & Hacker Success at Bugcrowd. “This also includes the ability to listen actively, ask clarifying questions and tailor the communication style to the audience's level of technical expertise. By focusing on these aspects, a security professional can become a pivotal figure in any organization, driving projects and initiatives forward with greater ease and impact.”
As 2023 comes to a close, learning which skills are in demand is critical for tech pros as they prepare for the next year, whether the goal is career growth, moving up the management ladder or exploring other options. Here is what several cybersecurity insiders and experts see as the top security skills for next year.
Cloud Knowledge: Why It Remains Crucial
While A.I. and machine learning are up-and-coming skills that many organizations need, the data from the (ISC)2 report reinforces that cloud computing knowledge remains important. Cloud-based applications are critical to the hybrid work environment. With attackers taking advantage of the vulnerabilities in the cloud, tech pros need knowledge of all aspects of cloud technology.
“In 2024, we will see new requirements for IT and cyber organizations to reach deeper into both hybrid cloud and legacy IT environments, with the goal of deploying automated cryptographic discovery and software composition analysis tooling,” Philip George, executive technical strategist at Merlin Cyber, told Dice. “Thus, requiring both traditional vulnerability analysis experience coupled with cryptographic vulnerability expertise.”
This focus on cloud and security can affect others within the organization, such as CI/CD developers, who will need to build more security into applications.
“There will also be a need for cryptographic vulnerability analysts to work closely with cloud developers managing CI/CD pipelines to ensure that sound ‘Secure by Default’ principles focused on cryptographic modernization are incorporated into their pipelines,” George added. “This will ensure that traditional and cloud developers remain in high demand as they work to provide both software and cryptographic bill of materials and incorporate cryptographic agility for easier modernization efforts across hybrid and legacy IT environments.”
An understanding of the cloud and how the technology fits into the overall security theme is also vital for recent hires and those wanting to land their first jobs, said Ravi Pattabhi, vice president of cloud security at ColorTokens.
“An uptake in enterprises migrating to the cloud has multiplied since the beginning of the pandemic, and I expect this to continue in 2024,” Pattabhi told Dice. “Given this transformation, a better understanding of cloud security products that can secure hybrid and multi-cloud environments should greatly help new employees and recent college graduates have a leg up in DevOps and security admin teams.”
IAM Remains Key
Each year, dozens of breaches and other cybersecurity incidents are traced back to attackers targeting employees, compromising their identities and using those stolen credentials. It’s one reason why understanding the tenets of identity and access management (IAM) is a critical skill for 2024.
“For too long, organizations have been managing identities rather than securing them, and recent data breaches make it clear that gaps in identity security are one of the most frequently exploited initial attack vectors,” Rob Hughes, CISO at RSA, told Dice. “It’s good that the industry has focused so much energy into multi-factor authentication (MFA), but we have to uplevel our Identity efforts and next focus on managing identities across the lifecycle, ensuring that only appropriate access is given, and protecting privileged accounts.”
By focusing on identity, tech pros can better understand an organization’s network and infrastructure, as well as who can access the applications and IoT devices living on those networks, said Pathlock CEO Piyush Pandey.
“For cybersecurity professionals, the top skills required to make this shift include the ability to do predictive access risk analysis across all the application systems in the enterprise and continuously monitor separation of duties risks and business process control conflicts,” Pandey told Dice. “They should have the ability to prioritize remediation efforts based on the quantified financial impacts of risks that have occurred or have the propensity to occur. This means shifting from purely technical configuration skills to having a business process-focused view and utilizing automation to understand how decisions about provisioning and monitoring access impact the risk management and financial outlook of the organization.”
Threat Detection Becomes More Important
As the number of threats that target networks increases (whether from cybercriminals launching ransomware attacks or from nation-state actors), experts noted that understanding threat detection, along with vulnerability management, will be a sought-after skill in 2024.
“From a skills perspective, moving forward, we now must hire or train staff on skills related to data engineering, detection engineering, threat modeling, security research and automation engineering,” Chris Morales, CISO at Netenrich, told Dice.
Craig Jones, vice president of security operations at Ontinue, also placed threat detection within the top three skills needed in 2024, along with cloud security expertise and knowledge of security information and event management (SIEM) technology.
When it comes to threat detection, Jones told Dice that he is looking for tech pros who have “proficiency in identifying, analyzing and mitigating sophisticated cyber threats, including zero-day exploits and advanced persistent threats (APTs).”
By understanding how attackers work and adjust their tactics, techniques and procedures (TTPs), security leaders can harness skilled tech pros to build better teams.
“As the battleground shifts, a resilient defense that addresses the multifaceted challenges of identity-based attacks, generative A.I.-driven threats, and mobile device phishing is essential to secure the digital frontier and create greater focus on breaking the attack chain,” Patrick Joyce, global CISO at security firm Proofpoint, told Dice. “Organizations and security leaders will need to double down on establishing strong teams with multi-faceted talents to continually manage vulnerabilities, perform threat hunting in ever-more complex cloud environments and be able to quickly respond to anomalies and changing attack vectors.”
Soft Skills Matter
As cybersecurity becomes more critical to the day-to-day operations of most organizations, and as regulators increase their oversight over responses to various incidents, tech pros who can communicate effectively will be in increasing demand.
“The most critical skill needed in security in 2024 will continue to be effective communication,” Bugcrowd’s Skelton told Dice.
“Excelling in this area involves two key aspects: firstly, the ability to distill complex technical concepts into easily understandable terms for a non-technical audience; and secondly, the skill to bridge the gap between technical experts and non-technical stakeholders,” he added. “Mastering these communication skills can significantly advance a career in security, as it enables professionals to facilitate better understanding, collaboration and decision-making across diverse groups.”