One thing a cybersecurity manager should know | Guest Cicero Chimbanda

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why InfoSec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, cyberwork listeners, an analysis of the most popular and top-paying industry certifications. You can use it to navigate your way to a good-paying cybersecurity career. So to get your free copy of our Cybersecurity Salary Guide eBook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free Cybersecurity Salary guide ebook. Your cybersecurity journey starts here. Now let's get the show started. So today, on CyberWorks Hacks, my guest is InfoSec skills author, cicero Chimbanda, and he talks about the role of cybersecurity manager in his skills path and on today's episode. So our hack is the one thing that Cicero wishes he knew about the role of cybersecurity manager before he became one. I'll leave it at that and let Cicero tell you his story, because it's a real good one. So I hope you'll keep it here for today's Cyber Work Hack.

Hello and welcome to a new episode of Cyber Work Hacks. The purpose of this spinoff of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution or a new insight into how to utilize InfoSec products and training to achieve your work and your career goals. So for today's hack, I'm very pleased to welcome longtime friend and InfoSec instructor and collaborator, cicero Chimbanda. Now, cicero has been a guest on Cyborg several times.

Hopefully you've seen his past episodes. He specifically talks about the soft skills needed to be an effective cybersecurity manager and he has a skills path all about this. So I'm glad to have Cicero back for a series of hacks for cybersecurity managers and the security managers yet to come. Obviously, people who tune into the show a lot of times are looking for their future career. So, whether you're studying for your CISM certification or you're actively working as a security manager or just trying to accrue experiences that'll make you a great security manager, I hope you'll stick around for some insights. So first off, cicero, thank you for joining me today.

Thank you, chris, always a pleasure.

So, Cicero, one of our most expressed fears that our listeners have told us in spending months or years or maybe decades working and climbing towards a job that they've never done before but which they're sure is going to be their dream job is that they'll get to there and then they'll find out that the position is nothing like what they were expecting, or it has a lot of downsides that they hadn't thought of, and they're like how did I not know this? I spent all this time and all this effort. So, Cesar, my question for you is based on your own experience or the stories you've heard from security managers that you've helped train. What's the main thing about the job of security manager that you or they didn't know was going to be part of the job, but that they wish they had?

Well that's a great question and I certainly wish I had known what I'm about to share. The thing is psychology, one of the things that you'll find. You know, I grew up in the technical side. I was a developer and I did administration, and so I was very technical. But one of the things that I wish I had known and I'm glad I'm learning and always growing is the psychology of cybersecurity and the psychology of managing people knowing people, knowing your audience, knowing what motivates people, and so this is definitely something that one needs to understand.

If you are not a people's person, then you want to become a people's person. I'm not going to say don't go into it, because I think it's all about. It's a learning skill. So even if you're an introvert or somebody who just feels like you don't have a lot of people's insight, that's okay. There are a lot of books out there. So one thing, just real quickly there's five audiences that I would say you want to make sure you focus in this area.

The first one is your board or reporting structure. Who are you going to be reporting to Governance? So in this job, you will or you are going to sit in front of a board. So you need to understand individually what motivates individual people on the board, because they all have different agendas. So when you go and speak you have to understand the psychology of your board. Number two is your team, the different people. Some are motivated by job security, others are money, others are technical, they're just you know. So you need to understand your team, the psychology of your team. Then your internal clients. These are your employees. Social engineering is what the outside world uses to penetrate your company. People are the weakest link. So understanding the psychology of your organization internal client, then you have the customers right with the people who are using your product or services. That's outside your employees. Privacy is big, but also security.

So you need to balance what's the privacy and security line between? So, understanding the psychology, not the technical tools, the psychology. And then, lastly, which is very important in my job and your job, is knowing our adversary. Yes, the enemy, their psychology, what are they doing? What's the new front? We call that in our world TTPs, tactics, techniques and procedures. So, staying above and in tune with the psychology of your adversaries. So that's what I would say.

Yeah, so you're not just, you're not just thinking about the psychology or the mindset of your immediate team. You have five different sort of groups or you know subsets that you have to be sort of thinking in terms of. So you really do have to be kind of a multi-directional psychiatrist or, you know, mental problem solver. So I think that's a really good point. Now I want to talk obviously this is probably pretty universal across job roles of security manager. But you know, I know as we get into sort of these upper level positions, sometimes it's possible to sort of fine tune your job according to your, you know, areas of expertise or whatever. Is there a way, if there's certain parts of this that are really challenging to you? Are there ways to craft your position in a way that would make difficult parts of this job role more tolerable? Are there things you can sort of delegate and move around?

Yeah, you know, I think in terms of you know people will always be your weakest link when it comes to cybersecurity. We know this, and it's not a slight on the human element, it's just that's the nature of the beast. So I think the delegation piece is really one is you can't really delegate this area of the psychology. It's really you learning and it's you really going after understanding. And I love the book Seven Habits of Highly Effective People. I always quote that one of the habits was seek to understand and then to be understood, and so, really, as you approach the relationship of the people, that that you interact with is really try to understand and then and then at the back end, try to be understood. But, like you said, it is universal across all industries. You know, if you're an elf, your world will be much different than, for example, me, who's in the financial aspect or higher education. I work at a university as well, so the elements are completely different and so it's just a matter of really seek to understand and then to be understood.

Beautiful. So one last thing before we wrap up here, cicero what advice do you have to listeners who are keeping their eyes on the prize and working towards becoming a cybersecurity manager?

I would say, you know, attending workshops, conferences for the purpose is not only of learning the content that they're teaching or addressing, which is important, but really to meet people. Go to these conferences to really network. I would say there's three levels of networking when you go to these workshops or conferences, whether you're speaking at them. I know right now I get invited to speak at a few conferences. I try to at least try to do one, if I can. One is mentors. Go there, figure out who are individuals that have been in your industry longer. Maybe they're on the board. I just met some really good relationships. Last week I went at a conference and just you know, mentors. So that's the networking here from them.

What's going on then? Peers what are your peers facing? What are they? You know that I get more out of conferences, talk to my peers a lot of times and listen to speakers. I get more out of conferences talking to my peers a lot of times than listening to speakers. And then, lastly, mentees we got to remember that there are individuals that are trying to come up in your industry. So, taking somebody with you, meeting somebody that's younger, I would highly recommend professionals to partner up with students so that you can bring students, if you you can, to some of these conferences. A lot of conferences now are opening up sessions to students where they don't have to pay, so that's always good. So that's what I would say it's something that you can do.

Get to know your community. That's great. So, as I said at the top of the episode, cicero is a learning path on InfoSec skills. If you become an InfoSec skills subscriber or you try our 30-day free trial, you can check out his skills path on Cybersecurity Manager Soft Skills. So, cicero, tell our listeners what InfoSec Skills users would learn in that path and if you could give us a brief summary of what's in there.

Yeah. So again, the soft skills is one that we follow a model that's STTS Strategic Trust and Security. So it's strategic security, trust, regulatory compliance and then stability. But one thing I would say we also focus on cybersecurity careers. So when you listen to this course, we talk about two levels. There's the depth of cybersecurity, and depth equals your SMEs, which is subject matter expert. So if you want to become a SME in one area and you want to delve in deep in that, we will address what are some skills that you can build around that. But you don't have to be a SME to be a cybersecurity professional. You could be what I call the breath, a connector. This is somebody who may be a jack of trades but not necessarily a master of one thing, and you're able to connect the dots. You're able to connect the dots between other cybersecurity professionals or connect the dots between security and the business. Those are very good elements. You'll learn that.

Yeah, that's all awesome stuff and I've been looking through it myself and I've enjoyed it very much, so we're going to let you go here now, but, cicero Chimbana, thank you so much for providing our listeners with your management and leadership insight. I appreciate it. Thank you, chris, and, as always, thank you to everyone who is watching and listening to this episode. If you enjoyed this video and felt that it helped you, please share it with colleagues, forums or on your social media accounts, and hope you'll like and subscribe to our podcast feed and our YouTube page. Just type in CyberWorks InfoSec into any of those places and we'll pop up like magic.

There's plenty more to come for learners of all levels, including a few more hacks down the road between Cicero and I and cybersecurity managers to come, so if you have any topics that you want us to cover, just drop those in the comments below. They have been very helpful and until then I'm just going to say so. Long for now, and for myself and Cicero, we just want to wish you a happy learning. Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I asked experts working in the field how to get hired and how to do the work of these security roles, so you can choose your study with confidence. I'll see you there.