Category Archives: Cyber security

Do we get enough “soft skills” training in our (cybersecurity) curricula?

Why are empathy, negotiation and communication skills considered “soft skills” when they are among the first skills sought after by hiring managers in security [1]? When we use the term “soft skills”, isn’t it a way of looking down on these skills, as if they were irrelevant?

But, let me start with 3 short stories…

Years ago, when I was still doing my internship as a clinical psychologist, I met a brilliant young boy in one of my first counseling sessions. This young lad refused to comply with his doctor’s orders, mainly because the doctor wasn’t nice. Digging a bit into that story, it appeared that the doctor had just given his diagnosis and the prescription without any further explanation, and had even been a bit rude. By chance, at least in this case, this smart boy wasn’t always a good communicator himself, and he recognized that, as for himself, not being empathetic doesn’t mean the diagnosis and the prescribed treatment were wrong. So he finally accepted the best option for him and decided to take his pills.

A few years later, I was planning to build an extension to my house. I hired an architect, to whom I explained what I was expecting (additional space for my office). The guy came back with a nice plan for an extension and a complete remodeling of my ground floor, as he felt my living room was not in the right place. When I said that was not my priority, he insisted, and I finally decided to end the contract because I didn’t feel I was being heard.

The 3rd story is closer to home for security professionals, as it happened to a brilliant young security professional working for a large company. After a couple of years working there, building an impressive set of skills, he asked to be more involved in the decision process, to be empowered, to get new challenges and some recognition. His management came back with a certification plan (he already had a few of the classic ones) and a career path. What he was expecting was an opportunity to make a difference, to have his advice considered and to be involved in the new strategic projects. As you may have guessed, he was disappointed and resigned soon after.

Being a medical doctor requires a lot of technical knowledge and skills in order to make an accurate diagnosis. But it also requires empathy and communication skills (often looked down on as “soft skills”) to ensure your patients will comply with the treatment and get better (that’s the end goal, isn’t it?).

Being an architect also requires a lot of creativity and technical skills. But what’s the point of drawing the plan of a house that doesn’t suit its owner?
Even more, why do companies promote technical experts to managers if they are not skilled at managing people?
But, even before that, why is “soft skills” training considered so futile by students and academic curriculum designers when it is so important for success in most professions?

Don’t get me wrong: medical schools and architecture schools offer communication and other “soft skills” classes, but I never hear of anybody failing because of these courses. Meanwhile, I have witnessed many projects fail due to miscommunication issues, and a lot of companies struggle to attract and retain their workforce due to average or even bad people management. That is a big risk for companies nowadays. So, when will this change? Will companies have to put all their new hires through specific training to improve their “human” skills? It seems very expensive and very long (yes, it takes time to develop people skills, at least for most people), doesn’t it? What do you think?

[1] See (ISC)² cybersecurity workforce study 2018 at

Your security maturity is low? Are you using your people the best way you can?

One famous saying attributed to Steve Jobs is: “it doesn’t make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.”

It makes sense, and security is no exception. How often do I see companies struggling to improve their level of security by hiring external consultants while they have very talented and smart people capable of solving most of the issues… if you let them do it.

It might seem exaggerated, but it is not so far from reality. Your people may not have all the answers, but they likely have solutions to the vast majority of your issues.

During a lot of audits (or due diligence or gap assessments), I interviewed managers and employees in order to get an idea of what works and what doesn’t in a company. Obviously, we check the incidents, the KPIs, the financial losses and all the possible indicators, but it is the discussion with the people performing the jobs that gives you the best insights. Rapidly, we can get a sense of where there is a bottleneck, a gap or an issue to fix. That’s normal; it is what we expect from external consultants. But what is often more surprising is that the same people are aware of the issues and, most of the time, have lots of ideas to fix them. It makes sense, as they are sometimes the people suffering the most from these issues.

So, why are the issues still present? There are a lot of possibilities. One of the most common is the belief that the boss is always right (you know, rule #1). Hence, he likely knows how to fix the problem, so there is no reason to bother him with our stupid solutions. It creates blind spots. That’s probably why the space shuttle Columbia ended up in ashes (see

Another possible reason is the difficulty for people at the lower levels of the pyramid to speak the highest level’s lingo. Senior executives rarely want to get their hands dirty or to get involved in technical details or business process considerations. A few years ago I saw a CIO meet all the people in his IT department (hundreds of people). Each meeting with a team gave him multiple hints on what was blocking or impacting the efficiency of his teams. And when you do that, it’s easier to get the big picture and take the right decisions.

Another issue is the belief that top management expects only green lights and positive outcomes. “Failure is not an option” is a culture that typically leads to failure. Also, sometimes teams have opposing objectives; hence, they don’t work together to solve common issues but rather fight each other or continuously pass the hot potato. Not a good way to solve issues either.

Good and efficient security management, like any other corporate governance, requires an appropriate culture, fostering trust, empowerment, responsibility and so on. But these are more than words; they must be applied to be effective. Bringing in external consultants to fix internal issues is not always the best solution to improve your culture: it just sends the message that you don’t trust your team to have the skills to do it.

You might want to try to express your expectations and discuss with everybody (or designate someone to do it) to figure out the best way to improve the situation. And if they need resources (which is likely the case), then maybe hire (external) people to reduce their current workload so they can start working on the changes.


Last tip: check your workforce’s skills… there are sometimes people in your company who are doing work for which they are over-qualified and who could do jobs that would really provide you more added value. Don’t look too far for your glasses; they might be on your nose.

Think about it.


With the US judge ruling against Google, will GDPR force European companies to leave the cloud?

You may have heard that US federal Judge Thomas Rueter has ruled against Google in its refusal to hand over the personal emails of one of its customers to the FBI, a refusal based on the fact that the data were stored in a European data center.

Whereas in 2016, in a case against Microsoft, a federal judge ruled that US investigators could not force the company to hand over emails stored on a server in Europe (Dublin, in that specific case).

Of course, there is much more at stake here than just access to one customer’s email: there are billions of dollars at stake. Most companies and individuals in Europe are moving their data to the cloud. The biggest cloud service suppliers in the world are American-based companies (Amazon, IBM, Google and Microsoft together represent around 50% of the market), and a large number of European companies are outsourcing their services to these vendors. However, the GDPR (the European General Data Protection Regulation; see also Wikipedia for an overview) requires strong protection of our personal data (including our emails). As the US and the EU aren’t totally aligned on this matter, most European companies require their cloud providers to store and process their data in European data centers in order to guarantee that the European regulation will be enforced.

And now this new ruling might jeopardize all that (or at least be the start of it). If the sole fact of having an American-based company as a supplier allows the US to bypass the GDPR, would European companies still be allowed to use them to store personal data? Would we see European companies and individuals leaving Gmail, Google Apps, AWS, Outlook and other related US-based services for European-based and European-owned companies? It would be a big mess… and maybe a huge opportunity for some European challengers.