The key to breaking into a high-paying cybersecurity job, as told by Obama admin cyber leader

Landing a job in cybersecurity can be fruitful—and rewarding. Many cybersecurity professionals bring home six-figure salaries, and leaders in the field can earn million-dollar paychecks. But there are currently hundreds of thousands of cybersecurity positions open in the U.S. 

The massive cybersecurity talent gap is largely a result of a lack of adequately or appropriately trained professionals. But companies must also better define their cybersecurity needs to secure talent, argues Jonathan Reiber, vice president of cybersecurity strategy and policy at AttackIQ. 

“There are a whole range of capabilities required in cybersecurity, from basic analyst skills to higher-level operational skills. I’m actually very confident in the country’s ability to meet those requirements over time,” he tells Fortune. “The challenge is much less to my mind about getting the right people hired—it’s more about what are the right jobs that we actually need.”

Reiber has seen the need for cybersecurity grow and evolve. During the Obama administration, he served as a speech writer and chief strategy officer for cyber policy in the Office of the Secretary of Defense. In those roles, he advised Pentagon senior leadership, other high-ranking defense officials, and President Barack Obama on all matters of national security policy. 

During that time, Reiber wrote the first and second National Cyber Defense Strategies for the United States in 2010 and 2015, working closely with the Defense Department and Intelligence Community. He also had a writing grant at the University of California—Berkeley, where he was a senior fellow at the Center for Long-Term Cybersecurity. 

Fortune sat down with Reiber to learn more about the needs cybersecurity companies have, the talent gap, and the type of education required for cybersecurity professionals today.

The following interview has been edited for brevity and clarity. 

Fortune: Tell me about the differences in cybersecurity concerns then vs now.

Reiber: The threats haven’t changed, the threat actors haven’t changed. What’s changed is the really transformative understanding of our national vulnerability in cyberspace brought about principally first by Russia’s interference in the U.S. election in 2016. That was a watershed moment for the public and the technology sector. And for the government to say, adversaries are looking for the weak underbellies—not just in our internet infrastructure—which we’d known prior to that, but that they were looking for underbellies in our society and ways to manipulate society and sow doubt and fear. And the interesting thing about what happened in 2016 was the social media companies provided this very weak underbelly because people would share unverified information. So disinformation became the hammer, but the scalpel was, in fact, still hacking. 

Since leaving government, I’ve focused on building technological capabilities and processes for organizations all over the world to improve their cybersecurity posture. At AttackIQ we do what’s called breach and attack simulation for automated security control validation. In cybersecurity we don’t focus on the adversary enough. We focus too much on things like compliance or regulatory standards that we’re trying to meet. That’s a rearranging of the deck chairs in a large way. Doesn’t actually prove to you that you’re ready. So there’s a process called penetration testing, which is kind of a strange phrase, but you’ll hire an outside firm to try and break into your defenses once or twice a year, at most.

And that’s not sufficient because if it only does it once or twice a year—people change, technologies change, things break down—you actually need to test once a week and some controls need to be tested every hour in some cases once a month. 

What is the importance of public-private partnerships in cybersecurity?

Often the government and the private sector have shared information about vulnerabilities that have been discovered. This is sort of a slower level process that existed before the real ramp in attacks, before the ramp in ransomware, before the Russian interference in the election, before there was more of a dawning awareness that cyberspace was a domain of military operations.

As the threat has gotten more serious, the government and the private sector have had to work together by combining the capabilities of the large platforms to remove actors from them, with the government’s abilities to do things like not just cyberspace op but also sanctions. 

A good case in point is when Russia invaded Ukraine, the first public-private actions that were taken were technology companies removed their services from Russia. The evolving nature of cyber of public-private partnership in cybersecurity can basically be said to deepen cooperation between companies and the government to share information, develop standards and best practices, design strategies, and then ultimately work together on combined voluntary operations to prevent hostile actors from conducting attacks in cyberspace.

What is your take on the cybersecurity talent gap? What are the most in-demand cybersecurity skills from your vantage?

The talent gap is something that I think a lot of folks when they first start working on cybersecurity like to think about and write about. There are roles that need to be filled, but we are going to be able to meet them. One of the things I’ve noticed is if you have cybersecurity capabilities, you will find a job. 

There are a whole range of capabilities required in cybersecurity, from basic analyst skills to higher-level operational skills. I’m actually very confident in the country’s ability to meet those requirements over time. The challenge is much less to my mind about getting the right people hired—it’s more about what are the right jobs that we actually need. 

If you think about risk, the most important thing to think about in cybersecurity is: What is my most valuable data? Have I protected that most valuable data? And am I prepared in the event that something goes wrong? Companies haven’t taken that approach to cybersecurity, and I think once they do, the question around the talent gap will begin to go away because we’ll be realigning the resources that we do have to focus on the most important problems. And that will lead to a reduction in risk.

How can companies evaluate the cybersecurity needs they have?

You should start by questioning what your most important mission is. If I’m a law firm, my most important mission is to be able to protect my client’s data. If I’m a retailer, my most important mission is to be able to protect my client’s credit card information. It’s often around protecting the data of the people that matter most. If you’re a logistics organization, it will be protecting the proprietary nature of the data around the logistics that I have. So you can then say, where is that information being stored? How is it being transmitted and what are the security controls that I have around it?

You have to make sure that that data has the appropriate levels of security around it. Ultimately, you need to make sure that that security works. 

What type of education should people entering the industry have?

I actually think the most important thing for people entering the cybersecurity workforce is to have a business education. If you want to rise up in cybersecurity, you’re not gonna do it in the way that you want if you just have a technical education. It’s far more important to understand the needs of the business. 

Getting an MBA is actually a very good strategy for becoming a leader in cybersecurity. If you want to become a chief information security officer, you need to understand what the interests of divisions within your company are. If I work for a meat packaging company, I want to know about logistics. I want to know about plastic. I want to know about delivery. And those things are the components that drive the information technology needs of the business.

If you understand that, then you can begin to empathize with the people in the business so that when you’re providing services—which is what you’re doing as a security professional—you’re doing so within the construct of success of the overall organization and the shareholders and everybody involved.

Too often, I think people in cybersecurity will fetishize the technology and not focus enough on the human skills required for success within an organization. The actual hard work of being in an organization is much more of the soft skills, I think. I would urge people who are learning in cybersecurity not to leave out that aspect of the work if they try and gain a full perspective on how to lead and be effective.

What about cybersecurity continuing education?

Our academy is free and you can enroll right now in specific areas of breach and attack, simulation, threat and form defense, other capabilities like that. There’s a lot of good pre-education out there. I really think getting out of just the cyber universe is incredibly important and having good writing skills. Ultimately I do think getting a master’s degree in something that’s not just about technology will be helpful.

What are important soft skills to have for cybersecurity?

The ability to empathize with people and to understand how to build teams. Oftentimes if you’re trying to affect change with a new technology or a new process or build a new team in a company—and that’s a lot of what cybersecurity involves—you need to be able to build alliances and you need to be able to lead. If you’re just focused on being an operator, which is fine, you want to be an operator like an analyst, SOC [security operations center] operator, then you want to learn how to lead other SOC operators and other analysts. That requires leadership skills.

If you want to be a leadership leader of the business, however, you need to expand your mentality far beyond security operations and include strategy and resources and budget and management and public affairs and all those different things. And that’s being a business leader. It depends on what somebody wants to do with themselves and their ambitions. I think no matter what, an ability to build alliances, an ability to build teams to empathize with people is all really important.

What advice do you have for anyone entering the industry?

You need to think about the field that you’re entering into less like an IT job and more like a national security job. And that can be very appealing, actually. It’s a blending of civilian life and technology and international politics because the government that has a role to play in cybersecurity companies, have a role to play regulators at the state level.

In order to succeed, teams have to achieve what I say is combat readiness. They have to be ready to defend themselves right now against the adversary and to achieve that kind of readiness requires thinking about the adversary, focusing on the adversary and preparing for the threats that are going to come.

See how the schools you’re considering fared in Fortune’s rankings of the best master’s degree programs in data science (in-person and online), nursing, computer science, cybersecurity, psychology, public health, and business analytics, as well as the doctorate in education programs MBA programs (part-time, executive, full-time, and online).