6 minute read 23 Sep 2021
How Irish CISOs can upskill to manage cyber storms and their aftermath

By Ross Spelman

EY Ireland Cybersecurity Director and Lead

Cybersecurity all-rounder. Industry speaker and lecturer. Technology enthusiast and frequent harbinger of cyber threat intelligence and trends.

CISOs need to embrace continual change as cyber threats continue to grow. To better manage risk, Irish cyber leaders must acquire some new skills and develop others.

In brief
  • Irish CISOs must understand the risks and impacts of the next wave of technology changes to stay ahead of the game.
  • People skills are essential for cyber leaders to address the evolving threat landscape, particularly in the local Irish context.
  • New security initiatives should consider automation of security controls and reporting from the outset.

The outbreak of the pandemic and the alarming rise in the number of sophisticated cyberattacks have brought Chief Information Security Officers (CISOs) to the crossroads of disruption and transformation. The accelerated adoption of new technology has heightened business risk and widened the attack surface. The EY Ireland Global Information Security Survey (GISS) 2021 finds that Irish CISOs’ business partnering ambitions have been undermined far more than those of their global peers.

To manage cyber risk better and to plan for business continuity amid disruption, the CISO needs to acquire new skills and develop others. One of the most important skills for a CISO to have in the post-pandemic world is the ability to establish security teams that are open and approachable for the business. Ross Spelman, EY Ireland Cybersecurity Director and Lead, draws attention to how important people skills are for CISOs and what they can do to move security up the value chain.

Q. From the experience with your clients, how have you seen the role of the CISO change from about five years ago?

A. Reporting lines and the structure for security have changed significantly in the past five years, as many organisations are waking up to the reality that cybersecurity is an organisational issue, not just a technology problem. We now see Chief Information Security Officers (CISOs) reporting outside of the Chief Information Officer/Chief Technology Officer (CIO/CTO) line and, in more mature organisations, directly to the CEO.

Q. What are the top four new skills Irish CISOs need to acquire as they prepare for a more strategic role in the organisation?

A. The focus of a modern CISO should be on establishing new and open communication channels and methods to support business enablement. Security by Design needs to be an enduring principle for all organisations, where trust and transparency will be key.

Setting the agenda for the quantification of security risk in financial terms should be a goal of the CISO. This should be directly linked to security investment and measured and reported on a regular basis. Understanding and communicating the value of security investment for the business will significantly help to drive continual improvement and senior executive buy-in.

Embracing continual change will be critical for CISOs. The ability to enable the business to evaluate exciting technology innovations in an agile and secure manner could prove decisive for establishing trust. This will be critical from a cultural perspective to change any perception of security as a blocker to that of an enabler for the business. This will move security up the value chain.

Automation of security controls and reporting should be central to the objective of any new security initiative that a CISO drives. The days of the perimeter are long gone, and this has been reinforced by the pandemic-imposed “new ways of working.” The result is a shift from technology- and data-centric security to more user-centric security. This will require more sophisticated detective and preventative controls, which have begun to emerge through the next wave of security solutions leveraging automation, Artificial Intelligence (AI) and Machine Learning (ML) techniques.

Q. With the evolving threat landscape and rise in ransomware attacks, what are the new upskilling areas for the Irish CISO?

A. Incident response can be confusing for many organisations. Many organisations struggle to strike a balance between roles and responsibilities and the overlap between business continuity plan (BCP) and disaster recovery plan (DRP), crisis management, resilience capabilities and even data breach response requirements.

Upskilling in incident response capabilities and preventative, detective and recovery controls will be a key focus for Irish CISOs to address the evolving threat landscape and the rise in local and global ransomware attacks.

CISOs should have a clear mandate and demarcation of their remit in responding to cyber incidents such as ransomware attacks. Having predefined criteria for making decisions is key. Continually testing incident response capabilities is also critical to identifying weaknesses in people, processes and technology capabilities.

Q. What should be the mix of soft and technical skills that the CISO should have? And, of the soft skills, which is the most important one for the CISO to have in the post-pandemic world?

A. A CISO should be continually plugged into technology developments, embracing technical skills across a range of established environments (IT, OT, IoT and cloud in all forms), in addition to emerging technologies such as 5G, AI, ML and automation.

The CISO also needs to be in tune with the next wave of developments, particularly quantum computing, which will have a seismic impact on technology environments in the not-too-distant future. The Irish CISO should be ahead of the game and understand the risks and impacts of this wave of change.

One of the most important skills for a CISO to have in the post-pandemic world is to establish teams that are open and approachable for the business.

The volatility and risk to the business introduced by new ways of working have meant that end users could be the security team’s most valuable detective control. Keeping channels open and limiting the attribution of blame will help to build trust and empower users to report issues and maintain security.

Q. How important are people skills for security leaders, especially to build strategic relationships with the C-suite?

A. People skills are essential for a CISO. The days of the restrictive CISO are numbered as organisations have woken up to the fact that they need to be agile and reactive to keep pace with global change in business processes and technology to stay competitive.

Security is fundamental to protecting the business. The security function, though, will not exist without the business. It is, therefore, important for the CISO to understand that they are there to serve the business, and that building relationships in all directions is critical for them to do their job effectively.

Q. To translate cybersecurity risks and language into business language what kind of skills should the CISO acquire?

A. Having predefined criteria for risk quantification, including the definition of financial impact, makes the job of translating cybersecurity risks into business language a lot easier. However, quantifying brand damage and potential future litigation costs can be very difficult.

The skill of quantifying and communicating risk should be combined with an ability to promote the value of security investment to deliver business value. Promoting security as a positive force will be a core skill for the modern CISO.

Q. What kind of skills shortages are there in cybersecurity teams? What steps should Irish CISOs take to build their team’s capabilities and skill sets?

A. The main skills shortages in cybersecurity teams are in the domains of:

These skills are difficult to recruit. Irish CISOs should expose their junior team members to these domains, and even loan them out to infrastructure or application teams so that they gain the basic skills to build upon.

From here, training will be key. No business is like your business, so growing your own team’s skills should pay dividends if you invest in your people and stay competitive in terms of remuneration aligned to market trends.

Summary

With the move to more user-centric security, cyber leaders in Ireland need to stay plugged into technology developments. Having soft and technical skills in equal measure can help Irish CISOs contain the volatility and risk to the business introduced by new ways of working.
