Upskilling in incident response capabilities and preventative, detective and recovery controls will be a key focus for Irish CISOs to address the evolving threat landscape and the rise in local and global ransomware attacks.
Q. What should be the mix of soft and technical skills that the CISO should have? And, of the soft skills, which is the most important one for the CISO to have in the post-pandemic world?
A. A CISO should be continually plugged into technology developments, embracing technical skills across a range of established environments: IT, OT, IoT and cloud in all forms. This is in addition to emerging technologies such as 5G, AI, ML and automation.
The CISO also needs to be in tune with the next wave of developments, particularly with quantum computing, which will have a seismic impact on technology environments in the not-too-distant future. The Irish CISO should be ahead of the game and understand the risks and impacts from this wave of change.
One of the most important skills for a CISO to have in the post-pandemic world is to establish teams that are open and approachable for the business.
The volatility and risk to the business introduced by new ways of working have meant that the end users could be the security team’s most valuable detective control. Keeping channels open and limiting attribution of blame will help to build trust and empower the users to report issues and maintain security.
Q. How important are people skills for security leaders, especially to build strategic relationships with the C-suite?
A. People skills are essential for a CISO. The days of the restrictive CISO are numbered as organisations have woken up to the fact that they need to be agile and reactive to keep pace with global change in business processes and technology to stay competitive.
Security is fundamental to protect the business. The security function, though, will not exist without the business. It is, therefore, important for the CISO to understand that they are there to serve the business and that building relationships in all directions is critical for them to do their job efficiently.
Q. To translate cybersecurity risks and language into business language, what kind of skills should the CISO acquire?
A. Having predefined criteria for risk quantification, including the definition of financial impact, makes the job of translating cybersecurity risks into business language a lot easier. However, quantifying brand damage and potential future litigation costs can be very difficult.
The skill of quantifying and communicating risk should be combined with an ability to promote the value of security investment to deliver business value. Promoting security as a positive force will be a core skill for the modern CISO.
Q. What kind of skills shortages are there in cybersecurity teams? What steps should Irish CISOs take to build their team’s capabilities and skill sets?
A. The main skills shortages in cybersecurity teams are in the domains of:
These skills are difficult to recruit. Irish CISOs should expose their junior team members to these domains and even loan them out to infrastructure or application teams for them to gain the basic skills to build upon.
From here, training will be key. No business is like your business. So, growing your own team skills should pay dividends if you invest in your people and stay competitive in terms of remuneration aligned to market trends.
Summary
With the move to more user-centric security, cyber leaders in Ireland need to stay plugged into technology developments. Having soft and technical skills in equal measure can help Irish CISOs contain volatility and risk to business introduced by new ways of working.