Tim Orchard at F-Secure explains why a narrow focus on technology skills is letting down the cyber security profession.
The practice of cyber security puts a great deal of emphasis on raw intelligence and logical skills. To recognise and counter security threats, practitioners must have a deep knowledge of IT infrastructure and attacker behaviour, as well as keen attention to detail and strong problem-solving abilities.
This narrow focus on the technical makes it easy to overlook the vital role emotional intelligence (EQ) plays in any cyber security professional's career and work. There are two sides to this. First, as users, we humans are very prone to simple errors and to manipulation by attackers; there is an awful lot of reading out there on social engineering. The second, arguably more important, use for EQ is in successfully dealing with users, decision makers and external stakeholders, and persuading them of the correct courses of action.
With so much of cyber security being centred on deeply technical issues, it’s easy to overlook this human element. The need to engage, persuade and convince is most evident in the CISO role, which so often acts as a bridge between highly technical security specialists and the rest of the business.
Recent research from F-Secure Countercept has found that the majority of CISOs recognise the importance of EQ and soft skills. Further, most are also aware that these capabilities have become increasingly necessary as cyber security plays an even larger role in business operations.
The growing importance of emotional intelligence
The role and responsibilities of the CISO have undergone continual evolution in recent years as both the security and wider business landscapes shift. External factors such as the massive shift in working practices required by the pandemic, the increased emphasis on data privacy, and the growing volume of cyber threats have all led to security playing a more prominent role. Cyber is no longer seen as a mere subset of IT. To better understand the demands of this evolving role, we asked CISOs from around the world about their experiences and expectations.
The growing importance of emotional intelligence was one of the key themes to emerge. Two thirds of respondents said they had a clear understanding of the need for EQ skills to facilitate communicating, empathising, and negotiating with others.
The biggest priority is effective communication with boardroom executives, some of whom have little or no security knowledge. CISOs can still be viewed as stereotypical techies, at odds with the norm in the boardroom. To overcome this, they must be able to translate complex technical issues into clear and concise business terms. As well as language choices, they must also be able to relate to senior decision makers who may have a very different set of business values and objectives.
EQ skills are also extremely important in any leadership position. CISOs must be able to engage with and motivate their security teams on a daily basis, while keeping up on a technical level. CISOs also play an important role in relating security strategy to the wider business, serving as a spokesperson for policies that affect user behaviour and business processes.
Our research also found that CISOs are spending more time with external communities. Two thirds of respondents said they spent significant amounts of time taking part in activities such as CISO roundtables. Involvement in the wider security community can help CISOs improve their knowledge and awareness of new threats and security strategies.
From regulation to the pandemic, responsibility is increasing
Expectations around the role of the CISO have shifted due to several major external factors. In particular, the wave of data privacy regulation sweeping the world in the wake of the European Union’s General Data Protection Regulation (GDPR) has had a major influence. Over half of respondents said they had seen a clear increase in their role’s responsibilities around regulation and privacy. While most larger organisations will have a data protection officer (DPO) for specific regulatory issues, the CISO has a key responsibility in applying security processes to keep sensitive data protected. It is essential that security strategies align with the wider enterprise risk management (ERM) framework being used across the organisation.
The events of 2020 have also resulted in an increased emphasis on business continuity planning (BCP), with CISOs responsible for developing and applying policies to safeguard the business. Most CISOs we spoke to have also put more focus on business impact analysis (BIA) to identify key business dependencies on technology and to appraise the security controls those dependencies require.
Stress is up, but so is job security
The increase in cyber threats, and particularly the disruption of 2020, have taken their toll on the wellbeing of security personnel. Most CISOs indicated they had seen increased signs of stress and burnout, although they were generally able to manage the impact. However, responses also indicated that human resources and occupational health teams should be undertaking a higher level of engagement with CISOs and their teams – although this is largely true across the wider organisation.
Despite the increased pressures and responsibilities of their role, nearly two thirds of CISOs stated they felt increased job security over the last year, while just over a third indicated they were considering either moving from their current position or leaving the security industry entirely.
While the task of securing an organisation in an increasingly hostile threat landscape is often an unenviable one, the overall attitude among CISOs appears to be positive about their role. The increased focus on EQ skills such as communication reflects the fact that CISOs are no longer seen as distant technical specialists, but as an integral part of the business, essential to keeping operations running smoothly and facilitating growth.
Where does this leave us as security professionals? For many CISOs and their teams, it would appear their jobs are now, on the whole, pretty safe – disasters aside. Cyber security specialists have become invaluable to many organisations over the last year, and if perhaps the importance of good cyber security was overlooked before, then it’s less likely to be the case now. Yet all of this recognition brings with it stressed teams, extra scrutiny and requests from one’s board and a full dance card for the year ahead.
Tim Orchard is the Managing Director of F-Secure's Countercept solution, and has over 20 years of experience in the technology and security industry. Tim specialises in Managed Detection and Response services, threat analytics, and technically focused cyber security consulting.
Main image courtesy of istockphoto.com