What is the most critical piece of information tech leaders need to understand about enhancing cyberskills within their teams to fortify defences against evolving cyberthreats? We asked three industry experts for their views.
Pierre Samson, CRO, Hackuity
CIOs now play an increasingly important role in driving strategic change within their organisations. They’re instrumental in shaping the direction of the company, not only through Digital Transformation projects but also through advanced analytics and intelligence tools. These are transforming the way that we work, particularly in the era of AI, when organisations are navigating how best to leverage a new wave of tools, with the right privacy protections and security guardrails in place.
At the same time, as the cyberthreat landscape brings new challenges, they are responsible for ensuring that the skill sets and technology their organisation has in place are a match for ever more advanced and well-resourced adversaries. As their remit evolves, their focus must be on ensuring that their teams are providing the engine room for change and innovation – and nearly everything in the business relies on cybersecurity.
Long gone are the days when cybersecurity was viewed as a cost centre and the team’s primary function was to ‘keep the lights running’ and the bad guys out. Now, cybersecurity is more closely aligned with the business goals of the organisation. This is becoming one of the most critical areas that CIOs are spearheading.
It’s no longer just a technology function; cybersecurity requires a level of business acumen, and teams need to understand how to shape the performance of the business, with an eye to the future. The skill sets needed from their teams are core to enabling them to deliver on this, especially at a time when cybersecurity underpins many of the critical functions of the business. CIOs need to ensure that their teams are communicating the value that cybersecurity brings, in terms and a language that resonates with other business leaders.
They should be comfortable in how to present the value of cybersecurity beyond ‘security metrics’ – it needs to be demonstrated in real business terms particularly when budgets are under more scrutiny and demanding more justification.
Threats are changing faster than our defences – there are growing challenges in maintaining security given the ever-expanding attack surface. Meanwhile, many businesses are now incorporating AI into their processes. The skillsets of teams need to be constantly aligned with these to keep pace.
According to a report earlier this year, 42% of enterprise-scale organisations are actively using AI in their businesses, and a separate report cites that AI skills are currently the most in-demand skill for most enterprises.
While we can expect the security risks to increase as a result, innovations in AI will also help to offset the skills gap by automating and simplifying routine, manual tasks.
AI could prove to be an ally in helping organisations to streamline essential business processes as the skills crisis continues to strain teams’ resources.
Gareth Pritchard, Chief Technology Officer at Sapphire
The question of how to make cybersecurity accessible and unobtrusive to the entire team – from intern to boardroom – is something that could occupy a CIO’s thoughts for days. No-one wants cybersecurity to be seen as another problem or ‘thing’ they need to think about on top of their already busy day jobs.
To embed cybersecurity within the business, and therefore make cyberskills development and assessment easier to manage, CIOs need to look at their organisation’s cultural identity and align their cyber communications and strategies accordingly.
But what do we mean by cultural identity? For every organisation, they will have a set of values and approaches that reflect and embody how the business wants to be viewed, both internally and externally. This binds everyone together, so everybody knows what is expected of them. By thinking about cybersecurity in the same way, and using the language, tone, style and values held by the organisation as the core for which to build communications around, the CIO will be able to enhance cyberskills across the business, not just in more traditional ‘technical’ areas.
A great example is the British Library. At the end of 2023, they were victim to a large-scale ransomware attack that compromised the majority of its online systems. Many organisations prefer not to share much information on an attack, only revealing what they must to the relevant authorities. Yet, from the outset the British Library have been transparent and open about the attack, what happened, and most significantly the learnings they have taken from the incident.
Now think about this in terms of what the British Library stands for. Its culture, and the purpose of the library, is all about sharing, maintaining and protecting access to knowledge for all. So, it makes perfect sense that in this scenario they would still embrace the need for sharing knowledge as it is second nature to them as part of their culture.
This is the position that CIOs should seek to reach – having all employees and departments fully embracing cybersecurity in a way that is in lockstep with their organisation’s corporate identity. Only then will we see employees engage with the continued development of skills to defend the organisation against cyberthreats. After all, each department will have a different level of maturity when it comes to cybersecurity. However, each department plays an important role, as security extends beyond just the IT team.
It is from this springboard that the CIO can then introduce some of the more well-known methods for enhancing cyberskills, such as gamification, identifying ‘security champions’, launching cross-functional projects, focus periods and sharing good practice. In my opinion, one of the most important tools that can be deployed is active ‘fire drills’ and post-event debriefs, so there is a continuous cycle of learning throughout the business. But none of this can be done if it doesn’t resonate with all employees and is a part of the culture and identity of the business.
Christine Bejerasco, CISO at WithSecure
When trying to enhance the cyberskills of their teams, it’s critical that CIOs do not underestimate the importance of flexibility and adaptability. Cybersecurity is an ever-changing landscape – technologies and threats are constantly evolving – and therefore how IT teams manage cyber-risk also needs to adapt. IT teams should be flexible to new tools, as well as constantly looking to improve their knowledge and understanding of cybersecurity.
Defence works best when you know who you are up against. While there is value in best practices such as the latest body of knowledge on how to secure certain assets, those quickly change when threat actors change their techniques. Therefore, CIOs should encourage their teams to understand threat actors, their motivations and their practices. This enables IT teams to prioritise the defences they need to deploy. Threat modelling exercises that are informed by the latest techniques, tactics and procedures can be a valuable exercise to continuously test an organisation’s cybersecurity muscles.
It is important to note that the physical and digital realms have converged. Therefore, threats can’t necessarily be bucketed into purely physical or purely digital. IT professionals will need to understand when threats change realms, what the implications of those are, and how to defend against them, regardless of whether they are physical or digital.
Every technology or service organisations add to their estate increases the size of their attack surface. Therefore, CIOs need to ensure that the third parties they are working with share the same risk tolerance. Personnel who are evaluating these technologies will need to have an awareness of who the third parties are, in order not to significantly reduce an organisation’s security posture. This means teams must be able to assess the risks associated with new technologies and services and ensure they are working with third parties that share their risk tolerance.
It is also important to understand that being compliant does not necessarily mean being secure, and vice versa. This necessitates information sharing on regulatory, contractual, and certification compliance requirements beyond the context of cybersecurity. There may be an overlap in the requirements, but compliance details could be missed, and issues may arise even when the organisation’s security is good. This means teams must be able to understand the difference between compliance and security, and ensure they are meeting both requirements. Overall, CIOs should prioritise flexibility and adaptability to enhance cyberskills. Teams need to be able to change their knowledge and tools as the landscape changes, understand the motivations and practices of threat actors, adapt to new threats, assess the risks associated with new technologies and services, and understand the difference between compliance and security. By doing so, organisations can strengthen their defences against the rapid development of cyberthreats and ensure that they are prepared for whatever challenges may come their way.