If you get into difficulty in a swimming pool, who do you want rescuing you? Someone who understands the rules on the sign at the entrance but who cannot swim? Or someone who is prepared to dive in?
Just as in water, if you are drowning in a cyberattack, theory is not your priority.
Companies are realising that they need to hire a new kind of information security leader – people who not only know the rules, but who also understand hacking, the criminal mind, and the value of creativity. Finding and attracting them will not be easy.
Many organisations get into trouble as a result of hacks and data breaches – crisis moments when operations go haywire and reputations hang in the balance. These often occur when risk and confusion are heightened in other ways – such as now, during the Covid-19 pandemic, when attacks have increased as hackers look to take advantage of this global crisis and the resulting surge in remote working.
Although it is invisible to the naked eye and does not produce smoke or fire, the online threat landscape is a battlefield where people exploit fear and fight over real assets through their computers.
Historically, businesses have entrusted security leadership to theoreticians rather than practitioners. The typical chief information security officer, or Ciso, has had a lawyerly quality: fluent in terminology, strong on policy and strict on checklists.
But this stereotype must change. No rulebook or college certificate can repel a hacker armed with the latest weaponised malware or free a system hijacked by a state-backed gang. A Ciso without a grasp of gritty detail is like a lifeguard who cannot swim.
What must the new generation of information security leaders look like?
First, they will need outstanding technical facility, especially in the dark arts of hacking. It is vital that a Ciso knows where attacks come from, how they spread through networks and how to stop them. They should believe that “attack is the best form of defence”. Good Cisos will be those who roll up their sleeves to meet threats head-on rather than sitting in wait.
Second, they will need to understand assailants’ motives. Classifying threats in neat typologies obscures the diversity of the characters behind them. Hackers try to infiltrate systems for all sorts of reasons – from the criminal to the moralistic. Some do it just for fun. Understanding why an attack could be perpetrated often provides clues to defence and resolution.
Third, they will need to be creative. Those who stick to case studies and guidelines will stumble when unfamiliar threats emerge. In some crises, tried-and-tested methods will work. In others, risky improvisation may be the only alternative to catastrophe. Future Cisos will benefit from a maverick streak based on lateral technical thinking.
On top of all this, ideal security leaders will need to function effectively in corporate environments. Communication skills are critical. As digital perils proliferate, high-level executives – or the C-Suite – will require a dynamic map of the changing terrain. The Ciso must provide this, translating complicated jargon into plain language so that bosses can effectively balance risk against cost.
Unfortunately for businesses, candidates fulfilling this description will be tricky to find.
For one thing, elite technical talent is dispersed. The internet has created a cosmopolitan community of hackers, programmers and coders. Controlling for economic development, the concentration of people with exceptional computer skills in a given place is generally proportionate to population size. But sometimes, a company will require unique abilities which are unavailable locally. Tapping into a fluid global marketplace to find exactly the right candidate is a challenge employers must overcome.
Moreover, below the surface, the internet has a confusing culture of anonymity. This anarchic quality is what attracts many people. But it also creates problems for would-be recruiters who, without the help of highly customised tools, can get lost in the murky world they are sifting through.
Perhaps the most important question is why an elite hacker with a non-conformist personality would want to work for a business at all.
On the face of it, our ideal future Ciso might find adjustment to a life of meetings, conference calls and regular hours quite difficult. But it is wrong to think that there is no overlap.
The practice of “ethical hacking”, in which companies actively seek skilled hackers to expose weaknesses in their systems, points to a potential solution.
Manipulating computer code is not inherently bad – and in fact, in many cases, it is useful and beneficial. It is the destructive consequences of hacking that are bad, and these result from unaccountability and malign motives. Most people who excel at hacking are not inherently opposed to working in corporate roles. It is just that many companies need a culture shift to make the most of their unorthodox talents.
The real challenge is therefore for companies to build a professional environment that appeals to the new generation of security leaders in the first place: by incentivising them to do what they do best for the right reasons, and not suffocating them within backward-looking work structures. This will take a new approach.
For companies in all sectors, the cost of installing the wrong kind of information security leader could be high. Those that have fallen victim to cybercrime even while the Covid-19 crisis rages around them have learnt this the hard way. But what are the benefits of doing it right? It could be the difference between sinking and swimming.
Nathan Swain is the chief information security officer at ADS Securities in Abu Dhabi