If you get into difficulty in a swimming pool, who do you want rescuing you? Someone who understands the rules on the sign at the entrance but who cannot swim? Or someone who is prepared to dive in?
Just as in water, if you are drowning in a cyberattack, theory is not your priority.
Companies are realising that they need to hire a new kind of information security leader – people who not only know the rules, but who also understand hacking, the criminal mind, and the value of creativity. Finding and attracting them will not be easy.
Many organisations get into trouble as a result of hacks and data breaches – crisis moments when operations go haywire and reputations hang in the balance. These often occur when risk and confusion are heightened in other ways – such as now, during the Covid-19 pandemic, when attacks have increased as hackers look to take advantage of this global crisis and the resulting surge in remote working.
Although it is invisible to the naked eye and does not produce smoke or fire, the online threat landscape is a battlefield where people exploit fear and fight over real assets through their computers.
Historically, businesses have entrusted security leadership to theoreticians rather than practitioners. Getty Images
Historically, businesses have entrusted security leadership to theoreticians rather than practitioners. The typical chief information security officer, or Ciso, has had a lawyerly quality: fluent in terminology, strong on policy and strict on checklists.
But this stereotype must change. No rulebook or college certificate can repel a hacker armed with the latest weaponised malware or free a system hijacked by a state-backed gang. A Ciso without a grasp of gritty detail is like a lifeguard who cannot swim.
What must the new generation information security leaders look like?
First, they will need outstanding technical facility – especially, in the dark arts of hacking. It is vital that a Ciso knows where attacks come from, how they spread through networks and how to stop them. They should believe that “attack is the best form of defence”. Good Cisos will be those who roll up their sleeves to meet threats head-on rather than sitting in wait.
Second, they will need to understand assailants’ motives. Classifying threats in neat typologies obscures the diversity of the characters behind them. Hackers try to infiltrate systems for all sorts of reasons – from the criminal to the moralistic. Some do it just for fun. Understanding why an attack could be perpetrated often provides clues to defence and resolution.
Third, they will need to be creative. Those who stick to case studies and guidelines will stumble when unfamiliar threats emerge. In some crises, tried-and-tested methods will work. In others, risky improvisation may be the only alternative to catastrophe. Future Cisos will benefit from a maverick streak based on lateral technical thinking.
On top of all this, ideal security leaders will need to function effectively in corporate environments. Communication skills are critical. As digital perils proliferate, high-level executives – or the C-Suite – will require a dynamic map of the changing terrain. The Ciso must provide this, translating complicated jargon into plain language so that bosses can effectively balance risk against cost.
Job interview with candidate in modern office
Unfortunately for businesses, candidates fulfilling this description will be tricky to find.
For one thing, elite technical talent is dispersed. The internet has created a cosmopolitan community of hackers, programmers and coders. Controlling for economic development, the concentration of people with exceptional computer skills in a given place is generally proportionate to population size. But sometimes, a company will require unique abilities which are unavailable locally. Tapping into a fluid global marketplace to find exactly the right candidate is a challenge employers must overcome.
Moreover, below the surface, the internet has a confusing culture of anonymity. This anarchic quality is what attracts many people. But it also creates problems for would-be recruiters who, without the help of highly customised tools, can get lost in the murky world they are sifting through.
Perhaps the most important question is why an elite hacker with a non-conformist personality would want to work for a business at all.
On the face of it, our ideal future Ciso might find adjustment to a life of meetings, conference calls and regular hours quite difficult. But it is wrong to think that there is no overlap.
The practice of “ethical hacking”, in which companies actively seek skilled hackers to expose weaknesses in their systems, points to a potential solution.
Most people who excel at hacking are not inherently opposed to working in corporate roles. It is just that many companies need a culture shift to make the most of their unorthodox talents
Manipulating computer code is not inherently bad – and in fact, in many cases, it is useful and beneficial. It is the destructive consequences of hacking that are bad, and these result from unaccountability and malign motives. Most people who excel at hacking are not inherently opposed to working in corporate roles. It is just that many companies need a culture shift to make the most of their unorthodox talents.
The real challenge is therefore for companies to build a professional environment that appeals to the new generation of security leaders in the first place: by incentivising them to do what they do best for the right reasons, and not suffocating them within backward-looking work structures. This will take a new approach.
For companies in all sectors, the cost of installing the wrong kind of information security leader could be high. Those that have fallen victim to cybercrime even while the Covid-19 crisis rages around them have learnt this the hard way. But what are the benefits of doing it right? It could be the difference between sinking and swimming.
Nathan Swain is the chief information security officer at ADS Securities in Abu Dhabi
Milestones on the road to union
1970
October 26: Bahrain withdraws from a proposal to create a federation of nine with the seven Trucial States and Qatar.
December: Ahmed Al Suwaidi visits New York to discuss potential UN membership.
1971
March 1: Alex Douglas Hume, Conservative foreign secretary confirms that Britain will leave the Gulf and “strongly supports” the creation of a Union of Arab Emirates.
July 12: Historic meeting at which Sheikh Zayed and Sheikh Rashid make a binding agreement to create what will become the UAE.
July 18: It is announced that the UAE will be formed from six emirates, with a proposed constitution signed. RAK is not yet part of the agreement.
August 6: The fifth anniversary of Sheikh Zayed becoming Ruler of Abu Dhabi, with official celebrations deferred until later in the year.
August 15: Bahrain becomes independent.
September 3: Qatar becomes independent.
November 23-25: Meeting with Sheikh Zayed and Sheikh Rashid and senior British officials to fix December 2 as date of creation of the UAE.
November 29: At 5.30pm Iranian forces seize the Greater and Lesser Tunbs by force.
November 30: Despite a power sharing agreement, Tehran takes full control of Abu Musa.
November 31: UK officials visit all six participating Emirates to formally end the Trucial States treaties
December 2: 11am, Dubai. New Supreme Council formally elects Sheikh Zayed as President. Treaty of Friendship signed with the UK. 11.30am. Flag raising ceremony at Union House and Al Manhal Palace in Abu Dhabi witnessed by Sheikh Khalifa, then Crown Prince of Abu Dhabi.
December 6: Arab League formally admits the UAE. The first British Ambassador presents his credentials to Sheikh Zayed.
December 9: UAE joins the United Nations.
Infiniti QX80 specs
Engine: twin-turbocharged 3.5-liter V6
Power: 450hp
Torque: 700Nm
Price: From Dh450,000, Autograph model from Dh510,000
Available: Now
Classification of skills
A worker is categorised as skilled by the MOHRE based on nine levels given in the International Standard Classification of Occupations (ISCO) issued by the International Labour Organisation.
A skilled worker would be someone at a professional level (levels 1 – 5) which includes managers, professionals, technicians and associate professionals, clerical support workers, and service and sales workers.
The worker must also have an attested educational certificate higher than secondary or an equivalent certification, and earn a monthly salary of at least Dh4,000.
The Federal National Council is one of five federal authorities established by the UAE constitution. It held its first session on December 2, 1972, a year to the day after Federation.
It has 40 members, eight of whom are women. The members represent the UAE population through each of the emirates. Abu Dhabi and Dubai have eight members each, Sharjah and Ras al Khaimah six, and Ajman, Fujairah and Umm Al Quwain have four.
They bring Emirati issues to the council for debate and put those concerns to ministers summoned for questioning.
The FNC’s main functions include passing, amending or rejecting federal draft laws, discussing international treaties and agreements, and offering recommendations on general subjects raised during sessions.
Federal draft laws must first pass through the FNC for recommendations when members can amend the laws to suit the needs of citizens. The draft laws are then forwarded to the Cabinet for consideration and approval.
Since 2006, half of the members have been elected by UAE citizens to serve four-year terms and the other half are appointed by the Ruler’s Courts of the seven emirates.
In the 2015 elections, 78 of the 252 candidates were women. Women also represented 48 per cent of all voters and 67 per cent of the voters were under the age of 40.
• Supports military aid for Ukraine, unlike other eurosceptic leaders, but he will oppose its membership in western alliances.
• A nationalist, his campaign slogan was Poland First. "Let's help others, but let's take care of our own citizens first," he said on social media in April.
• Cultivates tough-guy image, posting videos of himself at shooting ranges and in boxing rings.
• Met Donald Trump at the White House and received his backing.
Priority access to new homes from participating developers
Discounts on sales price of off-plan units
Flexible payment plans from developers
Mortgages with better interest rates, faster approval times and reduced fees
DLD registration fee can be paid through banks or credit cards at zero interest rates
LAST 16
SEEDS
Liverpool, Manchester City, Barcelona, Paris St-Germain, Bayern Munich, RB Leipzig, Valencia, Juventus
PLUS
Real Madrid, Tottenham, Atalanta, Atletico Madrid, Napoli, Borussia Dortmund, Lyon, Chelsea
Real estate tokenisation project
Dubai launched the pilot phase of its real estate tokenisation project last month.
The initiative focuses on converting real estate assets into digital tokens recorded on blockchain technology and helps in streamlining the process of buying, selling and investing, the Dubai Land Department said.
Dubai’s real estate tokenisation market is projected to reach Dh60 billion ($16.33 billion) by 2033, representing 7 per cent of the emirate’s total property transactions, according to the DLD.
