
Let’s get emotional: The business case for the soft-skilled CISO

Seeing a security team solely as employees with a basket of duties attached is a one-dimensional perspective that can be counterproductive, says Paul Baird, CTSO, Qualys

Escalation of cyber-attacks is, by now, an old story. But last year’s digital assault on the region was particularly destabilising for the thousands of enterprises trying to deliver operational continuity amid unprecedented social disruption. The United Arab Emirates (UAE) saw a 250% year-on-year increase in incidents in 2020. Any doubt that this was linked to our new normal was dispelled by the nation’s cybersecurity chief, who cited lockdowns and our movement to a “full online life” as major causes.

On the frontlines, as always, are teams of beleaguered security professionals. To make matters worse for the region, sufficiently trained threat hunters have become all too rare. Skills gaps persist, despite a growing need, and the rise of the chief information security officer (CISO) has done nothing to address the shortfall. Indeed, technically minded CISOs are being called upon to step outside their logic-infused comfort zones and become talent shepherds, inspiring and shaping the next generation of cybersecurity professionals. And they are having to develop new skills to do so.

People are not robots, tools, equipment or numbers. Seeing a security team solely as employees with a basket of duties attached is a one-dimensional perspective that can be counterproductive. Understanding each individual ― their history, talents and propensities ― is the first step towards building a cohesive team that you can trust to make snap judgements in the dead of night when a cyber threat rears its head.

Paul Baird, Qualys

IQ vs EQ

Equipping those decision-makers with the right tools is, of course, a vital element. Formulating high-level policy is also helpful. But being able to predict how people will react in a critical moment ― how they will leverage technology and interpret policy ― can be just as important.

For years, we have thought of the war with bad actors as a battle of wits, a function of IQ. And in many respects, it is. But as the security function has moved into the boardroom, with the emergence of the CISO, so security teams have evolved. Now their leader is often a field-marshal in a war-room rather than a captain in the trenches. As the region’s threat landscape heats up, CISOs need to return to the trenches and develop their emotional quotient. They need to bond properly with their teams of threat hunters to build a squad of professionals that can react with efficacy.

One of the main problems in attaining this model is that a security specialist tends to be a loner, better resembling a bounty hunter than a soldier. When effective, such personalities are rightly promoted, but they often find themselves pushed into roles that require an extrovert at the wheel. The bounty hunter must transition to motivator, teacher, and performance-critic.

Plugging gaps

In the UAE, and across the Arab Gulf, there is a well-known skills gap when it comes to cybersecurity. Attraction and retention of security talent is keeping many an HR manager up at night. Emotional intelligence (call it “soft skills” if you prefer) among CISOs can play a significant role in retention because treatment of niche-skilled cybersecurity experts as faceless, functional components will demotivate them and lead to higher turnover.

So, the effective CISO must approach each analyst as an individual. They must discover how that analyst likes to work, what approaches they take to their roles, and how this may fit in with established policy. To make the most of a security professional’s skills, it is vital to find out how they feel about different policies and procedures, and work with them to introduce tools and workflows that make their lives easier.

Automation is part of this, but only part. The real goal is to shape the role so that the individual’s talents are harnessed to their fullest potential. AI is a potent tool capable of identifying around 90% of threats before they can do harm, but trained human professionals are needed for the remainder. The emotionally intelligent CISO must ensure each team member is prepared to recognise the hallmarks within data that warrant further investigation, and to take the wisest course of action if any threat is found.

People first

This is where the relationships the CISO has built will come into play. A hesitant team, for example, is one that does not have confidence in the support of leadership. But assure them of your backing and security teams can act, and act soundly. Approachability will also make the CISO more likely to receive vital information. A non-technical employee who makes a mistake is far more likely to approach a genial security head than an ornery one.

The environment built by soft-skilled security operatives is vital to the success of their organisations in the new digital era. Last year, enterprises across the GCC and beyond rushed to more complex environments to survive. The soft-skilled CISO will accept that mistakes are going to be made and that everyone is part of the solution.