I was delighted to see a recent survey that young adults in the UAE are more likely to consider a career in cyber security  than their peers elsewhere in the world. While it is heartening that the world – and especially the UAE – is waking up to the issues and the skills we need, it got me thinking about how cyber security careers are developed and a gap that I don’t believe is being addressed.
In the course of my work, I regularly meet chief executives and C-suite directors to discuss their businesses and executive search needs – particularly in financial services. Over the last year or so, concerns over IT and security have become a running theme. And at the CFO Strategies Forum in November, there was considerable discussion around the role of CFOs in the face of automation  – which of course includes IT and cyber security.
The big gap that is not being discussed or addressed is communication.
An organisation may have all the latest technical expertise in the world, but in the end security comes down to the practices of thousands of individuals in the organisation. And if the IT team cannot influence and persuade those individuals to change their behaviours, the most expensive kit becomes useless.
Let me give a practical example of where I see the weakness.
Last summer the world was hit by Wannacry ransomware attacks in 150 countries and this included attacks on many hospital trusts in the NHS in the UK. After an investigation by the UK government, a report by their National Audit Office concluded the NHS was vulnerable to attack ‘because cyber security recommendations were not followed ’. A former chairman of NHS Digital blamed the attack on lack of time and resources but also ‘frankly a lack of focus, a lack of taking it seriously’ in keeping up with cyber security improvements.
But while the hospitals are being blamed for ignoring the advice, no-one seems to be challenging the people giving the advice and their ability to explain, persuade and influence the hospitals that these issues are serious. Rory Cellan-Jones, the BBC’s technology correspondent, added his own commentary to this story, “To be fair, the Department of Health had developed a plan – it was just that it had not been properly communicated or tested in the NHS trusts”.
For me, perhaps the most depressing element of this story is that at the end of last year, NHS Digital announced £20m investment to ‘boost its ability to support the NHS with digital security’ in response to the attacks. This money is to be spent on
- A monitoring service analysing intelligence and sharing guidance, advice, threat intelligence and remediation to relevant contacts in health and care
- On-site data security assessments for NHS organisations, to enable them to identify any potential weaknesses and to get the best value from local investment
- Specialist support for any NHS organisation which believes it may have been affected by a cyber security incident
- Ongoing monitoring of NHS Digital national systems and services
As far as I can tell, NHS Digital was already doing all this – to a lesser or greater extent. The reason the hospitals were attacked was not because there hadn’t been assessments or advised of the risks and even what they needed to do (some basic patches added to Windows 7) – it was because they hadn’t implemented the advice they were given.
So what will change? What needs to change?
I believe we need to redefine what cyber security means. Do a Google search and you will see definitions around ‘body of technologies … to protect networks, computers, programs and data from attack’. What we need to recognise is that technology is not enough on its own. You must have great communication and influencing skills alongside the technical ability.
Just as we agreed at CFO Strategies Forum that CFOs must be great communicators to be effective, so we need cyber security experts who are also great communicators. They must be able to understand and influence human behaviour (everyone knows they should have different passwords and change them every month – how many do?) and find solutions to human frailties – these are the weak links in cyber security.
And that means those who are creating courses for the next generation of cyber security experts – such as Khalifa University of Science and Technology and Raytheon’s Cyber Academy which carried out the survey I mentioned earlier – must include skills in communication and influencing behaviour as much as focusing on technical skills. This also applies to those leading national policies such as Omar Bin Sultan Al Olama – recently appointed the country’s first Minister of State for Artificial Intelligence  at the age of 27.
As with most boardroom and leadership issues, the theory and the logic are nothing if you cannot bring people with you.