Future roles in information security

We identify the following major trends impacting the capabilities required from the workforce:

• Sophistication and dynamics of cyber attacks
• Machine learning and artificial intelligence
• Virtual identities
• Data
• Cloud
• Distributed hybrid environments
• New ways of working (DevOps, Agile, Scrum)
• Continuous software development
• War on Talent
• Regulatory and assurance (Integrated reporting)

These trends will demand other capabilities and therefor roles in the Cyberdomain; such as Cyber Attack Agent, Cyber Calamity Forecaster, Machine Risk Officer and Virtual Identity Defender, Data trash engineer, Cloud orchestration architect, Security vaccinator, Cyber talent magnet, AI auditor. To give you an idea about what those roles mean, we will give a brief explanation per role in the section below.

At the end we converge this into our vision of the role of the CISO. Our objective is not to be exhaustive but to give you some of the major trends based on our experience and external research reports and articles for HR firms like Egon Zehnder and Korn Ferry ^(2).

Due to the rapid changing threat landscape and the morphing actors it becomes hard to keep up with this knowledge and translate that into actions. The Cyber Calamity Forecaster will reveal overlooked possibilities and expose unexamined assumptions about the cyber world. The ideal candidate will provide analytical, advisory and technical expertise and analysis related to global cyber activities by assessing the current and predicted cyber environments and geopolitical developments in order to issue cyber products, alert bulletins and forecasts. But this Calamity forecaster requires three major new capabilities that now should be combined into one role.

In current day network security, vigilance with respect to arising new threats and attack vectors is becoming ever more important. Rapid detection, risk assessment and preventive or mitigating measures is gaining prominence.

In order to face this problem, cyber threat agents or SOCs rely on a vast body of reports of newly detected (or suspected) threat avenues that are reported in public sources: newsfeeds, mailing lists, twitter streams, forums, etc. A considerable amount of non-public sources is offered as well: for-pay vendor threat bulletins, announcements in closed channels. This forms a growing challenge, which is a specific instance of the ‘firehose’ data problem. A lot of data is available. Beforehand, its veracity is never beyond doubt. Moreover, it is not guaranteed to be structured in such a way that (semi) automated processing is easily enabled. And with many data sources potentially shedding light (potentially from different perspectives) on issues that share an underlying coherence, discovering the relation between reports from various sources is an important enterprise. Also of note is the fact that data sources are lingual, with a wide range of potential source languages. Many are in English (of varying quality), but far from all; and one should never exclude the possibility that a highly relevant and urgent report could be published in Russian, Korean, Chinese, German, French (etc.) first.

Given the size (‘firehose’) of the data stream, the scalability problem arises; a high level of automation is called for. With this problem field in mind we define three related capabilities:

1. Assessing Data Source Quality
2. Intelligent Correlation, Relevance and Risk Determination
3. Automation of Data Source Handling Process Flow and directing that to target audiences in a presentable and actionable format.

Based on the gather threat data the Calamity forecaster can do trend analysis on sectors (finance, retail, manufacturing), countries, platforms (Microsoft, Oracle etc), environments (Industrial plants) etc. This role becomes more and more important since the majority of the people does not see the trees in the wood anymore.

The role of Machine Risk Officer will be essential in developing new trust mechanisms and imagining new risk-benefit approaches for working with intelligent machines. The employee in this position will define roles and responsibilities between humans and machines and set the rules for how human counterparts should handle machine-caused wrongdoing.

The role of Cyber Diplomat will be essential for managing stakeholders and regulators and finding collaboration and allies with other public and private companies and government. The reason why wars are won is by having the right allies and enough allies. Going to war without them is a receipt for failure as history learns in times of amongst others Napoleon and Hitler.

The employee in this position will form strong alliances and influence the external world about the opinion of the entity itself.

In the role of the Security Pusher, you’ll be expected to analyze every situation where customers have contact with clients’ brand or business, qualify the emotions involved and then propose a subscription strategy to fulfill them. The job requires investigating, tracking, shaping and proposing the decisions to ensure cyber risks are dealt with in line with the risk appetite and in alignment with customer behaviour. This requires frequent interaction with customers, stakeholders and parties involved into delivering services into the value chain to operate effectively. This role emerges in managed security service providers and integrators that have certain liabilities towards their customers if security advisories are not being followed up by companies.

As a Cyber Attack Agent/SEAL, you’ll form part of a new Special Operations division within the SOC, tasked with developing, undertaking and leading the cyber deterrent program. As a key member of this team, you will assist in developing, and in wartime delivering, strategic cyber offenses against adversaries’ infrastructure and public and private sector systems. To be considered for this critical role, you must display an excellent track record of cyber hacking, “grey-hat-focused” software development or distributed denial of service attack experience. Cyber attack agents/seals will need to operate as an effective and highly nimble team, collaborating closely with each other, as well as with the NCSC’s cybersecurity teams.

In the role of Data Trash Engineer you’ll apply analytical rigor and statistical methods to data trash in order to guide decision-making, product development and strategic initiatives. This will be done by creating a “data trash nutrition labeling” system that will rate the quality of waste datasets and manage the “data-growth-data-trash” ratio. This role is needed to avoid obese data collection by organisations and to adhere to GDPR regulatory requirements such as data retention schemes.

The Cyber Philosopher will keep the discussing about the balance between humanity and machines alive, to prevent “Judgement Day” from happening.

The AI Auditor will form an independent opinion about the integrity of the AI. This auditor will be part of a governmental institute that audits without asking and without any financial incentives. As we will learn in the future, the Auditor can no longer be part of a commercial organization.

The Security User Experience (SUX) Designer is an expert in building security within products and services and not giving them an unfriendly experience. This is caused by the way security has been designed is integral part of the product or service which results in a perfect balance between ease of use and a more secure and safe experience. In a world where it becomes unknown who can be trusted, trust will become essential for the business strategy.

For these future roles you need educated talent. Many learning and certification programs already developed are a complete wood of trees to many HR professionals or recruiters. See figure below:

Figure 1 Overview of all Security related certifications⁽³⁾

For the HR professional it becomes more and more complex to destill the talent from the amateurs. You simply cannot judge on a certification alone, one needs to seek deeper into intrinsic motivations and personal capabilities. This seems an open door but in Information security it is hard for a HR professional how good someone actually is in a certain domain.

Lee proposes in the article on “seeking the Purple Squirrel” to opt for an open job description “Desired Experience” ; “Security is a rapidly evolving space, made up of numerous different technologies, and no single person is expected to possess every characteristic on this list. A curious mind, an ability to think about the rules and how to break them, and a willingness to learn are the most important traits we look for. If you have some of the following and are willing to learn more of them, we want to hear from you.”

Despite enormous progress in the industry, the race for talent and the looked out to the Purple Squirrel⁽⁴⁾, data and information inaccuracy remains an enormous challenge for many organizations. This is evidenced by inadequate detection rates and slow response times to attacks. The main root causes for this insufficiently configured security tools and many point solution is the lack of craftsmanship. But the stakes are high. An inadequate and seemingly weak response to breaches can trigger a negative impact on the company’s perceived value and potentially of its share price. This information rarely trickles down to operational teams. I firmly believe that– according to a recent report by Wakefield Research and Deloitte⁽⁵⁾ this is the main reason why half of the CISOs want to outsource their SOC and get more ‘bang for their buck’.

I see the role of the CISO expanding to ‘economist’, ‘talent magnet’ and ‘orchestrator’ with a clear vision of how to address the pitfalls at the three organizational levels.

Economist because the CISO needs to rely on detailed, reliable source data to determine the cyber risk level in the context of all other risks. And explicating and selling to the board the ‘biggest bang for the buck’, based on facts and figures.

Talent magnet because of the ongoing ‘war’ on security talent that anchors risk and security leadership, craftsmanship and ownership to continuously ‘sharpening the saw’ and streamlining the operation; and finally to demonstrate reasonable assurance over the Information and Cybersecurity function from bottom to top. This means the CISO needs to lead and influence the hiring process of top-notch staff that are capable of vaccinating and positively influencing risk and security owners – talent that is capable of engineering KRIs and KPI mechanisms into the technology and processes.

Hence the necessity to also forecast future roles as described in this section, that can emerge quickly.

Orchestrator because ‘third-party risks’ are the biggest risk for platform-based business models working in a large eco-api-based-system that require clear, predefined indicators to monitor the cyber performance over multiple environments (from left to right). This means that the CISO needs to architect and orchestrate the security of the entire chain, so that he or she gains full visibility on the effectiveness of the security controls⁽⁶⁾.

With our executive master's programs at Antwerp Management School, we develop professionals that are well equipped to face the challenges of this fast changing digital world and to take on the roles I described in this article.

References:

[1.] L. Zuzkin, J. Lopez, E. Weiss Kaya en A. Smallwood (2018), „Cybersecurity readiness trough workforce development,” in Navigating the digital age, Tim Dempsey, 2015, pp. 307-311.

[2] Cognizant, „21 More jobs of the future; A guide to getting and staying employed through 2029,” Cognizant Center for the future of work, London, 2018. & J. Cummings, „Building a cyber savvy board,” in Navigating the digital age, Korn Ferry, 2018, pp. 313-318.

[3] https://www.reddit.com/r/cybersecurity/comments/e23ffz/security_certification_progression_chart_2020/

[4] Lee, M. (2019) ISACA Journal; Stop Looking for the Purple Squirrel: What’s Wrong With Today’s Cybersecurity Hiring Practice

[5] Wakefield Research and Deloitte Report on The future of cyber survey 2019, polled 500 C-level executives who oversee cybersecurity at companies with at least $500 million in annual revenue including 100 CISOs, 100 CSOs, 100 CTOs, 100 CIOs, and 100 CROs

[6] K. Bittianda, S. LaCroix en C. Patrick, „Evaluating and attracting your next CISO: More sophisticated approaches for a more sophisticated role,” in Mavigating the digital age, Egon Zehnder, 2018, pp. 319-323.