Channel Islands Information Security Forum (CIISF)


Do you need technical skills to work in Cyber?

Do you need technical skills to work in Cyber? Our chairperson Dave Cartwright tackles this question in August 2023’s article.

Like many people who work in cyber security, I was originally a mainstream IT bloke. Computing Science degree, service desk, IT writer, IT manager, CTO, head of IT operations, and so on. Then in the mid 2010s I joined the “dark side” and moved into cyber security.

Has my technical background helped me in my cyber security role? Heck yes. At the disappointing end of the spectrum, on a handful of occasions my technical knowledge has helped me cut through techies trying to bluff about how hard something is, or that yes, the firewall/switch/router/whatever is securely configured according to the company standard. At the more pleasant and acceptable end of things, though, I’ve been able to help the IT team fight their corner by confirming to the Risk/Compliance/Executive team that security problem X really is non-trivial to fix and that the time and cost really will be as the IT people are claiming.

Have I needed technical skills, though? I would argue probably not. Yes, they’ve been very helpful in a range of circumstances, but I’ve met plenty of senior security professionals who are very successful in their jobs despite being non-technical. So how have they managed it?

Simple: the technical stuff I mentioned a couple of paragraphs ago is just part of the story, but there’s another step that needs to be taken after the technicalities are understood. Take the example above where problem X has a specific time and cost impact if we’re going to fix it. All we’ve done is establish a few facts, and those facts came from the IT team in the first place – the security guy is simply saying: “Yeah, that sounds about right”. But these facts need to be formulated into some kind of risk quantisation, because what we care about is: do we need to fix it, how much of it do we need to fix, by when, and what’s the residual risk we can live with. That decision is above the pay grade of the security manager or CISO – it’s a risk decision, not a security one, to be made by those who hold the budget and the ultimate accountability.

The technical security person’s role in the examples I’ve mentioned highlights the core element that we require in an organisation: trust. If a non-technical CISO can rely on the IT manager, CTO, CIO or equivalent, they shouldn’t need a great deal of technical knowledge. Yes, I’m a huge advocate of security people having a solid grounding in the basic technicalities, but that’s primarily so they understand the basics of the concepts they’re reading or hearing and aren’t spending half of every meeting asking stuff like: “What’s a VPN?”. And yes, I’m sure many people reading this have seen cases where an IT manager has turned a horror story into a “nothing to see here” picture of good news for the CISO and the executive team. But the problem here isn’t that the CISO is non-technical (and the solution should be self-evident), and the inevitable outcome is that the horror story comes to light eventually, and probably far too late.

So no, you don’t necessarily need to be technical to be in cyber. Of course, in all but the smallest cyber team it’ll be necessary to have some people who are into the tech elements rather than the corporate, compliance or risk sides of things, but they will often (usually?) be in the minority. What you do need, however, is an excellent relationship with all the relevant parts of the organisation, and for that relationship to be one of mutual trust, openness and honesty.

Because when something goes pear-shaped, the joined-up organisation stands the best chance of dealing with it – no matter the level of technical capability of most of the cyber team.