Advances in automation, machine learning and artificial intelligence affect all areas of expertise – and cyber security is no exception. In cyber security, these advancements have enabled the delegation of time-consuming tasks such as manual threat detection and analysis to machines, freeing up the human workforce to focus on threat forecasting, cyber security strategy and governance. Dr. Nathalie Weiler – CISO at SwissSign – believes that the role humans play in cyber security has fundamentally changed and with the role, the skills required by the workforce have changed as well.
“After completing my PhD and post-doc in network security at Zurich’s Swiss Federal Institute of Technology, ETH, I realised that I didn’t want to pursue the classic academic career path of hopping from university to university. More importantly, I was most interested in the practical applications of cyber security. So in parallel to my post-doc, I co-founded a technical consultancy company, where we ran projects in secure IoT activities and building security protocols for multi-media devices.
While I was organising a conference for peer-to-peer networking at ETH, I got the opportunity to connect with many people in the industry. An architect from Credit Suisse approached me for a one-time project addressing a network security issue they were facing - I ended up working with that bank for twelve years, immersing myself in so many fulfilling and interesting projects.
There is no area in cyber security that I didn’t get involved with in my time at the bank. One day, a head-hunter approached me and asked me to join Avaloq to build up their security governance team and frankly, the position with Avaloq came at the perfect time for me; I was ready for the next big challenge of my career. So I took the position and stayed with Avaloq as their CISO for three years. Now, I’m excited to continue my journey as the CISO at SwissSign.”
The shifting frontier: cyber security skills yesterday and today
In the early days, the role of cyber security professionals was mainly to protect IT infrastructure and data. The role was reactive in nature: when a threat appeared or a risk materialised, it was all hands on deck to eliminate it as quickly as possible. Therefore, deep technical knowledge of IT infrastructure was in high demand.
Today, cyber security has expanded to include third parties, cloud environments, mobile devices and everything in between. Global digitalisation and the IoT have also shaped cyber security needs since these opened up a myriad of new opportunities that cyber criminals can - and do - exploit. It is therefore important for cyber security teams to have a broad range of skills to cover all of these environments and threats. In addition, with an increasingly common understanding that cyber incidents are inevitable, anticipating what attackers are going to do before they do it is key. Employees with the foresight and ability to think like attackers are the ones that will provide the most value. Nathalie puts it candidly:
“Attackers will not always use a hammer to get in. They are constantly developing different skills, tools and approaches, so it’s important that we stay ahead and think like them.”
With visibility all the way to the top of organisations, persuasion has also become an essential skill to master. Nathalie reflects on the importance of her consulting background in helping her implement her cyber security program:
“I wouldn’t be here if I didn’t have a consulting background. As a CISO, you need to be able to convince many different stakeholders to secure funding and get buy-in. Half of my success is based on how persuasive I can be.”
As money and resources are always finite, Nathalie articulates the importance of adopting a risk-based and pragmatic approach:
“You need to be able to get your ideas across, taking into consideration the uncertainty.”
Looking to the future
Solutions in use today will undoubtedly become less effective at some point in the future, and since no solution can be completely secure, security professionals need to be able to embrace failure as part of the process. As a result, Nathalie argues that nowadays, the field has demand for professionals with various backgrounds but with a common trait:
“We need people who can look further into the challenges that they’re presented with and see the big picture. We need people who understand why they need to do things in a certain way and can actually see the implications of their actions on business processes.”
As our lives continue to get more interconnected, the needs of the cyber security workforce will continue to evolve. There will always be new cyber security threats lurking on the horizon and regardless of how the field evolves in the decades to come, Nathalie believes that having the right attitude is essential:
“You need to break out and recognise that it’s a journey. It’s important to take your time with each problem and remember that threat actors will always come up with new methods of attack.”