How cybersecurity roles are changing and what to look for when hiring

Organizations globally are grappling with the impact of constant technological changes and the need to keep up with the ongoing evolution of cybersecurity capabilities. This is directly impacting individuals already working in the industry, as well as the skills that companies seek when hiring for their next incident responder; governance, risk, and compliance (GRC) specialist; and SOC analyst.

AI, automation tools drive change to some cybersecurity roles

Experienced head of IT and cybersecurity Sameera Bandara tells CSO one of the biggest factors driving a shift in the skills that companies are looking for in cybersecurity professionals, especially in the last two years, is the increasing prevalence of AI and automation tools. In fact, the Tines Voice of the SOC report found nine out of 10 security teams are automating at least some of their work.

“Vendors like Microsoft and other security vendors like Splunk and CrowdStrike, they’ve basically introduced AI into their tool sets, which then negates the need for let’s say, a security analyst to have a certain skill set, because instead of them having to do the hard yards, they can essentially get the tool to do that for them,” Bandara says. Some of those skills that he refers to are coding and scripting skills. “Things that previously needed a Python script can now be queried using natural language due to vendors integrating AI into their tools,” he says.

Datacom senior cybersecurity analyst David Vaughn has experienced this change first-hand and describes how his role has changed “significantly” in the last two years. “In the past, my work was focused on identifying and responding to cyberattacks,” Vaughn tells CSO. “With Datacom operating at the forefront of cybersecurity, my role has advanced to incorporate more proactive threat hunting. I now spend a significant amount of time actively searching for threats to our organization, both internally and externally; implementing behavioral-based and anomaly use cases compared to more standard signature-based use cases; and more automation with the introduction of security orchestration, automation and response (SOAR) platform.”

Vaughn adds that access to new automation tools has also meant a reduction in triage and response times, as well as an increasing opportunity to focus on more strategic and complex responsibilities. “We’ve seen the nature of the industry shift from a reactive to a proactive approach and this should be reflected on a personal level. I no longer wait for threats to happen before I take action,” he says.

Some of the specific skills Vaughn believes he’s had to acquire over the last couple of years to keep pace with the changes in his role include learning how to query, create reports, and use playbooks; new query languages such as Sentinel KQL to create effective detection rules; new tactics and techniques that threat actors use; and the ever-expanding introduction of AI tools.

Automation has allowed Darktrace APAC analyst technical director Oakley Cox to move away from mundane tasks. He tells CSO the work is traditionally very binary and knowledge-based decision making, and very repetitive. “But now, leveraging AI, it has that wider context and understanding and makes that decision for you. It then allows you as a human analyst to take a step back from the knowledge side and instead focus on hypothesis testing and investigate methods on fewer alerts to only focusing on important alerts.”

How the GRC specialist role is evolving

Like the emergence of any new technology, there are pros and cons. Bandara warns that while AI can be used for good, it can also be used to create new attacks and further risks, which all cybersecurity professionals need to be aware of. “If you have a governance, risk and compliance specialist and they have a particular project that comes onto their in-tray to do a risk assessment, they previously wouldn’t have had to consider AI-based risks. For example, if an employee is using an open AI platform to generate a bid or somebody copying and pasting company IP onto ChatGPT,” he says.

Off the back of these new considerations, KordaMentha cybersecurity executive director Tony Vizza believes GRC specialists are increasingly playing a greater advisory role to companies. “I think there’s an increasing realization that the world of cybersecurity is very much like medicine because if you are not well, you go to a GP…but the GP won’t be the person that knows everything, they will send you to a specialist or send you in for a scan or a blood test,” he says. “Their job really is the consultant, so to speak, that coordinates the different specialties of medicine, and then comes back to you with the results and says this is what you need to do…yet within the realm of medicine, there’s a whole ecosystem of people who specialize in different areas…we’re seeing in the world of cybersecurity that it’s exactly the same.”

Vizza explains that in the past, people who worked in GRC would typically be called by the very technical people who would say “you don’t understand the tech” while the GRC people would say “you don’t understand the tech won’t fix everything”. “I think we’re starting to see that actually you need both.”

GRC specialists need to be equipped with some legal knowledge to be able to successfully advise organizations on the design of governance plans and frameworks and best cybersecurity practices, for instance. Recognizing this need, Vizza, a GRC specialist himself, is finishing up a law degree. “Over the last couple of years, from a GRC perspective, we’ve seen a requirement that you need to understand the regulatory space, beyond ‘it’s a Privacy Act issue’. You’ve got to explain when you’re working with organizations specifically how it’s going to impact them if they have a data breach,” he says. “You don’t need to be a lawyer, but you do need to have enough understanding and really be across that legal and regulatory landscape.”

Incident responders now need good communication skills

It’s not just GRC specialists who are expected to be handing out advice. Incident responders, typically valued for their technical skills, are finding themselves increasingly interacting directly with customers. According to David Ulcigrai, CyberCX senior managing investigator of digital forensics and incident response, incident responders are being required to brush up on their oral and written communication skills. “What we’re noticing is the customer doesn’t necessarily want to wait for somebody to review an email or review a report before it goes out, and that’s what it used to be, we’d come in do the investigation, find some results and then we would give them a written report at the end,” he says.

“Now, the customer is more involved and wants to know more during that process, so everybody has to respond, everybody has to be available to pick up the phone and have a conversation. My background was heavily technical, and technical people aren’t necessarily the best communicators to make things simple. But it is a learned skill, so that’s what we’re trying to focus on now.”

What CISOs should look for when hiring

When looking for new hires, Ulcigrai, whose background is in military airfields, says he’s always on the lookout for technical people with an ability to learn. “I don’t necessarily care what technical stream you’ve come from…as long as it’s somewhere in that cyber realm or technical realm, especially in incident response…but now I’m also keen on when people are talking to me, just listening to what they’re saying and are they able to explain to me whatever the topic is in a way that I can get it because that’s becoming more important from that communication piece,” he says. “You know, five or six years ago I would’ve taken that technical expert. Now, if I had one position and I had somebody who may not be as strong technically but can communicate, I would probably take the latter.”

Cisco Australia and New Zealand Director of Cybersecurity Corien Vermaak agrees that hiring people with soft skills in addition to technical skills is becoming more favourable. “I would look at an engineer or analyst that can take stakeholders on a journey as to what’s happening with this breach, versus going into a deep hole of technical discussions and losing them because remember…sometimes the engineers working on it or the SOC analyst gets pulled up into the forefront and they have to report on data,” she says.

These professionals have to communicate the challenges and the problem statement, and they also have to communicate and formulate plans, says Vermaak, so they need the critical thinking, planning, problem solving, communication, and technical writing skills that the industry lacks. “So, anybody who can showcase to me that they’ve got richness in their soft skills around the technical or academic qualifications will always rank higher through an interview process.”

Cross-skilling has become more important in the cyber sector, particularly while it continues to be plagued globally by the ongoing skills shortage. “Because we do not have the correct amount of resources, I’m seeing leaders be very creative [in how they recruit]. In my team, I do the same because there are so many different fields that can bring richness to a role, I really think outside the box when I look at a candidate. I see that a lot across the industry,” Vermaak says. “I had a chief information security officer in Western Australia say to me he has this massive skilling problem and went to the nurses’ association and hired retired nurses that can’t nurse for medical reasons, and he reskilled them. I’ve had another CISO say to me, we’re on a drive for mums returning from extended parental leave.”

Ultimately, the narrative of how companies hire cyber professionals is changing; it’s no longer just about the skills they already possess but also how open they are to learning new ones. “I want to attract people with an altruistic notion that wants to fight crime — but in a non-gory way — that wants to be part of the solution, that wants to do critical thinking and problem solving,” Vermaak says. “Because once you find those people, the rest doesn’t really matter. You know they will invest in skills [and] they will develop themselves, and that’s what we’re up against.”
