Online scams surged during Covid, forcing us all to learn more about the risks of hacking and fraud. Just pick up your phone and your texts, emails and even Twitter messages will almost certainly contain some kind of alarming, urgent message designed to get you to click on that link.
Many of us have fallen for them and either lost money or had our data compromised or stolen. For companies, the stakes can be huge and, as scammers and hackers become more sophisticated, they’re investing in cybersecurity like never before.
Of course, there’s no cybersecurity without cybersecurity experts, and the number of courses available is ramping up.
We caught up with experts from ICT firm Huawei, professional services firm EY, and Skillnet, which helps businesses in Ireland to upskill and retrain staff.
Jaap Meijer is chief cybersecurity and privacy officer at Huawei Western Europe. Carmel Somers is human capital strategist with Technology Ireland ICT Skillnet. Carol Murphy is EY Ireland consulting partner and head of technology risk.
What type of qualifications do cybersecurity experts have and how has this changed in recent years?
Jaap Meijer: Typically, the industry recognises most commonly the well-known cybersecurity professional qualifications from recognised certification bodies. But the industry is evolving [and] as the number of cybersecurity jobs outweighs the number of qualified professionals, companies in recent years have become more willing to take on individuals who have a keen interest in cybersecurity, but no formal qualifications, to train and support their qualification journey.
The opportunities in the sector educationally range extensively from apprentices, college courses, undergraduate degrees, masters for those with prior and no prior cybersecurity understanding, online self-paced courses, and professional development courses and certifications.
Carol Murphy: Cybersecurity specialists have a wide variety of backgrounds, depending on their area of speciality.
The cybersecurity field now covers several areas. It requires people who have expertise in performing risk assessments on processes and systems, and then securing those systems and processes to protect an organisation, its IT infrastructure and its data.
In order to avail of the career development opportunities in cybersecurity, a third-level qualification in the fields of IT, networking, business information systems, law and technology or computer forensics is recommended.
Cybersecurity threats and the IT landscape are constantly evolving, so this is a field suited to people who are committed to continuous learning. Most cybersecurity specialists will complete certifications in relation to recognised industry standards or regulations and security products throughout their career. Communication skills and the ability to understand business processes are key components of this career path.
Almost all of the third-level institutions in Ireland offer courses in the cybersecurity field.
Carmel Somers: Across industries there is continued demand for cybersecurity skills and, to some degree, we are also seeing some divergence in need, from pure technical cyberskills such as penetration testing, intrusion detection and network security to business-related cyberskills in the areas of risk, compliance and governance.
What does a cybersecurity specialist do?
CM: Cybersecurity specialists have expertise in a variety of areas; for example, guiding the development of secure IT architecture, securing cloud implementations, securing web-hosted applications, performing risk assessments on IT environments, providing assurance in relation to compliance with industry standards, regulations or legislation, delivering secure coding in software development and understanding vulnerabilities such that they can be analysed and remediated.
These specialists also work to respond to cybersecurity incidents and to deal with the post-incident response and remediation to analyse how the threat materialised, how the attack was carried out, to determine how the organisation and its ecosystem have been impacted so that they can manage the incident and support the organisation to recover.
In addition, cybersecurity specialists will identify the lessons learned for an organisation, and support and advise in relation to any resulting legal or regulatory implications.
Preventive cybersecurity activities include penetration testing to identify vulnerabilities, war games or simulations to train IT teams in incident response and providing business leaders with an understanding of cyberthreats.
What does the industry need?
JM: People with technical and skilled backgrounds who are able to communicate complex threats and systems to non-technical professionals, in order to convey the need and urgency in dealing with cyberthreats and attain the support of their board. The need remains in the industry for highly technically skilled staff in the areas of penetration testing, cybersecurity architects, security engineers and ethical hackers, but there is also a need for non-technical roles such as security awareness trainers who can engage employees across an organisation into changing their mindset to cybersecurity and threats.
What sort of courses are available?
CS: On the technical side of cybersecurity a broad range of programmes are available covering an extensive spectrum from formal Master of Science in Cybersecurity to Fit apprenticeships and everything in between.
A relatively new and somewhat unique programme is Cyber Skills, led by Munster Technological University in collaboration with University College Dublin, University of Limerick and Technological University Dublin, providing pathways and micro-credentials to address skill shortages. It may be ideal for someone working in the area or a related area who can grow cyberskills at their own pace by building a stack of recognised micro-credentials.
In addition, programmes such as Future in Tech, a free one-year tutor-led programme with a cybersecurity analyst pathway, are for those who are unemployed and looking to grow the skills needed for a career in cybersecurity. Information on cybersecurity education programmes in Ireland can be found on CyberIreland.ie.
On the business side there are a number of providers offering programmes in the area of cybersecurity risk, compliance and governance. ICTTF (International Cyber Threat Task Force) is one such company with programmes aimed at helping business leaders understand the risk and threat landscape so they can take the appropriate steps to protect their businesses.
Then there are industry-based cybersecurity certifications which organisations look for when hiring into cybersecurity roles such as Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), CompTIA Security+, and CISSP (Certified Information Systems Security Professional), to name a few.
Any advice to someone interested in cybersecurity as a career?
JM: I always say that privacy and security have become fundamental parts of our modern-day life. If you can play a role in that field, whether in a technical or a supporting role, it is an incredibly valuable position you will have in helping to secure society. It can be contract management, governance, commercial. In the “old world” you would have a role in an organisation and you could, for example, be an engineer.
Nowadays you need to be able to put on three different hats; not just functional, but also “how does it impact privacy? Are the data streams secure? How is physical security guaranteed?” If you manage to think in this way and find this interesting, the world is at your feet.
Find the right course for you at CyberIreland.ie/course-finder
Advice from the top: Sean Morris, chief technology officer at TitanHQ, one of Ireland’s most successful and fastest-growing indigenous cybersecurity product companies
“Most of the experienced people I know have no explicit cybersecurity qualifications. This is a discipline where on-the-job experience across multiple technology domains and a good deal of general learning around cybersecurity has been the main prerequisite for entry.
“It’s a fast-moving space, so even with qualifications, there’s an onus on everyone to keep learning continuously about new tactics, techniques and procedures being used in the field. Most professional cybersecurity certifications have been in existence for only 15-20 years, and despite the high premium in the market for these, the uptake has been relatively low. Right now there are just over 150,000 people worldwide with a CISSP certification. This is a drop in the ocean compared with the industry demand.
“For me, the big three [most useful qualifications] are CISSP, CompTIA Security+ and CEH. Large companies can have the luxury of appointing a CISO (chief information security officer) with an extensive cyberteam behind them, but for smaller businesses, having an IT leader with the backing of a CISSP qualification is an ideal set-up to start managing risk effectively.
“Cybersecurity has never been more important as a skillset. Increasing threat levels to businesses, complexity of the technology landscape, the recent move to more remote and hybrid working models, use of SaaS (Software as a Service) platforms and many other factors are creating a huge demand.
“Requirements for businesses to meet security standards for cyberinsurance [are] also driving a lot of requirements on companies that require cybersecurity skills and a deep understanding of what good defences, education, systems and processes look like. As such, there are opportunities at virtually every level in the cybersecurity domain.”