Authors: Julien Gibert, Executive Director, PageGroup, and Martin Dion, Vice President of EMEA Services, Kudelski Security
According to the Michael Page Swiss Job Index, there is record demand for IT developers. Between June and July 2018 the demand for such positions increased by 18.5%, compared with a decline of 4.9% in all jobs advertised in Switzerland over the same period. Based on the frontline experience of Kudelski Security and Michael Page, we outline four key ways of attracting and retaining talent in this market:
- Provide projects where they will learn and grow
Projects, not salary, are the key driver for attracting and keeping talent. Developers like to work on new tools. They want projects where they can learn and grow and, preferably, influence the choice of technology. Developers like change more than most other professionals. They typically plan on an 18-month to 2-year horizon and are well connected, via various IT communities, to where the next interesting projects are on offer. For this reason, employers need to communicate the benefits of their projects, e.g. in terms of technology, project management and potential people-management skills advancement. They also need to stay close to their developers, show them that they are interested in their career progress, ask them what they would like to work on next and let them know that new projects are available for them, but not so far from the end of the current project that they lose focus.
- Be flexible
Flexibility is a key driver for attracting and keeping talent in this field. The ability to organize their own time is extremely important to developers. Employers need to be flexible with working hours as well as location. This includes allowing them to work on weekends rather than certain weekdays, enabling them to work from home and being prepared to have them work from different locations. For example, if they're based in Zurich and don't want to move to Geneva, then that needs to be accommodated. Given that demand exceeds supply for developers in Switzerland, employers also need to be prepared to relocate talent from wherever they are.
- Compromise on skill sets
If a candidate has 80% of the skills required for a job and is willing to learn, then be prepared to make them an offer. Skills in this field are quickly outdated, and good candidates will have 2-3 offers at any one time. So employers need to find them when they are available and quickly make them an offer. Job descriptions with too many criteria will significantly reduce the chances of filling such a position.
- Look beyond the IT profession
Recognize that certain roles can be staffed by professionals from outside the IT/development field. For example, when a financial institution is building a new tool, it needs people who understand the business. These roles are typically known as "business analysts" and are filled by people from other disciplines (e.g. finance, HR, sales) who understand the business and like IT projects. On the consulting side, lawyers with IT practice backgrounds have also proved successful because they are typically good at negotiating and at communicating risks and benefits to clients. So be prepared to look for people who understand your business, can deal with business partners and clients, and fit the culture of the organization and project team.
The shortage of developers will only become more pronounced in Switzerland in the near future as demand grows and the supply cannot be met by the Swiss workforce or by graduates of Swiss institutions. It is therefore important to remember that we are not Silicon Valley, with a huge pool of developers, and to be prepared to follow the 80/20 rule.
Artificial intelligence (AI) is being discussed quite a bit, in fact, maybe the term is used too much. After all, it means different things in different situations, and vendors are using the term particularly loosely to tie into a hot market and hopefully sell more product. When it comes to information and cyber security – a realm so vital to a company’s reputation – there’s a need to see through the hype and ask the questions that really matter.
For starters, to me the main question is not whether AI will find its way into our daily life, but what it will mean to us as cybersecurity professionals. What are the security risks when it is adopted by various business lines for different purposes? What are the benefits to our profession? And what are the risks of not considering the opportunity of AI to help us do our job better, or of failing to monitor closely what the business will use it for?
Like so many technology disruptions, AI will change part of the business landscape, and it will also shape our own cybersecurity backyard. The logic is implacable: where there is a business opportunity, there are investments to be made, and AI presents potential across many aspects of our modern life.
In its simplest essence, AI perceives and processes information from its environment and can use incomplete data to maximize the success rate of completing certain tasks. As you can guess, I have just described tons of activities that we as humans do every day in the medical, financial, industrial, psychological, analytical and military sectors.
At the moment, I don’t think we should overly focus on its potential to replace cognitive beings. Instead, we should appreciate that AI can leverage broader data input, discover patterns we can’t easily distinguish and is capable of sorting and matching data much faster than we can. Moreover, it never gets tired and can work 24×7. Ultimately, this will result in potentially better and faster decision making, where emotions or artistic sense might not be the primary quality by which we measure output.
That said, not all of AI is "rosy," and when matched with robotics, it can be the stuff of nightmares. AI comes with challenges, and while it can autonomously trigger actions based on algorithmic logic, that logic must be flawless. If not, it will make a lot of "mistakes," and very fast. The necessary algorithms rely on data, hence input quality must be tightly controlled; otherwise, garbage in, garbage out, right? So it is imperative that organizations decide what should and shouldn't be automated, and that approach needs to be validated by humans first. AI strategy done well can effectively address a skill shortage, but done wrong and with a "set and forget" mentality, it will backfire.
Still, keep in mind that AI can also reflect some of the flaws of its creator. Because humans come with their fair share of challenges, let’s focus on two examples.
Trust, either the lack of it or too much of it, can make AI react in a way we did not foresee. Sometimes emotionless decision-making might be best, sometimes not. The more AI we create, the more we will need to deploy a transposable trust model so that these systems can interact with each other. After all, in the AI world there is often little to no room for human interference if you want to capture its full benefit.
Transparency is another issue. As a society, we are not ready to entrust to machines many of the things we currently make decisions on, and security is a particularly sensitive area. Without transparency and accountability of the AI, how can we start tackling the notion of responsibility when something goes wrong? And we must consider at what point the use of AI will be mandatory under certain conditions. Will tomorrow's doctor be personally liable for not using an AI and misdiagnosing potentially cancerous cells? As happens with humans, what if the physician simply failed to update a codebase?
It's no secret that there is a lack of qualified security personnel today. That said, I feel it is our responsibility to explore ways to use AI as soon as possible in order to remove from our task list any item that can be automated. As a rule of thumb, I think of the Pareto Principle: AI should do the 80 percent of the job so we can focus on the 20 percent where human interaction and decision-making is a must.
Pareto likely never saw this coming, yet, the formula applies to our profession. AI could allow us to free up time and deliver more value with the same salary cost structure.
And believe me, we will need time because part of that 20 percent will be required to analyze the new business risks of using AI in the real world, one fraught with real and increasing security challenges.
Author: Martin Dion, Vice President, EMEA Delivery (Information Assurance & Managed Security Services) at Kudelski Security
Data protection, privacy, and innovation are part of our DNA at Kudelski Security. We work with some of the largest national and international organizations in the private and public sectors to address their toughest cybersecurity issues. Like every other company that deals with the personal data of EU residents, we needed to review our existing global data protection policies and practices to ensure that they are in line with the requirements of the General Data Protection Regulation (GDPR). Our own GDPR compliance implementation program provided us with some surprises and insights. Based on our own experiences, here are the six key lessons that we learned.
1. IT and Security Can't Do This on Their Own: Establish a Business-Wide Project
GDPR is not just an IT or cybersecurity issue. It potentially affects all areas of the business and carries significant risks for which the executive team will ultimately be held responsible. These include, for example, fines for breaching the GDPR of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater. We established a project team sponsored by a member of the executive team and comprising all areas of the business, including legal, risk and IT, so that each could factor in its own constraints and contributions to the project. We also found that, as the project progressed, the team's composition needed to evolve to meet the different requirements of each stage. The planning and analysis stages required different skills and experience compared with the implementation stages, which required, for example, more IT architects and developers.
2. Engage the Executive Team and Build GDPR Awareness
Accountability is a critical element of GDPR. In order to obtain buy-in from the key stakeholders from the start, we held training workshops that included our executive teams. These sessions covered the top ten topics that GDPR aims to address, through to how our organization needed to adapt, for example in terms of GDPR compliance and data protection. As a result, we achieved a shared understanding of the importance of our GDPR project and the expected behaviors, established clear roles and responsibilities around the project, and obtained buy-in for the necessary project resources.
3. Appoint a Data Protection Officer as Soon as Possible
Data Protection Officers (DPOs) must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data. The sooner you appoint this person, the easier your GDPR journey will be, all other things being equal. They know the data inventory, the data flows, how the data is used (e.g. harvested or manipulated) as well as any gaps. As the GDPR journey progresses, their importance will increase. They provide the link to the supervisory authorities and are the "go to" people for advice on Privacy Impact Assessments, which must be carried out when organizations conduct large-scale or risky processing of personal data. So it is essential to work closely with them at the beginning of the project, through implementation and in the business-as-usual phases.
4. Review Your Business Processes: But Don't Get Bogged Down
Reviewing your business processes is an essential part of GDPR readiness. We partner with many organizations to protect their networks. We need to map the business process accurately so that we don't extract data we don't need. Whether it's for our own purposes or when working with our clients, we focus on three fundamental questions: What data do we need? Who needs access, and why? What's the risk, and is it worth it? This helps us focus our resources and avoid a common problem encountered in many organizations: over-investing in a bottom-up approach to process and data flow mapping. While the intention is commendable, all too often data flow mapping exercises are undertaken in a manner that is too detailed and resource-consuming, given the relatively limited scope required to develop a privacy register. Moreover, when building from the ground up, people tend to justify why they had this data in the first place instead of focusing on the endgame and extracting the absolute minimum necessary to achieve the result.
5. Establish New Rights Along with New Processes: Avoid Being Overwhelmed
We learned that it is essential to consider the new data subject rights under GDPR alongside your business processes. Without this, there is a high likelihood of being overwhelmed when the "rubber hits the road". New rights include the right to be forgotten, the right to see one's data and the right to object to profiling. We have to demonstrate to our partners that we are GDPR compliant in the way that we handle data before they provide any data to us. The reverse is also true. For example, if you harvest the data or share it, you need to ensure its protection throughout its lifecycle, both inside and outside your organization.
We continue to work closely with our legal team, as some of these issues are not yet entirely clear for many clients and partners: for example, where customers reside versus where they are regulated. In a data breach situation where significant proportions of your clients reside in Germany and France, what are the expectations of the respective regulators, and should you report it only to your own country's regulator and let them run with the ball?
6. Expect the Best and Plan for the Worst: Prepare a Remediation Plan
The GDPR provides clear guidelines on what must take place in the event of a data breach. Once a breach is detected, you must notify the relevant supervisory authority within 72 hours. If there is a high risk to individuals, they might have to be informed as well. Our incident response team worked with our fusion center and many business counterparts to develop an incident detection and response process that can identify and respond to any breaches of personal data. Our focus, however, is on minimizing breaches and recovery before notification.
Over 80% of breaches are caused by outside threat actors. Hackers are attempting to attack 24/7, so you need a system that is continually hunting for threats. This can only be achieved cost-effectively by using a fusion (rather than classical) system. Fusion systems, pioneered by Kudelski Security, make it the attackers' problem, not the company's. The attacker knows that they have been detected, or will be detected, but they don't see the decoy, so it not only slows them down but also allows the primary threats to be identified and shut down faster than a traditional system is capable of.
The GDPR process forced us to address issues that were not part of our original plans, and we see many clients and business partners facing similar situations. Most importantly, for our business partners and us, it provided valuable lessons that we have incorporated into our business-as-usual processes and training programs. GDPR compliance is an ongoing process, and we advise our clients to focus on their core business, find the right partner to help them implement the various aspects of GDPR, and give the project the support it requires in terms of executive backing and resourcing.
This article was first published in German in Netzwoche, on May 15th 2018.
Starting in May 2018, if you operate an enterprise or deliver services to customers in Europe – even if you are not located in Europe – your organization must be compliant with GDPR.
If you decide not to comply with the requirements imposed by the legislation, the regulators will be able to slap you with a hefty fine that corresponds to 4% of your top line, up to 20 million Euros (25M USD).
There are many legal requirements related to how you should protect your data. These are detailed in 99 articles and you must get a grasp of them as soon as possible as some of them demand profound changes in the way you operate as a business and how your information system is currently designed.
It is worth mentioning as well that there will be budgetary impacts not only due to the compliance project but to the very fact of operating in a GDPR-governed world. As an example, in terms of headcount, you will have to hire and/or designate a Data Privacy Officer to oversee compliance in terms of operations and for all future projects that involve customer data. To speak plainly, it means that 100% of your projects will have to be assessed for GDPR exposure before you can move on with them. This is not optional; it is a mandatory requirement if your organization has more than 250 employees.
Here are five challenges you will face:
- This is not an IT or a security project, it is a corporate and transversal project that will require a lot of input from the various system users, especially on the business side, as only they know if their systems contain regulated data. Moreover, without proper top executive sponsorship, this project won’t be easy to deliver on time; executive support will help ensure every team pitches in.
- You need to map where the regulated data are located across both the business and the information system. As an example, a non-specialist might not understand that applications are not self-contained or autonomous. These applications rely on multi-tiered sets of technology and systems that are on premise and in the cloud, within both your organization and those of your business partners, and are used to consult, transmit, display, query, transform, store, backup and replicate the data. In short, you need to map not only the data itself but also how it travels around, through its entire lifecycle.
- Once you understand the problem and the gaps, you need to figure out how to fill them. This is probably the one challenge where there is a plethora of solutions available to you, should you be willing to buy them. Unfortunately, they don't come cheap, but they can save a lot of time if they are adapted to your specific technology context. Technology such as encryption proxies, which tokenize the data and anonymize specific fields transparently for legitimate users, can save many weeks if not months of software redevelopment.
- Once you have the plan, you need to procure both the technology and the expertise. It's unlikely that your current team has all the required knowledge to implement it on their own. Even if they can, if they haven't started, this is a huge project on top of everything else you already pay them to do. For many of our clients, development was outsourced in the past, hence they don't even have the in-house knowledge of the application to fix this. At the risk of stating the obvious, the sooner you are done with the third challenge, the more time you will have left to fix the situation.
- Manage an important cultural change. GDPR is not only about the information system, it is actually a lot about how we work with the data our customers provide us with. The way people have been working up to now will be impacted. There will be frustration, and unless you’re a large EU organization that has already had similar challenges before GDPR, it won’t be as simple as it was to continue to work ‘as is’. Do not underestimate people’s resistance to change.
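The tokenization and field anonymization mentioned in the third challenge, and the "what data do we need?" minimization question from the earlier lessons-learned post, can be illustrated with a small field-level protection layer. The following Python is an added example written for this page, not Kudelski Security's product or code. All names (`TokenVault`, `protect_record`, `POLICY`, `SAMPLE_RECORD`) and the constructed customer record are assumptions for the demonstration; a real deployment would hold the vault and the pseudonymization key in a separately protected store.

```python
"""Field-level protection of a customer record: tokenize, pseudonymize, keep or drop.

Added example (not from the original article). Shows the difference between
reversible tokenization (random token, mapping kept in a vault that only
entitled callers may consult) and keyed pseudonymization (HMAC, deterministic,
so records stay joinable, but not reversible without the key), plus dropping
fields the downstream use does not need (data minimization).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed policy: one action per field. Anything not listed is dropped,
# which forces the owner of the process to justify every field it keeps.
POLICY = {
    "customer_id": "pseudonymize",  # needed to join records, never shown in clear
    "email": "tokenize",            # legitimate users may reveal it via the vault
    "iban": "tokenize",
    "plan": "keep",                 # not personal data on its own
    # "birth_date" is deliberately absent: not needed for this use, so dropped
}

# Constructed sample input (fictitious person and IBAN-shaped string).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "anna.example@example.org",
    "iban": "CH00 0000 0000 0000 0000 0",
    "plan": "premium",
    "birth_date": "1984-03-02",
}


@dataclass
class TokenVault:
    """Reversible tokenization. The mapping is the sensitive asset: in practice it
    lives in a separate, access-controlled and audited store, not next to the data."""
    _forward: dict = field(default_factory=dict)  # clear value -> token
    _reverse: dict = field(default_factory=dict)  # token -> clear value

    def tokenize(self, value: str) -> str:
        # Same clear value always yields the same token, so referential
        # integrity across records is preserved without leaking the value.
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)  # random, carries no information
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str, authorized: bool) -> str:
        # Authorization decision is made by the caller's policy engine; the vault
        # only enforces the answer. Unauthorized reveals are refused, not logged here.
        if not authorized:
            raise PermissionError("caller is not entitled to clear-text personal data")
        return self._reverse[token]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). Deterministic under one key, so
    records can still be linked; unlinkable to the original without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def protect_record(record: dict, vault: TokenVault, key: bytes, policy: dict = POLICY) -> dict:
    """Apply the policy field by field; unlisted fields are dropped."""
    out = {}
    for name, value in record.items():
        action = policy.get(name, "drop")
        if action == "tokenize":
            out[name] = vault.tokenize(value)
        elif action == "pseudonymize":
            out[name] = pseudonymize(value, key)
        elif action == "keep":
            out[name] = value
        # "drop": field is simply not copied
    return out


def reveal(protected: dict, vault: TokenVault, authorized: bool, policy: dict = POLICY) -> dict:
    """Restore tokenized fields for an entitled user; pseudonymized fields stay as they are."""
    out = dict(protected)
    for name, action in policy.items():
        if action == "tokenize" and name in out:
            out[name] = vault.detokenize(out[name], authorized)
    return out


if __name__ == "__main__":
    vault, key = TokenVault(), b"constructed-demo-key-replace-in-production"
    protected = protect_record(SAMPLE_RECORD, vault, key)
    print("stored form:  ", protected)
    print("entitled view:", reveal(protected, vault, authorized=True))
```

The split between `tokenize` and `pseudonymize` matters for the GDPR discussion above: a pseudonymized field is still personal data if the key exists somewhere in the organization, so the key and the vault mapping need the same access controls and retention decisions as the clear data they stand for, and the `drop` default is what keeps the mapping exercise from growing past what the privacy register actually needs.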
The good news is that you are not alone, and you are not the first organization to face this challenge. There is a lot of best practice and technology readily available, but you had better hurry, because this is not a 3-month project that you can wing by plastering three pieces of software on top of your existing system.
Much like the state of California, the European Community is taking GDPR very seriously. Actually, much more seriously than our American friends, as it regulates how you protect the data rather than only obliging you to "disclose" when there is a breach, and you are in for more than a slap on the wrist if you don't meet your legal obligations.
Should you want to learn more on how we can help you, please do not hesitate to reach out to us.
Martin Dion (CISSP/CISM)
VP EMEA Service Delivery