Security Expert Interview Series: Dominic Vogel
As Founder and Chief Strategist at CyberSC, Dominic Vogel holds a proven track record within cyber security across a multitude of industries (financial services, logistics, transportation, healthcare, government, telecommunications, and critical infrastructure). Dominic actively participates in the Vancouver security community and is a well-respected cyber security expert who has appeared on news outlets across North America and internationally on BBC World News. He focuses much of his energy on providing strategic security leadership to technology start-ups and small/midsize businesses to proactively solve their cyber risk challenges. He strives to provide practical cyber security advice to his clients and actively turns the security consulting world upside down. Now, enjoy the full interview below.
1. Firstly, thank you for taking part in this campaign, Dominic. How did you first get involved with information security? Could you share a project or inspiration with us that prompted your involvement?
Really appreciate the opportunity to share my story with you! I read Information Security Magazine when I was in university and I found it fascinating. I pursued a career in information security right after graduation.
2. Based on your experience, what are the 3 most important non-technical traits cyber security managers and leaders need to possess to be successful?
Empathy first and foremost. Every great leader needs to be able to lead with empathy. If they cannot connect with their people on an empathetic level, their team will not be successful. The next one would be active listening. Great leaders are active listeners and not advice monsters. They resist the urge to lead through constant advice-giving; instead, they rely on actively listening. The third one is relationship building. Leaders that are able to build trusted, meaningful relationships with people outside of the IT/security team are able to elevate the security function in their organization.
3. What are the security skills that will be in demand in 2022?
Cloud, cloud, cloud. Having security experience with Azure and AWS is incredibly in-demand and that demand is growing rapidly. Knowing how to securely set up Azure and AWS, best practices, and secure configurations is a major plus!
4. What advice would you share with information security leaders and CISOs when it comes to communicating an ROI for security investments to other stakeholders?
I am not a big fan of trying to make an ROI case for security investments. Instead, I believe focusing conversations around risk management and empowering business opportunities (and how that affects bottom-line revenue) are more powerful narratives that resonate with business and other non-technical executives. If investing in cyber security empowers your organization to be able to sell its platform/widget/service faster/quicker than your competitor, that serves as a critical advantage.
5. How many times per year do you believe the cyber security training for employees must occur?
Training needs to move beyond the traditional “once a year” format. That approach is very checklist/compliance-driven. It doesn’t really lead to positive behavioral change. I find that taking the continuous “drip” approach – perhaps every two weeks a short 1-minute cyber security awareness video is sent to employees. That continuous drip approach is cumulative. That is then combined with monthly phishing and quarterly “longer” video sessions and forums for asking questions. The focus needs to be on achieving more positive security outcomes more frequently.
6. What significant changes do you see occurring within the information security market over the next 3 to 5 years?
Mass consolidation on the vendor side. I think we are going to see some security megacorps arise in the coming years. The job market is extremely favorable right now – if there’s a career to pursue, information security is definitely one to get into!!
7. Our last question: What has been the most important security lesson you have learned in 2021 through your work in information security?
Doubling down on vendor risk/third-party risk/supply chain risk management. Rigorously assessing the security capabilities and maturity of your key vendors is rapidly becoming a key component of an effective cyber security program. This is an area that more organizations need to double down on and expand.