Oireachtas Joint and Select Committees
Tuesday, 23 May 2023
Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence
Engagement with the National Cyber Security Centre
Dr. Richard Browne:
It may feel like a short period of time but it does not feel short to me unfortunately. In many ways, we are really only getting warmed up. We have a lot of work in the bank, which is invisible but will become apparent in the next while. I make that about 11 questions but I will answer the Cathaoirleach's very reasonable question as well.
From the outset and going back to 2017, we discussed and got the consent of the Department of Public Expenditure and Reform to create specific grades for the NCSC. Those grades are linked to Civil Service salary grades so they are the normal Civil Service grades but they are specifically designed to be slightly more remunerative than general Civil Service grades. We have also had some flexibility in the past on salary bands so we have been equipped with a lot of flexibility and some baked-in generosity, which is at least partly the reason for our success.
On secondees and the potential for the Defence Forces officer to come back, only one officer has come back so far. He went out with very significant skills in the area and he came back with even more. He has come back into the centre of the CIS Corps where, without giving away anything unduly secret, he is centrally involved in its work around cyber defence and implementing the report of the Commission on the Defence Forces so it is working exactly the way it should. Remember that we had access to this individual all the time he was there. We interacted with him and shared information and he was able to help us with various things. His successor is equally good and is already centrally involved in that. Ms Woods was out there last week for the flag raising and is going next week for a steering committee meeting so we are very heavily involved with the Estonian process.
Regarding legislation, about which the Cathaoirleach asked a very sensible question as well, legislation in our space is particularly complex because it touches on everything. It touches on issues like data protection, human rights, access to information and privacy - all those very significant, complex and important issues - which means that in our case, legislation takes longer. We have a firm commitment in the 2019 strategy for primary legislation. The reason it has taken so long is because NIS2 has come and now we have to do the two together. We then have to do a piece of certification flowing from the EU Cybersecurity Act 2019, which is not an Act and is not really about cybersecurity, but we have to do that too so we are putting a lot in one piece of legislation, which is why it will take a little bit of time. Much of the work on our area is done so we are waiting for the NIS2 stuff to come together in the background.
The 2019 EU regulation requires member states to have a new system in place to deal with certification. Much of this is around things like 5G and cloud. A really significant piece of European work on cloud computing is coming that we will be centrally involved in implementing. We have a newly established team to do that.
There is a question about the type of skills we need in cyber. Two issues flow from the Senator's next question. One is the role of boards while the other is the type of skills we would like to see. We work with a number of entities, including the Institute of Directors, which has a piece coming with our assistance on what boards need to know about cyber. We also have some more public-facing work coming in the next while that will frame aspects of this. I would also point out that NIS2 explicitly requires boards of management - boards in a commercial sense of organisations - to be directly responsible for the cyber security of their organisation. That will cover more than 2,000 entities in the State so those that really matter will be captured by this. To be very blunt, there is nothing like a binding legal requirement to really focus people's attention on the subject.
Regarding skills, I am very much aware of the work Senator Craughwell is doing with a number of different educational entities. We have developed, rolled out and tested a junior cycle short course on cyber and we are now in the process of finding a feature that will become public in the next while.
Skills present a very challenging issue in cybersecurity because the field is so diverse. Cybersecurity is not just about ones and zeros or the hoodie-wearing geeks who can do that binary stuff. It is a much broader set of issues. Leaving aside the ops team, our resilience team has people with backgrounds in compliance. They are essentially IT auditors, for want of a better term. We have people whose focus is on risk management. We have people whose focus is on managing and engaging with entities that may be at risk and working with them to help their systems get better. We have people who perform exercises for a living. It is a much more diverse field than just ones and zeros, but if you do not have those, you cannot do anything. We started with our ops team for that reason. If you cannot do the math, you are at nothing in cybersecurity. You need a diverse set of skills. I agree entirely with the Senator that expecting everyone to arrive in cybersecurity with a master's degree in software engineering, networking or whatever it might be is unwise and unnecessary. We did some work with Skillnet. Its programme has the full range of skills and courses available, from diploma certificates all the way up to PhDs. That is the answer. You do not go after everyone in the world at 18 years of age and try to get them to do science degrees. You go after everyone from 15 or, ideally, 12 years of age all the way up to people in their 60s to ensure that everyone in the workplace has access to the appropriate level of skills and challenges.