Professor Thomas Acton:

I thank the Chair and Senator Craughwell. I am with the University of Galway. I agree with everything Professor O'Shea and Dr. McSweeney have just said. If there was ever a topic where we are all on the same hymn sheet, this is certainly one. We need to take a national view of this, and in fact an all-Ireland view.

Coming on stream for us in Galway are two new masters programmes in cybersecurity and the content is cybersecurity-focused. We have the horse blinkers on it. We have a highly technical master's programme in adaptive cybersecurity and we have a business risk management perspective - Senator Craughwell mentioned the crisis management perspective - coming from our business school on cybersecurity. We can take numbers into these programmes and they typically tend to be people coming out of graduate degrees seeking employment pathways in a particular area with a technical background. They tend to be people who will then go out into industry and find themselves taking a number of years to creep up the ladder into positions where they can have significant managerial impact. In that sense, therefore, it is too slow. We produce really capable graduates but we need what Mr. Hyland mentioned as well, namely, the faster-track, skills-based delivery. That feeds into an holistic approach to skills development.

It is almost as if we are back in the 1970s and somebody is asking whether we want to hire the computer person. We are sort of at that point. If we look back now we might say that would have been a good idea and we should have hired as many as possible. This area in cybersecurity needs to become the default thinking for our management, company organisations and behaviours. We have little time in which to do it because the threats are becoming more magnified and far cheaper. That is the key thing. They are so cheap. Ransomware is so cheap, so available and is increasing in frequency. When we look at what some nefarious groups seek to do around cyber, it is incredibly fundamental and basic. All they do is try to pin down three different things. They will try to pin organisations that deal with sensitive information and this helps explains why our health and education systems get hacked. The second one is organisations that have computing systems constructed over decades, such that there are different systems there with some weaknesses in them. Again, we see this across our health services, organisations like our schools, third level education and Government. The third bit that forms a good target is organisations that operate with tight operational budgets. In a sense, that is very worrying because these are the three common denominators that draw attacks like a magnet.

We have our programmes coming on stream and Professor O'Shea has programmes on stream. A core point she made with which I strongly agree is that we are seeing the proliferation of content around cyber that is pretending to be cyber, but actually is not. It is not core cybersecurity skills development, which is what we need to focus on. We need to do it holistically across Ireland and beyond just Ireland as a nation.