Updated Qualifications for CISO Roles in Ukraine
On May 22 at 12:20 PM, Ukraine's government introduced revised qualifications for Chief Information Security Officers (CISOs) in state agencies, stemming from Law 4336 and its associated regulations. Under Part 3 of the newly added Article 5¹ of this law, the State Special Communications Service (Derzhspetszviazok) is tasked with providing methodological guidance on standard requirements for both cybersecurity units and their leaders. It is crucial to note that the specific educational and experience criteria for CISO candidates are not outlined directly in Law 4336 itself, but rather in Cabinet of Ministers Resolution No. 1516. This distinction is key for professionals navigating the new framework.
Education and Experience Prerequisites
Clause 106 of Article 14 of the Law "On Derzhspetszviazok" (as amended by Law 4336) empowers the agency to oversee the professional qualification system. According to the procedure established by Resolution No. 1516, a CISO candidate must hold a higher education degree in one of the following fields:
- Information Security Management (under the "Security and Defense" domain)
- Specializations in "Information Technology" (with priority given to "Cybersecurity and Information Protection")
- Electronics, Electronic Communications, Instrumentation, and Radio Engineering
- Information and Measurement Technologies
- Automation, Computer-Integrated Technologies, and Robotics (under the "Engineering, Manufacturing, and Construction" domain)
- Public Management and Administration (under the "Business, Administration, and Law" domain)
The standard experience requirement is at least 3 years in a relevant field. These experience thresholds are defined in professional standards and methodological recommendations, not within Law 4336 itself.
"These are not 'requirements of Law 4336,' but rather requirements of Procedure No. 1516 and Order No. 798," note representatives from SHERIFF CYBERSECURITY. They further stress: "Such precision in wording reduces the risk of objections during inspections."
Derzhspetszviazok's Order No. 798, dated December 3, 2025, also outlines additional implementation details for these criteria.
Consequently, the updated qualifications for CISOs in Ukraine's state authorities, defined under Law 4336 and its subordinate acts, aim to elevate professional standards in the cybersecurity field.
Enforcing these new CISO requirements represents a significant step toward strengthening the reliability and security of government information systems. This move is expected to bolster defenses against cyber threats, a pressing concern given today's information security challenges. By mandating specific education and work experience, the regulations are designed to cultivate a more skilled workforce capable of effectively countering threats and safeguarding data. These changes could also enhance public trust in state institutions' ability to protect sensitive information.