Tom Gamali, Group CISO for a leading Middle East organisation operating across seven core business sectors, speaks to Intelligent CISO about the organisation’s ground-breaking partnership with Vectra AI and how this has enabled increased network visibility. He also outlines the company’s strategic priorities when operating with security top of mind.
As a leader in International Trade and Development, what are some of the key cybersecurity concerns in your industry and how do you approach these?
The landscape has changed. Back in the day infrastructure was in a server room so was easier to guard as the international regulations around cybersecurity and data privacy weren’t there.
The supply chain has also changed, so there’s a lot of moving parts. Now, everyone wants to be digital. We’ve seen what happened during COVID and how organisations were resilient during this period, requiring heavy emphasis on digital enablement. So we’re currently seeing these vectors changing or becoming more prominent, which transforms the entire landscape in terms of cybersecurity.
There are a lot of external factors involved, regulation being one. We’re also looking at services coming into the supply chain and the dependency on the supply chain. Companies with technology dependencies also form part of the supply chain so it’s a much harder environment to guard against cyberattacks – in some cases we have no direct control over their environments. It’s also becoming a more regulated environment where we’re now seeing almost every country jurisdiction that we operate in with its own cyber regulations, its own privacy laws.
What are your strategic priorities when it comes to your business approach in terms of operating with security top of mind?
Business engagement is important. I think the modern CISO is someone who is considered a business enabler – someone who can sit around the table with the business, understand what they’re trying to do and be part of the solution in terms of delivering that with the resilience and controls in place which allow the business to operate. There’s a relationship that’s needed with the business. It’s not an IT-centric function.
In terms of cyber prevention, the world has changed slightly. When we consider this from a cyber prevent, detect and respond perspective, we focus on the following: endpoints; network; cloud; and people. I look at those four pillars and that determines my approach. It’s a more holistic approach and I think if you focus well on those four pillars, you have the best chance of maintaining a good cyber posture within your organisation.
How would you define cybersecurity success and how does Vectra AI play a part?
‘Cybersecurity success’ – that could be referring to a company that hasn’t been hacked, hasn’t had any cyber incidents or one that has done what it considers to be correct and has positioned the organisation well in order to either defend or detect and respond to a breach.
For me, one of the key areas of focus is post-breach. You want to feel that the company has done everything possible to A) have potentially prevented it or B) in the manner that it has detected and responded to that attack. Detection is now more important than prevention. We cannot close every hole in our security posture. The nature of software technology services, third-party dependencies, means that there’s always going to be some exposure and that’s what I refer to as the ‘security gap’.
We can build preventative controls right up close to that gap. But there is a gap in between detection and response within the organisation and the manner in which it responds is important. It’s important post-breach to be able to say, ‘we’ve been able to detect and respond in a timely and appropriate manner as an organisation’. You don’t want to be in a position where you’re questioning whether you had all the preventative controls and then discovering that you didn’t. You also don’t want to be in a position where your response is poor. The goal is to come out of an incident feeling that the organisation couldn’t have done any more on the preventative side.
Why did you decide to work with Vectra AI on this occasion and what results have you seen so far?
We wanted a platform that provided as much network visibility as possible. This wasn’t something we wanted to install on a finite number of servers. We wanted something that was able to look at the entire traffic coming in and out of our network or going in and out of our cloud. We knew that the anomaly detection, the use of Machine Learning, would add value in terms of that visibility and vast amounts of data and being able to identify the needle in the haystack – the tiny anomalies and below-radar activities which aren’t detected by traditional systems.
We conducted pilots with three leading companies, Vectra AI being one of them. We looked at the results which demonstrated the gap in our visibility platform in terms of our monitoring platform. We can’t see this on our traditional monitoring platforms and therefore we could see activities and movements which are actionable. What we also liked was that the findings of the POC were potentially very good.
Secondly, the Machine Learning and AI within the platform meant that it was doing a lot of noise reduction, a lot of efficiency gain, from events or alerts to high fidelity alerts or actionable alerts. You could see hundreds of thousands of events, but only 10 or 12 real actionable high-fidelity alerts. That’s the real value add for us.
The Vectra AI platform improves our overall level of assurance and acts as a second layer of security monitoring. We are using an MDR service which allows for the two layers; there’s now two sets of eyes looking at slightly different vectors, monitoring our organisation through different lenses. The fact we know that all the traffic is passing through it and being monitored is something I find quite comforting.
What initial cyber challenges were you facing as a company and how have you worked with Vectra AI to overcome these?
In today’s market there are a lot of security vendors in operation. Therefore, there are an abundance of requirements from a cybersecurity framework. This big marketplace with lots of different tools can get quite complex and we wanted to raise our assurance level in terms of a detection and response capability, using something which would add the best return on investment.
Rather than going out and buying a few different products, when we evaluated where it’s best to spend money and get the best return in terms of assurance, that’s when we started looking at these MDR solutions and that’s where Vectra AI helps us. Vectra AI is a tool or platform that we’ve got in our infrastructure which provides a significant amount of assurance in terms of our strategy.
From a network perspective, Vectra AI really solves our strategy. One of the problems we had was monitoring everything and it has the ability to look at vast amounts of data and really give you the alerts and insights needed to solve the problem.
One of the things we considered is how we can leverage AI technologies, such as Machine Learning, automation etc., to help solve our cybersecurity issue. Human beings are great for emotional-driven decision-making processes, but not so much when it comes to looking at thousands if not millions of bits of data. That’s why AI adds value and then human beings roll with the product.
How has the rate of Digital Transformation in the Middle East been a catalyst for the increasing number of cyberattacks and how does Vectra AI help companies such as yours to tackle this?
In the Gulf – predominantly the epicentre of our operations – the change is rapid. The Kingdom of Saudi Arabia is now in the top two or three countries in cybersecurity in terms of capabilities and maturity and it has worked extremely hard over the last five to 10 years to get to this point. There are also other GCC countries up there in the same bracket.
Everything is becoming digital here in terms of services, companies and partners we work with. A large amount of traffic is therefore entering and exiting the network. The tool is able to see this coming in and from our perspective it’s able to cope with the digitalisation and the enablement we’re seeing in this region. I don’t consider that a challenge in terms of growth as these types of products are designed to scale.
With your extensive experience in the cybersecurity field, what key trends have you seen over the past few years in this region and what do you expect moving forward?
The regulatory compliance on data is coming. Data privacy and data residency is becoming a significant factor. We’re seeing the regulations on cybersecurity that were predominantly with financial services sectors, now being extended across other sectors such as telcos, the listed companies and in fact, any kind of private company of significant operation are now being mandated to meet those same cybersecurity requirements that were initially placed on, for example, regulated entities.
This is good from a CISO perspective because it means they have a regulator that’s going to support the type of targets they need to achieve. Those regulations are very strict in terms of the controls you need to have in place and timeframes when reporting incidents. There’s definitely an adoption of the historic frameworks now for all entities.
How far has this partnership enhanced your cyber-resilience strategy and what does the future hold?
It’s one of the best investments from an assurance perspective. When you look at a single investment and what it does, it’s very difficult to find investments similar to Vectra AI – it’s almost a ‘plug and play’ type technology – put it on the egress and you’ve got a very high level of visibility of everything. This is from a broad perspective of cyber breach, lateral activity and activity going on inside the network that shouldn’t be there. That’s typically what this tool gives you. From an investment perspective, it buys you a lot of assurance. You need as much activity visibility as possible and it’s a key aspect.
Moving forward, I think that the ability to carry out extended detection and response is definitely going to play a part. I see a lot more Machine Learning and AI being integrated, along with being able to carry out more automated responses as we transform and less emphasis on the operators having to deal with that type of thing. I believe automation and response will be included in the response.