How CISOs can reduce risk

Cyberthreats are increasing in volume and complexity across the Middle East. To be ahead of the game, Chief Information Security Officers (CISOs) need to continuously review their cybersecurity processes and practices to ensure that adequate and effective systems are in place. Dr Erdal Ozkaya, Regional Chief Information Security Officer, Standard Chartered Bank, with more than 20 years of experience in cybersecurity, gives Intelligent CIO Middle East personal insights and tips for fellow CISOs in the region on how to create a safer business environment in their organisations.

The role of chief information security officer (CISO) is not what it was five or 10 years ago. According to those who find themselves in the role today, that’s not necessarily a bad thing.

In the past, chief security officers (CSOs) were often over-glorified IT security administrators, babysitting the firewalls, arguing with software vendors over botched antivirus signature updates and cleaning spyware off infected laptops and desktop PCs. True, that’s still the role some CSOs in the Middle East region find themselves in, but for the majority the responsibility has shifted to looking at the big picture and designing the programme that balances acceptable risks against the unacceptable.

In an ideal world, today’s CISO hires someone else to handle all those technical security tasks. Of course, the question is whether you can inspire them to do what you once had to do or if you’ll turn them off with an attitude of superiority.

Talk us through the role of a CISO and how you see enterprises in the Middle East protecting their digital assets.

Being a CISO used to be a hard-core cybersecurity role; however, the function of the CISO now involves much more business leadership and risk management. Today, a CISO must be able to help executives at C-suite level to understand risk as it is about bits. CISOs in any enterprise organisation in the Middle East must have the skills to explain security to non-techies, build and maintain critical relationships and communicate at both senior and operational levels. Soft skills are critical to evangelising security initiatives and celebrating wins, which need to be expressed as business outcomes.

Cybersecurity is gaining importance due to the increased number of cyberattacks and the huge losses that victims are reporting. However, in many organisations the implementation of cybersecurity comes as a consequence of a threat or an attack. Organisations can decide to mount reactive, proactive and operational cyberdefences, or a combination of the three, depending on financial capabilities and levels of exposure to threats. A CISO will go through the three types of approaches to implementing cybersecurity and help the organisation to choose the optimal cyberdefence strategy.

A CISO usually spends his or her time dealing with cyber-risk, security operations, data loss and fraud prevention, planning, buying and rolling out security hardware and software, identity and access management, programme management such as analysing security needs by implementing programmes or projects that mitigate risks, regular system patches, investigations and forensics, and governance depending on the organisation’s regulations.

What are some of the best ways to foster an atmosphere of innovation within big organisations in the Middle East?

Everything starts with having and building a team which can relay, a team that can take ownership of client problems, a team that can benchmark against the best. As a leader, a CISO’s prime focus should be to create a culture of innovation and build effective teams which can focus on the work that needs to be done. We need to embrace experimentation and risk, as well as listen to the teams we build and challenge them as necessary. If you can empower your team with a leadership that inspires and values them, the innovation-fostering atmosphere will eventually manifest itself.

In the Middle East the banking and financial services sector is huge, yet offerings don’t really seem to have evolved beyond basic services online. What are some of the key things you would say to banks and financial services firms on how to build the atmosphere of innovation? How do you change that culture within the banking and financial services sector in the Middle East?

This might have been the case before the COVID-19 pandemic, but now I am seeing many banks speed up their Digital Transformation to be able to serve their customers with the best experiences. As I am in touch with many CISOs in the Middle East region, I can gladly say that all banks are doing their best to offer their customers the best security services, together with innovative offerings around the core banking products and services. For sure some do it better than others.

What are some of the security challenges when emerging technologies like Internet of Things, Artificial Intelligence, Machine Learning, etc. are not very standardised, yet big organisations in the Middle East are adopting them?

Every medallion has two sides. While technologies like Internet of Things, Artificial Intelligence and Machine Learning bring many benefits for sure, technologies that are deployed in any enterprise environment and are not properly secured can pose many risks to an organisation. I am sure most people in the regional IT industry will remember the big Internet of Things DDoS attack that happened just last year. Using emerging technologies, or any other technology, as is, without taking care of cybersecurity, can make you as the CISO and your organisation pay a huge bill, like losing credibility, customer trust and of course money.

The role of a CISO is evolving, with more C-level and business line executives getting involved in making IT and technology purchasing decisions and formulating the overall IT strategy for the business. How hard is it for a CISO to get the correct support from his or her peers?

Earlier I alluded to the fact that CISOs must have the skills to explain security to non-techies, build and maintain critical relationships, and communicate at both senior and operational levels. Soft skills are critical to evangelising the agenda and celebrating wins, which need to be expressed as business outcomes. The CISOs who can develop those skills can ‘sell security’ to their peers and other business line executives.

To be very honest, all those cyberattacks that are happening regularly are also making it a bit easier for us to get the right support. It’s all about building the right cybersecurity strategy for the whole organisation.

A cybersecurity strategy is a plan for managing organisational security risk according to a defined risk tolerance, so that the organisation can meet its business and organisational objectives and goals. In addition, the cybersecurity strategy shouldn’t focus on being as secure as possible, but on being as secure as necessary, and for that to happen you must balance security investments to keep security assurances strong.

Once you do that, then you also need to understand the ‘threat actor factor’. Sophisticated attackers will only choose avenues that they can exploit successfully. If you look for the weakest links, know your vulnerabilities, try not to have any misconfigurations, minimise human error and have good vendors you can trust, you should be okay, and this will build even more confidence in getting the right support from the business as well as the IT teams.

How are enterprise organisations building the next generation of IT leaders in the Middle East?

There is a unique trend that is being witnessed the world over in the job market. While the overall number of jobs in different industries is rising, the technology industry is seeing one of the highest rates of job growth. In some countries, it is expected that by 2020 the number of IT jobs will outweigh the supply of people with the skills to take them up. It is evident that the world is leaning more toward technology and that this is opening up opportunities for those skilled in different technologies. Therefore the future is more promising for those that invest time to learn IT skills today.

Human resources departments are having to deal with the scarcity of tech skills in the Middle East market. While this is bad for recruiters, it is good news to people that pick up essential tech skills. There are many mitigating factors that are making IT professionals become quickly accepted into the market. I believe there are different paths that someone can take in their IT career. While most careers in IT are good, there are some that are limited or might face sudden death in the near future as well. Therefore, caution must be taken when choosing the right path in the tech industry.

Senior IT managers such as CIOs and CISOs need to focus on having the right talent throughout their organisations, while having the responsibility to build strong leaders well-positioned for success now and in the years ahead.

Effective IT leadership needs talent that is upskilled and participation from all in the Middle East tech sector. How are you overcoming the “what’s in it for me” problem, especially in the cybersecurity space?

As members of a digital, networked society, we shouldn’t simply be aware of our problems. Rather, we should be fixing them. We often fail to do that, though, choosing instead to just accept bad outcomes rather than addressing their root causes.

This is completely understandable when you think about the fact that security problems often seem insurmountable. What can we as individuals do, even if it’s just to protect our own personal information? There are too many points of failure, too many factors that are out of one person’s hands.

So rather than struggle independently with rudimentary tools and limited help from others, the most logical choice is to shift our focus and embrace a new standard: a culture of cybersecurity. To put it another way, we need a collective effort to share valuable security knowledge, strategies, best practices and more with our fellow digital citizens. If we want effective cybersecurity, we all have to play a part.

There’s some truth in saying that laziness is a key element of human nature, but that excuse is too simplistic and dismissive. It’s not that we can’t be bothered to exercise due diligence, it’s that we haven’t been properly motivated. “What’s in it for me?” is a fundamental unspoken question of cybersecurity, one that demands our attention.

When we cast blame on average users for failing to regularly change their many passwords across many different sites and systems, we seem averse to understanding why they’ve failed to do so. Only when it is too late, when users’ own identities are stolen, do they acknowledge the importance of such a security practice.

What impetus did they have to incorporate this practice sooner, though? Too often, they’ve simply been told what to do without truly understanding why they need to do it.

The key to fostering this culture is substance. One of the most substantive ways to inspire others to be proactive is to get them to relate to the situation. People often fall into the trap of thinking about their computer use too abstractly, as if what they do online is far removed from the actual real-world consequences. To get them to understand the gravity of their digital actions, we need to get them to shed this outdated mode of thinking.

How should big organisations in the Middle East be guiding customers on their journeys of providing smart, innovative and dynamic online services in various industry verticals as they rollout their Digital Transformation strategies?

There are so many innovations happening, especially in the last decade. These innovations, digital services and operations are raising the competitive bar in every sector. It is the leader’s job to capture the opportunity by embracing a new operating model that dramatically improves the digital customer experience. I will refer here back to the word strategy. While a cybersecurity strategy can help your organisation to stay secure, having a Digital Transformation strategy will help your company to empower end-user customers. If you can leverage a multi-channel approach to distribute customised, consistent content and engage your customers, you will be in a strong position to not only make them feel good, but you can rest assured that they will come back because they have liked the experience.

How has the COVID-19 pandemic raised the whole issue of security, as most companies have been forced to have their employees work remotely, exposing their company IT infrastructure to vulnerabilities and possible cyberattacks?

I am sure most people saw the awesome caricature which was shared everywhere on various social media platforms. In the caricature, a question was asked: “Who is leading your Digital Transformation?” In a multiple-choice answer format, the following were listed as possible options: CEO, CIO, CISO and COVID-19. Of course the correct answer was COVID-19. The point of the caricature was that, because of the COVID-19 pandemic, the whole question of IT security has been put back into the spotlight at corporation and individual level.

As most people and organisations are aware, the COVID-19 pandemic is and will be used by cybercriminals to try to scam people out of their money and data and to gain access to the IT systems and networks of organisations. While companies have had to embrace working from home, here is what everyone should be doing:

Exercise critical thinking and vigilance when you receive phone calls, messages and emails.

Exercise caution when opening messages or attachments, or clicking on links, from unknown senders.

Be wary of any requests for personal details, passwords or bank details, particularly if the message conveys a sense of urgency.

If in any doubt of the communicator’s identity, delay any immediate action. Re-establish communication later using contact methods that you have sourced yourself.

Let me repeat: cybersecurity is everyone’s job, but as a CISO it’s your job to monitor and enforce your employees’ cyber hygiene, implement multi-factor authentication, keep your software and operating systems updated, keep up your data loss prevention controls, use a Virtual Private Network (VPN), put your security operations on guard, keep employees informed about threats, use strong and unique passphrases and, of course, be aware and create a community that can speak up.

How do you see the role of CISO evolving in the next two to five years in the Middle East?

As pointed out earlier, the CISO role has changed a lot in the last decade and I am sure it will evolve in the near future. As organisations move to the cloud business model, some services are outsourced to managed services providers (MSPs) and channel partners. With technologies like Machine Learning and Artificial Intelligence getting broader enterprise-wide adoption and acceptance, the impact of this technology maturity will also see the CISO role adjust in the Middle East market.
