Building Effective Cyber ResilienceMiddle Eastern CISOs Discuss Critical Steps
Building an effective cyber resilience strategy requires implementing the right controls and using a collaborative approach, a panel of experts from the Middle East said at the RSA Conference 2021.
The panel on ‘Building Cyber Resilience-Considerations for CISOs’ was moderated by Tamer Charife, partner, Risk Advisory, Deloitte.
Abeer Khedr, information security director at National Bank of Egypt, noted: "The constantly evolving threat landscape is targeting the banking sector owing to its digital innovations. And as a result, CISOs need to go beyond the checklist approach and ensure controls are effectively designed and operational in achieving the required resilience."
Enhancing Security Programs
The panelists discussed how to enhance security programs to support business goals.
"Creating a cyber hygiene culture is very critical for CISOs, particularly taking into account the people, process and technology components and in particular a collaborative mindset to speak the common language that is key to thrive in these challenging times," said Dr. Reem Al-Shammari, digital transformation leader of corporate solutions and digital oil fields, Kuwait Oil Co.
To build an effective cyber resilient program, "CISOs need to be ready to … think like an adversary and anticipate disruptions as a first step and make the attack expensive and difficult for the threat actors by constantly revisiting their technology control stack," said Arwa Alhamad, cybersecurity enablement director, Saudi Telecom Co.
"We have been stacking technology for years to get service out as soon as possible, which is the debt we need to pay now by reviewing the security of existing systems," Alhamad said.
Biju Hameed, director, technology infrastructure and operations for Dubai Airports, said CISOs need to consider three components to build an effective resilience program: cybersecurity, risk management and enterprise resilience.
"To achieve the required cyber resiliency, it is imperative for them to communicate, collaborate and contextualize the risks and threats of the organization and be able to build rapid recovery program which is possible only by empowering the various functions," Hameed said.
Egypt Bank's Khedr added: "An effective defense-in-depth strategy to implement programs to spot control failures and minimize the impact of incident impact will help in establishing better resiliency."
Supply Chain Threat: Role of Technology
Experts believe that supply chain attacks form the most significant threat for most enterprises in the current situation. It is a question of trust that you have with the partners in building the necessary resiliency.
Khedr rightly says that the SolarWinds attacks, which stand testimony to the supply chain attacks, resulted from a failure at multiple levels. She says CISOs need to establish a good communication process and continuously monitor the command servers and detection controls and revisit the applied controls to avoid such attacks.
STC's Alhamad points that about 78% of the attacks that the sector witnessed, two-thirds have been due to third-party vulnerabilities. "While it is not a viable proposition not to work with third-party vendors, CISOs need to work on a mitigation plan by understanding the risk appetite of the organization and build appropriate controls," she says.
Dubai Airport's Hameed says the CISOs need to redefine the rules of engagement with their partners as intelligence is taking a bigger role. "While emerging technologies is no longer a definitive perimeter in preventing such threats, organizations need to adopt concepts of virtual augmentation and virtual reality and embed artificial intelligence and machine learning as necessary to derive the attack patterns, which is one way to respond to such attacks."
To make one's enterprise cyber resilient, CISOs need to use the increased role of RPI, machine learning, while automating and orchestrating with time and sequence of the sensitive tasks, as a self-response or self-healing initiative, says Hameed.
In my experience, I have seen enterprises deploying Quantum computing, 'zero trust' framework, and AI and ML for certain product operations and research functions to detect threats that go a long way in building cyber resilience, says ALShammari.
Leadership and Collaboration
The panel says CISOs need to focus on leadership and collaboration, the critical factors in establishing business resilience, supported by matured technologies.
Alshammari speaks her experience at Kuwait Oil Company about how a CISO is given the charge of business transformation and responsible for securing the businesses.
"We as CISOs need to re-engineer the process and change the mindset to do the walk the talk with the top management and building the trust within the organization," says Alshammari.
Alhamad says the key challenge for CISOs is communication who live in an illusion that the matter is communicated and fail to see a big picture, internal strategy, or organization's financial agenda.
' Failing to communicate to the leaders about an incident would impact how the incident is handled, which could be worse than the impact of the incident itself," says Alhamad.
The panel recommends CISOs drive the threat information sharing process with a robust collaborative approach that helps in raising defenses against attacks.
Hameed advocates measuring and defining the people, process, and technology, and aligning with OT is critical as it plays a bigger role in identifying risks and clearly articulating the context for a collective outcome, which helps build resiliency.