Information security is changing rapidly. Security incidents are occurring more often and with increased financial or reputational impact. At the same time, resources for security and IT remain nearly constant. How do we do more with less? How do we govern in a rapidly changing environment? How can we be more in tune with the needs of the business and make security a driver of change rather than a box to check?
With a packed agenda, including two specialised roundtables covering the banking and finance, and aviation and logistics sectors, the half-day conference provided attendees with insightful and valuable information that is vital to proactive security measures in regional enterprises.
The event was kicked off by Sudhir Menon, Senior Manager, Product Marketing and Security, Etisalat, who gave the audience practical tips on developing a credible security strategy to combat the new breed of threats.
“The motivation and sophistication behind attacks have changed, and there is a paradigm shift in the security landscape. For CIOs, there are many challenges from increased sophistication to lack of budget to maintaining security and integrating multiple systems from multiple vendors. To deal with these challenges, you need to bring security to the board room and go back to basics,” he said.
Ahmed Baig, Manager, Information Security and Compliance, DWTC, gave a lowdown on how exactly the threat landscape is changing in his presentation. “In the past decade, attackers targeted companies at random, but today the identification mechanisms have changed; they know exactly who they want to attack. And many compromised organisations realise that they have been attacked only after 6 months.”
The evolving role of the CISO as a C-level executive who needs to strike a balance between technology and business needs was also a hot topic of discussion at the conference. Biju Hameed, ICT Security Manager, Dubai Airports, put matters into perspective and said there are three Cs to corporate infosec intelligence – collaboration, correlation and communications. “There is a necessity for people in specific business lines to start talking to each other. Contextualising information within the organisation itself is important from a security viewpoint and focus is shifting to applications and people,” he added.
In the wake of many highly sophisticated, targeted attacks in the region, Middle East organisations are paying much more attention to data leakage prevention. It’s something that business and IT must work on together. This hot topic was tackled by Illyas Kooliyankal, CISO, ADS Securities.
“To start with the data leakage process, there needs to be a holistic approach based on a risk assessment – cost and benefit analysis. You need to understand existing security architecture and create use cases. You need to get the right people on board, define the right approach – not IT or information security requirement – but business value,” he said.
Developing an incident management plan, and ensuring that it aligns to the organisation’s goals and needs, as well as existing policy and compliance regulations, can be a daunting task for security professionals. Hariprasad Chede, Senior Manager, Information Security, National Bank of Fujairah, gave attendees practical tips on incident handling, and said, “Information flows between people through organisations and networks in much the same way that water flows through a metropolis. You need to be able to access and trust the information you need. If information doesn’t flow and is not fresh, we need to flush it out. When an incident happens, trust your technical leaders and do not second guess technical decisions.”
The in-depth presentations were followed by a panel discussion on the evolving threat landscape and steps to a proactive security strategy. With the ever-evolving threat landscape and changing nature of attacks, panellists agreed unanimously that there is an urgent need for enterprises to rethink their defensive postures.