To many, Naimish Shah’s job title may seem a foreign concept. Emirates NBD’s Vice President of Enterprise Architecture, Information Security and Innovation has to balance two key top-line agendas which are in constant conflict with one another.
Security and innovation. One is about limiting the threat of toxic hazards to an organisation, the other about taking calculated gambles for contemporary business performance. Risk versus reward.
Naimish Shah’s role may seem a paradox to some. The concepts of security and innovation appear to be at complete odds with each other, but Emirates NBD’s senior management team have decided to entrust him with the stewardship of both. How does he marry the pair? “We think combining the leadership of the two portfolios achieves a certain balance,” he says. “My security hat won’t let us take undue risk, so if the innovation aspect of our work goes wrong, the buck stops with me. It’s certainly a unique structure, but it achieves an effective, transparent compromise.”
Although Shah is in no doubt that he has the backing of Emirates NBD’s senior management, he nonetheless concedes that his role brings a number of inevitable challenges. “There is always one question that I dread when dealing with key stakeholders,” he says. “’Are you secure?’ has no easy answer. You can’t tell them we are or aren’t, or that we don’t know, so all I can ever say is that there’s no such thing as 100 percent guaranteed security. There are always unknown factors, but the best we can do is be prepared in our processes, response capabilities and in the skill of our team, as well as having effective mitigation plans where we are ready to kill the chain. It’s important to remain calm in these situations.”
In spite of the tight security net that Shah casts, he is nonetheless alarmed at what he perceives as widespread complacency in the region. “People fall into the trap of looking at past statistics regarding security breaches in the Middle East – which are reasonably favourable,” he says. “This is totally misleading. The reality is that security attacks are inevitable and we are not as well prepared as we need to be. Data from more developed markets, such as the US, Europe and Asia-Pacific is an indication of what is to come here. We need to use that data to take a proactive approach.”
With the Middle East – and the UAE, in particular – having come on in leaps and bounds in terms of overall infrastructure development in recent decades, Shah believes it is only a matter of time before full-scale assaults hit home. “The UAE is still yet to fully feature in the limelight,” he says. “This country has become a hotspot – a trade and travel hub that is the Middle East and North Africa’s equivalent of Singapore – and along with the Expo 2020 announcement and all the other progress the country has made, it has become a honeypot for attackers.”
The impending threats that the region stands to face have convinced Shah that IT security must be taken more seriously by executive figures. “We don’t believe that the senior management of most organisations – especially banks – view IT security as a topline agenda topic. They should,” he says. “We believe that security is as important as digitalisation; security enables digitalisation, and digitalisation will power businesses in the near future. They are two inextricably linked pillars.” However, Shah remains optimistic that the role of the CISO is bound to gain prominence in the coming years. “I certainly think the CISO will become an adviser to the CEO across industries. In the last three or four years within Emirates NBD, Information Security has had a seat within the steering committee, and the information security committee has become a mandatory monthly meeting.”
In order to keep his staff on their toes in their security-related work, Shah insists on a mindset of ‘productive paranoia’. “Complacency is a CIO’s worst nightmare,” he says. “There may not be a panic or a fire right now, but it’s safest to always think something is wrong. Shallow waters run deep. I always say to my team that on a daily basis, they need to think like hackers – to consider the moves they would take, or would have taken in any given situation.”
As the IT security industry faces a worldwide shortage of end-user professionals, Shah is determined to ensure his team remains mentally fresh in order to keep up their motivation and vigilance. “It’s easy for bright security pros to get bored when they sit in front of a screen for eight hours and nothing happens,” he says. As part of his innovation work, Shah encourages his employees to think outside of the box. “We tell them to focus on creative solutions around ten percent of the time. We want them to think of new concepts and objectives in terms of processes and technology; ideas for new implementations in our department. We make an effort to retain staff by giving them the right training and job motivation. I believe the culture within Emirates NBD is a big factor in our employee retention.”
In terms of fulfilling his innovation mandate, Shah is driving initiatives on several fronts for Emirates NBD, including in retail and corporate banking and the company’s operations. The company is also aligning with the UAE’s upcoming Innovation Week, due to take place from 22nd to 28th November. “We’re planning our Innovation Day for the occasion,” he says. “We’ve created a platform for employees to pitch a prototype for an idea to our IT panel. The top three ideas will be implemented.”
Shah also believes that Big Data is will inevitably impact his role, and will force new approaches. “In the next three years, the Internet of Things and the vast amounts of data, will necessitate proactive mitigation,” he says. “It will need a combination of passion for the industry and the right mindset – productive paranoia.”