Sam Olyaei, senior principal analyst and conference chair, Gartner, discusses how security and risk strategies have evolved in the digital age.
How is the security landscape different today as compared to two years ago?
Today, we are seeing increased complexity in the security landscape. This is because there are currently more tools, threats and cyber-attacks in the market. In addition, there is now much more malice in the attack landscape. Years ago, hacking was more about learning but now it has been weaponised for political and financial gains. New and different kinds of attacks have been emerging since late 2017. We’re seeing more financially motivated attacks and a big uptick in damaging ransomware.
In terms of changes in the landscape, the transition to cloud continues, bringing new opportunities as well as challenges. While this evolution has made a significant impact in the Middle East, many business leaders have been hesitant to adopt a cloud-first strategy due to privacy and security concerns. Over time, resistance to cloud adoption has diminished, especially with the opening of multiple data centres by the Tier 1 CSPs, but cloud security remains a big concern due to visibility issues.
Another issue that security leaders need to keep an eye on is the skills shortage. Business and IT leaders need to work on strategies to bridge the talent gaps within the organisation. CISOs will need to be proactive in that area through training, development, taking advantage of gamification and alternative means of upskilling their function.
C-level executives, especially those who are handling security and risk management roles, have also become more involved in developing cyber defence strategies. This is primarily due to increased regulations, which stipulate that business leaders should be held liable for cyber incidents.
Lastly, the topic of privacy is one that continues to ignite strong debates within the public and private sectors. The introduction of GDPR has opened the region up to scrutiny unlike anything seen before, and more governments are starting to adopt data protection laws that seek to protect consumer information and other personally identifiable information. The GCC has unique complications due to the geographic and political landscape of the region, but ultimately it is no different. In the UAE, the government has introduced plans to have a data protection law by the end of 2020, and soon the Kingdom of Saudi Arabia will follow, while Bahrain has had a formal data protection law in place for a number of years now.
Why do you think organisations remain vulnerable to cyber threats despite the emergence of advanced security technologies?
Security needs to be more focused on business problems and be part of the conversation earlier in the strategic planning process. Security teams are often still playing catch up, working to solve yesterday’s problems instead of laying the groundwork to secure the next digital initiative while it’s still in the planning stages.
In the digital age, security is everybody’s responsibility. Security and risk need to be integrated into the fabric of the enterprise. It’s not about being an alarmist or putting the brakes on innovation, but about improving communication between the business and security and risk leaders. It’s also about shifting the organisational culture to make security and risk core values.
How have risk management strategies evolved?
As organisations embrace digital technologies, they become exposed to all kinds of risks inherent to the endeavour.
Hence, we are seeing that people’s perspective on risk is broadening. In the past, we used to view various risks in silos – technology risk, compliance risk, audit risk and operational risk. Today, we’re seeing a desire on the part of business leaders to take a more holistic approach to risk management. The idea is to clearly and defensibly connect the risk elements to business challenges and do so in a practical way.
Many organisations should eye greater business resilience along with business continuity. They need to focus on developing strategies that will enable them to bounce back from a cyber incident rather than simply recovering from a disruption.
How can security and risk teams keep up with emerging technologies and digital business transformation?
It comes down to embedding security and risk awareness into the organisational culture. Today, speed and agility are critical. Organisations need to take a holistic approach to security and risk to be more adaptable and able to seize new opportunities.
Business leaders need a mandate, a strategy, a governance programme, an architecture of technologies, a catalogue of formalised processes, and the right skillsets to be able to stay ahead of the curve when it comes to digital transformation.