GBM is the leading end-to-end solution provider, offering the region’s broadest digital solutions portfolio, including digital infrastructure, digital business solutions, security and services. In a detailed interview with Anita Joseph, Hani Nofal, Vice President of GBM Digital Infrastructure Solutions, discusses the need for digital trust to underpin the security architecture of organisations. A Security Advisor exclusive.
In the context of today’s accelerated digital transformation, would you agree that security is the biggest challenge?
Yes, I’d say it is. Digital transformation does indeed bring in many security challenges, since data is growing exponentially, in both value and volume. In fact, data is the cornerstone of digital transformation, driving businesses to tap into its potential and use its power to compete in the changing marketplace. However, this process of digital transformation exposes data to greater security risks, and cyber criminals are keen to exploit its value through theft, fraud, ransomware and other kinds of cyber-attacks.
This is what gets organisations trapped in a “digital deadlock,” which keeps them from successfully transforming. So, organisations need to embrace opportunities for digital transformation, while keeping themselves, their data and their customers protected. How do they do it? The answer is, naturally, through effective cybersecurity.
However, designing and implementing a security strategy and architecture to meet the needs of data-driven organisations is easier said than done. Organisations in the region need to be fully equipped to meet the security challenges brought about by digital transformation.
It’s not just enough to transform, it’s important to transform securely. How is GBM helping companies in their digital transformation journey?
With the acceleration of digital transformation, organisations are leveraging technology to redesign customer and employee engagement, transform operations and adopt new business models to address rapidly changing industry dynamics and user needs. As organisations reshape themselves to adapt to the expanding digital economy, building resilience and trust into the digital experiences of customers, employees and partners is becoming increasingly critical.
There is a realisation now that security needs to be central to the digital architecture of the future enterprise to engender trust and resilience.
However, developing a digital strategy where security is “baked in” and not “bolted on” is challenging, and requires an understanding of risks across all facets of the enterprise and attention to building comprehensive security strategies to address them. At GBM, we help organisations build these security strategies.
In our annual security report last year, we found out that the top 5 focus areas for security initiatives were data security, secure remote access & connectivity, cloud security, identity & access management and endpoint device management. We have the capabilities and expertise to develop an integrated approach to all aspects of security for organisations: from creating a holistic data security outlook, simplifying cloud security, modernising network security, strengthening identity and access management, aiming for near-real time threat detection and response to securing the application lifecycle.
What is digital trust and what is security’s role in ensuring trust?
With work from home and hybrid business strategies gaining traction since the pandemic, the cost of a data breach increased by 9.4% during the past year in Saudi Arabia and the UAE. This resulted, on average, in a loss of $6.53 million per breach, in addition to business disruption and a negative brand image.
Digital trust is the confidence users have in the ability of people, businesses and governments to create a secure digital world. It creates a bond between customers and organisations that assures the customers that they will receive what they need in a safe, secure and reliable manner. Organisations aim to gain digital trust from consumers and use this goal to digitally transform themselves and create greater confidence in security, safety, privacy and reliability among consumers.
Digital trust is built up over time based upon our actions, processes and, in the case of businesses, our ability to fully address the business risks that cyber threats bring with them.
Organisations need to include cybersecurity at the heart of digital trust. This helps to ensure that the organisation is not avoiding security measures just to get their service or device on the market. By aligning the cyber security investments to the desired business outcome of trust-enabled commerce, we can more clearly understand the importance and value of our cybersecurity investments even if we have not experienced a hack.
It’s also important to highlight that the tools we invest in for security need to evolve from perimeter security to one of distributed integrity, one component of which is the currently popular Zero Trust model, where we have a better understanding of high and low risk areas and can adjust our monitoring focus. Adopting the zero-trust model decreases the number of opportunities a hacker has to access secure content by limiting who has privileged access to different machines or segments of the network.
GBM’s Security Report 2022, which will be launched soon, dives deep into how security should be central to discussions on digital trust.
How does digital trust impact the wider society?
Digital Trust is the conversation that we need to be having across all levels of society, which includes individuals, businesses and governments.
There is a growing need to monitor critical assets and systems, better sense when unexpected activities take place and take the right type of action to respond to a full-scale breach before it can manifest itself. Achieving this trust requires a “partnership” between individuals, businesses and governments. In this cyberwar, the partners as a group are on one side, while the threat actors are on the other. We need to align the expectations of each partner and look carefully at what each of them requires:
- Individuals have the desire to have instant online secure access to their favourite products and services
- Governments have the desire to protect their populations and commerce
- Businesses have the desire to profitably serve customers
Now, all three groups have roles to play in the goal of engendering mutual online trust that benefits all of society, whilst reducing the opportunities for threat actors to negatively impact any of us.
Let’s begin at the individual level. The pandemic forced many people to work remotely and many people used telemedicine for the first time. Similarly, the use of video conferencing apps skyrocketed. These changes brought many security risks that most people weren’t aware of. So, now, individuals should, more than ever, be careful about what they share online; employees especially have an extra fiduciary responsibility to ensure they do not become the threat vector for their employers. According to the GBM Security Report 2020, 66% of organisations found that managing identities and access of end users was a challenge, especially in multi-hybrid cloud environments.
For business users, the implication of a breach is more significant. Aside from the data concerns, there are significant operational and even potential life-threatening concerns to take into consideration. Recent research suggests that one third of all organisations in the Gulf are experiencing revenue slowdown, in which case the costs associated with a breach could have a more negative impact. That’s why the digital trust concept is now more crucial than ever because organisations cannot afford to lose customer trust or fall victim to a breach.
Now let’s move to governments. They play an important role as facilitators of how data is governed to protect the rights of businesses and individuals, while driving economic growth and social good. The digital-first mindset of businesses and governments in the Gulf has also increased awareness about the way data is collected, processed, stored, shared and maintained. Over the last decade, there have been a number of new laws passed in the region to regulate data governance, like the DIFC Data Protection Law in the UAE and the Personal Data Protection Law in the Kingdom of Bahrain.
What will 2022 bring to the Gulf region in terms of cybersecurity challenges?
Organisations are now seriously considering how they will respond to a cyber-attack or breach, whilst maintaining the trust of their community. They have reprioritised risks post the pandemic. In our security report we identified 8 key risks that radically shifted in priority for Gulf organisations. The top risks include growing end-user security risks, risk of cloud security breaches, growing identity risks, risk of data and service availability in distributed environments, risk of internal delays to incident response and data and privacy risks due to unsecured applications. These concerns are the main drivers of security investment focus areas which we uncovered in our report. Organisations are now planning to focus on data security, secure remote access, cloud security, identity & access management and endpoint device management in their investment plans, which are clear reflections of the risks reprioritised.
Data security tops the list of concerns, and for a very good reason. Traditionally, data management has been the role of the storage team, however this group have never been formally tasked with responsibility for the security of data. Likewise, the cybersecurity team has traditionally been responsible for securing systems, network and applications. We are at a pivotal point in data management and cyber security where organisations must decide where this responsibility lies. Mature data management is a complicated issue; hot, warm and cold data of varying degrees of business and compliance importance exist both on and off-premise.
For cybersecurity professionals, the move to cloud has revealed the need to consider data security, as well as some new legislations, but until recently this was never a focal point. This needs to change.
Concerns about remote access are well-justified. With many working from home or in a hybrid model, the network perimeter has evaporated and IT teams in many markets are having to manage the security of home networks to secure their own corporate ones.
For many the focus on endpoint as well as identity and access management could address not only the remote working concerns, but also cloud access and data security issues.
Ensuring only the legitimate users and devices are accessing data, with integrity, can help to resolve many of the risks faced by security and data management professionals.
What about the cybersecurity skills gap? Is it a concern for organisations in the Gulf too?
Absolutely. Finding the skills to address cybersecurity has always been a key challenge. GBM’s Annual Security Report 2020 mentioned that 64% of organisations in the region currently face challenges in addressing skill gaps. In the early days of IT security, the demands were very network-centric, with firewalls, VPN, and network monitoring occupying centre stage. Today, however, this is a highly data-driven discipline and the need to have strong data analytic and interpersonal interrogative capabilities is higher.
With many organisations observing millions of potential threat alerts daily, the ability to program the tools to identify the “signal” of a possibly malicious event from the “noise” created by networks and underlying protocols is becoming the key differentiator of a successful cyber defender.
Organisations in the GCC should transcend this by implementing a more proactive monitoring and response mechanism to mitigate potential security risks and including a Security Operations Centre (SOC) and a Security Incident and Event Management (SIEM) platform to tackle these challenges. More importantly, having a skilled and experienced IT security team is important to implement and operate such platforms successfully.
Therefore, there is heightened advocacy for working with Managed Security Service Partners (organisations who make cybersecurity their business), as such organisations can invest more into cybersecurity since it is their business. Clearly, the risk is not outsourced, but there are many tasks within the cybersecurity arena that should be outsourced. Managed Security Services are becoming a priority across the Gulf.
What advice would you give organisations to ensure digital trust in security?
The explosion of online economic activity that began in 2020 is not slowing down. At the same time, cyber-attacks will not be slowing down, either.
There are two sides to this ongoing cyberwar: cyber criminals vs the targets. Cyber criminals are a well-funded, highly motivated set of conglomerates and cooperatives that share intelligence, tools, processes and best practices. They use cryptocurrency to successfully get paid, but hide their identities, have cybercrime-as-a-service offerings and are, generally, extremely financially successful. The pandemic brought to this group a fresh set of new opportunities to make more money.
The targets unfortunately do not work together to overcome the enemy and act as individuals in this war. Their governments do what they can to protect them and their customers, but ultimately extract fines when the targets get hacked.
There are certain steps that should be taken to improve this situation:
- Government regulators should mandate the sharing of breach data, since we learn more from others’ mistakes than their best practices. Fines and regulation should focus on breach disclosure and adequate security controls being in place.
- Enterprises must realise they are fighting a war against experts and need expertise to help – it cannot be won alone.
- Technology and service providers need to work with both groups as technical advisors, to help identify how best to implement and apply regulations, and how best to comply with said regulations.
Achieving these goals will be a journey, but if enterprises and governments don’t all agree on the direction we are to be heading, we will not be able to succeed.
As we can all imagine, cybercrime may never be eradicated, but we should be able to reduce the impact and burden to enterprises and individuals if we work together more effectively.
Zooming into the enterprise perspective, enterprise trust needs to embrace customers, employees and business partners.
The customer relationship is often more keenly focused upon, and clearly adhering to customer expectation towards data privacy and online security is more critical than simply complying with legislation – customers expect more than this.
Employees, who are the front line in any customer engagement, need to feel safe and secure in their working environments, which must translate into secure devices, identities, systems, and a simple way to ensure this remains so. Arduous security processes will create friction at an employee level which can leak into customer interactions.
Business partners are becoming more digitally connected and so ensuring an enterprise’s integrity within the industry supply chain is becoming a requirement these days.
All areas demand a robust risk management capability: understanding the risks to the enterprise and its connected ecosystem, understanding that not all risks are the same and applying the appropriate level of control for the identified risk.
Cybersecurity is rapidly evolving into a highly targeted, risk-based practice that is also agile enough to respond to the changes in risk profile of an enterprise. Only by doing so can an organisation become capable of improving its scores in the cyberwarfare we are all engaged in today.