Over two thirds of bank chief executives (71%) in the Middle East could be at risk of losing their jobs because they are not managing cybersecurity risks effectively.
Research carried out by Dubai-based executive search and management advisory firm Metin Mitchell & Co shows that only 29% of Middle East banks with assets of more than $10 billion have a chief information security officer reporting directly to the chief executive.
This position, according to the firm, is a key sign that an organisation is taking and managing cybersecurity threats seriously.
More than a third (35%) of CISOs have no direct reporting line to any C-level executives.
The research was carried out into 49 banks in nine countries, including Bahrain, Egypt, Jordan, Kuwait, Lebanon, Oman, Qatar, UAE and Saudi Arabia.
No country was an outstanding performer; 38% of Saudi Arabia’s banks had a CISO.
Metin Mitchell, founder of Metin Mitchell & Co, said, “If cybersecurity experts are to have any impact in a bank they need more than technical skills – they also need a strong voice and business skills. They must be able to communicate effectively to the CEO and the board on the risks to both the business and shareholder values. They must also have the required budget and the ability to influence decision-making to mitigate those risks.
“How many of today’s CISOs in the Middle East have the skills to do that? And more importantly, how many are empowered to do that and drive forward a multi-disciplined approach to cybersecurity? How well a CEO prepares, and how well their team deals with a cyberattack, will all determine whether a CEO keeps their job when the bank is attacked.”
ISACA governance expert, author and cybersecurity adviser to Metin Mitchell & Co Raef Meeuwisse explained the importance of CISOs reporting to the chief executive. “There is a shortage of cybersecurity skills,” he said. “In a market competing for resources, the best talent goes to the organisations that look most appealing to work for. Security staff are not like normal people. They are not interested in your sector, turnover or profit. They want to know if your organisation has the security fundamentals in place. Are you likely to still be operating in a few years’ time? One of the easiest ways to check is simply to ask, is your CISO reporting to the main board – and in the case of financial services this would be to the chief executive.”