Security Advisor ME hosted its inaugural CSO Perspectives conference in Dubai last month, bringing together thought leaders to discuss how information security leaders can work towards aligning current strategies with business objectives.
The threat landscape is evolving rapidly. As organisations continue to transform themselves in the digital economy, they are met with increasing security threats across a new business and technology landscape.
On 28th October at the Grand Habtoor Hotel, JBR, Security Advisor held its inaugural CSO Perspectives Conference. Gathering CISOs, IT/security managers, security strategists, and risk and compliance specialists, the conference served as a platform for addressing the latest information security challenges.
Jeevan Thankappan, Group Editor, CPI Media Group, Technology, set the scene by putting the spotlight on one of the key questions most CISOs and CSOs have in mind: “How do you fend off breaches in such a dynamic threat landscape?”
“2017 is already set to be one of the worst years when it comes to cybersecurity,” said Thankappan. “Earlier this year we have seen cyber-attacks like WannaCry and NotPetya disrupt multiple IT systems and businesses across the world. Unfortunately, as the threat landscape grows we have to accept that we haven’t seen the last of such incidents. This calls for IT, security and business leaders to be more vigilant and proactive in defending their systems.”
Thankappan then introduced the event’s keynote speaker, Saket Modi, cybersecurity expert, ethical hacker and international speaker; and CEO and co-founder of Lucideus Tech.
Modi started his presentation by demystifying people’s notions about hackers. “Hacking is simply about using a specific tool for another purpose and optimising its outcome. That applies to technology as well. As ethical hackers, we look into how threat actors might penetrate an organisation’s system and subsequently advise them how they can best manage or avoid cyber risks.”
However, he noted that it is undeniable that there are people in the IT landscape who use hacking to disrupt enterprises. “A recent study in the US highlighted that about 69 percent of people surveyed have fears about their personal accounts getting hacked.”
Modi said this means IT security is no longer a pressing concern for CSOs alone. “This statistic shows that people are starting to become more aware about the risks that are out there,” said Modi. “With this in mind, it is now more important than ever for technology users to have a better understanding of the different technologies and solutions that they are utilising on a regular basis. At the same time, technology players and IT security leaders should look at this as an opportunity to educate and offer new innovations that will help today’s digital natives protect their data.”
He then conducted a live hacking demo, showing the audience how easy it is for potential threat actors to penetrate a device such as a smartphone. “Whenever we install applications onto our devices we give the owner or creator of that app permissions to access several functions or data in our phone,” said Modi. “As users, we must invest time and effort to know how our device works and how we can best secure the data we put in it. More than that, we have to keep in mind that we should learn to use such devices as well as the Internet with the assumption that everything can and/or will be hacked.”
Increasing advances in technology are blurring the lines between work and play, making it more apparent that information security within today’s organisations is no longer just an IT issue. Data is often viewed as a business enabler, making the subject of securing it critical for today’s businesses.
Irene Corpuz, section head, Planning and IT Security, Western Region Municipality, Abu Dhabi, in her presentation highlighted how and why it is imperative for enterprise leaders to understand that information security is a business issue.
According to her, to ensure that their data is secure, enterprises should be able to make risk-aware decisions. “Information security should be a key element in any organisation’s risk management strategy and should, therefore, be aligned with business objectives,” said Corpuz.
But how can this be done? Corpuz said it is ideal for CISO/CSOs to set in place governance, risk and compliance policies. “More importantly, they should make sure that it is embedded within every aspect of the business as it impacts multiple functions within the organisation.”
She then reiterated that CISO/CSOs should be able to communicate security concerns or plans in such a way that business leaders understand. “At the same time, management leaders should also be involved in the planning of security or risk management strategies. While they may not be able to build structures or systems themselves, they need to understand the process to make appropriate and informed approvals for potential initiatives.”
As with everything, preparation is key. But, what will happen if you’re already compromised? Incident management helps IT security teams identify, respond to, and mitigate these types of incidents while becoming more resilient and vigilant.
“It is not a linear process,” said Hariprasad Chede, CISO, National Bank of Fujairah, in his presentation. “It’s a cycle that consists of a preparation phase, an incident detection phase and a phase of incident containment, mitigation and recovery.”
However, it doesn’t stop there. According to Chede, the final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents.
Chede highlighted that an important ingredient for a good incident management strategy is collaboration. “There should be an open line of communication between business and technical teams,” he said. “Integrity is probably the most important aspect any security team should have. This is because to effectively perform incident management practices, trust should be established among all parties concerned.”
Moreover, a Plan B should always be set in place, said Chede. “A good practice is having a ‘battle box’ of basic tools should things not go as planned.”
The last speaker of the day was George Eapen, CISO, GE, MENAT, who delved into ‘Implementing effective cyber security in an enterprise.’
“IT security is an issue that can impact multiple aspects of a business,” said Eapen, commenting on how security is turning into a boardroom agenda. “IT used to be a ‘backdoor’ function. But as cyber-attack incidents increase, it’s starting to catch the attention of CEOs and CFOs as it is something that can significantly affect the profitability and continuity of any organisation.”
The first edition of Security Advisor ME’s CSO Perspectives closed with a thought-provoking panel discussion featuring Safdar Zaman, head of IT Strategy and Governance, Nakheel; Ajay Rathi, CIO, Meraas Holding; Sebastian Samuel, CIO, AW Rostamani; Rinaldo R Oliveira, head of IT Risk and GRC, Commercial Bank of Dubai; and Debashish Basu Choudhuri, CISSP, director, Sales Engineering, Middle East, Splunk.