Can you briefly describe your role?
I am the CISO for GE in the MENAT region, which is one of the biggest growth regions with 12,000 employees and $20 billion in revenue. My mandate is to ensure my company is safe in the region, all customer engagements are protected, and drive secure business growth.
How do you see the CISO role changing? Is it getting more business focused?
The role is evolving, rather than changing. But, is it getting less technical? I don’t think so. CISOs are now getting into new areas, transcending beyond just IT. For example, we used to talk about IT security a few years ago. Now we are talking about cybersecurity and soon it will be about digital security. This paradigm shift alone will show you how the CISO role is evolving. From a GE point of view, when I started out in this role, my objective was to protect the enterprise. Gradually, I realised that a lot of my customers – GE businesses – are dealing with their customers, which requires me to get involved in commercial deals to ensure all parties understand the cyber risk, and they are compliant with the country’s cyber laws and regulations. Till recently, IT was seen as a back-office function in companies, and security a back-office to IT; it is no longer the case and I get time and attention from the top management of my company.
With the convergence of IT and OT, shouldn’t CISOs now look beyond IT shops?
Yes, and GE is a perfect example of that. We are involved in many verticals such as healthcare, power, aviation and oil & gas with dedicated business CISOs. As a CISO, I don’t look into just networks or firewalls. Many industrial control systems, which were historically isolated, are now getting connected to corporate networks so that we can monitor them, diagnose them and leverage predictive analytics. Some of these devices were manufactured years back and were not designed with IoT in mind. These devices may have vulnerabilities such as zero-day vulnerabilities. My role is making sure my company’s products are safe and people using them are protected.
Do you think following basic cyber hygiene could help companies prevent some of the serious threats such as ransomware?
Absolutely. If you look at the WannaCry ransomware, it targeted known vulnerabilities in Windows XP. At GE, we retired those systems two years ago. That is why I always say cybersecurity needs to be proactive, not reactive. In fact, I was looking at the details of companies impacted by this ransomware breakout earlier this year, and some of them were running on Windows XP, and they never thought they would be targeted. This is where patching could have prevented such a breach. Another key to preventing attacks is employee awareness. Around 99 percent of threats can be caught by security control mechanisms, but you need employee awareness to catch the one percent that gets past.
How do you create employee awareness within your company?
My goal is to foster a cyber culture for my company in this region. Every employee needs to build a certain level of cyber awareness, and security should be part of our DNA. We all play a role in keeping ourselves and our company safe, and it is not only the responsibility of CISOs. To achieve this culture change, we have divided MENAT into four sub-regions, where we have cyber leaders who will identify all the critical sites in these sub-regions. It may not be possible to train all 12,000 employees, so what I am planning to do is start with one employee in every critical site, who in turn will become the cyber ambassador and go-to person for all things related to cybersecurity.
Do you face budget constraints when it comes to security spending?
There is no unlimited budget for anyone, and it is very important to prioritise your projects and look for the best value and return for your investment. Cybersecurity is a very critical topic for companies and always gets high focus. There has been an increase in high-profile cyber-attacks in recent years where corporations are frequently targeted, and these external events have resulted in an increase in security spending in most companies. Cybersecurity remains a top priority in GE, and we have management support when it comes to funding and security spending.
Being part of a multi-national giant, do you share best practices within GE?
We do. GE has 300,000 employees with operations in 180 countries. We have a global CISO, Nasrin Rezai, who manages regional CISOs (horizontal) and business CISOs (vertical). Some of the cyber risks in the healthcare sector might be different from aviation, but there may be learnings or best practices to share. Similarly, cyber risks in Egypt might be very different from the ones in China, but regional CISOs managing both regions can exchange information and best practices. So, we do make sure that we share best practices not just between regions, but between businesses as well.
Do more vendors necessarily mean more security?
I don’t think so. No vendor is going to offer you an end-to-end security solution to protect you from cyber attacks. When you roll out a tool, don’t assume that the tool itself will solve the problem. It is also about the processes you build around those tools and the people using them. A good company with healthy cyber hygiene will look at multiple solutions; they will keep looking at new risks, which may not have been covered by existing solutions. As a CISO, I try to understand the business risk along with the technical risk and articulate it to the leadership in a language they would understand. Cybersecurity is a balancing act between enabling operations and keeping you secure, and for that you need good vendor platforms, well-trained people and well-defined processes.
As a CISO, are you worried about Industrial IoT opening new attack vectors?
You should think about IoT in multiple ways. First, products that are already out there and getting connected to networks. Second, new products that are getting developed. If you take GE as an example, our global CISO Nasrin Rezai plays a dual role: security leader for the enterprise and, at the same time, our chief product security officer. We make sure that security is baked in right through the product lifecycle process, and we are also focusing on the security of our existing installed base. It may not be easy to patch a gas turbine which runs 24/7 in the middle of a desert. GE has acquired a company called Wurldtech, which is part of GE Digital now, and they manufacture OT firewalls. So, if you are in an IoT or OT environment and you can’t bring down a system to patch it, you must do a proper risk assessment and secure the environment with OT firewalls.