This post was originally published here by (ISC)² Management .
By Tamer Gamali, CISSP, CISO and member, (ISC)² EMEA Advisory Council
As a Chief Information Security Officer (CISO) based in Dubai with 15 years working in financial services, and a member of (ISC)²’s EMEA Advisory Council I am keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats. I have become aware of a growing body of opinion within cybersecurity circles that suggests the senior management tier represents a significant threat to their businesses today. They are a group that understands and works hard to mitigate risk, but, as more and more companies move forward with digital transformation strategies, not necessarily the risks that hold the greatest potential to harm their companies. This leaves a gap in the management of business and the management of business risk.
(ISC)² will be asking some probing questions around this concern as part of their presence at Infosecurity Middle East in Abu Dhabi next month, which is set within the Gulf Region’s International Exhibition for National Security and Resilience (ISNR Abu Dhabi 2018), and jointly organized by the UAE Ministry of Interior and Reed Exhibitions.
This year, the event explores the role of disruptive technologies and is looking to be a showcase of development in many of the innovations that are driving digital transformation today – artificial intelligence, connected vehicles, smart cities, unmanned solutions, robotics and more. It provides an appropriate setting for (ISC)²’s exploration of the shifts taking place in cyber security and risk management, the topic of a keynote presentation from (ISC)²‘s Dr. Adrian Davis, Director of Cybersecurity Advocacy for in EMEA. Complementing this keynote, I will be participating in the event’s CISO program, hosting a round-table discussion on whether our cyber and information security leaders are in a position to mitigate the operational risks that they are being tasked to manage today.
In his session, Adrian will acknowledge that the proliferation of cyberattacks making news headlines does not mean that security is being ignored. It does mean, however, that the measures being taken by companies today are not standing up to the test of real-world attack. The people working on the front-lines of information and cybersecurity in the Middle East report they struggle to gain the visibility they need to provide security oversight. Participating in (ISC)²’s workforce survey, only 19% say they can attribute more than half of the breaches experienced by their companies to known vulnerabilities. Our companies are changing with technology, but we are not in a good position to know how vulnerable we are becoming.
Cyber risks can be very difficult to quantify and continue to be overshadowed by the focus on financial risks that is given at the top levels of the organization. For many, they are evolving on a departmental or piecemeal basis, driven by pressures to keep pace with innovation and deliver projects, making it very difficult to assess the overall operational exposure. Today, however, we are in a business environment where the damage to reputation associated with cyber threats – an operational risk- can exceed traditional financial risk, and we are playing catch up with those that have developed the capability to do us harm.
Companies are clearly growing ever-more dependent on the online ecosystems that underpin their business, and more exposed to levels of operational risks than ever before. The lack of maturity in understanding of the risks and potential impact represents a significant threat to their business, not just a threat to their IT systems. Further, growing levels of data loss and disruption means that all companies are facing increasing levels of scrutiny from regulators, media and their customers, even if they haven’t experienced a problem. There is an expectation that companies will be responsible and accountable for protecting against these attacks, yet significant questions remain around whether they are organized to do so.
These are the scenarios and questions that I invite cybersecurity leaders to engage in at the round table session, as we explore whether CISO’s are properly enabled to mitigate operational risk. It’s organized as a closed-door session so that we can offer a real opportunity for frank and open discussion around current practice and governance models, expectations, and the challenges faced by the people in the room. Our intent is for it to be the first of several that brings CISO’s together around this issue, and the beginning of an effort to craft and share a collective view around what good practice looks like, and how it can be achieved. Personally, I’m looking forward to tackling some long-standing, but as-yet unresolved debates, such as where cybersecurity fits organizationally, whether it cybersecurity is still a technical discipline, or whether it is time to stop talking security and start talking risk.