Resilience: Considerations for CISOs in a Post-COVID Era

It’s the word that features prominently at this year’s RSA Conference. Four CISOs come together to talk about what it means in practice.

The RSA Conference 2021 Virtual Experience is happening May 17-20 and Symantec, as a division of Broadcom, will be providing a summary of some of the leading stories from the conference to help you stay informed.

After a tumultuous and draining 2020, it’s not surprising to see the term ‘resilience’ featured prominently during so many sessions at the RSA Conference 2021. And just in case some missed the message, the show organizers adopted the word as the show’s official motto this year.

But what does resilience mean for the security world? As enterprises turbocharge their digital transformation plans, security teams will need to find ways to stop cohorts of increasingly sophisticated threat actors from exploiting mistakes to steal their coveted data.

In the face of that challenge, resilience speaks to a mindset and an approach for a profession that must meet the new demands of a fast-changing world. And not just in North America or Europe. The conference organizers brought together a panel featuring four Chief Information Security Officers from the Middle East to hear what resiliency meant to them.

The panelists included Abeer Khedr, the Information Security Director for the National Bank of Egypt; Arwa Alhamad, the Cyber Security Enablement Director of the Saudi Telecom Company; Biju Hameed, the Director of Technology Infrastructure and Operations for Dubai Airports; and Dr. Reem Al-Shammari, the Digital Transformation Leader of Corporate Solutions and Digital Oil Fields for the Kuwait Oil Company. The following excerpts have been edited for clarity.

Khedr:

I'm the CISO of the National Bank of Egypt, the largest in the country by market share. The constantly evolving threat landscape is the primary challenge we face. This transformation in banking means that you're offering services to customers via multiple channels today from the internet to mobile, to new disruptive technologies like blockchain-based applications that we are starting to use to electronic wallets that we outsource to fintech companies to manage. In addition, you have to integrate with several third-party systems. So, there are no borders anymore. And the attack surface is constantly widening.

As a financial institution, we are targeted by all sorts of threat actors: the organized criminals that are behind the money banks, the skilled hackers, certain nation states, and even hacktivists. In addition to those threats that are normal to any organization irrespective of its industry, we're also faced with the most common threats, like malware, phishing, ransomware, as well as insider threats. So, this necessitates that as a bank, we maintain and constantly evolve our cyber resilience program accordingly.

We are also ensuring that we have an effective defense in depth strategy to guard against a possible control failure at any one layer. And this is key: which is also reported the regular need to management and the board to keep them aligned.

Al-Shammari:

Securing an oil company that contributes more than 93% of our national income is full of challenges. When we talk about cyber resilience within the company, it's never a specific project or a specific initiative. It's about creating the culture, embracing the three components of people, process and technology, where you will be ensuring that you address all of these with the mindset of a CISO and a business partner as well.

We’re always looking to build that cyber resilience capability because it's never a question of will we be attacked; it's a matter of when. We are very aware of that in OT, the cyber risk stretches its physical arm to impact not only data but also sometimes people’s lives. There’s a big challenge involved in securing critical assets and integrating IT with OT and we need to create a common language for both environments. So, it's a continuous journey that takes the whole team to work collectively toward that goal with lots of collaboration.

Alhamad:

Telco companies are moving from becoming technical companies to digital companies. So we need to anticipate any disruptions. We take resiliency seriously. It's on the agenda of our board of directors. If we look at cyber security resiliency, we must think like an adversary. We need to always assume that a compromise is happening. We need to also understand the battlefield and understand that it's constantly changing in the region, outside the region and everywhere. It's an unfair equation because the attackers need to be right just one time. As defenders, we need to be right all the time.

One of the important points here is cyber hygiene. For instance, during COVID-19, everyone raced to bring out new services. But were they given the proper consideration assessments from a security point of view? We need to revisit them to make sure that they’re secure. Also, we need to be well-prepared. Sometimes, the impact of the way you handle an incident is higher than the impact of the incident itself. We need to create business continuity plans and incident response plans as well as scenarios to anticipate what could happen. And finally, we need to test our readiness by doing joint drills…take notes of the gaps and fix them in a timely manner.

Hameed:

The aviation center is no different when it comes to being on the receiving end of cyber pricing attacks. Any effects from a cyber incident affect not just the sector itself, but also national and international interests. The resilience of airlines and airports and the associated supportive functions is vital, and our role is ensuring that this critical sector of operations runs like clockwork. Solid resiliency programs need three core components: cyber security, risk management and enterprise resilience. All these three functions have to communicate, collaborate, and contextualize risks and threats.

Security Challenges

Khedr:

The threat landscape is evolving. In the case of the SolarWinds attack, the threat was not from an attack source that you'd normally expect, but rather from trusted software that you use to manage your network. This meant that there was a failure of controls at multiple levels. Therefore, impacted organizations need to revisit their defense in depth strategy. So, check configurations, recheck the configurations of firewalls, and incorporate the lessons learned from an incident into your cyber programs. Also, organizations need to make their managements and boards aware of incidents and the action being taken to address them. The guidance and support from national CERTs – computer emergency response teams – should be provided to smaller entities that don't have the internal capabilities to pursue an assessment of the impact of an incident.

Alhamad:

I'd just add that two thirds of breaches are actually coming from third-party supply chain or third-party vulnerabilities. We can prevent them if we stop working with third parties but that's not possible in this digital transformation race. So, if prevention is not possible, then mitigation is needed, and we need to start lowering the risk. We need to put under the cyber security microscope all aspects of the supply chain. No one is immune from cyber threats in today's world.

Hameed:

One of the biggest challenges is the fact that there is no longer a definitive perimeter. The emerging technologies that are more popular today, referred to as Industry 4.0 technologies, have truly become game-changers in how we approach both the technology itself and the cyber security that's practiced around it.

There’s more emphasis on decentralization, as you see with the cloud, where a lot of IT has moved away from the traditional on-prem data centers. With the likes of IoT and 5G, we see more intelligence and connectivity move to the edge. This brings about new dimensions of cyber risk. The little device that’s in your pocket or jacket is a mini super-computer on its own. All of this means that the rules of engagement now completely need to be redefined.

Intelligence is taking a much bigger role in influencing outcomes. Take the concept of the digital twin. It now allows for a multidimensional approach when it comes to prototyping, operations, maintenance, and support and training to be done on virtual, augmented, or mixed reality layers without having to undertake the actual physical pain of creating these components or environments.

AI in cyber security is still in its infancy. My personal opinion is that the broader uses of AI in cyber today are mostly assistive in nature and not at the same maturity level in cyber as it is in other domains. When it comes to the bigger disruptions, both AI and Machine Learning only play a coexisting role at this point of time because you still need the human to intervene.

Leadership

Al-Shammari:

In the past, cyber security was an IT imperative. Today, it’s become a business imperative. This means that the business is keen and dependent on us. And being the digital transformation leader, I fill that role wearing two hats – having the mindset of a CSO and also enabling the business.   

But building a cyber security culture doesn't come without effort. We need to re-engineer the mindset through collective initiatives that have the sponsorship of the leadership. Then it will filter down to all the other employee levels and by default, everyone will do the same, if not even better. And with that, it becomes cyber resilience.

Alhamad:

They say the biggest challenge in communication is the illusion that it has taken place. We might be communicating, but we're not communicating the right thing. Maybe we're not communicating the same language with our senior management. So, we need to always communicate, reporting our plans, our achievements, the threat landscape, the news and the headlines.

I believe that employees are the heart and soul of any company and what drives them are the core values. We need to have bold and courageous leadership that sets the direction and enables the teams to execute and make decisions.

Hameed:

Remember the “3 Cs”: collaborate, communicate and contextualize. Identify your risks, define your responses and manage them. And you can never stress this enough: a cyber resilience mindset is a pure amalgamation of cyber security and enterprise opinion. And it's important that all of these functions work hand in hand, transparently and cohesively, to achieve the desired outcomes.

About the Author

Charles Cooper

Editor in Chief, Big Valley Marketing

Charles Cooper has covered technology and business for more than 25 years as a journalist.
