What are the main challenges CISOs are facing in the Middle East?

Q. From a cybersecurity perspective, how has been 2023?

Very eventful year as far as cybersecurity is concerned. The year has been marked by a general increase in state-sponsored attacks due to geopolitical conflicts. The rise of AI has also been increasing and has greatly affected the way cybersecurity could be enhanced at the same time allowing cyber criminals well-versed with AI to launch more sophisticated attacks against their victims and making themselves harder to detect and/or defend against. The Internet of Things (IoT) vulnerabilities have also been increasing. According to Statista, the number of IoT devices exceeded 15 billion in 2023. Ransomware attacks have also increased in 2023 probably due to their perceived profitability. The cloud is also increasing exponentially with many developments happening in the cloud. This continued emergence of cloud environments has greatly affected application development and their associated security architectures. Cloud environments by their nature often consist of rapid DevOps cycles eliminating the need for application developers to adequately maintain secure applications. The cloud has also enabled containerization allowing for the movement of applications between on-premises and cloud environments thus increasing security exposures. 

Q. Can you highlight the top challenges you\’ve encountered? 

A. Legislative changes on a global scale have been a major challenge faced daily and it\’s often exacerbated by the need to instantly change course and work towards compliance to avoid the often-hefty fines and penalties, legal liabilities and reputational damage associated with non-compliance. For example, here in Saudi Arabia, we have witnessed regulations such as the Saidi Arabia Monetary Authority (SAMA) Cybersecurity Framework undergoing several changes which organisations are supposed to comply with such as the integration of cyber threat intelligence principles as one of its integral components.

Q. What are the top three challenges security leaders will face in 2024?

A. The skills challenge is likely going to be key as a result of the rise of disruptive technologies such as Generative AI. They will be a reshaping of the entire global workforce and skills to adequately deal with cybersecurity issues will be in short supply. The other critical challenge that will be faced has to do with regulatory changes as nation-states seek to protect their citizens from cyberattacks. This typically adds to the overall costs of cyber compliance. Lastly, cybercrime will also rise especially on digital platforms as people transact virtually. Cybersecurity Ventures expects damage costs from cybercrime to increase by about 15% each year over the next 3 years. 

Q. How are we making security a part of everyone’s job? 

A. Awareness programs integrated into daily work practices are key as well as including security in employees’ job descriptions. Adding security duties to job responsibilities makes it everyone’s duty to ensure the security of company assets as well as colleagues’ safety. Security awareness is also critical as it enables employees to stay alert and report suspicious activities. Security reporting processes should also be enhanced to make them easily accessible and user-friendly with no victimisation involved. Put briefly, a security culture should be inculcated into everyone emphasizing the notion that security is everyone’s responsibility. 

Q. What cybersecurity questions should every CEO ask? 

A. There are several questions of interest to every CEO. The first one is: Do we have the necessary skills to defend ourselves against cyber-attacks? This is key; if there are no skills efforts should be made to ensure that people are trained, or additional skilled resources are recruited. Cyber skills resident in the organisation should always be higher than the skills of the attackers.  The other question is: Are we complying with a plethora of cybersecurity laws, regulations, and standards to reduce incidences of fines and other penalties? This is very crucial for example in the payments industry where failure to comply with requirements such as PCI-DSS could force an organisation out of business. The last question has to do with resources; Are security budgets adequate to cater for the various security solutions required? Cybersecurity is an expensive process, and resources must be available and appropriately budgeted.  

Q. From the perspective of a cybersecurity leader, what do you believe is the most valuable asset? 

A. The human resource base is very key both for cybersecurity professionals and the general employee. In cybersecurity, precedence is always provided for the protection of human life before anything else. It is therefore important to ensure that people are equipped with adequate and relevant knowledge about how to identify indicators of attacks and remain alert for such attacks, 

Q. What will be the challenges of implementing Generative AI in organizations? 

A. There is generally limited uptake initially caused by hesitancy as people generally wish to test the technology first and proceed to move with due care. An example is Google has delayed the launch of Gemini, its conservational AI platform to early 2024 for further enhancements and testing and getting the necessary user-acceptance and trust. We are also seeing an acute AI skills shortage in the form of developers skilled in AI algorithms which will lead to massive lagging of projects in most organisations and generally poor-performing Generative AI models which generally affects organisational decision-making. Generative AI also leads to the displacement of employees in their physical form as their skills become redundant. We have already started to witness this on Upwork where jobs such as content writing have been displaced with Generative AI. Overall, freelancers on earned 5% less than they earned before ChatGPT as of April 2023. Lastly, costs of Generative AI are also typically on the higher side as the technology takes in huge computing resources which is also ecologically unfriendly. 

Q. What should organizations do if they are hacked?

A. If organisations are hacked, they should stay calm and act quickly by instantly activating their incident response plans, if they are available. They should ensure that they strictly follow the procedures contained therein. This involves containing the hacking incident and performing a preliminary damage assessment to understand the level and impact of the hack and the extent of resources needed for data and systems restoration. All vulnerabilities should be identified and fixed after which They should also report to regulatory authorities as well as enforcement agencies.  This is critical as several pieces of legislation require this. Notifying affected customers is also key. If ransomware is involved in the hack, it is advisable to never pay a ransom as this is seen as abetting criminal activities. Organisations should also learn from the hacking activities performed on them so that they can implement more effective cyber defences and plan against similar or more sophisticated attacks. 

Q. Can you tell me more about why security is more important in the financial sector?

A. The financial services sector holds very liquid assets which naturally attracts cyber criminals hence security should be more stringent. The current rise in digital platforms and fintech has also increased the extent of financial cybercrime in the form of card cloning and phishing attacks for example. As the overall banking public in Saudi Arabia and worldwide becomes more cashless, more incidences of online financial crime continue to be reported. The financial services sector also relies on proprietary technology hence any cyber-attacks on such could lead to huge losses and reputational damage. The sector also holds customer data and intellectual property which is typically very sensitive information and held on trust. If all this information falls into the hands of cybercriminals, this can lead to a variety of cybercrimes such as identity theft and financial fraud. Hence protecting this information assures customers that their sensitive information is safe and fosters confidence in the banking sector.