Despite the various threats that can affect an organization’s operations, such as ransomware, advanced persistent threats, and backdoor attacks, the chief information security officer and his or her team should still remain focused on maintaining a disciplined and effective strategy
This is an exclusive interview conducted by the Editor Team of CIO News with Mohamed Sadat, Head of Information Security at Paymob
My name is Mohamed Sadat. I am an enthusiastic information security expert with over 12 years of experience across information technology and cyber security, diversified across the information technology and financial sectors at Raya Contact Center, Raya Data Center, Egyptian Credit Bureau “IScore”, Egyptian Banks Company “EBC”, and Paymob. I am now working as Head of Information Security (CISO) at Paymob.
Over these years, I built a great depth of knowledge that was utilised for my career path and to enhance the upcoming generations through public speaking, information security community participation, mentoring, and networking.
I graduated with a Bachelor’s Degree in Computer Engineering and Information Technology in 2008 from Modern Academy for Engineering and Technology, and completed a Master of Science in Cyber Security at EC Council University. Now I am studying for a Master of Business Administration (MBA) at the University of Liverpool John Moores. I hold multiple credentials specialised in information security, governance, security operations, and auditing, including ISO 22301 and ISO 27001 Lead Auditor, Certified Information Security Manager “CISM”, Certified in Risk and Information Systems Control “CRISC”, Certified Data Privacy Solutions Engineer “CDPSE”, Certified Chief Information Security Officer “CCISO”, Certified Governance, Risk & Compliance Professional “GRCP”, and Certified Governance, Risk & Compliance Auditor “GRCA”.
In addition to my role as vice president of the ISACA Chapter in Cairo, I have provided mentoring services for industry newcomers through a Cyber Talent Internship, and have been recognised multiple times by the Arab Security Conference Information Security Awards as an Information Security Rising Star and CISO of the Year. I have also been named one of the finalists for CISO of the Year by the IDC Conference Information Security Awards.
Cyber security considerations for 2022
The threat landscape is constantly evolving. Cybercriminals are still as capable of adapting to new technologies as they were previously. As the threat landscape continues to evolve, chief information security officers (CISOs) should adopt a mindset of enabling their organisations to become more effective. This is not about telling their colleagues what they can’t do, but rather about showing them what they can do to protect themselves. Cyber security is no longer just about prevention; CISOs and their teams should adopt a mindset of enablement. Despite the multiple hats that a CISO must wear, he or she can’t be everywhere at the same time. It’s important to remember that security is everyone’s job, and it’s also critical to maintaining stakeholder trust. To help the CISO and the other executives understand the importance of cyber security, I have identified eight key cyber security topics that they need to focus on in 2022 and beyond. These topics can help executives better understand how cyber can support the business with a security plan based on shared accountability. Despite the various threats that can affect an organization’s operations, such as ransomware, advanced persistent threats, and backdoor attacks, the chief information security officer and his or her team should still remain focused on maintaining a disciplined and effective strategy. This can help them prevent their organisations from being hit by cyber-attacks.
Expanding the strategic security conversation to “Align business goals with security needs”
Elevating boardroom visibility
Today, digital technology is more powerful than ever before, and it can help organisations transform their operations and improve their supply chains. However, it can also be incredibly vulnerable to attack, disrupting their business and causing them to lose revenue. A single data breach can affect a company’s network and transactions and ultimately disrupt business and impact revenue growth for days, or even weeks and months. As senior leaders recognise the importance of managing cyber risk for their organizations’ long-term success, cyber risk is now receiving more attention in the C-suite and the boardroom. This is because the lack of a comprehensive security framework is not only detrimental to their operations but also prevents them from achieving their goals. Modern security solutions can only accomplish so much in terms of risk reduction if business objectives don’t include an embedded, robust security framework. The global business environment is constantly changing due to various factors, such as technological, environmental, and geopolitical developments. As a result, the threat landscape is constantly evolving. As the chief information security officers (CISOs) of organisations become more responsible for their own security, they are increasingly expected to speak the language of the board and the business in addition to the language of security, and to work together with the business to build resilience. This can be done through the development of pragmatic security investments that support the business’s growth objectives. To address the increasing number of security threats and the need for more skilled security professionals, cyber teams are developing strategies that include automation and enhancing their technology portfolios. They are also developing delivery models that can help them manage their security risk.
What’s your plan?
- Transition from traditional security thinking around confidentiality and availability of data and begin striving to ensure integrity and resilience.
- Engage key organisational stakeholders to commit to a security strategy that can protect organisational and customer data, manage risk, and be sensitive to short and long-term business priorities.
- Reformulate thinking in the executive suite as it relates to security by focusing on practical enterprise risk rather than expense and speed.
- Think less about operational key performance indicators (KPIs) and key risk indicators (KRIs) and focus on themes and trends in the underlying data: types of incidents, internal and external program-gaps, and data-related activities that are in progress, planned, or awaiting approval.
- Build relationships with key business areas by increasing awareness of how quickly they can achieve objectives by embedding security versus what they may lose in the event of a breach.
Achieving the x-factor: Critical talent and skillsets “Transform the cyber security team from enforcer to influencer.”
As the threat landscape evolves, the cyber team’s approach is changing.
The biggest changes that have occurred within the security team’s relationship with the rest of the organisation were in response to the COVID pandemic. But even going back several years, there has been an increased need for speed-to-market, albeit with an acknowledgment of the risks involved. As the pandemic continues, organisations are starting to realise the need to manage their digital footprint and improve their security capabilities. This, in turn, has fuelled the transition to a secure-by-design approach, the need to operationalise development, security, and operations (DevSecOps), and the critical ‘shift left’ of security along the software development life cycle (SDLC). The most effective chief information security officers (CISOs) spend their time talking about the company’s future direction and not about technology, and are striving to ensure that executives in the C-suite and the boardroom are aware of and aligned with the security plan, and vice versa. They should communicate how the organization’s cyber security programme supports and contributes to the growth of the bottom line.
What’s your plan?
- Change the narrative. Stop talking about technology and start talking about business.
- Don’t limit yourself to the traditional definition of cyber security; continue to build relationships with other areas of the organization and build a network of internal business partners.
- Embed scenario thinking, testing, and responsiveness into the regular activities of the cyber function of an organization.
- Make compliance an important outcome of your security program rather than the reason for its existence.
- Be an evangelist; be passionate about what you do and inspire others to value security.
- Adopt a stance that cyber is a major part of what the company does; it’s in the company’s DNA. Assist the organisation in changing its perception of the role of security.
Cloud security adaptation “Enhance cloud security through automation—from deployment and monitoring to remediation.”
Cloud security in the digital transformation age
Despite the growing popularity of cloud adoption and usage, organisations must be aware of the risks associated with cloud migration. The lack of cloud security skills can lead to an organization’s trust deficit. This is because, while the cloud may be present, so are criminals and hackers. Due to the complexity of the cloud environment, it requires more automation to effectively manage its operations. This can create higher levels of incident reports, as 90 percent of organisations are prone to security breaches due to misconfigurations in the cloud. Many companies assume that the development team of their cloud platform should also be responsible for security. However, this is not realistic and should not be considered an integral part of their operations. Instead, security engineers are deep subject matter experts in that critical discipline and have relevant perspectives on the basic structure and needs of the cloud environment. The skills required to effectively implement and manage security in cloud and hybrid environments are not the same as those of traditional cyber security. For instance, a seasoned security professional might not be able to grasp the nuances of cloud security.
What’s your plan?
- Automate your cloud security, especially around deployment, monitoring, and recovery, by eliminating manual processes.
- Build a centralised cloud security team that comes from the development ranks versus leading with traditional security skills.
- Lock in the operational responsibilities in a shared model, defining which entity is responsible for security in the cloud and which entity is responsible for security of the cloud.
- Look to security posture management tools that have pre-configured policy checks mapped to different regulatory regimes.
- Construct an incident response process that is in sync with your broad cloud strategy.
Placing identity at the heart of zero trust “Put IAM and zero trust to work in today’s hyperconnected workplace.”
The demand for frictionless experiences
The rapid pace of digital transformation that both private and public organizations have adopted during the pandemic, together with a rapidly normalising work-from-home structure, has created a window of opportunity for bad actors. That has resulted in an increasing number of cyber security attacks during the last few months, especially ransomware and supply chain attacks. In response to the increasing number of attacks, new identity and access management models are being developed to provide better levels of resilience and enable organisations to manage their digital identities. These models are being designed to meet the needs of multi-cloud computing and federated environments. Due to the rise of digital identity and the complexity of the data collected and stored in an organization, customers, suppliers, and corporate users expect a seamless and secure experience. Unfortunately, many of the organisations that rely on third-party partners, gig workers, and contractors do not have the necessary processes in place to manage access to their data, which often results in significant breaks in the security chain. The emergence of zero trust represents a mindset shift in which the cyber team assumes compromise in connection with system access and makes security decisions on the basis of identity, device, data, and context.
What’s your plan?
- Experiment or begin to have a strategy around passwordless authentication for selected use cases.
- Be sure your identity programme has a sound data and analytics foundation.
- Embed a zero-trust mindset into your overall cyber strategy.
- Commit to creating a frictionless experience to enhance the user and customer experience by streamlining authentication and identity management.
- Automate security functionality to enable highly skilled professionals to focus on more strategic activities.
- Accept that adopting a zero-trust approach is a journey—it takes time to implement.
Exploiting security automation “Gain a competitive advantage through the smart deployment of security automation.”
Realise the business value.
Security automation is becoming more prevalent in companies because it frees up resources by automating routine tasks. Work that was previously performed by highly trained professionals, such as vulnerability scanning, log analysis, and compliance, is being standardised and automatically executed. This can help boost the productivity of an analyst and improve the efficiency of their operations. It can also provide them with an opportunity for scalability. The ability to automate routine transactions and lower-level threats helps the security operations centre prioritise tasks and respond more quickly to incidents that require human intervention. In addition to reducing the time it takes to respond to security incidents, automation can also help improve the efficiency of the operations centre by identifying and monitoring security incidents in large log files.
What’s your plan?
- Take a proactive approach to security automation by focusing on threats instead of incidents.
- Automate mundane tasks to free up human capital and cognitive ability for more important activities.
- Leverage the existing technology and automation experts within your organization.
- Build security automation into every critical intersection point within the SDLC.
- Push the limits of what’s already known to be possible — be willing to fail but learn quickly and implement that insight.
- Keep it simple and don’t over-engineer solutions or acquire automation tools that don’t fit the problem or lead to business value for the firm.
Protecting the privacy frontier “Move to a multidisciplinary approach to privacy risk management that embeds privacy and security by design.”
Keep individuals’ rights top of mind.
Today, more global awareness and recognition exists for individual rights in relation to their personal information, with the cascade of global regulations, such as the GDPR. The focus on data rights, privacy, and security is sharper than ever. The regulatory environment surrounding data privacy is changing in real time. As governments and regulators recognise that breaches are just a subset of cyber incidents, they are beginning to acknowledge the importance of protecting the privacy of individuals. They’re demanding that companies immediately report breaches, regardless of whether they have an impact on the privacy of their customers. There is nearly universal harmony in the sense that so many countries and territories have implemented rights-based privacy rules and regulations aimed at empowering the individual and giving them back the control they relinquish when they share their personal information. With so many different regulations, however, the regulatory landscape is becoming increasingly difficult to navigate and comply with, particularly for global businesses operating in multiple jurisdictions.
What’s your plan?
- Educate senior and business management to understand how to manage data collection, how to avoid the negative impacts of failing to treat data protection respectfully or to obtain the necessary permissions, and how failure to respect consumer rights can negatively impact the company.
- Align your data privacy programme with both C-suite and business-line leadership priorities and vision to help ensure everybody is on the same page from collection, consent, and usage perspectives.
- Adopt a privacy-by-design standard to supplement and complement the rules, regulations, and regulatory expectations around privacy.
- Translate paper-based policies into verifiable business practices to convince consumers and regulators of your commitment to respecting consumer rights and protecting data.
- Explore opportunities to implement a data privacy management technology tool to automate processes, comply with regulations, help increase response speed and assist with reducing human error.
Secure beyond the boundaries “Encourage the broader supply chain to be cyber secure while protecting the organization.”
Ecosystem security: The current state of solutions and obstacles
Most organisations today are not the monolithic entities that customers have always believed them to be. Instead, they are complex and constantly evolving due to their various operational requirements and supply chains that often have direct access to business systems and data. Despite the various security frameworks and regulations that can help minimise the impact of third-party threats, there are still areas where the participants in these ecosystems can be vulnerable: cloud providers, SaaS companies, Internet of Things (IoT) device manufacturers, etc. Without clear obligations to protect their partners’ data, organisations may not have the necessary controls to prevent unauthorised access to their networks. When it comes to contract negotiation, it’s important that both parties thoroughly consider the security policies of the vendors they are considering, as well as the security built into the products and services to be accessed. Due diligence is typically conducted by each ecosystem partner. However, due to the complexity of the situation, it is not feasible for every partner to carry out this process. Instead, they can outsource it to third-party security programs. Some organisations are turning to security-ratings firms to supplement their point-in-time assessments. These services provide a set of predefined security risk scores that can be used to evaluate an ecosystem partner’s security. This helps determine if the partner’s security is good enough.
What’s your plan?
- Keep a close eye on regulatory requirements as they continue to evolve and focus on supply-chain security.
- Consider CCM as a way of moving ecosystems from compliance to a more operationally based view of security.
- Explore opportunities to automate and leverage AI/ML in supply-chain security approaches to enhance security and enable skilled security workers to focus on more strategic activities.
- Don’t overlook the operational technology (OT) supply chain; as IT and OT systems continue to converge, attackers will likely seek to exploit OT systems in an effort to compromise business data.
- Larger, more resourceful organizations should seek to take a capacity-building approach by applying security measures to protect their broader ecosystem, in addition to their own environment.
Reframing the cyber resilience conversation “Broaden the ability to sustain operations, recover rapidly, and manage the consequences when a cyberattack occurs.”
“There is a plan.”
Most CEOs say they have a plan in place to address the possibility of a cyberattack. They also note that it is high on the agenda of the board. Experience from the last few months suggests the more pertinent questions are: How prepared are you as a business to face a four- to six-week outage as a result of a cyberattack? How would it impact customer service? What would it mean for your call and distribution centres? Would you be able to cover the next payroll? Could you pay suppliers? How might an outage impact the company’s regulatory and legal requirements?
Resilience demands an assessment of the key operational processes of the business and a strategy for protecting them. Today, most companies are almost inevitable targets of a cyber attack. Due to the increasing number of threats and the complexity of their operations, many security professionals are focusing on the reduction of likelihood and consequences. Clearly, it’s not enough to detect a successful breach; it’s equally important to act fast enough to limit the damage. Indeed, malicious code has been known to lie dormant within a breached environment for months before surreptitiously activating and re-infecting the system.
What’s your plan?
- Consider how long you can sustain the business if significant functions are down and what it would mean from a customer impact perspective.
- Think about how a significant cyber event would affect your dependency on suppliers.
- Elevate the topic of cyber security and cyber resilience to the board level.
- Ask whether your current resilience plans are fit for purpose for a cyberattack and take appropriate corrective measures.
- Have the humility to acknowledge that your assumptions might be wrong and come up with an alternate plan that can be operationalized quickly.
- Help the C-suite develop their crisis management capabilities and their individual roles in the event of a cyberattack through regular, real-world simulations.
- Focus on the fundamentals, but also invest in detection, rapid response, and recovery capabilities.
- If you don’t have the in-house capacity or capability, collaborate with relevant industry specialists.
In a not-so-distant future:
The rise of a connected, smart society is expected to bring an increase in cyber risks. Due to the evolution of multiple threat vectors, the threat landscape is likely to become more complex. Clearly, the technological advances powering business, communications, and entertainment bring with them new perils. We’ve explored various topics about security, including automating cyber security functions and data privacy, as well as the evolving role of the security team and the protection of the ecosystem. Today, we’re taking a look at some of the most common cyber security threats that are expected to become prominent in the near future. These topics are expected to become the focus of many cyber professionals in every industry.
CIO News, a property of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics.