Envisioning the CISO of 2020
CISO Council's Baig on Evolution to a Business-Centric Role
The CISO Council of Gulf, a platform for global information security and risk assurance leaders, formed recently to collaborate, contribute and help the security fraternity grow.
To tackle future uncertainties and secure their infrastructure and enterprise, CISOs must employ a new, more structured approach, says Ahmed Qurram Baig, founder of the CISO Council.
"With more organized crime and increased nation-state attacks expected, business demands that CISOs manage digital technology adoption and transformation with business objectives and the legal and regulatory landscape in mind," he observes.
Advocating a collaborative approach, Baig says, "It enables CISOs with access to tool kits, risk frameworks, technology and implementation documents, especially expert insights and guidance."
In an interview with Information Security Media Group, Baig explains how the era of smart cities and IoT is compelling CISOs to undertake an intense exercise to build a more serious cyber defense framework. Baig also shares insights on:
- Today's top challenges for CISOs;
- His vision for the CISO role in 2020;
- The need to secure critical infrastructure.
Baig, a cybersecurity expert in the MENA region, was head of information security and compliance at a Dubai government entity; a CISO at an Abu Dhabi government entity; and head of business management and advisory services at TECOM (A Member of Dubai Holding). With over 16 years in strategy, risk management & compliance and information security, he's worked on projects for airlines, banks, defense and federal agencies across the Middle East.
GEETHA NANDIKOTKUR: What is giving sleepless nights to CISOs of UAE? How is CISO Council collaborating to address this concern?
AHMED BAIG: It's a nightmare for CISOs: the demand to be competitive and profitable beyond boundaries puts increased pressure on CISOs to adopt innovative solutions, protect critical business systems and sensitive data at any cost. CISOs are expected to ensure safety without teams providing sufficient inputs about new risks and specific security challenges that new businesses bring in, as each function works in a silo.
Besides, the management's lack of understanding of cybersecurity risks and the absence of security awareness among end users is like working on a landmine - a single mistake like clicking on a suspicious email can infect the systems and result in disaster.
The council has evolved a methodology to collaborate with them to create advisories in sharing critical information about recent attacks, creating situational awareness in dealing with the scenarios and suggesting solutions.
There are plans to provide updates via our global partners on threat intelligence and situational awareness.
NANDIKOTKUR: You have been advocating CISO 2020; what does that mean, and how is the CISO role evolving in UAE?
BAIG: The digital transformation of businesses globally and emerging smart cities are changing the very definition of the security role - from an information technology-centric to an operational and business-centric executive role. This compels CISOs to get more involved and be responsible for securing core business processes.
While predictions for digital trends 2020 are exciting, there's also concern. With pervasive digital technologies exposing organizations to unexpected and unseen risks, it will be challenging to handle so many unseen, unpredictable and moving targets.
So, business is demanding that CISOs understand and manage digital technology adoption with the business objectives and legal and regulatory landscape in mind. New generation CISOs are becoming part of the deadliest catch category (dangerous/riskiest jobs), fighting against unknown and unexpected threats. They are not expected to be geeks working behind a closed door, trying to secure and protect the business. CISOs who tend to express fear, uncertainty or doubt while interacting with business executives and other teams can be ostracized and might fail eventually.
I think the CISO role will evolve and lead organizations to create additional new roles around privacy and risk. This is happening in this region with smart cities with smart infrastructure and government services, and CISOs are urged to adapt to new regulations and safeguard data security and privacy.
Securing Critical Infrastructure
NANDIKOTKUR: Given that scenario, what then is the most pressing issue for CISOs?
BAIG: It is to protect the nation's critical infrastructure. They must undergo a very intense exercise to build a more serious cyber defense framework to ensure the necessary controls and security measures are in place. The more generic industry security frameworks will be a good place to start from.
However, they might not address industry specific needs to defend against advanced cyberattacks. The council will hand-hold them, build awareness of the areas of critical infrastructure protection and guide them on global trends and available frameworks with which to kick-start a cybersecurity program. We will involve them in various thought-leadership activities through round tables and other forums with global players.
The Way Forward
NANDIKOTKUR: What's the Council's future security agenda and priority areas?
BAIG: CISO Council is currently engaged with CISOs from more than 40 countries, reaching out to more than 1000 InfoSec leaders. We aim to double our reach in the next 18 months.
We are working with global and local entities to build a formal information sharing platform to tackle future threats.
Besides, our goal is to create opportunities of growth for security practitioners, establish job forums, have workshops for exchange of knowledge, nurture budding CISO members, and connect the community with the government, regulatory bodies and industry associations for promoting compliance laws and regulations and evolving risk frameworks.