Alshaya Group’s CISO on what to do in case of a security breach

In today’s world, what is your opinion on the role of cybersecurity and what it should entail?
Most people in the world today know the importance of cybersecurity in everyday life. With people being online via their smartphones 24X7, cybersecurity is an essential part of life. Online banking, classes, virtual meetings, online shopping, etc. have made cybersecurity the backbone of the Internet these days. Organisations cannot design a website or a mobile app without a strong security architecture. We know the example of Zoom. It was built on a weak architecture, and it went through a lot of security problems such as “Zoom Bombings” a couple of years ago when Zoom had a breakout year. Because of those problems, many corporates ditched Zoom and adapted Microsoft Teams which became the most used video conferencing platform in the world. This example underlines the importance of cybersecurity.

What does it take to be a chief information security officer? What are the necessary skills required?
I believe a CISO needs to be well versed in the following:
Governance, risk, and compliance: Governance is the foremost job of a CISO and their office. Somebody should tick off an application going live on the Internet. This application should have gone through a security architecture review, vulnerability assessment, secure code analysis, penetration testing. A CISO’s job is to ensure that all this process was followed in the SDLC. Next comes documenting the risk of that application. Then, based on the industry you work on, a CISO must ensure compliance to various regulations and standards. GDPR compliance for data security and privacy is vital too.

End-to-end cybersecurity: A CISO should understand the latest in the landscape of cybersecurity. This includes but not limited to end point security, network security, application security, data security, cloud security, etc.

Budget management: This is an often-overlooked skill of a CISO. Most companies today are liberal in the cybersecurity budgets. However, CISOs don’t get unlimited budgets. So, it’s vital for CISOs to be great money managers too. CISOs should formulate their one-year and three-year roadmaps in such a way that they’re ahead of the curve in budget management including capex, opex, licence and contract costs, cyber and insurance costs.

Presentation and communication skills: Soft skills make a successful CISO. If a CISO hadn’t cultivated these skills, then it’s going to a rocky ride for them. Right from presenting the budgets and cybersecurity updates to the board; to conducting cybersecurity awareness sessions; to speaking in public forums a CISO is nowadays required to be a great orator.

People management: A CISO can never be successful without proper people management skills. This is not just managing their own teams. This includes managing upwards towards top management, stakeholder management, and vendor management too.

We’ve seen a plethora of attacks all across the world, and they’re just growing worse. What are the top threats to organisations you see right now?
Some of the attacks that continue to play havoc across the world right now include ransomware, phishing and a plethora of targeted attacks via emails and zero-day attacks among others.

What advice would you give companies in the event of a breach?
In the event of a breach, organisations should follow the detect, respond and recover strategies of the NIST cybersecurity framework. They should activate “cyber crisis committee” for advice and decisions. Furthermore, they must claim cyber insurance as soon as a breach is suspected and get professional help immediately.

What areas would you advise organisations to focus on when developing a new security programme or rebuilding an existing one?
Organisations and businesses should not try to reinvent the wheel when developing a new security programme or rebuilding an existing one. They should follow established global cybersecurity standards such as:
1) ISO27001:2013 or ISO27002:2022
2) The NIST cybersecurity framework
3) PCI-DSS
4) GDPR for data protection and privacy

Businesses should also make budget to bring in a cybersecurity auditing firm to do a capability assessment and give their findings and recommendations in the form of a three-year roadmap.

Read: What every CISO needs to do in their first 100 days: Gartner