CASE STUDY
The role of chief information security
officer (CISO) is not what it was five
or 10 years ago. According to those
who find themselves in the role today, that’s
not necessarily a bad thing.
In the past, chief security
officers (CSOs) were over-glorified IT security
administrators, babysitting the firewalls,
arguing with software vendors over botched
antivirus signature updates and cleaning
spyware off infected laptops and desktop
PCs. True, that’s still the role some CSOs in
the Middle East region find themselves in, but for
the majority the responsibility has shifted to
looking at the big picture and designing the
programme that balances acceptable risks
against the unacceptable.
In an ideal world, today’s CISO hires
someone else to handle all those technical
security tasks. Of course, the question is
whether you can inspire them to do what
you once had to do or if you’ll turn them off
with an attitude of superiority.
Talk us through the role of a CISO and
how you see enterprises in the Middle
East protecting their digital assets?
Being a CISO used to be a hardcore
cybersecurity role, however, the function
of the CISO involves much more business
leadership and risk management. Today,
a CISO must be able to help executives
at C-suite level to understand risk as it
is about bits. CISOs in any enterprise
organisation in the Middle East must have
skills to be able to explain security for
non-techies, build and maintain critical
relationships and communicate at both
senior and operational levels. Soft skills are
critical to evangelising security initiatives
and celebrating wins, which need to be
expressed as business outcomes.
Cybersecurity is gaining importance due to
the increased number of cyberattacks and
the huge losses that victims are reporting.
However, in many organisations the
implementation of cybersecurity comes
as a consequence of a threat or an attack.
Organisations can decide to mount reactive,
proactive and operational cyberdefences, or
a combination of the three depending on
financial capabilities and levels of exposure
to threats. Having a CISO will go through the
three types of approaches to implementing
cybersecurity and help the organisation to
choose the optimal cyberdefence strategy.
A CISO usually spends his or her time
dealing with cyber-risk, security operations,
data loss and fraud prevention, planning,
buying and rolling out security hardware and
software, identity and access management,
programme management such as
analysing security needs by implementing
programmes or projects that mitigate risks,
regular system patches, investigations and
forensics, and governance depending on the
organisation regulations.
What are some of the best ways to
foster an atmosphere of innovation
within big organisations in the
Middle East?
Everything starts with having and building
a team which can relay, a team that can
take ownership of client problems, a team
that can benchmark against the best. As
a leader, a CISO’s prime focus should be to
create a culture of innovation and build
effective teams, which can focus on the work
that needs to be done. We need to embrace
experimentation and risk as well as listen
to the teams we build and challenge as
necessary. If you can empower your team
with a leadership that inspires and values
them, the innovation-fostering atmosphere
will eventually manifest itself.
In the Middle East the banking and
financial services sector is huge, yet
offerings don’t really seem to have
evolved beyond basic services online.
What are some of the key things you
would say to banks and financial
services firms on how to build the
atmosphere of innovation? How do
you change that culture within the
banking and financial services sector
in the Middle East?
This might have been the case before
the COVID-19 pandemic, but now I am
seeing many banks speed their Digital
Transformation to be able to serve their
customers with the best experiences. As I
www.intelligentcio.com
INTELLIGENTCIO