A CISO’s journey starts on the technical side, evolving through business and eventually becoming strategic

At no time has the world been more vulnerable to cyber-threats. Their frequency and complexity mean that the role of cybersecurity within a business has never been more critical.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute had the good fortune to be able to sit down and talk to Jad H. Abdulsalam, VP, Cybersecurity & Digitisation at Ma’aden, Saudi Arabian Mining Co., the largest multi-commodity mining and metals company in the Middle East and among the fastest-growing mining companies in the world. In this interview, Jad has shared some of his opinions on such topics as the constantly evolving roles of the CISO in order to stay ahead of the threat landscape, and whether it is important for a CISO to have a seat on the board.  Read the full interview below.

Common ways to assess the value of a senior executive to an organisation’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

The objective of CISOs should not focus only on mitigating the cyber-risk. Instead, the aspiration is to sustain the business and ensure the continuity of the organisation’s growth

Setting such objectives will allow CISOs not only to mitigate the risk but to demonstrate their roles as true business enablers and crucial pillars toward achieving the business’ strategic objectives and ambitions.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

Reaching top management and board level continues to be one of the challenges CISO’s need to deal with from a business perspective due to the lack of adequate awareness and knowledge of cyber-risks at all levels, and it is very important for all CISO’s to address this gap and work continuously to minimise it before they communicate their risk cases.

Also, it is very important for CISO’s to present cyber threats as a business risk not as an IT or technology issues, to ensure buy-in and better management understanding.

For the reporting line, yes, it is very important for the CISO to maintain a strong position within their organisations for easy access to decision makers and ensure the right level of support is there when needed. The global trend today is moving towards having cybersecurity reports at the head of the organisation or board committees.

Many chief information security officers (CISOs) see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

A CISO’s journey starts on the “Technical” side, evolving through “Business” and eventually becoming “Strategic”. It is very important for CISO’s to consider those three aspects in their career journey to achieve the aspired-to strategic role they should be in as business enablers.

If it’s only focusing on the technical side, the journey will swiftly come to a halt and the cyber-risk will not be treated as it should be.

While most business leaders are more aware of their organisation’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

As I mentioned previously, addressing the lack of adequate awareness and knowledge levels on the cyber-risk with top management is very important at an early stage. This will allow for better communication and understanding of the business risk which will lead to better alignment and management consensus.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organisation’s needs?

A shortage of Cybersecurity resources and skill sets is a global challenge and all CISO’s are suffering from this challenge.

The first step is to consider the retention in cybersecurity as one of the business risks to be monitored and tracked on the right level.

Secondly, CISOs need to identify the potential options for this risk. Direct hires should not be the only sourcing mechanism. Today there’re different options which can be followed like staff augmentation through service contracts, managed services and outsourcing. In addition, CISOs, need to work on their personal network and their visibility in the market to identify potential candidates as future replacements.

Thirdly, CISOs need to work internally with their management and HR team to develop required retention plans for their current staff in terms of their succession plans, compensation and benefits, attraction opportunities … etc.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

First of all, cyber-risk needs to be treated as a business risk and be aligned with the organisations’ strategy and objective. To achieve that, organisations need to consider the People, Process and Technology domains in developing their cybersecurity plans, giving greater focus on the “Process” domain in terms of adopted standards, best practices, policies, frameworks, processes …etc. to establish the right and strong governance foundation for cybersecurity which will drive the execution of cyber-plans and ensure continuous improvement.

In many immature cases, we can see organisations fail to consider the Process as the first priority and instead move directly with People and Technology domains where the impact will be limited and short term.

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

It is very important for any organisation to adopt and develop an Enterprise Security Architecture framework to drive the robust and dynamic changes in their technology environments. Such capability will allow for a more structured approach to acquire any new technology and observe new business demands in scalable manner.

The nature of recent cyberthreats has tended to focus on business disruption and reputational damage. Is this what you have experienced and if so, how does this impact your organisation?

Yes, they’re some of the attack drivers we’re facing in our region. However, the impact varies depending on the readiness of the affected organisations and their ability to minimise the impact level and lead time to recover.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

I believe the publicity associated with every cyber-attack is what creates the overrated trend not the technology or the threat actor used. Eventually, what matters is the readiness of the organisations to respond and recover through adequate business continuity plans.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?

User awareness and knowledge of cyber-risk will continue to be the most important defence, and this is proven through many major incidents. Unfortunate, we can see many organisations, globally, failing to consider this as an important topic.

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

It depends on the nature of the role the cybersecurity professional is handling. In some cases, the role does not require physical interaction or mobilisation and can be performed from anywhere, like GRC teams and the COVID-19 period was a very good example. Other roles cannot be performed remotely and require cybersecurity professional to be on-site or mobilise like SOC and device management teams.

Thank you, Jad, for taking the time to answer my questions and for sharing those great insights. We are all looking forward to your talk at the Global Cyber Conference and learning so much more in the panel session.

Jad H. Abdulsalam will be joining the panel discussion at the Global Cyber Conference on the topic of “Embedding cyber risk management into decision making process: best practices and key takeaways”.

Please also check out the interviews with our other speakers who will be in attendance at this year’s Global Cyber Conference, which you will find here.