Achieving management consensus on how best to address cyber risks continues to be a challenge

As a CISO, I can attest that achieving management consensus on how best to address cyber risks continues to be a challenge, despite increased awareness among business leaders. While there is generally a better understanding of the importance of cybersecurity, differing priorities, resource constraints, and organizational dynamics often hinder the establishment of a unified approach. Balancing security measures with business objectives requires effective communication and education to bridge the gap between technical and non-technical stakeholders.

Georges has over 20 years of experience in cybersecurity across multiple industries including aerospace, aviation and defence. EDGE Group is the largest defence contractor in the Middle East where Georges is the current CISO. Prior to joining EDGE, Georges oversaw the Cyber Resilience portfolio at the World Economic Forum Centre for Cybersecurity. Prior to this, he was the CISO at the Etihad Aviation Group and Thales Group for all US entities. 

Many chief information security officers (CISOs) see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

The role of the CISO is indeed evolving to adapt to the constantly changing threat landscape. In order to stay ahead of or keep up with emerging threats, CISOs need to adopt a multidimensional approach that combines technology, business acumen, and strategic thinking.

• CISOs must remain up to date with the latest advancements in technology and security tools. They need to understand emerging technologies such as artificial intelligence, machine learning, and cloud computing, and evaluate how these technologies can be harnessed to enhance security measures. Additionally, staying informed about the latest vulnerabilities and attack vectors is crucial to proactively address potential threats.
• CISOs must develop a deep understanding of the business they operate in. This includes understanding the organization’s goals, objectives, and risk appetite. By aligning security strategies with business objectives, CISOs can effectively communicate the importance of cybersecurity and gain support from key stakeholders.
• CISOs should actively engage with the broader business ecosystem. Collaborating with industry peers, participating in conferences, and staying connected to relevant regulatory bodies and information sharing communities enables them to stay informed about emerging threats, industry best practices, and compliance requirements.
• CISOs must adopt a proactive and strategic mindset. Instead of solely focusing on defence, they should incorporate intelligence-driven approaches that involve threat hunting, risk assessments, and incident response planning. By adopting a proactive stance, CISOs can identify potential threats before they materialize and implement measures to mitigate risks effectively.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

From the perspective of a CISO, having a seat on the board is crucial for effective security governance and risk management. It ensures that security considerations are integrated into strategic decision-making processes and highlights the importance of cybersecurity at the highest level of the organization. Reporting structure also matters significantly. Ideally, the CISO should report directly to the CEO or a board-level executive to ensure independence, authority, and clear communication channels. This arrangement enables the CISO to advocate for security initiatives, align security objectives with business goals, and effectively address risks, ultimately enhancing the organization’s security posture and resilience.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

To ensure effective response and recovery from a potential cyber-attack, organizations should consider the following key steps:

1. Develop a comprehensive cyber resilience strategy:

• Identify potential cyber risks and threats.
• Define objectives, roles, and responsibilities.
• Establish incident response and recovery plans.

2. Implement robust security measures:

• Regularly update and patch software.
• Deploy robust defence systems covering infrastructure, network, identity and data protection
• Conduct vulnerability assessments and penetration testing.
• Educate employees about best cybersecurity practices.

3. Establish incident response capabilities:

• Develop an incident response team and assign roles.
• Establish protocols for reporting and escalating incidents.
• Regularly conduct drills and exercises to test response effectiveness.

4. Enhance internal and external monitoring:

• Implement real-time monitoring tools to detect anomalous activities.
• Enable log management and analysis for threat detection.
• Monitor activities in the deep and dark web to anticipate future attack campaigns

5. Establish backup and recovery mechanisms:

• Regularly backup critical data and systems.
• Implement off-site storage or cloud-based backup solutions.
• Test data restoration processes to ensure effectiveness.

6. Foster partnerships and information sharing:

• Collaborate with industry peers, government agencies, and cybersecurity organizations.
• Participate in information-sharing initiatives and forums.
• Stay updated on emerging threats and mitigation techniques.

To prioritize and allocate resources effectively, organizations should consider the following factors:

• Identify critical assets and systems that require the highest level of protection.
• Assess potential impact and likelihood of cyber threats to prioritize mitigation efforts.
• Regularly review and update the cyber resilience strategy based on the evolving threat landscape.
• Allocate resources based on risk assessments and budget constraints.
• Continuously monitor and reassess the effectiveness of implemented security measures to make informed resource allocation decisions.

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

As a CISO, I can attest that achieving management consensus on how best to address cyber risks continues to be a challenge, despite increased awareness among business leaders. While there is generally a better understanding of the importance of cybersecurity, differing priorities, resource constraints, and organizational dynamics often hinder the establishment of a unified approach. Balancing security measures with business objectives requires effective communication and education to bridge the gap between technical and non-technical stakeholders. Additionally, evolving threat landscapes and the rapid pace of technological advancements add complexity to the decision-making process. Ultimately, fostering a culture of cybersecurity awareness and aligning it with strategic goals are key to overcoming these challenges.

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

As a CISO, balancing the value of new technology with the potential for increased cyber risk is crucial to maintaining a secure digital environment. Several key elements need to be considered to strike this balance effectively:

• Regular Risk Assessments: Perform periodic risk assessments to reevaluate the cyber risk landscape, especially as new technology evolves. Stay informed about emerging threats, vulnerabilities, and best practices, and adapt security measures accordingly.
• Security by Design: Ensure that security is considered from the beginning of the technology integration process. Implement a “security by design” approach, where security controls and measures are built into the new technology and legacy systems to mitigate risks proactively.
• Robust Governance: Establish a strong governance framework that outlines roles, responsibilities, and accountability for managing the introduction and integration of new technology. This framework should include clear policies, procedures, and guidelines that address security requirements and risk mitigation strategies.
• Continuous Monitoring: Implement robust monitoring capabilities to detect and respond to potential cyber threats and vulnerabilities promptly. This includes real-time monitoring of network traffic, system logs, and user activities to identify any anomalies or suspicious behaviour.
• Employee Education and Awareness: Invest in comprehensive training programs to educate employees about the risks associated with the new technology and the organization’s security policies. Promote a culture of cybersecurity awareness and encourage employees to report any security concerns promptly.
• Vendor Management: Establish strong relationships with technology vendors and conduct thorough due diligence before engaging with them. Evaluate their security practices, ensure they comply with industry standards, and clarify their responsibilities regarding security updates, patches, and incident response.
• Incident Response Planning: Develop a robust incident response plan that outlines the steps to be taken in the event of a security breach or cyber incident. Test the plan regularly and ensure that all relevant stakeholders are aware of their roles and responsibilities.

What do you look forward to most at this year’s Global Cyber Conference?

I look forward to networking with old and new like-minded peers and friends, learning from the cybersecurity community on some of the most salient issues, contributing to the community by sharing insights from my experience during the two panels that I’ll participate in and having an enjoyable time in the beautiful city of Zurich.