Day two of Cyber Defence Summit discusses employee awareness and the shift to third platform technologies.
Following a day focused on ensuring that cyber security is a boardroom discussion, day two of the Cyber Defence Summit was opened by Eng. Mohammed E. Al-Ghamdi, Assistant Director General, National Center for Digital Certification (NCDC), Ministry of Communication and Information Technology (MCIT).
Eng. Mohammed commented in his opening keynote: “In 2007, the E-Transaction Act was passed which gave the legal framework for a public key infrastructure in Saudi Arabia. Since then, NCDC has been able to pass several third party audits and receive the Web Trust seal; also the Saudi National Root Certification Authority was added to the list of Root CAs trusted globally by Microsoft systems. Now we are paving the way for Mobile PKI in the Kingdom allowing access to it anywhere and anytime.”
With many companies focused on cost cutting and efficiency, an increasing number of enterprises are embracing cloud and mobile technologies to gain a competitive edge and to better serve their customers. The volume of information being collected and processed has grown manifold. People and companies are now more connected to the outside world and hence are more vulnerable.
The first panel discussion of the day focused on securing third platform technologies: social, mobile, cloud and big data. The discussion featured Abdulkareem Alsheha, Head of Information Security of a financial sector giant; Eng. Suliman Alsamhan, Head of Computer Forensics Lab, CERT-SA; Dr. Zaidan Alenezi, Strategy & CNI Coordination, National Cyber Security Center (NCSC), Ministry of Interior; and Abdulrahim Said, Senior Security Architect, IBM. It was moderated by Ahmad Alanazy, Information Security Evangelist, STC.
Abdulrahim noted, “Companies are bandwagoning on new technologies and touch points for their customer base including social media without potentially realizing the risks associated with them. Policies, procedures and processes need to be set in place before a company decides what information flows into and out of the organisation. Then they need to be religiously monitored to realise any risks associated with this information flow.”
Abdulkareem said, “Employees need to be made aware of compliance policies which should be regulated with strong legal binding and penalty clauses. Compliance policies with regular cyber security standards give us a better chance of security and protection from internal threats.”
Eng. Suliman added, on the human aspect, “Humans are the weakest link in security. Hence there is a need for them to be addressed first. Installing latest cyber security technologies and policies without properly educating your employees is counterintuitive and not the holistic approach that is required.”
The following panel discussion addressed the need to treat cyber risk management as a critical concern and highlighted the requirement for, and benefits of, business continuity planning and disaster recovery. The panel featured Dr. Hosam Rowaihy, Director, Information Technology Center, KFUPM; Gregory Nowak, Principal Research Analyst, Information Security Forum (ISF); and Eng. Yasser Alruhaily, Head of Information Security Risk Management, STC. It was moderated by Fahad Al-Hussein, Director of Information Security, King Fahad Medical City.
Gregory said, “The board should define what is critical to the business and then it should be the responsibility of the IT team to devise an action plan for the protection of these critical assets. For this to be stress free and for a smooth process you need to understand how all the stakeholders define information security, engage with agencies with a good repute in threat intelligence, be relentless in demonstrating the business value of your plan and then proactively review your plan’s results for improvements.”
Dr. Hosam stressed the importance of identifying the ‘crown jewels’ and the potential threats against them. He noted, “Risk management is not a new concept and has always existed in business. Though what is required is the involvement of management in cyber risk management as all businesses are technology reliant. Identification of crown jewels and what is quintessential for a business is not the sole responsibility of the CIO. It requires the entire board to come together.”
The day ended with a simulation workshop conducted by Nasser El-Hout, Managing Director, Service Management Centre of Excellence. The workshop provided a real-time understanding of which processes run in parallel and identified which of them were important or mission critical.
The summit, organised by French business information group naseba, enabled cyber security experts from Saudi Arabia to meet in one location and formulate comprehensive, forward-thinking plans to defend the Kingdom’s sensitive information, and specifically its critical infrastructure, from possible cyber threats.