Tasheel Finance CISO: Cybersecurity is a business issue

When he took on the role of CISO at Tasheel Finance in June 2020, at the height of the pandemic, Mohammed Al Doseri stepped up to a leadership position and quickly moved to enable the financial services organization to function by, among other initiatives: selecting secure software for meetings and discussions; creating a crisis management team; and securing VPN connections with multifactor authentication (MFA). Just as important, Al Doseri’s team supported ongoing digital transformation implementation, helping to introduce the company’s Digital Journey service for customers, which allows them to apply for a new loan or complete purchases wherever they are located, without visiting physical offices.

In this Q&A, Al Doseri explains that cybersecurity is not just about technology —it has become a business issue.

CIO Middle East: How do you lead a security strategy within the organisation?

Companies can no longer delegate the headaches of cybersecurity to the IT department, as it has become a business issue as well. This is especially important as businesses become more digitized, exposing them to an increasing number of threats if security risks are not properly managed. The types of threats that businesses face are also changing. Hacking software is becoming more powerful, allowing hackers to have a greater impact on a business. On top of previous threats such as data theft, extortion, and vandalism, cyberhackers are moving to more sophisticated agendas such as espionage, disinformation, market manipulation, and infrastructure disruption. To be able to mitigate these threats, businesses must not only consider cybersecurity as a business risk, but also act on it. To successfully protect a company, it must consider what these cyberrisks mean for the company as a whole and for its customers.

Facing cybersecurity as a business risk, rather than just a technology risk, is not as frightening as it sounds. Simple guidelines can assist a business in accomplishing this. Businesses require a strategy that incorporates cyber security into all aspects of their operations, from the IT department to employee training to security policies.

CIO Middle East: What are the best practices for making security become part of the board’s responsibility as well? How do you instil a culture of cyber awareness?

The best practices for making security become part of the board’s responsibility are: to educate company executives, create a common language, differentiate between security and resilience, and make security and resilience business priorities.

It’s vital for businesses to have a cybersecurity culture in order to ensure that you and your workers make informed security decisions. The old risk attitude of cybersecurity being the responsibility of the IT department does not apply to the digital environment we now live in. C-suite executives must abandon this approach and adopt a risk attitude, understanding that hazards are everywhere and cannot be attributed to a single department.

 CIO Middle East: MENA companies are investing more and more on cybersecurity. Taking into account all the ICT budget at Tasheel Finance, how much do you invest on cybersecurity?

With all of the changes that have occurred and the rapid change in technology, we are speeding around SAR4 million (US$1.1 million) especially with the business strategy to be a leader in the fintech technology that Tasheel Finance management team is working on by providing a new digital journey to the customer and offering credit card service.

CIO Middle East: Can it be considered safe to work in the cloud? Where do you store all your data? Do you use any cloud provider?

I believe the cloud is safe to use. To some extent, we can follow best practices by applying and maintaining control over our data in the cloud; however, as SAMA (Saudi Arabian Monetary Agency, KSA’s central bank) regulated, we are not permitted to use cloud services outside the Kingdom, and if we must use cloud services within the Kingdom, we must comply with the Cloud Computing Regulatory Framework and the SAMA Cybersecurity Framework. We currently do not use any cloud services and instead rely on our own infrastructure.

CIO Middle East: What technologies do you use to detect fraud? Could you please elaborate on these solutions?

Tasheel Finance employs several techniques, including: SOC- (security operation centre) driven continuous monitoring, email monitoring, and gateway; anomaly detection; pattern recognition; and threat detection and response. These tools include decision trees, cluster analysis, and association rules, as well as the ability to generate predictive models for fraud detection.

Tasheel Finance begins with basic anti-fraud controls. These include the separation of duties for authorization, asset custody, and the recording or reporting of transactions. In some cases, we ensure that basic controls are in place and redesign business procedures to reduce such risks.  Major frauds almost always involve senior management, particularly those with the authority to override controls.

A fraud prevention program must include fraud awareness training and communications. Every employee should be made aware of the risks of fraud and the corporate policies that prohibit such behavior.

Data analysis is a simple strategy for detecting fraud. The goal is to identify indicators of fraud by analysing the entire set of data (e.g., transactional data, master vendor data, and application control settings). Data analysis techniques range from statistical analysis for out-of-the-ordinary transactions to analytic tests to identify specific circumstances indicative of fraud.

CIO Middle East: How do you foresee machine learning being the future of cybersecurity?

Machine learning has not had the same level of success in cybersecurity as it has in other fields. Many early attempts struggled with issues such as producing too many false positives, resulting in mixed feelings about it.

Some major corporations have acquired machine learning capabilities in recent months. This could be an indication that at least some major organizations see machine learning and big data as valuable assets for the future.

It’s also possible that machine learning will soon be required in cybersecurity. Machine learning provides continuous monitoring and can handle larger data loads than a human can. Human intervention is still required. ML is not a ‘plug and play’ technology. It requires tuning to help distinguish between real attacks and what appears suspicious but is actually benign activity, and this tuning requires the assistance of human experts. Even the most pro-machine advocates are unlikely to claim that it can replace firewalls, antivirus, or human security experts, but it will supplement these more traditional defences to create a more multi-layered defence.

 CIO Middle East: How can a data breach affect stock performance across the region? What are the peculiarities and challenges of protecting the stock market? 

To better understand the impact of data breaches on the performance of globally traded company stocks, financial companies, or banks, an event study can be conducted using the timing of the announcement of large-scale data breaches for companies whose stocks are publicly traded to better understand the impact of data breaches on the performance of globally traded company stocks.

According to (some studies), stock prices generally suffer a minor negative impact because of data breaches, but this may vary depending on the severity of the data breach, the potential regulatory impacts on the company, the industry in which the company operates, the importance of the affected business to the company’s long-term