Along with the increasing level of cyber-threats that companies of all sizes are experiencing, the importance of the CISO (chief information security officer) role in enterprises has grown at a similar rate. This is especially true in the Middle East and in particular for the Gulf countries, which are increasingly becoming the targets of sophisticated attacks aimed at stealing personal and company data and, in some cases, exposing state secrets.
Technology leaders and security experts met at GITEX recently to lay out the main security challenges and priorities for the next few years. Critical issues for CISOs, particularly as remote work becomes a common practice, include implementing cybersecurity awareness among staff. One of the most pressing topics for CISOs, though, is closing the skills gap and attracting young, tech-savvy workers into the security field.
At a time when data has become the most important asset that any company has, CISOs have gone from being a complement to the company’s C-suite structure to becoming a fundamental asset.
Security professionals at GITEX had tips for young professionals interested in security. Jelena Zelenovic-Matone, CISO at European Investment Bank, advised anyone starting out in the security field to get to know their business from the ground up.
CISOs need to understand business
“The first thing you need to do after you get your degree is to be on the third line of defence in order to … understand the business, and in order to view a spectrum of things,” Zelenovic-Matone said. “You need to understand that you can’t fulfil [the CISO role] if you don’t understand the business; you need to move in all areas to improve your skills, before you are on the first line and become a CISO.”
Other security experts speaking at GITEX agreed that it’s important for security professionals to get to know how business operates in all areas of an enterprise.
“You need to have knowledge in different areas, at the beginning on a technical level,” said Abdulla Bader Al Sayari, CISO at Department of Health (UAE). “You can play different roles in order to get experience.”
CISOs need to be open-minded and understand an organization’s operations, Al Sayari said. “In order to lead security you need to have some skills in business.”
In the early 1990s, with a mass migration of data to digital media, security experts were narrowly focused on applying necessary procedures and measures for the security of corporate information.
With the rise of jobs for cyber-security experts, some universities began to offer bachelor’s degrees in cyber-security, in many cases as a specialization within computer science programmes.
Security leaders participate in strategy
Today, though, CISOs also require an ability to interact with business executives, as security issues become intertwined with basic business processes. And as security technology is incorporated into core enterprise IT systems, CISOs must contribute to strategic decisions at the corporate level.
Beyond an expertise in security technology, CISOs need people skills and should have an understanding of different IT systems in order to have an overview of a company, said security experts at GITEX.
“Passion should be our number one skill, we need it in this field,” said Majed Alshodari, CISO at Allied Cooperative Insurance Group (ACIG). “We need to rotate [through various IT jobs]; in my case working in IT and applications have helped me in achieving the qualification to understand more about cybersecurity.”
IT security technologies and systems are now sophisticated enough to free up high-level professionals from day-to-day administration, to focus on critical business decisions. That change makes trust in staff increasingly important.
Security is a 24/7 job
Trust in business partners and suppliers is also an issue. “You are going to be always worried. It’s not only about your job, but it is also the issue of an ecosystem of third parties. You need to work with partners and you have to trust them,” said Harrison Nnaji, CISO at FirstBank Group.
With such a complex IT infrastructure, there are great demands on security professionals. “You need to be ready all the time,” Nnaji said.
Security staffers, meanwhile, are expected to take on an increasingly heavy workload. Seventy-one percent of cybersecurity employees report being on call 24/7, every day of the year, according to the Ponemon Institute. It’s a clear recipe for fatigue.
While security is a 24/7 business, team leaders, who themselves are under stress, need to create a fair approach to scheduling and compensation, said security executives.
“If we think a CISO works from 9 to 5 pm we are mistaken, a CISO runs the services 24 hours, there are no holidays,” Alshodari said. “We do agree that a CISO is a crucial role — how to accommodate ensure that we deliver our solutions? Stress management comes with the package.”
While automation can reduce stress by reducing false positives and eliminating manual investigations, security leaders also should avoid having the security team take on the entire security burden for an enterprise, Alshodari said. “Managing the entire risk is totally not recommended, we need to empower other departments and share the job.”