Spotlight on leadership and cybersecurity in changing times
Metin Mitchell, Managing Partner, and guest contributors
71% of Middle East bank CEOs at risk of losing their jobs
It used to be said that the only certainties in life were death and taxes. To this grim list a third is now added: you will be the victim of a cyberattack. No company, no organization, no individual is immune.
The quickest way for a CEO to lose his or her job is to be ill-prepared for an attack. How well a CEO prepares and how well their team deals with a cyberattack will determine whether the CEO gets to keep their job when the bank is attacked.
One of the clearest signs that a bank is taking cybersecurity seriously is that the Chief Information Security Officer (CISO) or equivalent reports directly to the chief executive.
Yet research shows that of the top 40 banks in the Middle East, incredibly, more than two-thirds do not have a CISO as a direct report… Banks are just not taking cybersecurity seriously. It must start at the top, with the CEOs and the boards of banks.
If you doubt this, think of the big attacks that we all know about: Saudi Aramco, the NSA, Sony, the British health service (NHS), Target, Yahoo, Uber, ABN Amro, JP Morgan. And then guess at the ones that we don’t know about…
Consider for a moment the world we live in today. On the one hand we are in the middle of a Cold War that by some estimates is worse than that of the 1960s and 1970s – today nation states regularly make cyberattacks on non-military targets, harming commercial organizations and utility companies alike. On the other hand, we are in a world drowning in technology that opens up a myriad of vectors for us to be targeted by cyber criminals. Be under no illusion, cyber crime pays – it is a low-risk, high-reward activity. And at present rates it will grow into a two-trillion-dollar industry globally by next year.
The only thing you can do is to reduce the chances of a successful attack, reduce the potential impact and ensure that you have an effective recovery plan.
The other sign that banks are not taking cybersecurity seriously is the profile of the CISO or senior security expert. All too often the CISO has been promoted up through the IT function. So cybersecurity is seen as a purely technical problem rather than as a major business issue of strategic importance.
Cybersecurity is far from being just an IT issue. It is a complex, multi-discipline issue. Yes, of course there is an important technical side, but it also requires thought about how an organization does business and who it does business with. It encompasses legal issues, PR issues and HR issues. And most importantly, the CISO has to have a strong voice and the business skills to communicate effectively to the CEO and the Board the risk to business and shareholder value, as well as the budget allocations and business changes required to mitigate those risks.
How many of today’s CISOs in the Middle East have the skills to do that or, more importantly, how many are empowered to do that and drive forward a multi-discipline approach to cybersecurity?
What do banks in the Middle East need to be doing differently?
Cybersecurity has to be a board and CEO issue. The CEO has to be driving the cybersecurity agenda by allocating sufficient budget to cybersecurity, elevating the status of the CISO, investing in skills development of the CISO and his/her team, ensuring that the whole bank has been trained in cybersecurity awareness, and being obsessed with protecting the bank’s assets.
If the CEO does this, then when the attack comes it can be dealt with quickly, any impact eradicated, and the bank can return to business as normal. The CEO who has shown due care to shareholders and leadership in driving the cybersecurity agenda of the bank will get to keep their job.