It used to be said that the only certainties in life were death and taxes. To this grim list a third is now added: you will be victim to a cyberattack. No company, no organization, no individual is immune.

The quickest way for a CEO to lose his or her job is to be ill prepared for an attack. How well a CEO prepares and how well their team deals with a cyberattack will all determine whether the CEO gets to keep their job when the bank is attacked.

One of the clearest signs that a bank is taking cybersecurity seriously is that the Chief Information Security Officer (CISO) or equivalent reports direct to the chief executive.

Yet research shows that of the top 40 banks in the Middle East incredibly more than two thirds do not have a CISO as a direct report… Banks are just not taking cybersecurity seriously.  It must start with the top, the CEOs and the boards of banks.



If you doubt this, think of the big attacks that we all know about: Saudi Aramco, the NSA, Sony, the British health service (NHS), Target, Yahoo, Uber, ABN Amro, JP Morgan.  And then guess at the ones that we don’t know about…

Consider for a moment the world we live in today. On the one hand we are in the middle of a Cold War that by some estimates is worse than the 1960s and 1970s – today nation states regularly make cyberattacks on non-military targets, harming commercial organizations and utility companies alike.  On the other hand, we are in a world drowning in technology that opens up a myriad of vectors for us to be targeted by cyber criminals. Be under no illusion, cyber crime pays – it is a low risk, high reward activity. And at present rates it will grow in to a two trillion dollar industry globally by next year.

The only thing you can do is to reduce the chances of a successful attack, reduce the potential impact and ensure that you have an effective recovery plan.

The other sign that banks are not taking cybersecurity seriously is by looking at the profile of the CISO or senior security expert. All too often the CISO has been promoted up through the IT function. So cybersecurity is seen as a purely technical problem rather than as a major business issue and of strategic importance.

Cybersecurity is far from just being an IT issue. It is a complex multi discipline issue. Yes, of course there is an important technical side, but it also requires thought about how an organization does business, who it does business with.  It encompasses legal issues, PR issues, HR issues. And most importantly, the CISO has to have a strong voice and the business skills to be able to communicate effectively the risk for the business/shareholder values to the CEO and the Board, as well as the required budget allocations and business changes to mitigate those risks.

How many of today’s CISOs in the Middle East have the skills to do that or more importantly, how many are empowered to do that and drive forward a multi discipline approach to cybersecurity?

What do banks in the Middle East need to be doing differently?

Cybersecurity has to be a board and CEO issue. The CEO has to be driving the cybersecurity agenda by sufficient allocation of budget to cybersecurity, elevating the status of the CISO, investing in skills development of the CISO and his/her team, ensuring that the whole bank has been trained in cybersecurity awareness, and be obsessed with protecting the bank’s assets.

If the CEO does this, then when the attack comes it can be dealt with quickly and any impact eradicated and the bank can return to business as normal. The CEO who has shown due care to shareholders and leadership in driving the cybersecurity agenda of the bank will get to keep their job.

Published in Cyber security

News release

14 February 2018

Two thirds of bank chief executives (71%) in the Middle East could be at risk of losing their jobs because they are not managing cybersecurity risks effectively.

Research shows that only 29% of Middle East banks with assets of more than $10bn have a chief information security officer (CISO) reporting directly to the chief executive – a key sign among cybersecurity professionals that an organisation is taking and managing these threats seriously. More than a third (35%) of CISOs have no direct reporting line to any C-level executives.

The research was carried out by Metin Mitchell & Co into the 49 qualifying banks in nine countries. No country was an outstanding performer; the two highest performers were Qatar (40%) and the Kingdom of Saudi Arabia at 38%.

Metin Mitchell, founder of the Dubai-based firm which specialises in executive search for Middle East financial services, said: “If cybersecurity experts are to have any impact in a bank they need more than technical skills – they also need a strong voice and business skills. They must be able to communicate effectively to the CEO and the board on the risks to both the business and shareholder values. They must also have the required budget and the ability to influence decision-making to mitigate those risks. 

“How many of today’s CISOs in the Middle East have the skills to do that? And more importantly, how many are empowered to do that and drive forward a multi disciplined approach to cybersecurity? How well a CEO prepares, and how well their team deals with a cyberattack, will all determine whether a CEO keeps their job when the bank is attacked.”

Raef Meeuwisse - ISACA governance expert, author and cybersecurity adviser to Metin Mitchell & Co – explained the importance of CISOs reporting to the chief executive: “There is a shortage of cybersecurity skills. In a market competing for resources, the best talent goes to the organizations that look most appealing to work for.

“Security staff are not like normal people. They are not interested in your sector, turnover or profit. They want to know if your organization has the security fundamentals in place. Are you likely to still be operating in a few years time? One of the easiest ways to check is simply to ask, is your CISO reporting to the main board – and in the case of financial services this would be to the chief executive.”

Metin Mitchell & Co has launched a specialist cybersecurity service to recruit senior cybersecurity talent and advise on how best to structure and manage this cybersecurity talent.

Published in Cyber security

In this blog, I want to provide some valuable insights into the reasons that some firms struggle to obtain the cybersecurity skills they need, where others seem to have no challenge drawing in the right expertise.

As far as cybersecurity goes, there are 3 distinct types of enterprises out there right now:

  • Organizations with a robust security position.
  • Organizations trying to reach a robust security position but struggling to fill their roles.
  • Organizations that are still not yet focussed on their security.

It is accurate that the market is not awash with skilled cybersecurity professionals. In fact, although it can be easy to fill a role with a person, it is substantially harder to find the right person.

So what are the behaviours that help organizations to attract in the right people?

Based on reviewing the security practices at over 50 different organizations over the past ten years, these were some of the main characteristics that companies attracting the right personnel had in common. I have also listed them into a priority order of what is often most important to a candidate:

  1. Is your CISO reporting to the main board?
  2. Do you have a competent CISO who is good to work for?
  3. Is the role appealing, will it allow me to expand my skills through continuous learning?
  4. Does the role contain any unreachable or unreasonable expectations?
  5. What are the hours like and how much does it pay?

Were you surprised by anything on that list, or by the order of items? I was, until I took the time to understand the implications of each one.

Is your CISO reporting to the main board?

In a market competing for resources, it makes sense that the good resources will go to the organizations that look most appealing to work for.

Security staff are not like normal people. We are not interested in your sector, turnover or profit. What we are interested in is whether your organization has the security fundamentals in place. Are you likely to still be operating in a few years time? One of the easiest ways to check is simply to ask, Is your CISO reporting into the main board?

If not, then any security-savvy candidate will know that the reporting line is wrong and will already exclude themselves. After all, if you still have security reporting in at some lower level, security risks will be buried in politics and from the perspective of a cyber professional, the chances of a megabreach or an organization-wide attack will be high. What professional wants to be on board a company for that experience?

Do you have a competent CISO who is good to work for?

In a world where technology and digital transformation are fundamental to success, acquiring a good CISO is as important to any enterprise as acquiring a good CEO.

The cybersecurity world is surprisingly small. Staff talk to staff from other companies. We generally know how the working environment and security posture is in each major company.

I have been working with Metin Mitchell to help develop the list of ideal CISO characteristics. My own opinion is as follows:

  • A skilled communicator and team builder with a strong contacts network.
  • Comfortable at the board level and skilled at controlled delegation.
  • Understand what needs to be achieved (have business and technical competence)
  • Are up to date on the latest major cyber threat and defence techniques
  • Understand how to manage risk – and not just how to push it down the road
  • Know how and when to leverage outsourcing for specialist security services

The few companies that have CISOs that match the list above have no issue with finding the staff they need. People want to work for them and with them – but they are currently a rare find and in high demand. Headhunting for CISOs is definitely an area Metin Mitchell can help with.

People often ask me what is the most important component in enterprise cybersecurity. Every company I know that has a  suitable CISO (meeting the criteria above) reporting to the main board, also has a robust security culture. 

To put it another way, if you look at any organization that has suffered a major attack or megabreach, you would find that they were missing many of the skills from the list above.

Is the role appealing, will it allow me to expand my skills through continuous learning?

Imagine you have some specialist cybersecurity skills that are in high demand. Perhaps you are a digital forensics specialist or a penetration tester. If so, keeping your skills up to date is fundamental to your value.

If you join a team of strong people with equivalent skills who invest in continuous learning, your value will be sustained. However, if you agree to go to an environment that simply wants you to work without peers or time to sustain your skills, you will quickly be deskilled and devalued.

This is a reason that many enterprises and CISOs choose to outsource certain specialist security services.

Does the role contain any unreachable or unreasonable expectations?

The scarcity and price tag for effective cybersecurity personnel often results in the creation of role descriptions that may seek to combine skills in an unreasonable way – for example, to expect someone to function as both a penetration tester and an incident responder.

Cybersecurity is a discipline. It only functions when each skill has the time and resources they need to accomplish their tasks.

Role descriptions that are put together optimistically and without the right understanding will once again lead many good potential candidates to exclude themselves from applying. After all, if an enterprise could not even get the role description to appear reasonable, then it is nearly certain that the role will have unreasonable and unachievable expectations.

What are the hours like and how much does it pay?

Although money is a factor, the expectation for working hours is often even more important to a candidate.

Most people expect to work a full week. Some people are also willing to be on call outside of working hours. However, if there are no limits on working into evenings and weekends then the role will not appeal to resources that are in high demand. They will have lots of options on the table.

Non-monetary items will often be more important to attracting in a candidate than just trying to increase the salary offer.

So – Is there a cybersecurity skills shortage?


However, the good news is that you can overcome the shortage and it does not require you to pay the most, you just need to be the most attractive place for a cybersecurity professional to want to work.

Published in Cyber security

Read more

To read more of Metin Mitchell’s insights on leadership, leave your email here:


Elsewhere online

Popular Posts

Recent Posts