It used to be said that the only certainties in life were death and taxes. To this grim list a third is now added: you will be the victim of a cyberattack. No company, no organization, no individual is immune.

The quickest way for a CEO to lose his or her job is to be ill-prepared for an attack. How well a CEO prepares and how well their team deals with a cyberattack will determine whether the CEO gets to keep their job when the bank is attacked.

One of the clearest signs that a bank is taking cybersecurity seriously is that the Chief Information Security Officer (CISO) or equivalent reports directly to the chief executive.

Yet research shows that, of the top 40 banks in the Middle East, incredibly more than two thirds do not have a CISO as a direct report… Banks are just not taking cybersecurity seriously. It must start at the top, with the CEOs and the boards of banks.


If you doubt this, think of the big attacks that we all know about: Saudi Aramco, the NSA, Sony, the British health service (NHS), Target, Yahoo, Uber, ABN Amro, JP Morgan.  And then guess at the ones that we don’t know about…

Consider for a moment the world we live in today. On the one hand we are in the middle of a Cold War that by some estimates is worse than the 1960s and 1970s – today nation states regularly make cyberattacks on non-military targets, harming commercial organizations and utility companies alike. On the other hand, we are in a world drowning in technology that opens up a myriad of vectors for us to be targeted by cyber criminals. Be under no illusion, cyber crime pays – it is a low-risk, high-reward activity. And at present rates it will grow into a two-trillion-dollar industry globally by next year.

The only thing you can do is to reduce the chances of a successful attack, reduce the potential impact and ensure that you have an effective recovery plan.

The other sign that banks are not taking cybersecurity seriously is the profile of the CISO or senior security expert. All too often the CISO has been promoted up through the IT function, so cybersecurity is seen as a purely technical problem rather than as a major business issue of strategic importance.

Cybersecurity is far from just being an IT issue. It is a complex multi-discipline issue. Yes, of course there is an important technical side, but it also requires thought about how an organization does business and who it does business with. It encompasses legal issues, PR issues, HR issues. And most importantly, the CISO has to have a strong voice and the business skills to be able to communicate effectively the risk for the business/shareholder values to the CEO and the Board, as well as the required budget allocations and business changes to mitigate those risks.

How many of today’s CISOs in the Middle East have the skills to do that or, more importantly, how many are empowered to do that and drive forward a multi-discipline approach to cybersecurity?

What do banks in the Middle East need to be doing differently?

Cybersecurity has to be a board and CEO issue. The CEO has to be driving the cybersecurity agenda by allocating sufficient budget to cybersecurity, elevating the status of the CISO, investing in skills development of the CISO and his/her team, ensuring that the whole bank has been trained in cybersecurity awareness, and being obsessed with protecting the bank’s assets.

If the CEO does this, then when the attack comes it can be dealt with quickly and any impact eradicated and the bank can return to business as normal. The CEO who has shown due care to shareholders and leadership in driving the cybersecurity agenda of the bank will get to keep their job.

Published in Cyber security

News release

14 February 2018

Two thirds of bank chief executives (71%) in the Middle East could be at risk of losing their jobs because they are not managing cybersecurity risks effectively.

Research shows that only 29% of Middle East banks with assets of more than $10bn have a chief information security officer (CISO) reporting directly to the chief executive – a key sign among cybersecurity professionals that an organisation is taking and managing these threats seriously. More than a third (35%) of CISOs have no direct reporting line to any C-level executives.

The research was carried out by Metin Mitchell & Co into the 49 qualifying banks in nine countries. No country was an outstanding performer; the two highest performers were Qatar (40%) and the Kingdom of Saudi Arabia at 38%.

Metin Mitchell, founder of the Dubai-based firm which specialises in executive search for Middle East financial services, said: “If cybersecurity experts are to have any impact in a bank they need more than technical skills – they also need a strong voice and business skills. They must be able to communicate effectively to the CEO and the board on the risks to both the business and shareholder values. They must also have the required budget and the ability to influence decision-making to mitigate those risks. 

“How many of today’s CISOs in the Middle East have the skills to do that? And more importantly, how many are empowered to do that and drive forward a multi disciplined approach to cybersecurity? How well a CEO prepares, and how well their team deals with a cyberattack, will all determine whether a CEO keeps their job when the bank is attacked.”

Raef Meeuwisse – ISACA governance expert, author and cybersecurity adviser to Metin Mitchell & Co – explained the importance of CISOs reporting to the chief executive: “There is a shortage of cybersecurity skills. In a market competing for resources, the best talent goes to the organizations that look most appealing to work for.

“Security staff are not like normal people. They are not interested in your sector, turnover or profit. They want to know if your organization has the security fundamentals in place. Are you likely to still be operating in a few years’ time? One of the easiest ways to check is simply to ask, is your CISO reporting to the main board – and in the case of financial services this would be to the chief executive.”

Metin Mitchell & Co has launched a specialist cybersecurity service to recruit senior cybersecurity talent and advise on how best to structure and manage this cybersecurity talent.

Published in Cyber security
Tuesday, 14 November 2017 09:02

Could CFOs become redundant?

I am delighted to be speaking at the CFO Strategies Forum in Dubai, on 15/16 November along with 150 invited CEOs, CFOs (chief financial officers) and C-suite executives.

With me to create a lively debate will be an august panel of Dr Bernd van Linder, CEO, Commercial Bank of Dubai; Waleed Abu Eleiz, CFO, Alfa International; and Adham Gasser, Regional CFO, P&G.

The topic of our debate is around the relationship between the CEO and CFO and the survival of CFOs in the face of automation; could CFOs even become redundant? How do they need to change or adapt to help the CEO and stay relevant?

In our session, we want to discuss research recently carried out by EY into The CFO and the chief executive officer.  This is part of their Partnering for Performance series which also looks at the partnership between the CFO and the CIO – a critical relationship in terms of the survival of CFOs.

Their survey of 652 global CFOs showed that the CFO role has been center stage in the financial crisis as CEOs relied on them to find cost reduction and strategies to shield against downturns in the economy. They became close allies of the CEO but this also meant reinforcing their cost management role and as economies have picked up, they now struggle to position themselves as a key strategic player in the future of the business.

[Image: CFO–CEO relationship challenges]

And this is a real risk for CFOs in the long term. Cost reduction will almost certainly be something that artificial intelligence (AI) and algorithms can do better than humans. 

Research by McKinsey on Where machines can replace humans – and where they can’t (yet) concludes “While automation will eliminate very few occupations entirely in the next decade, it will affect portions of almost all jobs to a greater or lesser degree, depending on the type of work they entail.” In the case of finance and management, they say 6–10% of time is spent on activities that could be automated. So it would be easy to think leadership roles are ‘safe’ for the foreseeable future.

The danger is in that word ‘foreseeable’. Artificial intelligence has a way of catching even the experts out. In May this year, the world was shocked when Google’s computer program AlphaGo beat the world’s expert at the game Go – it had been considered unimaginable for a computer to beat a human champion in this fiendishly complex game.

It is natural for leaders to think they are indispensable – but are they?

If we look at the challenges facing corporates in the next decade, what are they? They are the big decisions of globalisation – which country is best for what; and digital – strategies that are fit for a digital world, using data analytics, governance and oversight frameworks, and managing the legal and regulatory risks of digital. Even the old focus of ‘staying close to our customer’ now requires data and data management.

So where are CFOs in all this? You would say they should be at the heart of this new digital world? All of the digital challenges sit comfortably within a CFO’s skillset?

Yet in EY’s research only 18% say they make a very significant contribution to the shift to a digital business model and fewer than half are significantly involved.

[Image: Question 5, contribution to digital]

I believe this is a shocking admission by CFOs. How are they so sidelined in a critical business issue? We find the answer in another piece of EY’s research looking at the relationship between the CFO and CIO. In this, CFOs admit the principal barrier to a close relationship with the CIO is their lack of understanding of IT issues.

[Image: barriers to IT collaboration]

So what does EY think that CFOs need to be doing about this – they don’t say ‘to avoid becoming redundant’, but I will say this for them.

They have a nine-point plan which includes understanding new digital business models – and new ways of financing these models; leveraging digital technologies within the finance function to improve data processing and reporting; having ‘digital natives’ within their finance team; and working with the board to develop a cyber security strategy.

The one thing they don’t say, to put it brutally, is that if CFOs are to avoid becoming redundant they must themselves own the digital space. They need to understand IT and digital just as they do finance: know the dangers, be able to ask the right questions and, more importantly, understand and make a judgement about the answers.

Taking ownership of the digital landscape in their organisation will not only ensure CFOs are relevant and an acknowledged essential leader in their business, it will put them at the heart of the business and the close ally of CEOs.

I look forward to hearing the views of those on our panel – how important do they think this digital ownership is and what do they see as the skills for CFOs of the future.

Published in Leadership
