To understand how some of the most experienced CSOs/CISOs have combated cyber threats in the Middle East and around the globe, TECHx spoke with several of them. Proofpoint’s resident CISO, Andrew Rose, is featured today. Check out how Proofpoint addresses cyber risks in the article below.
TECHx: What are the most pressing cybersecurity concerns faced today by organizations in the Middle East?
Andrew: Increasing familiarity with the post-pandemic work environment has enabled CISOs in the Middle East to feel more equipped to deal with cyber threats. While more than two-thirds (68%) of CISOs in the UAE believed they were unprepared for a targeted attack in 2021, this is down to just 44% this year.
While this shift in confidence is positive, there is a troubling disconnect between preparedness and perceived risk, as many CISOs struggle to identify which of the many common threats is likely to strike.
Our 2022 Voice of the CISO Report highlighted this lack of consensus among UAE CISOs as to the most significant threats targeting their organization. This year, Business Email Compromise and Cloud Account Compromise (O365 or G suite accounts being compromised) topped the list for UAE CISOs, both at 35%. They were closely followed by insider threats–whether negligent, accidental, or criminal–with 31%. Despite dominating recent headlines, ransomware came in at 28%.
TECHx: What are some of the best cybersecurity practices your company has adopted to ensure both a secure working environment and a simplified adoption process?
Andrew: Proofpoint is focused on continually developing security innovations that protect people—wherever they may work—and defend their data from today’s most harmful risks. In the past year alone, Proofpoint has made significant innovations across its entire product line.
It’s often stated that people are a firm’s most valuable asset; however, when it comes to cyber security, people are by far the most common attack vector – being manipulated by attackers into activating malware, sharing credentials or simply paying fake invoices. Proofpoint’s enhancements empower companies worldwide to stay ahead of this continually evolving threat landscape and better protect their people from attacks and compliance risks related to email, cloud, data and collaboration tools.
To stay ahead of the threat actors, we invest hundreds of millions annually into our products and rely on the most advanced AI/ML technologies to defend our customers. Our unmatched AI-powered data intelligence and ongoing commitment to innovation are why 75% of the Fortune 100 trust Proofpoint as their cybersecurity partner.
TECHx: How are you protecting your remote workforce from potential cyber threats?
Andrew: The shift to long-term hybrid working environments has emboldened cybercriminals and nearly 30% of CISOs in the UAE and KSA agree that targeted attacks on their organizations have increased since adopting mass hybrid working. This results in a broad and varied threat landscape, with numerous attack methods focused on users in relatively new working conditions.
Through a technical combination of email gateway rules, advanced threat analysis, email authentication, and visibility into cloud applications, we can block the vast majority of targeted attacks before they reach employees. Relying solely on technical controls, however, isn’t the solution – a robust cybersecurity strategy for a hybrid workforce requires a combination of people, process and technology – so other controls are required.
As the ‘work from anywhere’ culture continues for many organizations across the Middle East, teams need to develop and deploy clear best practice policies for hybrid working, covering system and network access, data management, user privileges, password hygiene, unauthorised applications, BYOD, data protection, and more.
One key aspect is that it is paramount for employees to truly understand how to spot and report attempted cyberattacks through an ongoing and comprehensive security awareness training programme.
TECHx: The human factor remains one of the most serious threats to an organization’s cybersecurity; in light of this, what kind of security training should employees receive?
Andrew: The World Economic Forum has recently reported that 95% of cybersecurity incidents occur due to human error. It was interesting to note, however, that Proofpoint’s recent Voice of the CISO Report showed that only half of CISOs in the UAE and KSA consider human error to be their organization’s biggest cyber vulnerability. The human factor is undoubtedly one of the most serious threats to an organization’s cybersecurity posture and it’s critical that every CISO understands this.
The modern cybercriminal no longer needs to hack into an organization. If they can compromise the staff member, perhaps with credential theft, they can simply log in and have direct access to all the ‘crown jewel’ data with much less effort. As a result, criminals are continually targeting humans rather than technology to expose confidential data, compromise networks, and even wire money, with attacks such as BEC. When your people are that vital to an attack, they need to be a vital part of your defence.
We must empower people, at all levels within our organisations, to understand security and the risky behaviours that can lead to breaches. Training and awareness programs are crucial, but one size does not fit all. The program should be from the perspective of the user – it should be relevant to their work and personal lives. We must also provide simple ways for users to report back to the security team. For example, single-click buttons that automatically send potential phishing emails to the security team to analyse.
TECHx: What is the best and most immediate strategy for CSOs/CISOs to implement if a data loss occurs in their organization?
Andrew: Prevention is always better than cure, and we therefore always advise to be prepared for potential threats. Proactively protecting against data breaches – both major and minor – means minimizing the attack surface before an attacker gets near the network.
It’s important to remember that data doesn’t lose itself. Given today’s cybersecurity challenges, organizations need a better approach to enterprise Data Loss Prevention (DLP) – one that is people-centric. That’s because data loss originates with people. They can be negligent, they can be compromised by an external threat actor or they can be malicious for financial or political gain.
Proofpoint Enterprise Data Loss Prevention brings together our market-leading DLP solutions for email, cloud and endpoint. It combines content, behaviour and threat telemetry from these channels. This allows you to address the full spectrum of people-centric data-loss scenarios comprehensively.
TECHx: What do you consider to be the most important skills of a modern CSO/CISO?
Andrew: Given the increasing demands of a CISO’s role today, it is clear that they are under tremendous pressure. Proofpoint’s 2022 Voice of the CISO Report showed that 38% of CISOs in the UAE feel that the expectations on their role are excessive – the good news is that this is down from 67% in the previous year.
The CISO is now at the heart of an accelerated business strategy. With organisations fast adapting to a new, remote way of working, it is the role of the CISO to identify the showstoppers, patch the gaps, and ensure a safe transition to the new working model or face the consequences.
However, the perceived lack of alignment with the boardroom has increased, with just 14% of UAE CISOs strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. To bridge this divide, communication with the board is key. CISOs must learn the language of the C-suite, becoming business executives first and technologists second.
We must avoid engaging in overly technical conversations and instead focus on the value our work adds to the organisation – along with the value it protects. All discussions must begin and end with risk – the risk facing the business, its data, its IP, its agility, and its reputation. And the risk of failing to secure it.
We need to know those drivers for long-term revenue and demonstrate that we’re sympathetic to the tactical challenges that the firm has right now. Represent those in your interactions, reflect them in your narrative and make sure your C-suite audience realises that you’re aware of, and aligned with, the business priorities and challenges your firm faces.
TECHx: What advice or tips would you give to other CISOs in light of the current global cybersecurity landscape?
Andrew: You must recognise that your people, valued as they are, are your primary attack surface. The vast majority of cyber-attacks will seek to exploit your people to gain their traction. As a CISO, you must consider what percentage of resource, both financial and staff, you allocate to this challenge, because the majority of CISOs severely underinvest in this, their major challenge. Review your spend and your attention, to rebalance this deficit.
Recognise that the current geo-political situation represents a systemic risk to information and digital systems across society. CISOs must prepare for nation-state cyber weaponry to be released and rapidly repurposed for criminal intent. Many CISOs in critical services are reviewing their business continuity plans to ensure both safety, and baseline operational capability, in the absence of core information systems. If that means you need to figure out how to operate your plant using manual, paper-based systems, so be it – get ready.
Finally, you must recognise that the CISO role is a stressful one, and you can ensure your personal longevity, and value to your enterprise, by proactively managing the stress. Take self-care seriously, and ensure that your staff do too. Too many security leaders are burning out under the constant pressure of the role – make sure you leave enough space for you, your team and your family to avoid such outcomes for yourself.