How CISOs will soon be automating security governance, risk, compliance

The Middle East, and GCC in specific, remain a prime target for cyber-criminals due to the prominence and scale of the financial and energy services sectors that require a high degree of regulatory compliance. This is due to the inherent risk of loss of confidentiality and integrity, and unavailability of information which may lead to disruption of critical infrastructure services in the region.

According to the World Economic Forum Global Risk Report 2019, cyberattacks were ranked as the highest technological risk followed by risks related to the breakdown of critical information infrastructure. The WEF has also warned of the increased likelihood of cyberattacks in the Gulf and especially in Saudi Arabia and the UAE.

This increase of likelihood, which is evident in the past waves of attacks against Saudi Arabia in 2012 and 2017, has ensured that cybersecurity compliance makes it to the top of the agendas of government agencies in both countries, with the UAE launching its National Cyber Security Strategy and Saudi Arabia envisioning a secure and resilient digital infrastructure as part of Saudi Vision 2030.

Saudi Arabia has introduced a variety of regulations and standards targeted at financial institutions, government entities and information technology providers to ensure a unified risk-based best practice approach to tackle the increase of cyberattacks and to create a cybersecurity culture amongst its citizens, residents and both private and government institutions.

The UAE has also revised the current National Cyber Security Standard, Critical Information Infrastructure Protection policy, is introducing Sector Specific Cybersecurity Standards and is working towards enhancing current cybersecurity laws.

This increase in regulations and standards may burden organisations in the short run in terms of financial, human resources and operational overheads. But it will no doubt contribute positively to the bottom line in the long term, by reducing the risk exposure of organisations and strengthening the trust of stakeholders who are looking to invest in this region.

Human resources’ skills remain the main challenge for organisations that are looking to comply with the numerous requirements coming out of cybersecurity regulations and standards. It is essential for an organisation to develop its resources regularly to meet the ever-changing threat landscape and compliance requirements.

Cybersecurity skills shortage impacts more than 70% of organisations in the form of increased workloads on current staff as revealed by a global study conducted by the Information System Security Association.

The shortage in skilled resources is leading organisations to be creative in their approach by outsourcing CISO functions – Virtual CISO. As well as embracing managed security services, both technical and governance services.

Financial challenges are also contributing to delays in meeting compliance requirements thus increasing the risk exposure of organisations. This is mainly due to the lack of a mature risk-based approach, coupled with cost-benefit analysis, to cybersecurity which in turn ensures funds are diverted to where they matter the most.

Cybersecurity awareness training platforms are one of the essential tools used by organisations to reduce the human risk factor and ensure a positive organisational cybersecurity cultural change that contributes to reducing the likelihood of incidents materialising and helps fills the end-user skills gap by transforming users into contributors to the compliance journey.

One of the most up and coming technologies in this region is GRC automation, as it enables organisations to overcome the resources shortage by streamlining most of the recurring governance and compliance activities and distributing the workload through the organisation as a whole.

This of course will require the organisation to have an effective cybersecurity organisational structure in place while ensuring that departmental stakeholders are well trained to fulfil their duties as cybersecurity champions.

Regulators need to work hand in hand with industry leaders to define practical minimum requirements that ensure industry standards and best practices are in place without hindering business growth. This can be accomplished by engaging industry experts to assist governments in identifying threats in their respective areas and suggesting requirements to reduce the likelihood and impact of such threats, thus mitigating the associated risks.

Regulators will also need to lend a hand by investing in human resources development, public awareness, grants to cybersecurity research institutions and cybersecurity educational scholarships to bridge the current skills gap.

Talal Wazani, Head of Strategic Security Consulting, Help AG.

Learning points

  • One of the most up and coming technologies in this region is GRC automation
  • It streamlines most of the recurring governance and compliance activities and distributes the workload through the organisation.
  • Regulators need to work hand in hand with industry leaders to define practical minimum requirements that ensure industry standards.
  • The WEF has also warned of the increased likelihood of cyberattacks in the Gulf and especially in Saudi Arabia and the UAE.
  • Human resource skills remain the main challenge to comply with the cybersecurity regulations and standards.
  • It is essential for an organisation to develop resources regularly to meet the threat landscape and compliance requirements.
  • Cybersecurity skills shortage impacts more than 70% of organisations in the form of increased workloads on st]aff.
  • The shortage in skilled resources is leading organisations to be creative in their approach by outsourcing CISO functions, Virtual CISO.
  • Financial challenges are contributing to delays in meeting compliance requirements increasing risk exposure of organisations.

With limited availability of human skills and spending, automation of risk and compliance process is a way forward, writes Help AG’s Talal Wazani.