Hello Tim, could you briefly introduce yourself?
Hello, and thanks for having me. I bring over 17 years of experience in IT and Cyber Security in Europe, the US, Australia, and the Middle East.
I hold a master’s degree in Information Technology Management from the University of Sydney and a bachelor’s degree in Computer Science/Applied Informatics. I am a Doctorate candidate in Information Assurance & Cybersecurity. My professional certifications include C|CISO, CISSP, CCSP, CEH, CISA, CISM, CRISC, CGEIT, CDPSE, ISO 27001 LA, CompTIA Security+, ITIL, and Agile PM.
I am a frequent speaker and panelist at industry-leading conferences. In 2019 I was nominated for the “Cyber Security Professional of the Year” award by the Australian Information Security Association for outstanding leadership, integrity, mentoring, and coaching in the industry.
You are currently working as a Cyber Security Manager at SNC Lavalin, Infrastructure Middle East. Tell us more about your work.
I’m based in the Middle East, where we at SNC Lavalin deliver projects that transform the region by bringing opportunities and sustainable solutions. SNC Lavalin is a global, fully integrated professional services and project management company with operations in over 100 countries [1]. Our teams provide comprehensive end-to-end project solutions to clients across oil and gas, mining and metallurgy, infrastructure, clean power, nuclear, engineering design, and project management.
As a Cyber Security Manager, I have the opportunity to work on some of the largest and most impactful projects that are shaping the future of the Middle East region. I’m primarily focused on transport infrastructure, where we use our capabilities to ensure sufficient protection levels for interconnected transport architectures and consistent approaches to cyber risk management and cyber resilience. My multi-industry experience and expertise enable me to assess cybersecurity risk from different perspectives and provide our clients with enough information to make the best-informed decisions for their projects.
Your session at this year’s edition of the European Digital Week, where you were a speaker, was: Cybersecurity as a trusted business partner. How does cybersecurity help your business?
The strategy of “Business First, Risk Second and Cybersecurity Third” that I shared at my presentation is something that I developed and refined over the years in the old and challenging way – via trial and error.
I come from a software engineering background and I used to think that we can always develop the best and most secure software products. The reality is that we might have the best software and secure products, but they could be useless because they don’t solve a business problem. Working in multiple industries over the years, I realized that Information Technology and Cybersecurity have very different missions. Information Technology is about creating and enabling innovation, while Cybersecurity is about protecting assets and innovation.
Our job as Cybersecurity leaders is to ensure businesspeople understand not only the benefits but also the risks and the possible impacts when Information Technology assets are compromised. I consider Cybersecurity as an enabler to ensure the business delivers value. Cybersecurity is another enterprise risk – without establishing a trusted relationship with the business, it is very difficult, if not impossible, to manage it properly. The strategy that I shared at the European Digital Week 2020 incorporates the insights and lessons learned from working at a large international organization.
The strategy helped me develop several deep, meaningful, and trusted relationships with different parts of the organization for the first time and changed the perception of cybersecurity. My team and I worked extremely hard to ensure that we can get to “YES” for the business in the most secure way. As a result, we won organizational recognition, and later on, I was nominated for the “Cyber Security Professional of the Year” award.
Most of us, as cybersecurity leaders, tend to think about the security stack first. At the end of the day, business success is what pays the bills. Starting with the business needs, working together to determine the risks, and then focusing on cybersecurity helped me turn the ship around, change the culture towards cybersecurity and be successful when the odds were against me. We have to lead from the front and work with the business to ensure the risks are understood. We have to talk about what we collectively think the priorities are. Then cybersecurity objectives will be achieved much more easily.
“During such demanding times, the cybersecurity risk is rapidly increasing, driven by global connectivity and usage of cloud services.” You said that in your presentation at the European Digital Week. What do you think are the most significant security threats a modern-day company is facing?
From what we have seen across industries, the top 3 security threats nowadays are:
- Ransomware
There have been many situations where companies have suffered ransomware attacks [2], e.g., in infrastructure, manufacturing, healthcare, and many more because some of the processes and workflows they operate haven’t been designed with security in mind. The challenge with ransomware is significant because when the network is compromised, even if the company decides to pay the ransom (which could be up to millions of dollars), there is no guarantee that the data and systems will be safe and secure in the future. The data might have been sold to non-legitimate sources.
- Increased reliance on connectivity
We have seen many Distributed Denial of Service (DDoS) attacks on significant institutions; for example, the attack on the New Zealand Stock Exchange [3] halted services for days. The dependency on connectivity is a significant challenge in each business. Some industries see many issues from such a reliance, and managing the expectation for connectivity is a big problem. Furthermore, network components handled by untrusted supply chain providers present significant risks of malicious or accidental introduction of vulnerabilities. Such vulnerable components could significantly impact the network performance and compromise the confidentiality, availability, and integrity of networks.
- Increased pressure from regulatory and compliance bodies
For example, in Europe, there is the General Data Protection Regulation (GDPR) [4]. There are also multiple regulations in the US and the Middle East to ensure that the companies first comply with the expectations and then provide evidence and maintain compliance. Ensuring sufficient protection for financial data, healthcare, and privacy protection is becoming a major issue. The pressure is increasing not only for the cybersecurity professionals but also for executives and boards of directors as part of their corporate governance responsibilities in ensuring sufficient data security and privacy protection. With the increasing amount of data that businesses are collecting, the regulators are likely to include even more requirements in the future.
Cybersecurity is a rapidly changing industry. Multiple threats are evolving so that businesses need to be aware of the possible impacts and implications.
How does a person secure their network?
It depends on what type of business the person is operating. There’s no silver bullet that can fix every problem. Nothing is 100% secure. We have to ensure that people are aware of their obligations regarding information security, data protection, network security, etc. We have to translate it into a language they understand and be able to communicate the same with their peers.
Information security professionals have to provide the relevant user awareness programs and activities, and educate people at all levels about what they should and should not be doing. People ought to understand what is on the network and how it needs to be protected.
From time to time, we should be using services such as vulnerability management and penetration testing to regularly assess and test the strength of the security controls that a business is operating. Meanwhile, we should make sure that the cybersecurity risk assessments are updated regularly.
Finally, is there anything else you wanted to tell us that we have not asked about?
Cybersecurity is a rapidly growing field. According to Cybersecurity Ventures, there will be more than 3.5 million unfilled cybersecurity jobs by 2021 [5]. As we know, 2021 is not far away, and the industry will require even more resources due to the digitalization of workflows, remote working, and increased use of cloud services. I would encourage your young readers who are unsure about their career development and have no idea where to go to consider cybersecurity as an area that will provide them with many opportunities. No matter where they are now, they can start with the basics, such as network security, application security, data protection, security engineering and web security. They could consider taking information security certifications, join industry organizations, attend conferences such as ours, always stay curious, ask questions, and be consistent. Most importantly, set big goals, and never give up!
References
[1] https://www.snclavalin.com/en/investors/corporate-overview
[2] https://www.keepnetlabs.com/top-11-ransomware-attacks-in-2020-2021/
[3] https://www.cpomagazine.com/cyber-security/new-zealand-stock-exchange-shut-down-by-ddos-cyber-attack/
[4] https://www.manchestereveningnews.co.uk/business/how-gdpr-affected-cybersecurity-became-15864742
[5] https://cybersecurityventures.com/jobs/
Prepared by Chudomira Stamova, Editor at DiTech Media