Last month, the world’s media was captivated by an audacious raid that took place on a safe-deposit vault in London’s Hatton Garden diamond district. Spread over a four-day Bank Holiday weekend, the intricately planned heist sparked inevitable comparisons with cinematic classics such as The Italian Job, Reservoir Dogs, and Ocean’s Eleven, with UK tabloids even christening four of the gang as Mr. Ginger, Mr. Strong, Mr. Montana, and The Gent.
Reports suggest that this motley crew of characters made off with over $300 million (Dh1.1 billion) in ill-gotten gains, but news of a much bigger raid garnered far less coverage when it was revealed just a couple of months earlier.
That news was the announcement that a multinational cybercriminal ring had stolen $1 billion from 100 banks around the world over a two-year period. The attackers apparently used sophisticated ‘spear phishing’ techniques to gain access to the banks’ networks, and once there were able to mimic the activities of individual clerks, transfer money between accounts without raising suspicion, and even remotely take control of ATMs, ordering the machines to dispense cash at predetermined times. While all this might lack the critical components of a classic cockney crime caper, it signals a grave escalation in what is becoming a very serious problem around the world, and not just for multinational banks.
Indeed, the IT security landscape in the Middle East has changed irrevocably over the last few years, with targeted attacks — or advanced persistent threats (APTs) — growing in both sophistication and frequency across the region. Just like the Hatton Garden thieves, APTs require a high degree of covertness over a long period of time. They usually target organisations — and even entire nation states — for financial or political gain, and in the last six months alone we have seen a number of prominent institutions here in the UAE fall victim to targeted cyberattacks.
Such high-profile incidents are driving awareness among the region’s enterprise community of the need to invest in comprehensive IT security solutions, with organisations increasingly realising that they must adopt both proactive and predictive strategies in order to sustain and protect their infrastructures. Each year in the build up to our annual Middle East CIO Summits, we survey a broad range of IT leaders from across the region, and security consistently ranks among their top three priorities for the year ahead. Yet an air of confusion continues to reign.
That’s because CIOs are typically caught in a conflict between demands to implement savings through the installation of third platform technologies (cloud, social, Big Data, and mobility) and the need to fix the most glaring deficiencies in their security postures. Shifting funds to cybersecurity projects requires CIOs to make risky trade-offs between achieving immediate protection and funding cost reductions for critical new investments.
And while CIOs are keen to tell me that they’re allocating a greater percentage of their IT budgets to security, the current rate of investment is still insufficient. This certainly isn’t due to a lack of awareness, but because CIOs often find themselves unable to present a viable business case to justify additional security spending.
All of this points to the need for cybersecurity planning to become central to the decision-making processes of all forward-thinking enterprises across the region. IT security can no longer be limited to investing in a few solutions to protect the endpoint or the network; it must now play a critical role across the entire organisation, from securing simple clients to protecting mobile devices and assets in the cloud, with comprehensive enterprise-wide policies put in place to govern the process.
There has been much debate in recent months over the role that the CIO should play in steering information security policies and strategies. Some propose that this function should become the sole preserve of a dedicated chief security officer (CSO), while others believe it should be assigned to a chief risk officer (CRO). However, I strongly believe that the overall responsibility for cybersecurity cannot be separated from the technical accountability for managing computer networks; the architecture, design, implementation operations, and human factors of a firm’s IT environment are all interrelated, and it is the CIO who is ultimately best positioned to provide the all-encompassing leadership that is required in this regard.
As attackers evolve into technically sophisticated criminal organisations, there is no doubt that the role of the CIO is expanding. The increasing importance of cybersecurity is elevating the policymaking role of the CIO, from managing IT operations to guiding the transformation of work functions as an inseparable part of a digitally managed business. Indeed, the CIO must now be involved in policymaking at the very highest level, with the position becoming comparable to the roles that have traditionally been reserved for decision makers tasked with guiding the overall organisation.
That said, the CIO’s ultimate cyberdefence is still his/her people, and the single most important role of the CIO should be guiding the evolution of existing team members to acquire skills and capabilities that exceed the sophistication and severity of the incoming threats. Get that right and you should remain ahead of the game; get it wrong and you may just find yourself at the centre of Hollywood’s next great heist.
The columnist is group vice-president and regional managing director for the Middle East, Africa and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC).