The Gulf Information Security Conference (GISEC) 2017 – Chairman’s Insights

Posted on May 29, 2017

There are some places in the world where you know things will be extraordinary and superlative in execution and experience. Dubai leads the pack on this in much that it does, and once again it set the benchmark and did not disappoint with its Gulf Information Security Exhibition and Conference (GISEC). GISEC is the pre-eminent Cyber/IT Security event in the region and stands shoulder to shoulder with the best you will find globally for its international spectrum of speakers, quality of content and calibre of C-level attendees from around the world. With over 10,000 attendees across the 3 days of the Exhibition and Conference, it is becoming one of the fastest growing events on the GCC IT calendar.

2017 was no exception. As Chairman my memorable moments are many. The prize goes, by little more than a nose over the final furlong, to having the opportunity to introduce the world’s 1st (first) RoboCop onto the stage with its boss, Brigadier Khalid Al Razooqi. Close behind in the photo finish was the first sight of ‘KATIM’, the other 1st we enjoyed at GISEC. Robert Statica (SVP Technology & Research at DarkMatter) introduced us to ‘KATIM’, the next generation secure mobile phone that has just come out of stealth development by the innovative research team at DarkMatter. You will perhaps recognise the name Statica: Robert was the architect behind WICKR, one of the most respected secure messaging applications available on all leading platforms, so expect great things from KATIM.

The event was a re-set for a lot of established thinking and provided valuable clarity into the real world priorities that businesses at all scales are facing and trying to address. Stimulating some intense debates during the round table and panel sessions, we witnessed many thought leaders looking beyond the obvious and sharing insights through new eyes that gave hope that there are practical and actionable steps we can all take to achieve Cyber Resilience. It was rewarding to speak to many attendees who, despite their impeccable and demonstrable diligence and attention to detail, will be going back to their companies and practices with re-focused priorities and fresh ideas.

The influencing views we were exposed to over the 3 days of the conference are not unique to the Gulf region either. The speaker line-up was truly international – US, UK, Hong Kong, Russia, Europe, Australia, Africa alongside regional contributions – and drew from a range of sectors including Finance, Smart City through to Nuclear, Retail, Education and Government. Whilst I can never reproduce the rich diversity of shared experience and guidance the conference provided, I highlight some key takeaways which I know will resonate with many around the world and are but the tip of the iceberg of what was covered at the conference:

  1. The headline point echoing through most sessions was the need to develop IT Security (Cyber) awareness at an organisational level, if not a national level. This was heard from a number of eminent voices that had much in common yet came from opposite sides of the globe and very different cultures – from the USA, Diana Burley (Executive Director and Chair, Institute for Information Infrastructure Protection, George Washington University, US) and from the UAE, Eng. Ali Alamadi (Chairman of the Emirates Information Security Awareness Committee, EISA, UAE). Awareness has the potential to drive a cultural change in behaviour towards IT security. Cybersecurity is the new operational model and MUST be embraced at a cultural DNA level in all organisations. If it is not, the organisation can be considered as being in little more than Beta in its maturity. By adapting employee behaviour, organisations have a chance to stimulate a wider societal benefit as employees take their new-found awareness and ‘Normal’ practices back home with them, as Cyber Champions in their communities and families.
  2. Next was the worrying lack of professionalism in security and total confusion in the market as to what a security professional is. (A side point also is the poor ratio of women to men, yet they may have a better aptitude than men when it comes to Cyber, in incident response for example.) The forecast is a greater demand for Trusted Transparency and an increase in requests for organisational baseline Certifications that offer ease of 3rd party Cyber Hygiene appraisal. This point was echoed from a number of perspectives, including in terms such as Cyber Scorecard and Cyber Balance Sheet. Then there was trouble for Security Product Vendors, who were called out for being as much the problem as any solution to organisations’ Cyber security woes. For example, a ‘Security’ Vendor in the eyes of customers IS NOT just a Vendor who is competent in a security product. A ‘Security’ Vendor is expected to be an organisation that meets a minimum level of baseline Cyber Hygiene in its own organisation and product development practices as well as services. Sadly, many apparently struggle to meet this very modest bar, with commercial imperatives being blamed. The message was clear. Global technology household names have an opportunity to set an example and to consider their own responsibilities and internal approach, as well as to upskill their supply chains to a minimum level of baseline Cyber Hygiene.
  3. Then there was the trending commentary around organisations that are addicted to technology fixes and rarely take the time to understand how their organisations tick before buying. How can a business have a proper defensive posture when it is not clear what its own strategic business priorities and objectives are? This is why we heard that reactive response has become the default. Few apparently know what they should be prioritising until they experience a breach or incident; then everyone has a common cause and clarity of focus. Organisations are generally strong on technology investment but poor on integration and implementation because they lack that clear business context foundation. The net result is an inevitable complexity of systems that become unmanageable and themselves the weakest link.
  4. We heard that threat hunting is the future, NOT threat response. It’s not IF a company is going to be breached but when. Ah, but that presupposes that the business knows what its priorities are. Hmm… see point 3 above: such organisations find themselves in a closed loop that they need to break out of. That does not mean response capabilities are not important. The priority must be to detect threats fast, reduce dwell time and prevent malfeasants traversing and embedding themselves in corporate systems. Threat hunting is a very different skill to reactive defence. Threat hunting evolves readiness and is fundamental in mitigating attack impact and reducing the attack surface. This constrains the magnification of any possible attack and makes the type of attacks illustrated in the war-gaming scenarios at the conference the exception, NOT the norm. IT teams need to know how to ‘Go Hunting’, not wait to be the hunted: a positive, proactive posture versus reacting when attacked!
  5. 99% of breaches and incidents are due to insiders or organisations that have not even enforced basic Cyber Hygiene, NOT advanced attacks. Of course, this does not play well to a security vendor ecosystem marketing message. People and process deficiencies were the repeatable failure point in many speakers’ messages. Business must do the basics, and IT vendors and managed service providers should be doing them already too. The worrying reality is that without sanctions it is clear businesses are not going to do anything willingly. This is compounded by the passivity of Governments and supply chain owners in providing leadership and coordinated direction as to a baseline of Cyber Hygiene expectation.
  6. Cybersecurity scorecards (Cyber Security Balance Sheet is another term used) were resonant in many of the questions put to speakers. These are apparently desirable tools for CISOs and CIOs to deploy as they speak a familiar business language. Demands from regulators and markets for transparency of Cyber risk are already driving a need for this kind of clarity, and we heard a lot of this from some of the global consultancies presenting. Dashboards (Key Risk Indicators) empower the board and allow for a readiness posture (real time) versus a compliance attitude (once a year audit and I’m good).
  7. ‘You will get by with a little help from your friends’ – a timeless line from the Beatles and a wonderfully memorable moment from Mark Hughes (President of Security – BT UK). It’s so true and resonated well with the audience. It was clear that many see great value in sharing threat intelligence and effective practices, almost more than in any commercial Cyber Threat Intelligence service. Fostering a collaborative approach and sharing best practices and experiences through structured collaborative partnerships is raising the Cyber capabilities of organisations. People and Process was a predominant theme and central to the solution; technology is just a tool and in most breaches is found to be poorly deployed or maintained. Consequently, it becomes the problem. There is disproportionate spending on technology versus people. Technology ages and goes out of date. People age (much slower) and grow in value through experience and shared lessons learnt. This is something most of the security companies present in the Exhibition Hall probably did not hear, but if they want to sell their technology and/or services, the message was to do it right and it will sell itself, because the ‘people’ element is what the customer will ultimately be buying. People buy from people, and trust in digital life is becoming a rare commodity.
  8. Poor software development security practices by vendors and service providers are resulting in organisations inadvertently self-contaminating themselves with vulnerabilities and paying for the luxury. Greater accountability was demanded of software producers. They should be putting secure coding skills up front and central in the learning path. Privacy by design and Privacy by default.

This is by no means an exhaustive reflection of the enormous value that our attendees benefited from and gives you a modest insight into what you could expect if you join us next year.

The GISEC team and I all hope to have the opportunity of welcoming you to GISEC 2018. For one thing is certain: by this time next year there will be a fresh litany of incidents to reflect on and learn from, as well as more firsts to witness and to enjoy.