Chairman's takeaways from GISEC 2019

Posted on April 15, 2019


NRG Presenting at GISEC 2019

Reflecting on a mind warp of a week chairing GISEC 2019 (The Gulf Information Security Conference & Exhibition), now the 3rd largest InfoSec conference globally, I have come to expect nothing less than thought-provoking takeaways. It was a pleasure to represent NCC Group at the centre of the event and present on the 3rd day our own top line that resonated well with the overall conference theme – ‘CyberSecurity, the new business operating model’.

The UAE (United Arab Emirates) is a region that is leapfrogging the west in innovation, e-regulation and penetration of its digital societal goals, placing CyberSecurity at the heart of both digital AND physical economic prosperity in the region and embedding it in everything they do. This is truly a CyberSecurity-ready culture, no hint of a damp squib Cyber Essentials initiative here; fertile ground.

After the eye-candy Kevin Mitnick keynote, GISEC delivered with enough material to fill multiple blogs. Here is a taster of some of the key themes:

Threat Management – MITRE ATT&CK was led in like the new poster child, to evolve the old world of use cases into a common format and collaborative framework that can make sense to non-technical personnel. This was complemented with Information Theory dynamics defining threat ‘trigger points’ to get ahead of threats, using appropriate threat signalling density to predict when a threat will go out of band.

Cloud Convergence – Digital's physical dependency, OT (Operational Technology) and IT (Information Technology) contention, Cloud and on-premise, and the IoT (Internet of Things) universe. Cloud is driving the new operating models and forcing organisational change that demands agile disciplines. IoT is pushing the tolerance of Government and risks being subject to robust regulation. The UAE is leading with Telco regulation that is leading the world.

AI Panel Debate – concluded that AI (Artificial Intelligence) is dangerous (Autonomous Car deaths) marketing hype, suffering from inconsistent application across applied and general use cases. Not one panel member would trust AI autonomous decision-making promises … for some time. Quantum computing was agreed to be the event horizon when we move beyond binary states and could realise the prospect of intelligent outcomes. There is a need for regulation and greater transparency of accountability; ideas such as OpenSource review of underlying algorithms came to the fore. The real question for customers is what analytic value actually lies behind the AI snake oil messaging.

Service Centricity – The imperative for success in SecOps is moving from a function-driven organisational culture to a service-driven one, away from silos and into an orchestrated, automated SecOps posture. The human element will not scale and market skill demand will continue to outstrip supply. Automation and adaptive service attitudes are the future.

CISO Evolution – A journey through the CISO’s (Chief Information Security Officer) maturing role, each stage building on the preceding:

  • 1994 > 2000 – Limited Security CISO
  • > 2004 – Regulatory Compliance centric CISO
  • > 2008 – Risk orientated CISO
  • > 2016 – Threat and socially Cloud mobile CISO
  • > 2019 – Privacy and data aware CISO
  • > 2020’s – Business outcome savvy, board class CISO (Super CISO!)

GISEC once again moved the needle beyond ‘Security Theatre’, as Bruce Schneier coins it, and into real world imperatives of usability and effectiveness in a digital economy – ‘CyberSecurity, as the new business operating model’.