The future of cybersecurity must be built on the basics
In recent times, there are many new concepts and ideas that are proliferating and seeding in the minds of the public. The “Metaverse”, which prompted Facebook to change its corporate name to Meta, and the various other nomenclature such as “Industry 4.0”, “deep tech” or even “digital future” where the cybersecurity industry also has its own set of terminologies such as “Zero Trust”, “Trusted Supply Chain”, and “APT”.
However, in the midst of all these new ideas that are mushrooming in much the same way as when the Internet came of age at the turn of the millennia, one must not forget that having strong fundamentals is the key to survival in this game of words. When the going gets tough, going back to basics, where the cybersecurity muscle memory will subconsciously repeat a specific set of processes and procedures with improved efficiency and accuracy that is acquired through practice and repetition, will reduce the margin of error, and streamline the process and procedures in any cybersecurity function that you are tasked.
Muscle memory is what differentiates the hobbyist sports enthusiast from the world-class sportsperson, where the mind-numbing repetitiveness of the routine, be it on the gymnastic grounds or in the swimming pool, for hours and days, weeks and years perfect that sublime movement or swim stroke to a precision of a level that is not one ounce too much or less, that will result into that additional 0.1 sec from winning or losing the competition.
Translating that language to cybersecurity means that regardless of the multi-worlds or clouds, we must always keep our feet firmly on the ground even if our judgement may be clouded. A good cybersecurity professional must possess a level of technical skill sets, no matter what. Currently, the market voice is of the opinion that we should open up the industry to accept cybersecurity professionals that are not from engineering and the hard sciences, but from the arts, music and history to alleviate the currently chronic manpower shortage. Some even felt that a good modern cybersecurity professional should instead possess great communication (and PR) skillsets and be a social media influencer with 100,000s of followers. Because at the end of the day, what was the undoing of the technical cybersecurity professional (usually stereotyped as a middle-aged man with potbelly with a pizza slice in one hand and a mug of coke in the other spending all their time in the hole of a data centre who probably had started his career either as a programmer or a system administrator) was the inability to connect with and get buy-in from the executive management and the board. That impecunious communication ability (or even the lack of it!) typically is the onset of a sorrowful malady of the incredible inability to articulate cybersecurity nuances into layman's terms that are easy to understand and relate back to the business, that has always been viewed as the Achilles’ Heel of our profession.
Thus, the modern solution is to replace the middle-aged potbellied technical man with a young, well-groomed, engaging person who can talk their way into the board and makes business sense. Or does it?
We just want to say that there is always no lack of managers and generals. From our observation, the crux is actually always the last mile where the difficulty is to translate a concept into something that is doable and can hit the ground running. We do not deny that getting management buy-in, being able to relate to business and getting cybersecurity to be recognised as a critical business enabler are important things that a cybersecurity professional – especially the Chief Information Security Officer (CISO) – needs to do and do it right. We also need to treasure the opportunity given to our profession as the new digital era where cloud computing herald in a new day where computing today is a basic utility, with IT hitting the mainstream and IT and security moving into the executive management team and the board as key strategic goals.
Experience and training in the basics essential for cybersecurity leaders of the future
However, we do not alienate ourselves from the need to truly understand the technical side of cybersecurity too, because we do not have the luxury of having an AI or artificial sentient forms that can form the bridge between management and operation, or do that heavy lifting on your behalf without one breaking into a sweat. Let me quote you three examples to illustrate this point. Example 1, a Ranger is an elite soldier that is trained in the art of special operations that conventional soldiers do not have the skill set or aptitude to carry out. Based on the argument of “modernisating” the Ranger and translating that into our expectation, does it mean that the “modern” ranger can argue and coax the enemy to drop their weapon and surrender or that he is expected to make his first parachute jump into enemy territory despite not being trained to do it physically but only having done it over an online training course? For example 2, a “modern” surgeon heading into an operating theatre to conduct neuro-surgery shouting orders to the nurse or a robot? Last but not least example 3, a “modern” pastry chef trying to bake a cake based on instructions from the Internet and shouting those orders to the household helper?
The above examples fully demonstrated that while it is important that the modern CISO needs to connect with his peers in the executive management team and be able to hold his own and stand his case in front of the board, that can’t be achieved without strong technical background with expertise gained from years being in the trenches. Building a house without solid foundations will surely fail. Hence, having a sound technical background, at least in the formative years of one’s cybersecurity career, is critical towards future progression in the industry. While we are not against the degrees being of art, or music or nothing to do with engineering, computer sciences or any of the hard sciences, we are definitely for the idea that the “modern” cybersecurity professional needs to be trained and have hands-on experience in some of the technical operational domains that he may choose to build his specialisation – be it identity management, digital forensics or security penetration testing.
We are for the idea to widen the search for cybersecurity talents, but we caution against throwing into the wind to appoint and assign that person without the necessary training, job internship and accumulation of real, hard experience, at least in the formative years that will put the person in good stead to be a leader rather than a manager “shouting instructions from the back”. Thus, in the UAE we are building the necessary mechanisms that will allow for a solid capacity building for our youth, but also keeping in mind the need for upgrading and upskilling for those experienced hires, or anyone considering a mid-career switch.
In conclusion, we are in extraordinary times, where we are witnessing the coming of the new digital era and the metaverse that we can only imagine in movies and games. We are now living this dream, but while having this vision, we need to ensure that it is not a pipedream but something that can be realised. As such, we need to ground ourselves with the basics, that one who learnt to swim 30 years ago and never swam thereafter, can still swim and survive if one is thrown into the sea 30 years later!
Our founding father for the UAE, His Highness Zayed bin Sultan Al Nahyan, once said, “Those who don’t learn from their past will not have a present nor a future”, hence going back to basics will definitely build the right foundation for all of these new deep technologies that are powering the metaverse of the future and demystify the accompanying ambiguous terminologies and nomenclature.
About the Authors
H.E. Dr. Mohamed Al-Kuwaiti, Head of Cyber Security, United Arab Emirates Government
Dr. Al-Kuwaiti was appointed to the Cabinet as the Head of Cyber Security for the UAE Government in 2020. As the Head of Cyber Security, his mandate includes being the Chairman of the UAE Cyber Security Council as well as Managing Director of the National Data Centre under the Supreme Council for National Security. As the Head of Cyber Security for the UAE Government by investiture, Dr. Al-Kuwaiti has legal authority over all aspects pertaining securing the cyberspace for the entire Nation.
In his current role, Dr. Al-Kuwaiti is tasked with the responsibility of charting a cyber security strategy for the Nation that not only ensures that the UAE will be entering the digital era fully capable of dealing with the new threat landscape brought about by the pandemic, but also to ensure the UAE’s leadership in cyber security globally towards establishing the UAE as the world’s leading trusted digital hub supporting the Nation’s digital transformation agenda and the digital future of all residents who made UAE their home.
Towards that end, the UAE has advanced 42 positions in the ITU Global Cybersecurity Index, rising to 5th place globally from 47th place in the last assessment. Dr. Al-Kuwaiti has also led the UAE to many firsts, including Guinness World Records for having the most users in a cyber capture the flag (CTF) competition and the largest bug bounty competition – record-breaking initiatives that aim to support capacity building in Cyber Security and improving the technical competencies of cyber security professionals and enthusiasts besides entering into the Guinness World Records.
Dr. Al-Kuwaiti also sits on the Boards of the UAE Council for Digital Wellbeing, Telecommunications and Digital Government Regulatory Authority (TDRA), Federal Geographic Information Center and is on the Advisory Committees of the College of Information Technology under United Arab Emirates University (UAEU) and Emirates ICT Innovation Center (EBTIC) under Khalifa University. Additionally, he is an Adjunct Professor under the Homeland Security Program at Rabdan Academy and a visiting lecturer on Cyber Security at universities such as Khalifa University and National Defense College in Abu Dhabi.
Prior to his current appointments, Dr. Al-Kuwaiti was with the National Electronic Security Authority in various appointments and capacities since 2013 where he was most recently Executive Director of Government Operations managing National and International government relations. He started his 20-year career as a Defense, Air, and Naval Military Attaché with the Embassy of The United Arab Emirates, based in Washington, D.C.
Dr. Al-Kuwaiti has published numerous papers and keynoted at many conferences such as IEEE, RSA, Cyber Warfare Europe, Tele Strategies, ISS World MEA, IDEX, International Anti-Cyber Crimes Conference, Future War Summit, GITEX, GISEC and World Government Summit to name a few. He holds a Doctorate in Computer Engineering and Network Security from George Washington University in the US and a master’s degree in Telecommunications and Computer Networks. He also holds a MA degree in International and Civil Security. Dr. Al-Kuwaiti is an honourable member of the Society of Engineers, IEEE Society, Golden Key National Honor Society and Computer Society and was recently honoured by (ISC)² with the 2022 Government Professional for MEA region Award.
Dr. Aloysius Cheang, Chief Security Officer, Huawei UAE
Aloysius Cheang is the Chief Security Officer for Huawei UAE responsible for driving the company’s cybersecurity vision of building a safe and secure intelligent connected digital world in the UAE and Islamic nations globally. He is also a Board Director for US-based (ISC)², as well as UK-based cyber leadership think tank, the Centre for Strategic Cyberspace + International Studies (CSCIS). In his career spanning over 20 years, Aloysius had delivered direct business values in strategic, complex, multi-year and multi-million-dollar technology and cyber programs for Global 500 organisations worldwide while managing large multi-cultural, multi-disciplinary team spread across 5 continents.
Prior to his current appointment, Aloysius was Co-Founder and Managing Director for Cloud Security Alliance Asia Pacific (CSA), the Worldwide Head of Security for Vodafone Global Enterprise and a Security Practice Leader with PricewaterhouseCoopers Singapore, having started his career with DSO National Laboratories in Singapore focusing on Defence R&D. As a globally recognised cybersecurity expert, Aloysius defined the term “Cybersecurity” having authored ISO/IEC 27032 “Guidelines for Cybersecurity" and his professional perspectives are highly valued by major international media such as the BBC, The Times, Wall Street Journal, ZDNet, ISMG, MSN News, CXO Insights, Teletimes International, Xinhua News, SCMP, Phoenix Media, The Hindu, The Nation, Bangkok Post, Economic Times Daily, China Times, The Straits Times, ChannelNewsAsia, Zawya, The National, Gulf Business, ITP, Telecom Review, Teletimes and Al Bawaba.