05 May Building cybersecurity capabilities

Khalid Saad Al Medbel, General Director, Information Security, Ministry of Health, takes a closer look at how cybersecurity capabilities can be strengthened with a holistic strategy that puts people at its heart.

With security threats becoming ever-more sophisticated and frequent, organisations in the Middle East need to take a proactive stand in order to protect both their data and their systems. Key to this is building the right knowledge and skills to develop strong, stable cybersecurity capabilities. Innovative cybersecurity technologies are emerging all the time and investment in this industry has increased dramatically due to the global need to counter the cyber risks organisations face.

However, these investments in such a vital and dynamic area require more than acquiring new and up-to-date technologies. It is vitally important to incorporate a holistic strategy that deals with multiple aspects and where human resources should be the cornerstone. For those leading the charge in building cybersecurity capabilities, one of the key considerations is creating an environment in which the human factor is accounted for.

This includes recruiting highly-trained individuals, who have the right skills to recognise and react to emerging trends in cybersecurity, as well as ensuring all staff have access to and are supported to develop their skills set and knowledge base. Management teams must concern themselves with maintaining these cybersecurity capabilities in such a way that incorporates both the technologies and skills, as well as sustaining proper development within the organisational culture.

Defining strategies

Despite technology transforming usual business processes to be more efficient and them enhancing the overall productivity, the ability to respond effectively to cyber risks is a significant part of information technology and business values. Therefore, increasing the coordination and controls related to cybersecurity within the organisation should be recognised as the main enabler for advantages in performance, agility and productivity.

The organisation’s capabilities can be viewed as a construction in many dimensions, these dimensions include building and maintaining robust, cost-effective IT services to support business strategies, in parallel with protecting and securing all types of assets that are needed for maintaining business strategies and overall objectives. Developing a competitive advantage in the very aggressive eld of cyberspace, is highly dependent on human capabilities. It should be addressed and targeted by investment decisions, along with boosting innovation and effective risk management.

Eventually, it will allow new business opportunities and valuable use of information capabilities to help secure a business’ future. On the other hand, any strategy should consider the organisational structure and liability for entities that are involved in cybersecurity, synchronise the efforts and allocate the resources based on the designed flow and actions of the strategy. The wide collaboration with national involved parties is significant, and requires effective contributions with concerned national organisations and gathering global support and cooperation if needed.

National cyber resiliency and Saudi Vision 2030

International practices analysis suggests that a cybersecurity strategy should be developed on a country level for better positioning, based on the future vision, addressing the national risks and mission-critical infrastructure, as well as national ICT services in a world of sophisticated and integrated systems. Saudi Vision 2030 is considered a pioneer in developing cyber resiliency.

Along with furthering the country’s growth and economic diversity, the plan calls for cybersecurity capacity building to ensure businesses are protected from malicious threat actors and remain one step ahead of threats. It presents an advanced model of a national strategy, focused on developing the human resources to face cyber attacks. It promotes educational and awareness programmes, in order to use technology safely, build sufficient skilled and experienced competencies and increase the capabilities to defend and counter cyber threats.

The programmes and strategies incorporate all the stakeholders at different levels in society to support direct and indirect governmental efforts and encourage potential cooperation. Furthermore, building the knowledge base helps them to reach a sufficient level of accepted risk and standardise the industry allowing it to be adopted by organisations and businesses. In addition, sharing the vulnerabilities, threats, experiences and establishing an environment of collaboration helps promote the discussion around cybersecurity. By doing so the regulations can be used as a fundamental instrument to build proper capabilities, mandates and compliance.

National cybersecurity strategy and initiatives

There are a number of cyber resiliency challenges, such as increased attack surface, lack of effectiveness of security policies and awareness’s, plus limited skills to respond efficiently. These acknowledge the breakdown and complexity of security tools and processes. The challenges would require collaborative efforts and a national strategy – such as Saudi Vision 2030 which is considered to be one of the leading models and recognised globally.

Saudi Vision 2030 empowers national cyber resiliency strategies, where those strategies are considered one of the important enablers for the Saudi Vision2030 mission. In 2020 the strategy stated a key part of its purpose was: “towards enhancing its regional and international standing, and growing its economic power. It has also strived and will continue to strive to empower safety and security as it considers them the foundation for its structure, development, and prosperity to bring about a bright future. It will also help achieve its ambitious vision (Saudi Vision 2030) and preserve its developmental, social, and economic gains, thus improving the efforts of the international organisations in raising the level of cybersecurity.”

In addition, the HRH Mohammed bin Salman initiative to empower Saudi women in cybersecurity, introduced in February 2020, aims to encourage and support women in cybersecurity, ensuring they have access to proper educational programmes for better and effective collaboration to build solid cybersecurity resilience in the country and take a leadership position in the field. It also aims to bridge the gaps in cybersecurity skills globally.

As a result, the Kingdom is highly ranked in the Global Cybersecurity Indexes which are conducted by global and credible entities, and recognised worldwide. The outcomes of such strategies and initiatives are significant. The criteria that enables successful models to be put in place over a short period of time include the focus on human aspects and building the capabilities to sustain a sufficient position in the country’s vision. At the heart of any successful security strategy lies people and knowledge. As threats continue to evolve and proliferate, developing cybersecurity capabilities must remain a priority.