GBE's CIO forum calls for security culture change
Specialists agree users must share responsibility for data management
A panel of experts, convened by Global Business Events (GBE) for CIO Middle East, today shared their views on control versus flexibility as it applies to bring your own device (BYOD).
The panel formed part of the opening session of a two-day event at the Maydan Hotel in Dubai, UAE, which included product demonstrations, seminars and an award ceremony. Many leading industry players were represented at the event, GBE's first in the Middle East.
The opening panel discussion reflected the security-related issues CIOs face as more and more companies embrace a BYOD model to allow employees to be mobile or work from home.
"Users today need more freedom [so they] can be more creative and come up with new ideas," said Majid Al Mahdioum, Head of the Search Security Quality Division at the UAE Telecom Regulatory Authority (TRA). Al Mahdioum favoured a flexible business culture that steered away from a "lock-down mentality" and placed responsibility for security on end-users through what he called "a cycle of awareness".
"Transparency with users is important, giving access based on 'need to know' and keeping good monitoring solutions in place to ensure that data is protected and information is used in the right way," he said.
Shams Hasan, Director of IT at Carnegie Mellon University, Qatar, also favoured a culture shift. "In security we often forget - as with most subjects in IT - the need for [IT staff] to get out of the network operations centre," he said.
Hasan highlighted the importance of user management - allowing users to become an integral part of the security model.
"As organisations get more innovative, the assets are actually going to be the intellectual property that resides on [devices]," he added. "More than the tools that [provide security] the issue has become about 'how educated are the users?' We need to learn in IT how to stop having a bear-hug approach in dealing with data and security. We need to let the information flow out and let users manage it."
David Yates, Partner and Head of Technology, Media and Telecommunications at Al Tamimi & Company, drew attention to the legal environments in which many companies operate, both globally and regionally.
"The way in which many countries in the world respond to security risks is reactive. In the UAE and Saudi Arabia there are very strong laws that address cyber crime. Where many countries have struggled is in persuading organisations to implement their own measures to mitigate the risk of adverse consequences from such crimes."
"There has to be a clear framework [that outlines] who is supposed to do what when a [cyber incident] occurs," said Al Mahdioum, who advocated more decentralisation of cyber policing.
Yates pointed out that C-level decision-makers traditionally equate compliance with cost and that security issues are normally treated as unlikely until an attack occurs. This led to a culture of denial about cyber risks that left the boardroom lukewarm to changes in security policy and processes.
"Incentives have to be developed for organisations to act in their own financial interest and improve information security," he said.