Middle East Practitioners Bullish on New Strategies
Active Defence, Cybernetics Among Topics Discussed at Recent Security Event
Cybersecurity is known to be a dynamic field with a rapidly changing threat landscape that requires constant education and more than a little collaboration. The attackers only need to be right once, as they say; the defenders need to be right all the time. It helps if the good guys could organize and cooperate as well as the bad guys do.
This topic - cross-regional collaboration and information sharing - was among the themes discussed at the Middle East Security Conference, held in Dubai on the 24th and 25th of May, which I had the pleasure last week of being a part of (see: Inside Dubai's MESA Security Event). Other hot topics that impressed me were biological cybernetics, active defense/deception technology and new ways to measure risk and effectiveness.
Re: information sharing, Dr. Amiruddin Wahab, CEO at Cybersecurity Malaysia, spoke on the need for regional cooperation in information security. To me, this theme seems to have great relevance, given the broad spectrum of maturity in cybersecurity that is in evidence in this region - from the barely ticking to those at the forefront of innovation. Whereas in India we tend to focus on in-country information sharing and other issues, I feel Wahab's session had some strong takeaways for many a national security practice, and showcased the need for and the efforts being made in this space in the region. Catch my full interview with him here.
In all, I met cybersecurity practitioners and leaders from no fewer than eight countries at MESA, the furthest afield being from Egypt and Malaysia. Truth be told, the best thing about being there was the wide spectrum of opinions, attitudes and cultural approaches to information security that were on display. But even with these distinct differences in sensibilities and approach, the need to secure the ever-growing dependence on technology was a strong leitmotif (see: MESA: Collaborative Approach is Critical).
While networking, in addition to getting a better handle on the security landscape in the Middle East, was one of my primary motivations for joining this event, I was pleasantly surprised to come away with some great new ideas in security that I intend to follow up going forward. Between running about conducting interviews, I was able to take in some of these sessions and was glad I did.
Phil Cracknell's session on the idea of a new approach to measuring the effectiveness of information security using the framework put forward by ClubCISO's Metrics Project was masterful. The session highlighted the need for the security community to break away from statistics and intelligence generated by analysts, consultants and vendors and look to the community to solve professional challenges, prime among which is the need for sound, standardized metrics. Cracknell is the founder at ClubCISO - a private forum for InfoSec professionals, based in the UK. Look out for ISMG's exclusive interview with Cracknell on the topic.
Another session I recall vividly is the session by Harshul Joshi, on a practical approach to risk and compliance. Joshi was a strong speaker and set himself apart by the stand he took on the way the industry today depends on standards and compliance to demonstrate security and offset risk, saying that the security community needs to move away from compliance standards to remain agile enough to tackle new threats. Truly a rousing session and quite well received.
Sam Lodhi, CISO at MHRA UK, delivered a thought-provoking keynote on biological cybernetics and its use in securing organizations better. But the cherry on the cake for me was Sahir Hidayatullah's session on enterprise active defense. Hidayatullah's session focused on the use of deception techniques in defense to thwart the modern hacker. Hidayatullah is the CEO at Smoke Screen and was one of the sponsors. However, the session itself was knowledge-rich, and the way Hidayatullah laid out the rationale for the use of deception technology and honeypots in the current threat landscape was riveting.
While much has been said in the last year on the offensive or active security being the next big paradigm shift, the examples and context Hidayatullah used in his spotlight session made a practical case for this becoming an important part of enterprise information security going forward. It was a pleasure interviewing Hidayatullah, and I look forward to exploring this theme deeper in the year ahead. Check out Hidayatullah's interview with ISMG soon.
One interesting observation for me was the presence of groups of women practitioners in the audience at the event, which would have been notable even elsewhere in the world, and more so here. I am told women are making great strides in information security in the Middle East, by Abeer Khedr, who is the information security director at the National Bank of Egypt. I had the opportunity to interview Khedr and came away with some unique insights on the career dynamics in information security for women in the Arabic world.
MESA in Retrospect
While the organizers were expecting over 150 participants, I doubt we hit that number. However, the awards ceremony on the evening of the first day was chock-a-block, as is to be expected. The awards themselves were a bit obscure in my opinion, as no details were given for what each award was being given out for. This, of course, did not discourage the audience at all, who got into the gala mood and set a festive atmosphere. Many that weren't able to make it for the conference instead flew out just to be part of the awards.
There are many things that could be improved upon, of course. But as these things go, MESA is off to a good start. This was the maiden event, and I can easily look at the initiative continuing in the years ahead.
While some sessions like the ones mentioned above were excellent, by comparison, some of the panel discussions did seem rather bleak. And the audience did thin out to a low level toward the close of day one and all of day two. However, given the saturated nature of the Dubai events market, especially in the cybersecurity space, I would say the organizers had satisfactory results - certainly the awards were very well received.
That some of the promised activities, such as the interactive roundtables, did not happen was a disappointment, but overall the experience was enriching. I am happy to have attended and interacted with the security community in the region, and I look forward to the opportunity next year as well. In the meantime, stay tuned for interesting features and interviews from MESA. And I believe the organizers plan to upload the session videos and decks soon.
How was your MESA experience? Write me or tweet to me what you enjoyed and what could have been better.