Hadi Jaafarawi, Regional VP for Middle East & Africa at Qualys, explains why (and how) organizations need to balance both short- and longer-term goals and operational risks when planning their cybersecurity strategies.
The Middle East is squarely in the crosshairs of cyberthreat actors. IBM Security’s 2024 Cost of a Breach report puts the average hit at US$8.75M for regional organizations (up from US$8.07M in 2023). Amid IT complexity, security operations centers (SOCs) must determine how to respond quickly, but faced with fluctuating budgets, security leaders may grapple with the dilemma of quick wins versus the building of a futureproof environment.
Do we play the long game or live in the moment? Do we prioritize strategy or tactics? Either option presents us with downsides. The truth is modern risk management demands we rummage in both long-term and short-term toolboxes. One of the thorniest problems facing chief information security officers (CISOs) is that the threat landscape is abuzz with innovation. No strategy can encompass the ad-hoc requirements of day-to-day cyber firefighting. Conversely, the tactics of the moment do not cover things like data categorization, permissions lists, compliance, and the growth of infrastructure to accommodate business expansion.
So, today’s CISO must look to both long- and short-term actions to secure what matters, satisfy regulators, build trust with customers, and harden the organization against outside assaults. Day by day, the security team must respond to patches as they are released. Qualys research shows an average time to patch that is, in some territories, as long as 30 days. Enterprises need a playbook that will shrink this lag. We have seen around a quarter of weaponized threats pop up on the same day the patch was released. Rapid response is therefore critical, and yet — especially in larger organizations where different departments may take responsibility for different tasks — it remains slow.
Armed for the fight
The battle has changed. The industrialization of cybercrime, the rise of the initial access broker, and the introduction of cloud-native weapons such as ransomware-as-a-service (RaaS) mean the threat theatre can move rapidly against us. Bad actors are opportunistic and often attack the back of the pack. One way in which the long- and short-term views overlap for defenders is that, when the moment arrives, security teams that have been proactively monitoring their overall risk are as well armed for the short-term response as their adversaries are for the attack.
It is easy to type the words on a keyboard — “solution”, “compliance”, “resilience”, “trust” — but on the cyber-battlefield, delivering these goals is a lot more complicated. IT sprawl, including the hybrid and multi-cloud environments now common across the region, gives the security leader pause. How can you strategize if you cannot visualize? Traditional IT assets now hum alongside unknowable data-center environments managed by third parties. And along with our goal words, we must consider challenge words like “cloud-native” and “containerized application”. Consider that the average lifespan of a container is around five minutes. How do we secure something so ephemeral?
Another challenge phrase is “legacy asset”. Traditional IT involved large investments in hardware and systems that were designed to remain in service for many years. Core systems like these are, by their very nature, revenue generators. Downtime for upgrades and patching can be problematic, and in some industries (like manufacturing), almost impossible. But these systems are key parts of the business, so they must be protected. What does our new unified, short-long approach say about scenarios like these? We must measure the risk of remaining in service, while vulnerable to a weaponized flaw, against the potential of revenue loss if the critical system goes offline for updates. Line-of-business executives will argue that the cyberthreat is theoretical but the loss of revenue due to downtime is calculable.
Baked right in
Both arguments are valid. It is for each organization to come to terms with its own risks. Collaboration across departments will be necessary to arrive at a long-term policy decision and a playbook for the short term. The playbook will either involve shorter, more efficient upgrades to reduce downtime, or lay out an action script for mitigating damage if an unpatched vulnerability is targeted.
When it comes to modern applications, a cautious, comprehensive approach to security cannot hope to match the speed of CI/CD pipelines. But luckily, we do not have to worry about offline periods. DevOps teams have the opportunity to bake security into their solutions. Modern systems developed in-house allow a long view of both development and update processes. This means devs can proactively defend environments through best-practice coding but also allow for prompt updates if third-party code libraries are found to be vulnerable.
Alternatively, if consuming an application in a SaaS model, organizations can shop around for the vendor that meets their short- and long-term security requirements. Today, we are seeing encouraging movement towards the practice of testing for vulnerabilities earlier in the development lifecycle — the so-called “shift-left” approach to security. However, we should note that this DevSecOps methodology requires more deliberation and potential conflict resolution between developers and security strategists.
Yes, we need to plan ahead. But we must take care that we are not caught off-guard while our eyes are on the horizon. It is the difference between playing a game of chess with a clever opponent and trying to figure out how the game will be played in a decade. The future-gazer may have to amend their assessment based on games being played right now, and the player with their eyes on the board may benefit in the future from predictions made by the long-term strategist. So, there is virtue to both approaches. Neither is as counterproductive as it appears. But neither can survive on its own.
About the Author:
As the Regional VP for Qualys in Middle East & Africa, Hadi is responsible for overseeing the sales, marketing, and technical operations of the region, as well as developing and maintaining strategic partnerships with key customers and stakeholders. He has been leading Qualys’ growth and expansion in the Middle East for over 12 years, delivering innovative and scalable cloud-based security solutions to various industries, such as government, banking, telecom, and oil and gas.