Muath AlHomoud is the Chief Information Security Officer at Smart Digital Payments. Muath is a Certified Information Security Manager (CISM) and Certified Ethical Hacker / Security Executive passionate about facilitating rapid technology change at pace to secure significant business value. He holds over 14 years of experience in successfully leading operations, technology and change in heavily regulated environments to optimize protection of business-critical information and assets in line with budgets of up to 6M Saudi Riyals. He is recognized for his vast experience in project management while defining, re-defining, and delivering operational processes in alignment with Agile methodologies and Digital Transformation initiatives to bring Internet of Things (IoT) and Robotics. He has also been a recipient of the “CISO of the Year” and “CISO Powerlist” honors for Chief Information Security Officers (CISOs).
In a recent chat with Digital First Magazine, Muath AlHomoud sheds light on the evolution of cybersecurity over the years, his professional background & areas of interest, challenges faced by him as a CISO leader, and a lot more. Following are the excerpts from the interview.
According to you, how has cybersecurity changed over the last few years?
Cybersecurity refers to the collection of practices, processes, and technologies which are designed for protecting data, programs, devices, and networks from unauthorized access, damage, and attack. Cybersecurity might even be referred to as security of information technology. It is significant because medical, financial, corporate, military, and government firms store, process, and collect unprecedented amounts of information on different devices including computers and tablets. A large part of the information can be quite sensitive, whether it is personal information, financial data, intellectual property, or other data types for which unauthorized exposure or access could have adverse effects. Sensitive data is transmitted by organizations across different networks and to other devices while carrying out business. Several media reports do focus on the larger cyber-attacks primarily such as most common threats, fissures at Netflix, JP Morgan and Target which have been to the medium-sized or small-sized businesses. According to several industry experts, 60 per cent of SMBs would fail within 6 months as a result of cyber-attacks. Moreover, there are several industries which appear to be the favorite ones of the cybercriminals. According to the threat intelligence index of 2017 X-Force, the most attacked businesses were the financial services and primarily using the internal attacks. The attacks were expected to maximize for the retailers of the smaller franchised in the running year as well as along with those businesses with the distributed infrastructure. It is important to understand that the effect of cybersecurity threats and attacks can be severe for organizations as they not only lose control over data, but also lose the trust and confidence of customers along with facing financial losses. There are different types of threats such as malware, spyware, and ransomware.
In 2011, the user information of 77mn users was stolen by hackers from Sony Corporation. Ransomware attacks have been so common in the recent past, as the number of attacks in 2021 was around 500mn. The report revealed that the number of ransomware attacks is increasing and current stats are 134% higher than the stats of 2020. In another report released in 2022, it was revealed that companies in the United States have faced huge financial losses due to cyber-attacks, and the approximate figure shared by the report was around $99,999 for different companies. The global cost of these cyber-attacks in 2015 was around $3 trillion, which is now estimated to reach the figure of $10.5 trillion by 2025, which means a 15% increase is observed every year.
What are some of the key components to succeeding as a CISO in today’s business environment?
Modern CISOs play more than just a technical understanding of the business. In fact, the job requires more than just an understanding of the business aspect.
Can you tell us about your professional background and areas of interest?
I am working as Chief Information Security Officer at Smart Digital Payments (FinTech). I am concerned about maintaining the security of the systems, networks, and devices. There are different roles which are performed by me on a regular basis, like I tend to oversee and implement the cybersecurity strategy of the organization. I also make sure that our business objectives are well aligned with the cybersecurity strategy so that there is no gap in this regard. I also keep the incident response activity and disaster recovery policy updated to ensure we are ahead of attackers in this regard.
Please share a project or inspiration with us that prompted your involvement in cyber security.
The evolution of cybercrimes has helped me to engage myself in a project related to securing financial services. There was a project where the management had given us the responsibility to identify any loopholes in our IT infrastructure. So, I hired independent IT auditors, and worked with them to have a complete audit of the IT infrastructure, which helped us to identify a few vulnerable areas. We made a dedicated strategy to cover those loopholes so that our cybersecurity remains updated to deal with possible threats.
Given your vast years of experience as a CISO leader, what are the main cyber security related challenges that executives face when it comes to embracing new technologies for their business?
They need to be trained for providing insight of new technology that the executives might not be interested to learn and know about. For instance, if an organization adopts cloud computing for management and transmission of data, then they must be aware of threats looming on cloud computing. The hackers are always looking for new methods to attack cloud data, and steal it to fulfil their wrong purposes. The Ransomware attacks, cloud attacks, phishing attacks, and IoT attacks are getting common, and stakeholders need to be proactive to have countermeasures.
What are some of the roadblocks you face to doing your job well? And what do you do to overcome those challenges?
I am always concerned about dealing with the aspects of why things are not working as per the normal circumstances. I always note down the changes and work on them to restate the facts and processes. The biggest challenge in my view is the kind of threat posed by hackers and attackers as it seems that they are one step ahead of us. So, it is a constant challenge to make sure that our IT systems and data do not have any vulnerabilities for attackers to exploit.
What is one technology that really stands out for you and makes a difference?
The combination of Wi-Fi and the smart phone has been a great revolution, but the technology that really sparks my interest is artificial intelligence and the use of cloud computing, making the future for businesses with so many benefits to get.
How are cyber security skills evolving nowadays and how should they be deployed?
A number of government agencies attempt to safeguard social security numbers, fingerprints, and other personal information in a variety of ways. The data sets and the public authority servers, improperly, have known shortcomings that bring about bigger volumes of assaults in ongoing previous years. A group of hackers known as the Shadow Brokers broke into the NSA in 2016 and brought to light the problematic and common practice of collecting intelligence through a variety of errors, bugs, or defects in commercial products without informing the software developers. That reckless act has the potential to put billions of software users at risk. Many universities around the world did experience the larger number of cyber-attacks in the previous decade along with the 539 breaches that affect the records around 13 million. In addition to the official registration of the universities and with the stored information or stored data, it is not shocking that some hackers do enjoy targeting their vaults rich data. In fact, many hackers love to hack the university servers or databases of the universities' student panel to make some changes in the result cards or the transcript to increase their results. They may also hack to make changes in the attendance sheets. They may also try to control the fee voucher or the finance accounts of the universities for reduction in the fee or fine. Cyber-attacks in the institutions of higher education uncovered 1.35 million characteristics around two years ago. Some reports have shown that both Harvard and Penn State faced some kind of breaches, and many of the colleges or institutions, as well as the offices across their systems, were affected in the running year of 2015. As few years go on, the attacks were extensive and unperceptive, by targeting many records of the student from playschool in the 12th grade.
This is all based on carrying out the extensive research to determine the basis and other aspects linked with the cybersecurity. People are in a great need for having the opportunities of training in this regard.
What are you investing in now to prepare for the future?
I believe if the security policy is drafted and implemented well, then the cybersecurity attacks can better be avoided. A security policy is normally in a written form for offering guidance about what type of resource uses and behavior are required from the workers within a firm. The development of a cyber-security policy is a collective or joint operation of officials of an organization. Following are the players normally involved in creating a policy:
Board: Board members or officials with the same power within an entity. They must provide their advice in creating the policies.
IT Team: Members of the IT team normally are the largest consumers of the policy information in an organization as it includes making a standard around the utilization of computer systems, particularly controls of security.
Legal Team: The role of this team is to ensure the legal points present in the document and a particular point of eligibility is guided by it in the organization.
HR Team: Typically, a team of HR obtains a certified certificate of T&C from each and every worker that they have understood and read the stipulated policy since this team has to deal with punishment and reward-related issues of workers for implementing discipline.
What, personally, has allowed you the success you have had in the role of a leader in technology?
I have always managed to focus on the details related to the strategic tasks related to IT and cybersecurity systems that I had to perform on a daily basis. In case I ever got a chance of training I just managed it well to learn and implement the relevant aspects of new changes made in the IT arena where challenges and opportunities are there to manage.
What piece of advice would you give to aspiring CISOs?
The future is bright, and the firm’s efforts are needed to be invested for the specified IT project or department which needs great care and attention. The way hackers have kept themselves advanced in finding new ways to pose cyber-threats, it is our responsibility as CISOs to challenge them in any possible manner. It is quite important for CISOs to remain proactive all the time, and find a new strategic roadmap to keep cybersecurity as secure as it should be.