Ep. 105: Roland Abi Najem - Cybersecurity Practices

Roland Abi Najem, CST, SCD, Founder & CEO of Revotips - Expert Tech Consultants, joins Count Me In to talk about cybersecurity. Roland is a cybersecurity and digital transformation consultant and expert, public speaker, and certified professional trainer with great experience in the areas of IT and cybersecurity. In this episode, we dive into the world of cybersecurity to better understand the evolution of the industry (particularly in the Middle East region), the risk areas, and how finance and accounting professionals can be better prepared to enhance digital safety measures which safeguard the welfare of their companies amid massive digital transformation. Download and listen now!

Contact Roland Abi Najem: https://www.linkedin.com/in/rolandabinajem/

Roland Abi Najem's Website:
https://www.rolandabinajem.com/

FULL EPISODE TRANSCRIPT:
Mitch: (00:00)
Welcome back for episode 105 of Count Me In, IMA's podcast about all things affecting the accounting and finance world. I'm your host Mitch Roshong, and today's episode features cybersecurity and digital transformation expert Roland Abi Najem. Roland is founder and CEO of Revotips, Expert Tech Consultants, and Solutions. In this episode, my co-host Rouba dives in to better understand the evolution of cybersecurity, including the risk areas and how finance and accounting professionals can better enhance digital safety measures across their organizations. Keep listening as we head over to the conversation now.

Rouba: (00:46)
You're a cybersecurity expert in the region; you have been one for many years. What does the work that you do entail?

Roland: (00:57)
Well, basically, the most important thing to me on a personal level that I should work on is being up to date on a daily basis. And I really mean it, on a daily basis, because for me, on a personal level, I have at least, for example, a minimum of three to four hours of reading per day. And I have to stay up to date with all technology-related issues, all types of technology, the latest news and cyber attacks that happened worldwide and so on, because we always learn from case studies that happened worldwide. Moreover, I have to stay up to date with all the governance issues about new laws, new regulations, because those rules and regulations are also being updated, kind of on a daily basis. And we have, let's say, GDPR in Europe, perhaps a hundred rules and regulations here in the region. So we must follow that guidance, as there'll be, for example, in GDPR, if you don't follow the guidance and regulation, you'll have a fine of 10 million euros and so on. Moreover, when it comes to cybersecurity, it's not only about the technical know-how of each person. What any company will look for when they are working with a certain cybersecurity company or consultant, they will look first for personal know-how. They will look first for the company reputation and brand name, and they look for the reputation of each individual who's going to work in cybersecurity, because, you know, when you are working on cybersecurity, sometimes when I'm doing, let's say, a penetration test and so on, you might have access to very confidential data and so on. So other companies will need to make sure that they have full trust in the company and each individual working on the project. Plus we all know that working in the GCC region is really challenging, because you are working with different types of culture and society.
Within one company, within one country, you are working with a different culture, different society, different mentality, you are working in different industries like government, oil and gas, banking, start-ups, everything. So you need to be aligned with all types of cultures and societies in order to understand the needs and the requirements and how they think and how they perceive things. So actually it's kind of hectic to combine all those together and to stay up to date with them. But actually this is what makes, let's say, the thing different, and this is what gives me added value in this industry.

Rouba: (03:43)
No, that's quite a task that you have on hand. When we look at the Middle East and Africa cybersecurity market, I mean, it's witnessed some tremendous growth over the last few years, more than a decade even, and it's projected to grow even further from an estimated 15.6 billion in 2020 to 29.9 billion in 2025. And the compound annual growth rate is 13.8, which is exponential. And this is based on the post-COVID scenario forecast. Now, the lion's share really goes to Saudi Arabia and the UAE, and some parts of Africa when you look at these figures, but what are some of the most notable initiatives that are taking place in the region?

Roland: (04:24)
Well, this is a very important question. Based on what you said on the growth of everything regarding cybersecurity in terms of spending, nowadays, lots of government issues and rules and regulations are forcing by law each company, especially when I talk about big companies that have billions of dollars, to have at least three cybersecurity providers, because we all know that when it comes to security, it's not, let's say, one plus one equals two. It's not that simple. So you need to have different providers, different companies that are working in cybersecurity for you, because we all know there is nothing called 100% security and no company can be 100% secure all the time. If you are currently secured, you are secured, let's say, up to 70, 80% maximum and so on. So there are still gaps. That's why I ask to have multiple companies and providers. And this is what makes the industry, let's say, grow up so fast, because each company needs at least three companies for cybersecurity. This is number one. Number two, a few days back in the UAE, the council of ministers formed a council for cybersecurity, which shows clearly how important cybersecurity is nowadays for everything, because, let's say, now we're talking about the cyber war, not the normal wars like World War One and World War Two. So I'll talk about the cyber war, and we all know that everything is happening between, let's say, North Korea and Iran and Saudi Arabia and the USA and so on. And when we're talking about a cyber war, it doesn't come only with, what you call it, just hacking and cyber attacks and so on. It's all sometimes about data. And we all know, for example, what happened between Donald Trump and the big fight. Most of the big part of it was political and part of it was economic, but the biggest part is about the data.
Where am I going to store the data and how are we going to store it somewhere? So regarding the initiatives, in Saudi Arabia, they have what we call the National Security Authorities, where, for example, if you are under attack, you can now claim directly online and they will support you in many ways. Here in Kuwait, since I'm based in Kuwait, we have two laws: you have the e-media law, and we have a cyber law, a cyber crime law, and so on. So the biggest challenge here, I think, is how we can join all those laws with international laws in order to be aware of all the laws and regulations worldwide, in order to try to make it work for everyone. Because let me give you an example: let's say in the UAE or Kuwait or whatever, they have lots of European people. So if you are working with a European person, you have to follow it. So those initiatives done by the government here, they are trying to help people and companies understand more about cybersecurity, support them by putting guidelines, not only laws and regulations, putting guidelines, because currently for lots of people, cybersecurity is still kind of new. Okay, we are under attack. What should you do? What is the next process? And again, here I'm going to mention something very important: that cybersecurity is not a pure technical issue. So let's say when you are under attack, you should not only solve the technical part. You should also, for example, know how you should address the press, how you should put a legal case against the hackers, what you should do as a government, and so on and so on. So it's kind of a complicated issue.

Rouba: (08:16)
Yeah. I mean, from the looks of it, if you look at this region, they're very eager to enable economic diversity. And so markets like the UAE and Saudi Arabia, where, as you said, there's been a tremendous amount of investment towards technology and the adoption of transformative digital technologies, to be specific, I mean, they've been some of the highest in the world. You have the highest mobile penetration here. You have a massive penetration of internet, IoT, cloud, so successful examples that are mind-blowing. You have Emirates National Bank of Dubai, one of the leading banks in the region; they've invested more than $1 billion on digital transformation, but this amazing transition has opened up a new gateway for global cyber attacks. Where does the Middle East stand relative to other regions in terms of both the rates of cyber attacks and back-end preparation?

Roland: (09:10)
Well, basically, what you said is very important. I will give you a similar example, but in a different way. Here in Kuwait, we had the Gulf Bank; a few months back they got hacked, and hackers stole like 20 million KD, which is around $66 million. And after maybe a few weeks, they were able to get some of it back, and by the end of the whole case, there was a shortage of $3 to $4 million. So actually, when you are investing in cybersecurity, you are not just investing, and this is a digital transformation. You have also to invest a big amount in cybersecurity, because again, if you don't invest, you are going to lose it through cyber attacks and so on. And I'm going to mention something very important here in the GCC region, and actually it started to happen in a very speedy way after COVID-19, which is the nationalization for all locals. For example, we all know about Kuwaitization and so on and so on. So I totally understand this aspect, because every company is trying to give more of a, let's say, advantage for locals over expats and so on and so on. But the main question that we should ask is: are the locals ready to handle such a critical position as a CISO, or let's say CIO, or some key position in any company like banking or oil and gas and so on, to be able to cover all the cybersecurity threats and technical issues? This is the biggest concern. So for example, in Kuwait, before COVID-19, there were about 10.3 million local Kuwaitis and around 3.3 million expats. So now the 3.3 million expats went down to 2.6, and lots of companies, instead of paying big salaries for expats who are handling critical positions, they are firing them. So that's why we are having a big problem here: there are some people who are not fit or qualified for the positions.
They are handling key positions in banking, oil and gas and so on. So I think this is the biggest challenge here in the region, and they should take action immediately. In order, let's say, if you want to make a localization and let people work from the local community, it's great, it's amazing, but you have to get your people ready and do the proper training for them in order to be able to handle such key positions.

Rouba: (12:01)
Absolutely. You deal with the C-level leaders all the time, and though it's taken, I mean, you mentioned it earlier that it's taken a while for everyone to take the whole threat of cybersecurity a bit more seriously, and that this has been kind of common also amongst family businesses in the region, which are a huge part of the economy. So has it been really difficult, first of all, to convince them about the whole concept of cybersecurity, and have you had to drop some of the stats, which to me are convincing for anyone, like, for example, if you take the fact that 80% of organizations in the UAE reported at least one cyber attack in 2019, that's pre-COVID, and we will get to the post-COVID era or during COVID, but how do the professionals that you deal with perceive the whole impact, even the viability of such a threat like cybersecurity? Do they take it seriously or do you have to make the case for them?

Roland: (12:57)
Well, actually, I'll tell you something: in cybersecurity, you are either hacked and you know, or you don't know, but in all cases you are already hacked. So this, again, is based on the fact that there's nothing called 100% security. But what you mentioned about the family businesses is really critical, because one of the biggest challenges here is when dealing with people's mentality, especially the C-levels and decision makers of companies. I would say some of the challenges, and how we can deal with them. One of the biggest challenges is when people tell us that, okay, Oracle got hacked, Microsoft got hacked, the White House got hacked. So even my company can be hacked easily, and there's no shame in this. So we don't have any problem. So I don't want to invest in cybersecurity. This is one of the biggest challenges. Another big challenge is that, most of the time, the big boss says: I should have access to everything. I should have all usernames and passwords and so on and so on, regardless if I know how to store them, regardless if I know how to use them and so on, which makes things very critical, because for someone to have very critical information and access to certain services or whatever, without knowing how to store them and how to protect them. And the third and biggest problem that we have nowadays is that when you go to meet a certain company or whatever, or some executive-level CEO or whatever, he will start by asking you, okay, what solution do you have for cybersecurity? Again, it's like you're going to the doctor and telling him, what medicine do you have for me? So cybersecurity, it's not like that. There's no solution that fits all, and we cannot say that, for example, for those companies, this is the best solution.

Rouba: (14:47)
I think the vulnerabilities are different, right? I mean, the vulnerabilities of each company and their operation differ.

Roland: (14:53)
Everything is different. Everything is different. That's why we have what you call a cybersecurity management framework, which is: first, we have to identify what we are trying to protect before starting to protect. Like when you go to the doctor, he needs to check you first, you know, what is your case, in order to give you medicine. So when it comes to cybersecurity, first you need to identify what you'd like to protect. Then we need to protect it. Then we need to set a monitoring tool in order to detect when you are under attack, then we need to respond, then we need to recover. So there is a continuous process that we need to proceed with on a daily basis. And there should be, let's say, policies and procedures and regulations to know, let's say, when we are under attack, what is your role? What is my role? Because we all know that if there is a fire in a building, everyone will start running. If there is no, let's say, documentation on what is your role and what is my role, nobody will know anything, everyone will be panicked, and everyone will start running. So that's why we always convince companies: don't let perfection be the enemy of good, because again, anybody can go to your house and break your door and go inside and steal the house, okay, it can happen. But does this mean that we will be safe by keeping the door open? No, for sure. We need to lock it and try to make this as safe as possible and enhance our security, because again, I always give this example: for the hacker, he's investing time, and for him, time is money, in order to hack your system. So if it will take him, let's say, a few hours to hack your system, it's so easy for him. If it will take him a few days, it will be more difficult. If it will take him weeks, okay, I will not hack the system anymore, it's too complicated.

Rouba: (16:46)
The COVID-19 pandemic helped with this. I mean, in a way it catapulted the whole digitalization to the highest level now. Overnight, the entire planet transitioned into remote work, so using online collaborative tools, moderating entire operations remotely, and suddenly the need for storage, analysis, data sharing became like an emergency, again overnight, but along with that came malware, ransomware, hacking, cracking, and so many other forms of cyber breaches. This increased vulnerability of commercial and financial data in a way accelerated the implementation of cybersecurity measures, made it a bit more convincing. So for example, if you take from April to the end of June, more than 2.5 million phishing attacks were detected across the Middle East region. What do you think makes this region more prone to cyber attacks, especially during a pandemic?

Roland: (17:45)
What COVID-19 basically did here, especially in this region: lots of companies, they don't invest in their people. They invest in technologies, they invest in the latest updates, latest firewall, latest systems and so on, maybe, but they do not invest in people. And when it comes to cybersecurity, it's just as important to have strong, well-trained people, and our people are also a cybersecurity risk, in addition to investing in technology. It has the same level, because, as you mentioned, when I talk about phishing emails, phishing emails are targeting the individuals. It's not, when I'm going to hack a certain system or infrastructure, I don't try to hit the biggest firewall and the biggest, I don't know, cybersecurity protection they have in the system. I will try to hack the weakest point in this system, which is the human resource, which is the personnel that are working in the system. And here there is the known debate between the CFO and the CEO. For example: we should invest in our team. What if they left? What is their state? Okay, so what happened now after COVID-19 and remote work is that basically we used to have, let's say, a closed system inside the company where all PCs are protected internally. No one can put a USB inside the laptop or whatever. That's secured internet. All our data are secured on our servers; nobody can access our data from outside our location, and so on and so on. Then COVID-19 came, and everything changed. So now we're talking about remote work. Let's talk about people working from their mobile or laptop from anywhere. So maybe they are jumping on an airplane and working. Okay, one of them was, for example, sometimes you have very confidential data that you need.
You don't need to get access to those data from outside, from the internet, but nowadays you have to, because again, if you don't give access to this data through the internet, none of the employees will have access to it, because they are working on it. And since you opened it up to the internet, you expose those data to the public. This is number one. Number two, when we are talking about phishing emails and phishing, I would give you a very funny example that happened. I was in a seminar with a cybersecurity consultant for President Barack Obama between 2012 and 2016. They told us a case where the White House was under attack. So they did analysis and they knew that the attack started from inside, not from outside, because of a human mistake. So what they did is that they did a phishing test. They sent a phishing email to test how the employees would respond to the phishing email. And listen, we are not talking about the region here. We're talking about 2000 employees in the White House, where they should all be experts and so on. So they sent them a phishing email. And inside this email they wrote, please don't click on this link, and put a phishing link. And guess what? 95 of the 2000 already clicked on this link. Yeah. And as I mentioned, I want to mention another example. Two weeks back, we went to a small cybersecurity conference for top executives in cybersecurity. I'm not talking about CEOs, I'm talking about a CIO, a CSO and so on and so on. So one of them was saying that me, on a personal level, I was subject to clicking on a phishing link in a phishing email. Why? Because we all know that most of our work nowadays is working on mobiles, working on smartphones with a small screen where you can by mistake click on a certain link instead of clicking on something else. This is number one.
And sometimes lots of people are answering emails and replying and working while driving, or while playing with the kids and so on. So by any means you can click on any link by mistake and make the whole damage. So that's what made phishing emails very critical nowadays. And especially due to COVID-19 and so on, people decreased their investment in training and awareness and so on. And we all know the effectiveness of training online is not the same as live training and physical training. So that's why the damage is becoming so, so big.

Rouba: (22:23)
And I mean, if we want to kind of wrap this one up by giving or empowering, you know, the finance and accounting sector, I have a dual question for you. So the regional cybersecurity market is becoming very competitive and it consists of a lot of major players, some of which have been homegrown, some of which have come over from Western markets and are offering cybersecurity services. So my question here is, first of all, in your experience, must there be a dedicated function within private organizations or even government that is purely dedicated to cybersecurity solutions and prevention beyond IT? So that's one fold. And then the second part of it: how do finance and accounting professionals, who are definitely involved in this process because of the financial implications of data as well, being the highest risk, how do they go about searching and actually recruiting the right partners? And what should they be looking for in terms of track record, capabilities, and services and solutions being offered?

Roland: (23:27)
Let me be clear regarding the first question. When it comes to cybersecurity, the traditional way, where cybersecurity was part of and under IT, is totally wrong. And now we can see that most of the, let's say, especially in banking sectors, the cybersecurity team is either under the risk department or a dedicated department under the CEO directly. So now the people that are related to cybersecurity are very important, because you cannot put the cybersecurity team or any cybersecurity expert under the IT department, because he should be auditing the IT team. Like, for example, putting a senior auditor under the accounting and finance team; it cannot happen like this. You need to give power to certain people to be, let's say, outside this department or directly under the CEO, in order to be able to audit and govern all the solutions done and implemented by IT. This is number one. Number two, regarding the finance and IT team, in order to know which partners to deal with and so on, I want also to be very frank about what's happening currently in the region here. What is happening nowadays, when it comes to cybersecurity companies, it's kind of unfair competition. Why? Because when it comes to tenders, lots of government entities or private entities or whatever, they don't have the technical know-how to derive technical requirements for a tender. And this is very critical. Why? Because actually they don't know what they want. All they know is that we have, let's say, security features, we have problems, we have concerns, and so on. We need someone to provide a solution, but we cannot write technical requirements in order to say we need something for, let's say, the hardware, we need whatever, we need whatever.

Rouba: (25:31)
But wouldn't that then be part of a kind of audit of the systems in question by a cybersecurity specialist, for example, and then they would make the list of solutions required?

Roland: (26:57)
Actually, this is how it should go. So we cannot say, for example, let's say this company took X solution from this company and the solution worked very well and so on, so I can take the same solution and implement it on my own. We need to do exactly what you said, Rouba. We need to assess what are our requirements, what are our needs, who is our team, what type of training and education and awareness we should have for our team, what type of data we need to protect. So I will give you one quick example. For example, let's say you have a university website, okay. This university website can, for example, go down for, let's say, one hour or two hours for maintenance purposes or whatever in order to do something. But let's say if you are talking about a bank website, you cannot take down the bank. So your main priority for a website for a bank is to keep it live 24/7 with zero downtime, because people will think lots of times, why is the website down? Maybe they are under attack. My money is not safe, and so on and so on. So your main priority when you're talking about a bank and so on is stability, not taking anything down and so on and so on. Whereas, for example, in, let's say, a university website, it's okay, it's fine if the site goes down for one hour or two hours or whatever. So there are different priorities based on different industries, different aspects and so on. So that's why what is good for you, what fixes you, does not fix me. So this is very important.

Rouba: (28:36)
No, I mean, it's also amazing to see, like, despite the very highly advanced state of digital penetration in this region, there's still so much education to be done. And so I guess, you know, you have your work cut out for you, Roland. You have a lot of work to do.

Roland: (28:56)
Actually, this is what we are doing, and again, when it comes to training and e-learning, we differentiate between two things. We have the technical training for the technical teams. There are, for example, the IT teams, the cybersecurity team and so on and so on, but still we have awareness training, as a basic technical awareness for everybody in the company, from maybe the entry-level person to the CEO. They should all know, for example, whether you should click on this link, or know how to protect your passwords, how to protect, because there are common mistakes that are still now being done by everyone. For example, and I don't want to call them stupid mistakes, but for example, the password "password", or one, two, three, four, five, and so on; they would write their password on a note on their mobile and so on; they would use the same password across Facebook, Instagram, personal email, business email and so on, because, okay, I can't remember all the passwords; the password is like a birthday date or marriage date and so on, which is very easy to guess and very easy to know. And it would be very critical for the organization and on a personal level.

Closing: (30:11)
This has been Count Me In, IMA's podcast providing you with the latest perspectives of thought leaders from the accounting and finance profession. If you like what you heard and you'd like to be counted in for more relevant accounting and finance education, visit IMA's website at www.imanet.org.

©Copyright 2021 Institute of Management Accountants. All rights reserved.