David Chow, Chief Technology Strategy Officer at Trend Micro, talks about his experience in the cybersecurity industry and how the cybersecurity landscape has evolved in Saudi Arabia. He highlights that as the Kingdom embarks on its cloud journey, Trend Micro has a significant role in securing the country’s cyber defences despite the astonishing progress the company has enjoyed in the past few years.
What would you like to share with the Saudi organizations through your experience working at various American organizations? And what can they do to strengthen their cybersecurity posture?
In my view, understanding the scope of your digital domain is critical. This comprehension is key to addressing cybersecurity issues effectively. Without clear visibility of your environment, recognizing and remedying exposures is challenging. Therefore, a thorough assessment of what lies within your purview is the first step for any CIO or CISO. This enables you to prioritize risks and allocate resources efficiently to mitigate those risks.
Visibility is crucial, but so are the three pillars of people, process, and technology, which are often discussed but crucial to operationalize in IT and cybersecurity management.
Regarding people, it’s about fostering awareness and education among staff, leadership, and potentially board members to ensure alignment and commitment to security protocols. Hiring competent personnel is equally essential for maintaining a secure environment.
Numerous tools, like intrusion and endpoint protection, can enhance visibility on the technological front. The aim is to synthesize information from these data points into a unified view for better control and response.
Lastly, processes are the foundation for sustaining a strong security culture. They provide a framework for managing cyber hygiene, incident response, and compliance with regulations and audits.
In essence, visibility, people, process, and technology are the four critical domains to fortify any cybersecurity infrastructure.
What emerging cybersecurity threats should organisations be more vigilant about in the coming years?
I travel extensively in my role at Trend Micro, engaging in information exchange with government entities and C-level executives from the private sector worldwide. I’ve noticed that certain terms gain popularity each year because they encapsulate emerging trends in cybersecurity. For instance, “zero trust architecture” dominated discussions in 2022, and “artificial intelligence” has taken centre stage in 2023. I predict that “geopolitical risk” will become the buzzword of 2024.
These terms become buzzwords because they reflect real-world cybersecurity relevance. Reflecting on 2021, shortly after President Biden assumed office in the U.S., a significant surge in ransomware attacks caught the nation’s attention. The Colonial Pipeline attack, resulting from a phishing email, caused significant disruption, leading to widespread fuel shortages. This and similar incidents prompted President Biden to issue an executive order mandating U.S. government agencies achieve zero trust architecture by 2024.
Regarding the threat landscape, ransomware and complex cyberattacks have been critical issues. The spotlight on artificial intelligence in 2023 is also warranted. President Biden’s recent executive order on artificial intelligence underscores its significance. Artificial intelligence now enables the creation of convincing, personalized phishing emails, which makes detecting fraud more challenging than when poorly written emails served as red flags.
The advancement of AI also brings the threat of deep fakes to the fore, which I find particularly concerning. These deep fakes could create an identity crisis by impersonating individuals with high accuracy in videos and audio, potentially delivering messages that are opposing their true views.
Lastly, even if region-specific geopolitical risks can have global repercussions, influencing economic stability and security postures. Intelligence gathering and financial gain are often the motives behind cyber activities linked to geopolitical unrest. These are the pressing cyber threats we face and need to address proactively.
Can you probably share insights into what Trend Micro is doing to curb the evolving threat landscape?
Over the past five years, we at Trend Micro have focused on developing and perfecting a platform known as Vision One, an AI-powered Extended Detection and Response (XDR) tool. This solution offers a comprehensive view of an IT environment through a single dashboard. It allows for complete control and visibility, making it crucial for IT management. Vision One also facilitates communication at various organizational levels, from the board to C-level executives to operational teams, through its customizable dashboards and risk-scoring system. These features enable organizations to compare risks against industry standards and make informed decisions.
The significance of this capability lies in its ability to provide clear visibility of potential exposures. With our 35 years of experience and data analysis, we can quantify risks and prioritize resources effectively to address them. This is essential, as many entities face regulatory or audit requirements. Vision One offers a centralized solution for compiling these audit or regulation reports, streamlining the process significantly. Globally, our efforts have been augmented by integrating cyber threat intelligence and continuous R&D into the console.
In the MEA region, we’ve experienced substantial growth, expanding from seven to over eighty people in seven years. The positive feedback from clients regarding our products, services, and partnerships is a testament to our commitment to quality and innovation. As we continue to grow, we aim to maintain a strong global presence, with global executives focusing on various regions to share expertise and guide the development of local cybersecurity maturity.
What role do you see AI and machine learning playing in the future of cybersecurity? And how can KSA organizations leverage these technologies effectively?
I approach AI from two perspectives: one focusing on professional services and the other on cybersecurity. Speaking from a professional standpoint, I recall when I was asked to prepare a presentation with only an hour’s notice, comparing Australia’s Essential Eight cybersecurity framework with the U.S. framework. While I’m deeply familiar with the latter, having worked with the U.S. government and undergone annual audits, my knowledge of the Australian framework was more surface-level, gained from discussions with top government agencies during my visits there.
In this time-sensitive situation, I turned to ChatGPT. I requested it to compile information for this comparison, and remarkably, within 30 seconds, it gave me a comprehensive outline. This allowed me to focus on validating the information rather than writing it from scratch, and I successfully transformed this data into a PowerPoint presentation that the client greatly appreciated. This example illustrates how AI tools can significantly enhance productivity.
From a cybersecurity perspective, AI and machine learning can be leveraged to process extensive telemetry data. Previously, SIEM systems or correlation engines were common, but now AI and ML can perform initial data analysis. This is particularly useful in sorting through numerous incident flags, many of which are false positives. AI and ML refine this process through pattern recognition and data aggregation, ultimately providing SOC analysts with more accurate information on potential threats. This capability is invaluable, especially considering the global shortage of 2.1 million cybersecurity professionals. AI’s efficiency is vital in optimizing resource allocation in this field.
In the context of the country’s increasing digitization, what do you see? What should be the top priorities for organizations looking to enhance their cybersecurity posture?
When discussing cybersecurity, I often emphasize the importance of visibility and the balance between people, processes, and technology. A critical aspect of this is securing continuous buy-in within an organization. While cybersecurity is everyone’s responsibility, it’s not justifiable to blame the CISO alone in the event of an incident. This is because, often, they may be doing everything required of them, yet the crucial support must come from all levels, including staff, employees, and notably, from senior executives and the board.
A key point to consider is the high-value targets within an organization, typically the senior-most individuals. For instance, we conducted a phishing exercise in one of the agencies where I served as a C-level executive. We sent an email inviting staff to click on a link supposedly showing a live video feed of the lunchroom. Surprisingly, the Executive Director and Deputy Executive Director, the top two officials of the agency, were among those who clicked the link. When enquired, the Executive Director admitted to being driven by curiosity, while the Deputy Executive Director, despite being IT-savvy, believed that the IT team would resolve any potential issues. This mindset, even in a non-threatening exercise, underscores the risk if such a scenario were genuinely malicious, potentially leading to access to sensitive financial or privacy data.
This real-life example highlights the necessity of obtaining the necessary buy-in from the top. While IT departments can focus on enhancing visibility, streamlining processes, and leveraging technology, effective cybersecurity requires support and awareness at all organizational levels.
I find it encouraging to witness the government’s increasing focus on cybersecurity, particularly here in Saudi Arabia. With the government’s significant authority, the improvements and changes being implemented in this region are noteworthy. This heightened attention is creating a substantial market opportunity for various vendors and attracting global attention. Participants worldwide are converging at these global events, sharing experiences and, understandably, looking for potential business opportunities.
As a cybersecurity leader, Trend Micro, what advice would you like to offer the budding cybersecurity professionals who are looking to advance their careers?
In cybersecurity, professionals consistently have job opportunities due to the ever-rising threats driven primarily by various human factors. Whether for monetary gain or other reasons, cybersecurity conflicts will persist as long as people are in control of systems, running enterprises, or governing countries.
In my view, advancing a career in this field requires more than specializing in a single aspect of cybersecurity. It’s about broadening one’s career with diverse experiences. Reflecting on my career journey, I’ve worked across various IT sectors. My roles have included working at a help desk, managing IT operations and data centers, provisioning BlackBerrys, iPhones, and laptops, developing system applications, enhancing databases, and delving into cybersecurity policy, governance, risk compliance, and even the technical aspects of defence and architecture.
Having a well-rounded skill set is key to accelerating your career. It enables you to understand the perspectives and tendencies of different personas within the IT and cybersecurity realms. This understanding is crucial because, at its core, cybersecurity is about collaboration with people. Recognizing their challenges and inclinations helps foster collaboration, which is vital in this field.
Exposure and a basic understanding of various technical areas, along with keeping abreast of technical trends, are essential. However, the human element is just as important – understanding the people you work with, their personas, and how these interactions contribute to a larger network effect in your career. Ultimately, as you reach higher levels in your career, the next job opportunity often comes from within your network – from people who know you and can refer you, rather than from the traditional route of applying for positions.
What would you like to see about how the country is kind of at the forefront of leading this movement against the threat actors?
I must say, my recent experiences here have been truly impactful. In just a few days, I’ve observed engaging not only client interactions but also remarkable infrastructure developments. Everything here is newly built, reflecting a vigorous, goal-oriented approach. This resonates with me; I prefer proactive environments, not ones where we wait for things to happen.
In terms of cybersecurity, the growth I’ve witnessed is impressive, both within our team and in the industry in this region. The robustness of the industry here is notable. Interacting with high-level government officials and C-suite executives, their extraordinary hospitality struck me, coupled with genuine humbleness and a keenness to learn. They’re open to diverse experiences and global trends, including those from the U.S., and actively seek recommendations for internal reflection and application.
A particularly insightful discussion occurred with a healthcare organization, focusing on Operational Technology (OT), an overlooked area. We’re considering OT as part of the cybersecurity framework, particularly in healthcare with medical devices. The maturity of these conversations is evident in the desire for complete visibility, not just within IT but extending to OT, enabling more comprehensive correlation.
This level of maturity and eagerness to learn is a testament to the region’s growth. There’s a collective willingness to adopt best practices and elevate them further. As Saudi Arabia embarks on its cloud journey, there’s much to learn from the U.S. and other nations. Despite the U.S. initiating a cloud-first approach in 2010, adoption has been gradual, with legacy applications still prevalent. These lessons are invaluable to the region.
Trend Micro focuses on utilising cloud computing best, considering its redundancy capabilities and cost factors while ensuring compliance with local data sovereignty regulations. This approach will undoubtedly enhance cybersecurity maturity in the region.
Our progress in Saudi Arabia has been astonishing. Approaching the 200 million mark in seven or eight years is a significant milestone. The brand recognition and appreciation for our partnerships and services have been overwhelming. Conversations with clients confirm our substantial growth and potential for even more. Achieving 400 to 500 million in the next three to five years doesn’t seem far-fetched. I foresee a network effect, a snowballing growth that will only continue to expand.