Ali Taherian: How did you manage to form a united information security culture at NBE? What worked and what do you think might work for others?
Abeer Khedr: Enforcing the culture has to be a continuous message. Being the largest and the oldest bank in the country, we had to have an information security awareness program initiated and established. We started with the information security policy because policy is where you can clarify and fix the bank's position in regards to the different security topics and areas. We got the employees' commitment to those policies (which were published earlier, through internal portals) to make sure they are accessible to all employees. Then, through an awareness program, they had the chance to learn about the different policies in detail and ask related questions through different channels such as classroom training, online training, and a regular newsletter.
AT: How effective has the InfoSec Awareness program been so far?
AK: We are certified with ISO27001 and PCI-DSS, which require us to run an awareness program as well as measure its effectiveness. Therefore, we have defined KPIs to measure the effectiveness of the program provided to the employees. For example, an increase in the frequency of reporting of security issues, or in knowledge about what malware or ransomware is, helps us measure the effectiveness of the culture.
AT: What skills or bodies of knowledge from the past experiences helped you in your current role?
AK: Having a degree in computer science gives you the chance to be in IT, and I got a master's in business information technology at Middlesex University in the UK, which helped add another aspect to it: a combination of IT and management of IT. Of course, certifications in addition to the academic education are quite important.
AT: How, in your opinion, can business understanding contribute to success of a CISO?
AK: In my opinion, (the) CISO position is no longer just a technical position and it requires a combination of the strategy background that includes business, governance, and risk management. More knowledge in these domains makes one more qualified to address the challenges in the field.
AT: How do you think security professionals should communicate their problems to the board?
AK: When you discuss (this) with the senior management, they usually ask you certain questions. They are not interested in the technical details of the security issues and threats but are more interested to know the risks and their impact on the systems. Therefore, you should be able to explain (issues) to them in business terms. A background in and understanding of business helps you phrase those technical risks in business terms that the management can appreciate.
AT: From your perspective as the group CISO of NBE, what are the biggest challenges you face in the year ahead?
AK: There are three areas across which we need to balance our effort: external threats, insider threats and third-party risks.
For third-party assurance, we are trying to establish processes and procedures in the country similar to the US and Europe. When you use third parties you get assurance using something like SSAE16 Type I and II reports, which give you assurance for design and operating effectiveness in that entity.
Doing due diligence on third parties is important but, with an increased number of providers in large organisations, it becomes very difficult. You will find that the assurance reports mentioned above are more important to validate the assurance, and to pay attention to the controls that are being validated in those reports. We want to convince the local third parties of the importance of those reports and the effectiveness of controls, and to agree them, in order to ensure that whatever controls they are trying to establish inside the organization are also applied to a very satisfying degree at the first part. Because if they process information on your behalf, accountability still lies with you; therefore, we have to make sure that they have the controls in place.
Insider threat is another important area that sometimes gets overlooked. Not only identity management but also application control is very interesting, because they are preventive in nature and minimise the chance of fraud by ensuring you have a very controlled environment before an incident happens.
AT: As an information security leader in the financial industry, what areas need more innovation?
AK: Innovation is a competitive advantage in the financial and banking industries as it leads to attracting more customers. It shows your customers that you are tuning yourself to their evolving needs, and they favor you if they can see their needs are better addressed through innovative products. For example, NBE is one of the first in the country to offer ITMs (Interactive teller machines), which have conferencing ability. It empowers customers to interact with customer service employees through conferencing to get more services than at traditional ATMs. Especially for the segment of customers who are old and not familiar with technology, (the) help of a human being empowers them to interact better with the machine. We need innovative products that provide customers with ease of use and that also respond to their needs.
AT: What is your organisation doing to overcome skills shortages in the sector?
AK: Generally, there is a skill shortage in this industry, but we have been able to manage this somehow through graduates from the universities. In addition, I believe that pursuing information security certifications can add value for the experts in the industry, and I encourage my current team to follow this path as proof of having certain bodies of knowledge.
AT: What is your suggestion to women and newcomers who want to follow a career in information security?
AK: They just need to be more flexible with the allocation of their time. Many people say that there must be a work-life balance, and they take it to mean the separation of work and life. I don't advocate its separation at all. I see your work and personal life as one thing. You live an integrated life; you cannot say I only work 9-5 and after that it is family time. This separation is not practical, and it has to be an integrated life. We can attend to personal matters when we are doing work and, vice versa, we can attend to urgent work matters in the evening. This way we plan our lives better and especially enable women to enjoy different aspects of their lives. It requires flexibility and planning, and requires women to be honest about their priorities. While women are good at all aspects of IT and information security, they also have good communication skills by nature, which make them able to express issues in an elaborate manner and which makes them really good at risk management.
AT: The introduction of biometrics to banks reveals a new security strategy within the security industry. Does it mean that banks look at biometrics as a solution to substitute traditional authentication? How does NBE look at biometrics?
AK: Recently, the central bank of Egypt issued a regulation about the security of online banking (which) requires banks to provide 2-factor authentication. For biometrics, it is not a perfect time for Egypt because of the technological and cultural legacies. We are willing to consider that, but you should be cautious about false positives and the immaturity of the technology when you have a very large customer base like NBE (more than 5 million customers). Our customers are from different categories and backgrounds and still, lots of them have feature mobile phones and not smartphones. However, we noticed the demand for MasterCard Selfie Payment (which identifies customers with pictures of their own face, taken in real time), and this will be a motivation for the banks to consider biometric solutions for online banking.
AT: From your perspective, how would you see the future of biometric authentication in online banking?
AK: If you want my opinion, it will happen. But when? It really depends on the culture. A good portion of our customers are willing to use it, but a big portion of them are not. Based on our experience in introducing innovative products to the market, the initial phase was not very promising, but after two years that product has gained popularity, and I think there will be the same trend for biometrics.
Other interviews from SC Media UK can be found here.