Keynote Address

“Strategic, Smart and Secure:
Mitigating 21st-Century Threats
for Resilience and Business Continuity”

ASIS 2014
5th Middle East Security Conference & Exhibition

Abdulrahman F. Al-Wuhaib
Senior Vice President
Saudi Aramco

Monday, February 17, 2014

Intercontinental Festival City
Dubai, United Arab Emirates

Thank you, ____.

Your Excellencies, distinguished guests, ladies and gentlemen: Good morning.

On behalf of Saudi Aramco, it is a pleasure to join you for this region’s signature security event. Our company has been proudly associated with ASIS for 38 years now, so we are old friends indeed. Congratulations on this fifth edition of the conference.

Let me take a moment to thank the organizers for putting together this event to strengthen security as our organizations’ first line of defense.

Security’s Rising Profile

It’s been exciting to watch the security profession grow beyond its traditional protective function to become a source of true competitive advantage. Today, that edge is all-important:

It can be a buffer against threats and vulnerabilities.

It can be a framework for strategic planning.

And it can deliver resiliency.

These advantages echo our conference theme, “Strategic, Smart and Secure.” And they have never been more important in a world where the potential for disruption is unprecedented.

Why Elevated Risk Is the New Normal

Why is risk so sharply elevated? Because relentless change is “the new normal.”

Economic, industrial and social shifts generally unfold at a moderate pace. Today, however, we’ve seen a century’s worth of changes compressed to a matter of decades, thanks in part to globalization, the advent of the Information Age, and advancing technology.

These drivers have brought real advantage to business and industry: we’re able to work faster and smarter; we are interconnected like never before. New market realities give us unparalleled capacity to innovate, create and grow.

But there’s a flip-side to the coin.

Interconnection carries inherent risk: we’re no longer isolated from what is happening to someone else, someplace else. Constantly evolving technology is susceptible to obsolescence and error. And that’s even before we factor in the human element!

The volatility and complexity that define this new century create a prime environment for malicious intent. There’s a new breed of threat whose devastating impact can easily spread – often by design – from business to business, sector to sector.

And make no mistake: cyber-criminals will fully exploit every chance to do harm.

The Speech Theme: “Strategic, Smart, Secure” Against Threat

Because 21st-century criminals are highly strategic, we must be even more so.

This morning I’d like for us to look at business continuity planning and resilience from the standpoint of imminent threat, specifically cyber-crime, and ways organizations can take action to be “Strategic, Smart and Secure.”

Each solution for effectively managing risk calls for security to serve an expanded, proactive, embedded role – with a place at the table as a full partner.

Cyber-Crime: A 21st Century Threat

By talking about cyber-crime, what I want to emphasize is not so much what it is, but what it does to economies and societies beyond the act itself.

The criminal element’s first tactic is to use our dependence on technology as a weapon.

Given the Internet’s pervasiveness in daily life – and the proliferation of smart phones, tablets, desk-top and lap-top computers, e-readers and printers in use – it’s easy to forget that the web as we know it is only a couple of decades old.

With millions of devices processing data on a massive scale, and the sheer velocity at which technology cycles, vulnerability is a given. Clearly we are still in the frontier days of 21st century technology, putting us at risk for theft of financial and information assets, and acts of sabotage like corrupted data or service denial.

Business and industry surveys reveal failure of technology, failure of supply chain, property damage and cyber-crime as the top four issues. It’s worth noting that cyber-crime is directly related to the other three.

The threat is so severe, in fact, that securing cyberspace has been named one of science and technology’s global Grand Challenges for the 21st century – right up there with access to clean water and food.

The cyber-criminal’s second strategic move is the characteristic ability to adapt along with technology. The changing profile illustrates this point.

In the 1990s, the biggest cyber-threat might be the mischief of a young male showing off his hacking skills. Today’s bad guys are no teenage computer geeks, but highly organized, globally networked and funded criminals and terrorists.

Their motivation has also evolved, from random, limited, self-propagating viruses and hackings with no specific victim, to increasingly well-targeted, financially or politically motivated hits.

In recent years, a significant rise in cyber-attack complexity and frequency has been triggered by the international economic downturn, events of the Arab Spring, and regional and worldwide unrest.

No one is immune. Extremely advanced, well-orchestrated attacks have penetrated the defenses of some of the most secure international and governmental establishments. Last year, major breaches occurred at Facebook, Adobe, Booz Allen Hamilton, and major media outlets, to name only a few.

Major South Korean financial institutions were crippled by malware, and several British banks and market infrastructures have come under attack. In our region, malicious mobile applications compromised regional banks.

And in recent weeks, the U.S. retailer Target experienced a data breach affecting 40 million credit and debit cards, and 70 million customer records.

The energy, oil and gas industry in particular has been subject to numerous attacks. Saudi Aramco experienced this situation firsthand, as I will discuss later.

Ultimately, cyber-crime’s adaptive nature makes possible what is perhaps its most insidious capability: creating an avenue for other types of security threat.

For example, industrial espionage leverages advanced technology to steal proprietary or privileged information, such as the 2009 attack on Silicon Valley in which Google lost intellectual property.

But maritime pirates, typically poor and uneducated in sharp contrast to the cyber-criminal profile, are increasingly hacking shipping databases, and using low-tech satellite phones and GPS to track vessels.

Crime can even be no-tech, as social engineers manipulate psychology and human interaction for criminal gain.

The Solutions: Strategic + Smart = Secure

These examples underscore the wide scope of threat that we face today. Clearly, no single solution can eliminate it; no single entity can conquer it. We need calculated plans, layered solutions and the support of partners.

To again reference the ASIS theme, our formula must be “Strategic plus Smart equals Secure.”

Deconstructing this equation lets us focus on how proactive prevention yields greater resilience.

Strategic

Logically, being Strategic must come first; otherwise, the crisis becomes the plan. Forward planning and systems design are the foundation of business continuity.

Finding and employing the best technologies also is foundational. This is no place to skimp; we can be sure criminals are putting money into their operations.

Risk assessment likewise is a strategic cornerstone. Contingency planning, continuity plans, and crisis management strategies, tested against scenarios, cannot be emphasized enough.

The value of these strategic areas was proven in the August 2012 attack on Saudi Aramco, which I mentioned earlier.

We previously thwarted thousands of attacks, but this malicious virus had never been seen before. Advance detection through software or security measures was not possible.

Thankfully, meticulous protection technologies and systems were in place for essential functions, as well as incident response plans for various situations.

These business continuity protocols, combined with built-in system architecture protecting our computer network, allowed us to sustain the attack. So while there were headaches, core business was not affected: no customer delivery, critical service or transaction was disrupted. In the words of our CEO, “Not a drop of oil was lost.”

The experience categorically showed that rigorous business continuity planning pays off. Note that key word, rigorous. Luck had nothing to do with the attackers failing. Preparedness, on the other hand, did.

From the standpoint of readiness, it is strongly recommended that physical security, as the backbone of organizational resilience, operate its computer systems on a separate, segregated network.

Besides mitigating risk, such a step facilitates next-generation solutions like physical security information management. The optimal gathering, sharing and analysis of situational data not only lets our people respond to a crisis in real time, it aids decision-making on risk management.

Smart

With the Strategic element in place, we move to the Smart part of our formula – and that is to align and integrate security with other business functions, in the broadest sense.

Good people have always been key to the success of any organization, but highly specialized talent is vital for the 21st century. Because information and technology are the primary threat tools and targets we have explored today, we must pay special attention to information security resources.

Dedicated security/IT specialists are badly needed, but hard to find. Proactive companies will not hesitate to build their own workforces, especially combining security with other crucial disciplines.

A senior officer function with a dedicated information security organization can enforce segregation of duties and improve the focus of information security efforts. Policy enhancements, risk management and enhanced security monitoring are crucial elements in this domain.

It’s also important to develop young talent. Saudi Aramco is investing heavily in top university cyber-security program enrollment for young Saudis, including a hosted master’s degree through Georgia Tech.

We are also collaborating with local universities to enhance their academic programs in this field. For example, a major regional cyber-security event will be launched later this year in cooperation with King Fahd University of Petroleum & Minerals, and other local partners.

Secure

We now come to the sum of our equation: Strategic and Smart yield Secure – or, putting it another way, a better functioning, more resilient organization. Being secure starts at the top with a commitment to empower and embed security across the enterprise.

As the competency benchmark, certification is vital for keeping security professionals on top of knowledge, skills and standards in a volatile environment.

A culture of security is the next element. Ongoing awareness campaigns in tandem with mandatory eLearning align workplace practices with procedure, and promote accountability.

Building a broader cooperative network in which organizations can interface on security matters is also essential for readiness and knowledge transfer.

After our cyber-attack, Saudi Aramco held such a briefing with local and regional industry to share best practices and lessons learned, and to communicate going forward. Along similar lines, Saudi Arabia is developing a national cyber-security center for sharing intelligence within the Kingdom.

As cyber-crime poses escalating risk to national security around the globe, closer collaboration is urgently needed for preparedness and protection.

Given the importance of this region to the global economy and to energy security, I call on the GCC countries to take the lead, and create a regional center that is a model for cyber-security innovation, education and practice.

Managing Risk: Security’s Place at the Table

If there is one thing the fluid nature of 21st-century threat emphatically shows, it is that we can never be immune to risk, whatever the source. But we can inoculate ourselves through proactive, accelerated security measures and talent development.

It is worth repeating: the single most important action we can take is to elevate security and integrate it into everything we do. Security provides a safe, stable environment for business to thrive, as long as it meshes seamlessly with the overall organization’s vision, goals and objectives.

We need to empower our security professionals to help set and implement policy, assess and address risk and threat, manage reputation, and ensure organizational resiliency.

Ladies and gentlemen, security should always have a permanent place at the table.

Our being Strategic, Smart and Secure cannot happen otherwise.

Thank you for your kind attention, ladies and gentlemen.

I wish you a successful and productive conference.