
By Abdulghaffar Setareh, Chief Risk Officer, Zain Group; and Aloysius Cheang, Chief Security Officer, Huawei Middle East & Central Asia

The modern concept of risk refers to the probability of an adverse outcome that could affect people, systems, or assets, weighed against the harm that outcome would cause. From a technology risk perspective, it is the potential for destruction, damage, or loss of data or assets resulting from a cyber threat. A cyber threat raises the likelihood of such an adverse event, for instance when a threat actor exploits a vulnerability inside your system.

Today's threat landscape is more volatile than ever. Cyber threats are multiplying and pose serious financial, legal, and reputational challenges to organizations. We propose that the capacity to harness risk and hedge against this barrage of threats is a better measure of the value of organizations and nations. This is particularly relevant amid a digital transformation that heralds a new age characterized by digitalization, virtualization, and intelligentization.

Cybersecurity is more than having an incident response plan; it is about ensuring that your entire security posture can withstand a wide range of blended or hybrid threats. This involves integrating digital, virtualized, and physical security measures, hardening critical systems, and creating cross-functional, multi-disciplinary teams. These teams draw members from the core organization as well as the wider ecosystem, including partners, suppliers, and even customers, so that risks are addressed from multiple angles and dimensions.

Self-adapting security frameworks, designed to evolve alongside emerging threats, will be crucial to maintaining business continuity in this volatile environment, driven by a risk-based approach that builds business resiliency and competitive advantage. Modern, effective cybersecurity management entails more than managing technology risk; it encompasses managing business risk. Organizations must recognize cybersecurity as a strategic imperative integrated into their overall risk management framework, and that integration must have consensus at board level.

Traditional compliance methods are no longer sufficient in today's rapidly evolving business landscape, where cyber takes center stage. Organizations are recognizing the need for a more dynamic approach to managing risk, one that prioritizes critical threats and aligns with their strategic objectives. This shifts the focus from a one-size-fits-all compliance checklist, which is all about "checking the box", to a strategy that weighs risks by their potential impact on the organization at every business decision. It is about leveraging cyber as a tool that delivers outcomes in support of business objectives, and about understanding which risks are most critical and addressing them proactively, in order of priority, rather than spreading resources thinly across every potential threat.

Diagram 1: Evolution of How We Treat Cyber Risk Assessment

According to ‘Computer Security: Principles and Practice’ by William Stallings and Lawrie Brown, a vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that a threat could exploit. A threat is the potential for a threat agent to exploit a vulnerability, and a risk is the potential for loss when the threat materializes. All three are defined relative to an asset, "something that needs to be protected." Once we know an asset's vulnerabilities and threats, we can determine how much risk is posed to the asset owner. This measure combines the likelihood that a threat exploits a vulnerability with the scale of the harmful consequences, which translates into the equation: Risk = (Probability that a threat occurs) × (Cost to the asset owner). In practice the probability is taken over a fixed period, usually a year, and the cost is expressed in a single currency, so that the resulting risk figures can be compared and ranked across assets.

However, we are at a crossroads where AI and robotics will permanently change our world. We are hurtling towards a quantum wormhole: we have not completed our digital transformation, yet we are already talking about intelligent transformation, running before learning how to walk. Therefore, we must consider AI security in our cyber risk assessment.

The Open Worldwide Application Security Project (OWASP) recently warned the industry about the growing data exposure risk created by AI in its new Top 10 list for LLM applications, where sensitive information disclosure through large language models (LLMs) and generative AI (LLM02 in the 2025 edition) has become a more critical risk as AI adoption has surged. Steve Wilson, project lead for the OWASP Top 10 for LLM Project, put it this way: "Developers often assume that LLMs will inherently protect private data, but we've seen repeated incidents where sensitive information has been unintentionally exposed through model outputs or compromised systems." Thus, there is a need to incorporate AI, or intelligentization, into our risk treatment equation, particularly for assets that include AI components or are part of the AI journey or corporate strategy of intelligentization, as summarized in Diagram 1.
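To make the risk equation concrete, here is an added worked example in Python; it is not code from the article or from either author's organization. It ranks a small, constructed risk register by Risk = probability × cost, then compares two ways of spending a fixed treatment budget: a checklist approach that ticks off as many controls as it can, and a risk-based approach that buys the control removing the most expected loss per unit of cost. One entry models an asset with an AI component facing the OWASP sensitive-information-disclosure threat. All probabilities, costs, and control effects are invented for illustration, and the greedy budget rule is this example's assumption, not the weighting that Diagram 1 applies to AI components, which the article does not spell out.

```python
"""Quantitative risk register on the Stallings/Brown form
Risk = (probability that a threat occurs) x (cost to the asset owner).

Added illustration, not code from the article. Every figure below is
constructed sample input; the greedy budget rule is this example's assumption.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    probability: float  # annual likelihood that the threat exploits the asset
    cost: float         # loss to the asset owner if it does (one currency for all rows)

    @property
    def risk(self) -> float:
        return self.probability * self.cost


@dataclass(frozen=True)
class Control:
    name: str
    threat: str       # the threat this control mitigates
    cost: float       # annual cost of operating the control
    reduction: float  # fraction by which it lowers the threat's probability (0..1)


# Constructed register. "support-llm" is an asset with an AI component; its
# threat is the OWASP LLM Top 10 "sensitive information disclosure" category.
REGISTER = [
    Scenario("billing-db", "ransomware", 0.10, 2_000_000),
    Scenario("customer-portal", "credential stuffing", 0.40, 150_000),
    Scenario("support-llm", "sensitive data in model output", 0.25, 600_000),
    Scenario("hr-laptops", "device theft", 0.30, 20_000),
    Scenario("legacy-fax", "eavesdropping", 0.05, 1_000),
]

CONTROLS = [
    Control("offline backups with tested restore", "ransomware", 60_000, 0.6),
    Control("MFA plus bot detection", "credential stuffing", 30_000, 0.9),
    Control("output filtering and data minimisation", "sensitive data in model output", 40_000, 0.7),
    Control("full-disk encryption", "device theft", 5_000, 0.95),
    Control("decommission the fax line", "eavesdropping", 2_000, 1.0),
]


def rank_by_risk(register):
    """Highest expected loss first: the order in which treatment is considered."""
    return sorted(register, key=lambda s: s.risk, reverse=True)


def total_risk(register):
    return sum(s.risk for s in register)


def apply_control(scenario, control):
    """Residual scenario after the control lowers the threat's probability."""
    if control.threat != scenario.threat:
        raise ValueError(f"{control.name} does not treat {scenario.threat}")
    return replace(scenario, probability=scenario.probability * (1 - control.reduction))


def residual_register(register, chosen):
    by_threat = {c.threat: c for c in chosen}
    return [apply_control(s, by_threat[s.threat]) if s.threat in by_threat else s
            for s in register]


def select_risk_based(register, controls, budget):
    """Buy the control with the largest risk reduction per unit of cost first,
    skipping any control that no longer fits the remaining budget."""
    by_threat = {s.threat: s for s in register}
    scored = []
    for c in controls:
        s = by_threat.get(c.threat)
        if s is None:
            continue
        reduction = s.risk - apply_control(s, c).risk
        scored.append((reduction / c.cost, c))
    chosen, remaining = [], budget
    for _, c in sorted(scored, key=lambda t: t[0], reverse=True):
        if c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost
    return chosen


def select_checklist(controls, budget):
    """Checkbox-style: tick as many controls as the budget allows, cheapest
    first, without looking at the risk each one actually removes."""
    chosen, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.cost):
        if c.cost <= remaining:
            chosen.append(c)
            remaining -= c.cost
    return chosen


if __name__ == "__main__":
    budget = 100_000
    print(f"total risk before treatment: {total_risk(REGISTER):,.0f}")
    for label, chosen in (("risk-based", select_risk_based(REGISTER, CONTROLS, budget)),
                          ("checklist", select_checklist(CONTROLS, budget))):
        residual = total_risk(residual_register(REGISTER, chosen))
        print(f"{label}: {len(chosen)} controls bought, residual risk {residual:,.0f}")
```

Run it directly to see the two outcomes side by side: with the same budget the checklist buys four controls and the risk-based rule only two, yet the risk-based residual is lower, which is the point of the paragraph above about not spreading resources thinly. With annual probabilities the equation is the familiar annualized-loss form (single-loss expectancy times annual rate of occurrence); the ranking is only meaningful when every row uses the same period and currency.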

Adopting a risk-based cybersecurity model confers benefits beyond simply preventing cyber-attacks. It builds cyber resilience and agility, and it brings all the necessary stakeholders in the supply chain, or even the wider business ecosystem, into play, pooling expertise and resources to develop stronger and more secure organizations. This matters because security is only as strong as its weakest link, and in an ecosystem that link may sit with a partner or supplier rather than inside the organization itself. The new risk treatment methods highlighted above, combined with collaboration, address this "big elephant in the room" directly. But where does collaboration lead?

Diagram 2: Cyber Diplomacy as a Continuous, Self-Evolvement Framework for Building Resiliency and Trust

The process that leads toward cyber diplomacy is critical when dealing with what intelligentization will bring, both evolving cybersecurity dangers and new possibilities. The risk treatment methodology proposed in Diagram 1 is the DNA and foundational equation for building cyber resiliency; it is reinforced through collaboration within the organization's ecosystem of stakeholders. The next evolutionary step is to form alliances and build relationships with the broader external environment. This often means transcending the borders and traditional boundaries that define organizations or nations, raising awareness, and building a culture of cybersecurity. A shared baseline of cyber hygiene gives such an alliance or group its common footing for building unified standards, establishing processes for information sharing, and building capability and capacity together. Collectively, the alliance tackles the volatile threat landscape and raises the threshold for cybersecurity, forming a stronghold that creates a continuous circle of trust through cyber diplomacy and realizes the value of developing joint norms and frameworks to manage and harness responsible technology adoption.

In conclusion, cyber resiliency is key to survival in the new intelligent world, which has redefined the security landscape. By taking proactive steps, leveraging actionable intelligence, building cyber resilience, and fostering collaboration that strengthens cyber diplomacy, organizations can defend against today's threats and prepare for tomorrow's challenges. It all starts with harnessing risk and introducing a new metric for ranking organizational value and the readiness of countries for digitalization and national prosperity, bringing cyber resiliency to the forefront as the measure of the value of organizations and nations in the future intelligent world.
