Classification: For Official Use Only

Should cybersecurity be treated merely as a response, or as a design principle?


I believe that we need to look at cyber risk mitigation strategically and apply a holistic, proactive
and preventative approach to cyber risk management. This should be the case at all levels,
from operations to strategy. I use this approach.
As Chief Information Security Officer for FANR, my team and I obviously have an important role
to play, but within any organization, cybersecurity is everyone’s task. While cyber strategy must
be determined at the board level, it should definitely not stop there. In order to be effective, the
entire organization, its systems, and its workforce must embrace it.
Organisations can think about protection against this increased risk in several ways:
1. Build a culture of awareness
Cyber risks are no longer just an IT concern, nor are they limited to certain sectors of an
organization. Every employee, from the boardroom to the mailroom, plays an important role in
keeping an organization cyber secure, and understanding their responsibilities for holding data
securely.
2. Adopt a mindset of cyber resilience
With reputational risk, economic losses and legal consequences on the line, it is crucial for
organisations to create and implement an incident response plan in the event that a cyber-
incident occurs. Responding quickly and effectively will not only mitigate these risks, but also
ensure a successful recovery.
3. Practice
This can be crucial when responding to a cyber-incident. Just having an incident response plan
in place is not enough - it is important that the plan be practiced and updated on a regular basis,
adjusting as needed for different scenarios and variations of cyber threats.

- What are the key principles of cyber security by design?

Principles of Cybersecurity
When implementing cybersecurity, there are two specific goals to be attained. First, confidential
information must be kept out of reach of potential cyber attackers and other unauthorized individuals.
Second, cybersecurity measures must not hinder authorized users' access to the information. The
following are the three main principles of cybersecurity.
Confidentiality - Cybersecurity should ensure that the information to be secured is only accessible
to authorized users and prevents the disclosure of information to unauthorized parties. For example,
to implement confidentiality of company information on a cloud-based Customer Relationship
Management (CRM) system, access can be restricted to users with the right username-password
combination. Most systems also implement confidentiality through data encryption, which is an
additional layer of security: decrypting the data requires the individual or system to present the
requisite key.
Integrity - Cybersecurity efforts should ensure information remains accurate, consistent and not
subject to unauthorized modification. Continuing the CRM example, integrity is
achieved when measures are put in place to ensure that email communication between a sales
representative and a customer is not intercepted and modified by an intruder while it is still in transit.
Availability - Efforts to secure information in cyberspace should not hinder its access by an
authorized party. Additionally, cybersecurity implementation has to provide redundant access paths in
case of an outage. For example, the company using the cloud-based CRM system can implement
proxy servers and firewalls as a security measure against Denial of Service (DoS) attacks, which
would make the system unavailable if successful.
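The confidentiality and integrity principles above, applied to the CRM email scenario, as an added example that is not part of the original document. A sales representative and a customer share a secret; the message is encrypted so an intruder on the path cannot read it, and a message authentication code lets the recipient detect any modification in transit before decrypting. The shared secret, the quotation text and the simulated in-transit modification are constructed sample data, and the HMAC-SHA256 counter-mode keystream is an illustrative construction chosen so the example runs with the Python standard library alone (a production system would use a vetted authenticated cipher such as AES-GCM).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Layout of the protected envelope: nonce (16 bytes) || ciphertext || tag (32 bytes)
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from one shared secret,
    so the confidentiality and integrity controls never reuse a key."""
    enc_key = hmac.new(shared_secret, b"crm-confidentiality", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"crm-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Illustrative construction for this
    example only; a production system would use a vetted AEAD such as AES-GCM."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def protect(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Confidentiality (encrypt) then integrity (MAC over nonce and ciphertext)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message, never reused
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unprotect(shared_secret: bytes, envelope: bytes) -> bytes | None:
    """Verify integrity first; only a message whose tag checks out is decrypted.
    Returns None for anything modified in transit or protected under another key."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def simulate_transit_modification(envelope: bytes, offset: int = NONCE_LEN) -> bytes:
    """Stand-in for an intruder on the path who changes one byte of the ciphertext.
    Used only to show that the recipient's integrity check rejects the result."""
    modified = bytearray(envelope)
    modified[offset] ^= 0x01
    return bytes(modified)


def demo() -> dict[str, bool]:
    """Run the CRM email scenario with constructed sample data and report each property."""
    shared_secret = b"constructed-shared-secret-between-sales-rep-and-customer"
    message = b"Quotation Q-0042: 1,200 AED, valid until end of month"  # constructed sample

    envelope = protect(shared_secret, message)
    return {
        # Both properties hold for the legitimate recipient
        "legitimate_recipient_reads_message": unprotect(shared_secret, envelope) == message,
        # Confidentiality: the plaintext does not appear in what travels over the network
        "plaintext_hidden_in_transit": message not in envelope,
        # Integrity: an in-transit modification is detected and the message is rejected
        "modification_detected": unprotect(shared_secret, simulate_transit_modification(envelope)) is None,
        # Confidentiality: a party without the shared secret gets nothing
        "wrong_key_rejected": unprotect(b"some-other-key", envelope) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'PASS' if result else 'FAIL'}")
```

The order of operations in `unprotect` is the point: the tag is checked over the nonce and ciphertext before any decryption happens, so a modified or foreign message is rejected outright rather than yielding garbage that an application might act on.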

- What are the compliance challenges in upgrading legacy systems? How should they be addressed?
Maintenance and support
The cost of maintaining a legacy system includes updates and changes. Legacy
systems are typically quite large in terms of code base as well as functionality. You cannot just
change or replace one system module: a small update might result in multiple conflicts across
the system. Any change or update to the legacy system requires time and effort, neither of
which comes cheap.
Integration and compliance
Modern software platforms often rely on third-party APIs for capabilities such as
geolocation, user authentication, data sharing, and transactions. For example, Careem relies on
the data provided through the Google Maps API for its core functionality within the UAE – the
ability to find and track cars nearby. Modern technologies are integration-ready by default, and
vendors typically provide support for most programming languages and frameworks out
of the box. Legacy or rare technologies, however, lack this compatibility. Connecting legacy software to a
third-party tool or service often requires a significant amount of custom code. In addition, there is still
a chance that the final integration will not work as well as intended, or will not work at all.
Another aspect of legacy systems that comes at a high cost is compliance. This is especially
true for heavily regulated sectors, such as the energy sector. Consider, for example, noncompliance with
new standards set by NESA: the standard is based on identified real-world threats, so
noncompliance almost certainly leaves your organization exposed to attack, which is of far greater
significance than any penalty that could be imposed. Meanwhile, the standards set by
regulatory bodies are much harder to achieve in legacy IT environments.
Security
According to the 2018 State of Cyber Resilience, legacy infrastructure is one of the top threats
to cyber security. Indeed, legacy systems are usually less resistant to cyber-attacks, harmful
programs, and malware, which is only logical: if a software solution has been around for
years, attackers have most likely had enough time to become familiar with the code and find its
vulnerabilities.
Another reason is that the vendor might no longer support outdated software. This
means that no patches are provided and no one keeps the system compliant with the latest
security requirements.
Despite the compliance challenges related to legacy systems, modern approaches and
techniques allow the cost and complexity of legacy systems to be lowered. In this process, it is
very important to choose the appropriate strategy according to the defined usage levels of
existing application assets and the planned movement toward a better technology environment.
