At NEOM, cybersecurity will be an essential enabler for the safe delivery of all required services and it will be the responsibility of everybody. Mesfer Almesfer, chief information security officer (CISO), who is in charge of leading NEOM’s cybersecurity team, enlightened Telecom Review regarding the definition and development of the future cognitive city’s cybersecurity transformation program.
Importance of cybersecurity today
The impact of cybersecurity is not only exclusive to financial, declared Almesfer. From a financial perspective, although there are different data available that can be considered, around 1% of the global GDP is impacted negatively by cyber threats and attacks. In 2020 alone, the total losses were considered around $600 billion globally.
Everything we do now is more and more dependent on digital technologies, giving a lot of opportunities to companies, citizens, and consumers. But at the same time, this is opening a lot of access holes that can be leveraged by cyber attackers.
“From what we have seen, an attacker’s behavior is not only related to the possibility of stealing data or financial gain but, very often, it is also about the disruption of operations which can lead everyone to danger,” said Almesfer.
This has been evident during the pandemic as people moved into a more connected way of communication and operations. With this in mind, there is even more potential disruption from different types of cyber threats and attackers, causing a negative impact.
Cybersecurity is essential to NEOM
In the case of NEOM, any type of cyber threat is multiplied by an exponential factor as compared to other contexts. As a cognitive city to be built on data and technology, having a higher level of connectivity and reliance on very advanced automation (AI/ML) comes with higher risk exposure.
This is totally applicable to NEOM and its extensive sectors, Almesfer pointed out. “Due to its nature, relevance, and prominence globally, NEOM will face different types of challenges – from traditional ones involving individuals up to nation-state cyberattacks initiated by hacktivists. The former are those who are interested to gain financially by stealing data and conducting ransomware campaigns while the latter intends to damage the reputation of not only NEOM but the Kingdom of Saudi Arabia as a whole.”
By having the ability to control some of the data or even the implemented algorithms, perpetrators can manipulate the data and eventually cause unwanted risks in the areas of telecommunication, utilities, and self-driven transportation, among others.
Another challenge is the fact that despite knowing the type of cyberattacks that could happen in the next three years, there will be more to come after ten to twenty years that we are not even aware of yet. “NEOM is looking into technologies that will be put into place progressively as a form of strong preparation and continuous evolution of the ability to identify and respond to threats.”
The important aspect of cyber resilience is that the paradigm changed completely as compared to what was considered about thirty years ago. Almesfer cited that initially, we have thought, “Okay, I put my firewall, I protect my perimeter, and then everything is going to be safe”.
This is not the case anymore as the attack surface becomes more susceptible with multiple ways of entry. “This can come from either the classical information technology or the operational technology side, so all the smart devices we have can be actually used as a way to enter,” he explained.
For this reason, there should be a mindset switch that being cyber resilient is not only avoiding and preventing attacks but also having the ability to detect, recover and respond to them as quickly as possible.
This is actually what NEOM is aiming for. In light of this, Almesfer, together with his team, have formed the three pillars of NEOM’s cybersecurity strategy: Building a culture of cybersecurity across all the levels – from employees (internally) and residents (externally); monitoring and protecting the critical infrastructure; and cooperating with different entities, whether they are local or international, to have a coordinated response to cyber-attacks.
Establishing a cybersecurity culture
At the core of creating NEOM’s cybersecurity culture are namely awareness, knowledge, action, habits, and key initiatives. “We have already started phase one, which we can call the ability to develop employees’ awareness through foundational training,” explained Almesfer.
One of the key things is recognizing that not all users are the same. Therefore, even if the foundational training will be applied to everybody, “We are aware that there will be some users that will have higher privileges (e.g top management, IT administrators, etc.) and will receive a more advanced form of awareness and culture.”
The next level required to build a stronger cybersecurity culture is to instill the proper habits. In this way, people become more naturally aware and proactive in identifying and counteracting threats. Through a ‘carrot and stick’ approach, everybody will be aware that there are consequences if something is not done in line with the right policies, regulations, and/or practices. But at the same time, Almesfer echoed that “we strongly believe in the fact that people are not only the weakest link; people can actually be the strongest pillar of defense.”
To illustrate how grave the consequences can be, what is normally being done in NEOM, under the supervision of the CISO, is combining examples of what happened in other organizations and what is the actual impact. This makes people understand that this is not just theoretical.
Another aspect is carrying out progressive ways of how to communicate and make cybersecurity knowledge enrichment more fun, interesting, and interactive. “This can go from the more traditional computer-based training to video games that can be more attractive, especially with the younger generation.” NEOM is anticipated to make use of the extended reality (XR) technology where users are immersed in the context of looking for cyber attackers and learning how to react.
When forming habits, it is also necessary to lead by example. Those at the top of the ladder will be proving that they are attending training and complying with the right level of tests. And if they fail, they can be open and say, “Look, I made this mistake because I was not prepared.” This will have a domino effect when employees listen and follow suit to improve further and be more realistic.
Mentioning tests regarding cybersecurity, indeed, Almesfer highlighted that it's not enough just to communicate. “Testing is the way to verify that actually what you have understood has been embedded in your behaviors. This can be in different ways from the basic physical security, like a person who is tailgating you and you will ask, ‘Why are you following me? Do you have the right access card’ to more sophisticated things like phishing, where you receive an email crafted to trick you by clicking on a link so that you would download malware, or simply share some sensitive information.”
On top of the traditional training, communication, and other metrics, testing is extremely important to achieve NEOM’s overall cybersecurity objective.
Cybersecurity ambassadors
Going back to the reward-and-punishment analogy, NEOM strongly believes in the importance of giving the right level of incentives. This will also involve NEOM leaders in an effective manner.
“Part of the ‘carrot’ is cybersecurity advocacy programs with bronze, silver, and gold levels. These cybersecurity ambassadors will be ensuring to cascade across the organization the relevance of cybersecurity,” added Almesfer.
Fundamentally, cybersecurity ambassadors are the representatives of the different NEOM sectors and organizations. “Their role is, first of all, to truly believe in the importance of cybersecurity. And that's the reason why leadership role in identifying the right ones is essential.”
They will be the early adopters of any initiative related to cybersecurity and eventually help in cascading the information to the right team. They will be responsible for following up with the people who might have not attended the right level of programs or might be failing some tests on a recurring basis.
“My team and I will always be available to communicate what is more relevant for their respective sectors,” stated Almesfer.
Once the particular threats applicable have been understood, they can motivate and cascade to their team and help identify the best cybersecurity ambassador in their own sectors. “They will be able to ensure that everybody in the sector will be executing appropriately depending on what the behaviors require,” he concluded.