Interview with a CISO

Interview with Mohamad Mahjoub, CISO

1. What are some of the major challenges and trends that have been impacting the Enterprise Security space lately?

It's my pleasure to speak to the enterprise security magazine. I have been the CISO of the Near and Middle East region for the past three years. Now with the acquisition of SUEZ’s business in the area, IT and OT challenges are inevitable and opportunities are abound.

My areas of expertise are IT/OT governance, data protection, cloud security, risk management, and application security. I have more than 17 years of experience in IT with a focus on Cyber Security. I am the author of the book “Ethical Hacking with Kali Linux Made Easy” which is published on Amazon, as well as many online Cyber Security courses some of which are sponsored by Packt and O’Reilly, that’s on top of being an active YouTuber on ethical hacking topics.

2. What keeps you up at night when it comes to some of the major predicaments in the Enterprise Security space?

Everyone is fighting against a remarkable IT and OT threat landscape; Veolia Near and Middle East region is no different.

As you may be aware, some threats identified in the diagram below have the potential to evolve into disruptive and destructive capabilities, particularly the supply chain and ransomware attacks. On top of that, ransomware gangs are an emerging constant threat due to the fact that they share methods, infrastructure (C&C), and techniques.

Ransomware-as-a-Service (RaaS) has also emerged to be a common term where malicious ransomware packages are made available to other criminals, who can easily make use of them.

Moreover, the majority of the industrial environment is vulnerable to newly known defects (ripple 20 and amnesia), misconfigurations, and inadequate maintenance, which is in turn assisting these threats to materialise. The main challenge is that we always need to be vigilant about new threat vectors for IT and OT environments.

3. Can you tell us about the latest project that you have been working on and what are some of the technological and process elements that you leveraged to make the project successful?

I can sum it up in one phrase “Digital transformation Journey”. The pillars of this journey are the deployment of industrial IoT solutions, preparing for IT and OT convergence, in addition to embedding security within the end user experience by enabling them to connect securely from anywhere, anytime, from any device.

However we are tackling many challenges in this spectrum. Adopting new technology while urges us to balance the needs between security and pragmatism; bringing IT and OT together is not as easy as it seems, the reason is that we cannot lift and shift enterprise security controls to OT seamlessly.

We are constantly working with our peers all over the world on securing our systems to meet these demands and, as a result, business needs, while taking into account the uniqueness of local and relevant cyber legislations.

OT security has always been a challenge to us, that being said, we are benchmarking global standards such as NIST 800-53, NIST 800-82, and ISO 27001:2013 to building our internal “Security Framework” to help us provide a consistent language for the security community across Veolia, this will in turn assist us to analyse and effectively convey our security posture, away from the intricacies of frameworks and standards.

These projects have aided us in:

• Keeping an eye on the OT environment and developing specific use cases to respond swiftly to questionable activity.

• Protecting the OT environment by detecting and mitigating Cyber Risks to prevent attackers from exploiting vulnerabilities and attack surfaces.

• Getting ready for the IT/OT convergence.

4. Which are some of the technological trends which excite you for the future of the Enterprise Security space?

We all know that risk can be reduced by implementing a well-maintained defence-in-depth approach, which is exactly what we are continuously working on.

We believe that the governance umbrella, in addition to employee cyber awareness and having a defined and tested incident response procedure in place, is the cornerstone of this strategy.

We are currently deploying OT vulnerability management solutions across the region, which will provide us with many security benefits:

• OT Network Visibility at a High Level

• Capabilities for detecting threats

• In addition to operational knowledge

We believe that such initiatives go hand in hand with the need for digital transformation and corporate modernization.

5. How can budding and evolving companies reach you for suggestions to streamline their business?

Providing back to the cyber security community always gives me a sense of purpose. I’m glad to be of assistance to any company or business seeking any advise in that aspect. I’ll be happy to connect on LinkedIn.

Categories: : OT Security