Cybersecurity Leaders – Zeina Zakhour, Global CTO for Cybersecurity @Atos
Cybersecurity Leaders – Zeina Zakhour is an experienced Chief Technology Officer with over 20 years in the cybersecurity and services industry. She is the Global CTO for cybersecurity at Atos.
Zeina covers the end-to-end spectrum of cybersecurity from security advisory, to security integration, managed detection and response services and IoT/edge security and has worked closely with Fortune 500 companies to advise them in their security strategy and secure their infrastructure and protect their data. She is a member of the Atos Scientific community, as well as being a distinguished expert in cybersecurity and is also a Certified Information Systems Security Professional (CISSP) and a certified ISO 27005 Risk Manager.
She was the recipient of the Atos Innovation trophy in 2013, and in 2019 was named among the “100 Fascinating Females Fighting Cybercrime” in the book “Women Know Cyber”. She holds a Bachelor of Engineering in C.C.E from Notre Dame University Lebanon, an M.Sc. from Telecom Sud Paris and an Executive MBA focused on Innovation and Entrepreneurship from HEC School of Management.
Are there any common traits as to what makes a successful security program?
I have noticed that the most successful security programs have embraced the following three concepts:
- Cybersecurity is not just about technology: it is rather about Technology, People and Processes. Installing the latest & brightest technologies will not necessarily protect an organization from cyber threats. Organizations need to train their cyber experts to face the threats of tomorrow, to optimize their processes, to adopt proven standards/frameworks as well as implement the necessary technologies to lead their security program successfully.
- Cybersecurity is about balance: balance in investments to focus on the mitigation of the most critical cyber risks, as well as balance in security implementation to make sure security does not hinder the customer experience.
- One cybersecurity does not fit all: for a successful digital journey, security must be integrated by design. But it must also be adapted to the organization’s business and industry cyber challenges. There is no one security program that fits all organizations. Depending on the industry, the organizations’ digital environment is different, the attack surface is different and even the threat landscape and main threat actors are different. And therefore those industry specific variables should be identified and integrated in the security program.
When speaking the language of business to their boards, are there certain phrases Leaders/CISOs should be using?
The boards want to hear about cyber risks and the impact on the business. As much as technical details are important for our daily operation, reporting to the board requires us to abstract the technical details and focus on the cyber risks, the non-compliance costs and the ROI of cybersecurity investments.
The boards want to understand the current security posture of the organization and its evolution over time as the threat landscape changes and as the organization’s digital infrastructure expands with new digital services, migration to the Cloud, adoption of Edge/IoT services, etc.
Some people call for daily security drills & exercises at all levels of an organization to help reinforce defensive strategies. What is your take on this?
Quality over quantity… always! The content of the Cybersecurity awareness program is far more important than the daily frequency of the exercises/training. I believe that organizations should focus on tailor-cutting their awareness program to the audience, integrating real life examples closely linked to the daily activities of the employees. Also I have noticed that adopting new techniques such as Gamification, capture the flag competition and the adoption of VR/AR in the learning process can increase exponentially the learning retention.
Another added value to any training strategy is the implementation of cyber range solutions to provide teams with a virtual training and simulation platform to test the efficiency of their processes and to prepare the operational teams on the latest cyberattack techniques.
As for the frequency of the security training, drills and exercises, it should be set based on the changing threat landscape, on the changing digital environment of the organization (new platform/service for instance), the onboarding of newcomers, the adoption of new processes/standards, etc.
Threats are everywhere and always changing, how can we address this difficult reality?
Not only is the ever-changing threat landscape a challenge for organizations to keep up to date and to update their security controls accordingly, it is also essential to make threat intelligence actionable, driving operations and optimizing response.
If organizations embrace the 3 key drivers below, I genuinely believe they will successfully be able to control threats and mitigate incidents before they become an actual breach:
- Enhancing detection: with the adoption of security analytics to improve the detection capabilities and the ingestion/analysis of large volumes of data. The enrichment of an organization’s internal data with external actionable threat intelligence can drive operations, improve the quality of cybersecurity alerts and accelerate detection and remediation.
- Adapting to the attack surface: with the adoption of security controls as well as security detection capabilities that can cover the heterogeneous digital environment of the organization (industrial supply chain, IoT, Cloud, Edge, on prem, etc.)
- Accelerating response: with the adoption of security automation and orchestration organizations will be able to optimize the investigation and remediation phases.
How do you make sure you know what new projects are on the roadmap and that security is baked in from the process side?
Innovation will not thrive without cybersecurity. Therefore, organizations should adopt a secure product/service development lifecycle where security is embedded by design in the processes and is part of the key milestones of the development process. DevSecOps should also be introduced early in the application development life cycle and embedded in every step of the CI/CD pipelines. Cybersecurity should not be considered as a one-time action, but rather as a recurring task that will have to be reviewed and updated throughout the lifecycle of the service/product, whether during the development, build or operation phases.
You’ve been in the industry for 20 years. What are some of the biggest changes you’ve seen, not only in terms of threats, but also in how cybersecurity is viewed inside the organization?
Cybersecurity is a constantly changing industry. When I started my career 20 years ago, cybersecurity was mainly about firewalls and antivirus – life was so simple back then, wasn’t it?
I believe the cybersecurity industry went through many revolutions, from the host-based and perimeter security in the early 2000s to AI and Automation today. The increasing processing power and the inexpensive storage costs have made cyber AI and Automation a reality on the ground. Nowadays organizations are leveraging advanced analytics to improve protection and detection capabilities and implementing automation and orchestration to accelerate response and fine-tune mitigation of cyber threats.
If I am to cover one other big change in the industry, it is the fact that cybersecurity is today on the Board agenda and no longer just a technical problem. The Board is accountable for the cybersecurity efficiency in their organizations as well as data privacy and protection and the CISO is now communicating regularly with the Board on the security hygiene of the organization and the cyber risk posture, which, in my humble view, is a giant leap for the success of the digital revolution.