A couple of months ago, the conference chair for Gartner’s Dubai Symposium, Mary Mesaglio, presented me a challenge. She said, “French, we need more local content and more security content. What’s possible?”
Having made some trips to the Gulf region in the last year, I’d met some really interesting people and heard some great stories. I told Mary that perhaps we could do a panel. I shared this idea with some other Gartner associates who have experience in the Middle East and some who work there, and there was real skepticism as to whether we could find panelists willing to share their stories and best practices on security. Some colleagues told me that the culture just wouldn’t support that kind of open sharing around topics as sensitive as security and risk management. When I told them that I was going to get the audience to participate in the discussion as well, I met with even more skepticism.
With the assistance of our Gulf region account executives, I reached out to two security and risk management leaders in the region whom I had met on earlier trips, José Rossi at RasGas in Qatar, and Amair Saleem at Dubai Road and Transport Authority. RasGas had been the target of a highly publicized cyber attack in 2012, and I knew that would grab the attention of attendees, and RTA operates one of the most technologically advanced driverless Metro systems in the world — which represents a breadth of risk management challenges. Their two organizations also demonstrate the convergence of operational technology (OT) and IT security and risk management.
José and Amair agreed to join the panel, and my colleague Kristian Steenstrup who leads our OT research community at Gartner also joined. Not only did this panel work out extremely well, the audience itself joined the panel — it was an hour long lively discussion among the attendees and panelists of security and risk management challenges and sharing of practices for dealing with those. The idea that security and risk management leaders, and CIOs — there were a number of them joining in as well — will not openly share with each other their challenges and solutions is a myth in the Gulf as it is in all the other regions where I have tried this interactive format. Clearly the panelists and the audience participants saw value in sharing and connecting with each other.
Here are key takeaways from the audience and panelists:
1 — Security awareness: Inducements are very important, such as including metrics in performance appraisals, rewards for tip of the week, and even providing security for personal IT in the home
2 — Risk Management: Should start from business objectives, can’t be a stand-alone function, and risk ownership must be unambiguous
3 — Cloud risk management: Data classification is essential in deciding what can go on the cloud and the type of cloud allowed
This panel and audience were the most dynamic and engaging that I have seen in a long time, and I am grateful to Amair, José, Kristian and the audience participants for contributing, to Mary for insisting that we do this, and to our events program manager Rutuja Vadhavkar for making the arrangements to add this session.
Join us for the first ever Gartner Security and Risk Management Summit in Dubai, 15-16 September 2014.