Exclusive: Middle East CISOs Evolve Into Strategic Business Risk Managers

by Hadi Jaafarawi, Regional VP for the Middle East & Africa at Qualys

While we often say that change is the only constant, Middle East leaders in both government and business circles will probably agree that in the 2020s this change has accelerated acutely. As a result, leadership roles have had to change so that organizations can address external pressures. The chief information security officer (CISO) is an example of this. Middle East CISOs face what can only be described as a daily onslaught of cyber threats. The United Arab Emirates’ Cyber Security Council released a report in February that noted a 58% surge in the number of ransomware groups operating in the country.
This is objectively alarming, but CISOs’ traditional response has been to address software vulnerabilities without placing them in the proper business context. For the wider organization to see the security function as a value center rather than a cost center, the CISO must evolve to become more of a risk manager — one who presents each digital asset’s vulnerabilities in terms of what damage may be inflicted on productivity, brand reputation, compliance status, or the bottom line.
If the CISO can build an effective narrative around these recognizable business outcomes, they can persuade other decision makers to greenlight investments in specialist staff, security tools, or even cyber insurance. To this end, it is crucial that the CISO identifies the organization’s “crown jewels” — the core systems and sensitive data that, if compromised, would damage the business. This identification process is not easy because it requires quantifying risk. Indeed, cybersecurity lags behind other industries, such as finance and healthcare, in how rigorously it measures risk. By embracing more sophisticated, probabilistic analysis, however, CISOs can begin to quantify risk in terms their fellow C-level executives can understand. Potential financial loss or operational downtime will get colleagues’ attention more reliably than lengthy technical presentations on how threat actors can exploit software vulnerabilities.

Need for a Risk Operations Center (ROC)
Note that this modern CISO has switched from talking about safeguarding technology assets to discussing how to protect the business. As such, they will establish ways of measuring not only risk but also the business value added by security investments. And they will present these figures as probabilities and cash amounts rather than in the vague terms of old, such as “high” or “medium”. As Middle East organizations proceed with digital transformation and integrate AI into their operations, this newfound trust between line-of-business and security leaders could be the difference between resilience and chronic vulnerability.
It is because of this pressing need to formalize risk management that the Risk Operations Center (ROC) has emerged. The SOC (Security Operations Center) is designed to look at cyber threats in isolation and is a critical part of risk management, but the ROC takes a broader, more strategic approach, deciding which exposures must be eliminated, which should be mitigated, and which can be accepted or transferred. The ROC will likely be a huge part of the transformation of the CISO’s role, as it finally begins to answer the open questions about the many uncertainties in a business environment: how to measure the severity of an outcome in dollars, and the likelihood of its occurrence as a probability score.
Through the ROC, the reinvented CISO will bring together business stakeholders and technical specialists who will devise ways of measuring predictable impacts and their probabilities. They will come up with metrics to capture reductions in uncertainty given certain conditions and responses. It is in this collaborative environment that the organization will discover that eliminating risk is not really the CISO’s goal. Rather, it is to define impact boundaries. How much harm is too much for the business to bear? This risk-tolerance measurement is one of the fundamental calculations made by cyber-insurance providers.
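The two preceding paragraphs describe the ROC’s core calculation in the abstract: severity in dollars, likelihood as a probability, a tolerance boundary, and a decision to eliminate, mitigate, accept or transfer each exposure. The following Python script is an added illustration of that arithmetic; it is not code from the article or from Qualys. It assumes a small, constructed asset register with illustrative figures, models single-event loss with a triangular (min/mode/max) distribution and annual compromise as a Bernoulli trial, and uses a Monte Carlo simulation to estimate how often the organization’s yearly loss would exceed a stated tolerance. The treatment rule (accept when the worst case is within tolerance, mitigate when expected loss exceeds the annual cost of a control, otherwise transfer via insurance) is a simplified assumption, not a standard the article prescribes.

```python
"""Quantitative risk ranking for a small asset register (added example, constructed data)."""
import random
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    annual_compromise_probability: float  # P(at least one compromising event in a year)
    loss_min: float                       # single-event loss range in dollars (triangular)
    loss_mode: float
    loss_max: float

    def expected_annual_loss(self) -> float:
        # Mean of a triangular distribution is (min + mode + max) / 3,
        # so expected annual loss = probability x mean single-event loss.
        mean_loss = (self.loss_min + self.loss_mode + self.loss_max) / 3.0
        return self.annual_compromise_probability * mean_loss


# Constructed sample register; the figures are illustrative, not taken from the article.
REGISTER = [
    Asset("customer PII database", 0.20, 500_000, 2_000_000, 8_000_000),
    Asset("ERP / billing system", 0.10, 200_000, 1_000_000, 3_000_000),
    Asset("marketing website", 0.40, 5_000, 20_000, 100_000),
    Asset("internal wiki", 0.30, 1_000, 5_000, 20_000),
]


def rank_by_expected_loss(assets):
    """Crown-jewel ordering: highest expected annual loss first."""
    return sorted(assets, key=lambda a: a.expected_annual_loss(), reverse=True)


def simulate_annual_losses(assets, trials=20_000, seed=7):
    """Monte Carlo: for each simulated year, roll compromise per asset and draw a loss."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    yearly = []
    for _ in range(trials):
        total = 0.0
        for a in assets:
            if rng.random() < a.annual_compromise_probability:
                total += rng.triangular(a.loss_min, a.loss_max, a.loss_mode)
        yearly.append(total)
    return yearly


def mean(values):
    return sum(values) / len(values)


def loss_exceedance(yearly_losses, threshold):
    """Fraction of simulated years whose total loss exceeds the tolerance threshold."""
    return sum(1 for x in yearly_losses if x > threshold) / len(yearly_losses)


def recommend_treatment(asset, single_loss_tolerance, annual_control_cost):
    """Assumed decision rule mapping an exposure to accept / mitigate / transfer."""
    if asset.loss_max <= single_loss_tolerance:
        return "accept"      # even the worst case stays inside the impact boundary
    if asset.expected_annual_loss() >= annual_control_cost:
        return "mitigate"    # the control costs less per year than the loss it averts
    return "transfer"        # intolerable but rare: a candidate for cyber insurance


def risk_report(assets, single_loss_tolerance, annual_control_cost):
    """Summary in the ROC's terms: dollars, probabilities and a treatment per asset."""
    yearly = simulate_annual_losses(assets)
    return {
        "ranking": [a.name for a in rank_by_expected_loss(assets)],
        "analytic_expected_annual_loss": sum(a.expected_annual_loss() for a in assets),
        "simulated_expected_annual_loss": mean(yearly),
        "p_annual_loss_over_tolerance": loss_exceedance(yearly, single_loss_tolerance),
        "treatment": {
            a.name: recommend_treatment(a, single_loss_tolerance, annual_control_cost)
            for a in assets
        },
    }


if __name__ == "__main__":
    # Tolerance and control cost are assumed business inputs, not article figures.
    for key, value in risk_report(REGISTER, 1_000_000, 250_000).items():
        print(f"{key}: {value}")
```

The point of the report is the register ordering and the treatment column: the PII database dominates expected loss and justifies a control, the ERP system is a rare but intolerable exposure that insurance may cover, and the two low-impact assets can be accepted outright. Replacing the constructed figures with the organization’s own asset values and threat-intelligence-derived probabilities is what turns this into a ROC artifact rather than a toy.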
Collaboration first
The ROC is a new paradigm and is only part — albeit a large part — of CISO 2.0’s role. The security leader is now a generalist: a risk manager who aggregates whatever information the organization holds on risk into a central data repository. They will already know from their days as CISO 1.0 how to compile digital asset registers and full-stack vulnerability lists and combine them with multiple threat-intelligence feeds. They will also have experience of formalizing controls. But now those controls and the resources of the ROC will be applied according to measured risk rather than by working through untriaged lists. This allows for far greater efficiency in mitigation and remediation.
There is another aspect to CISO 2.0. Their collaboration with fellow department heads is closer. Strong security and effective risk management are collaborative by nature. Defining risk is a difficult job that is best approached by multidimensional teams that include operational, financial, compliance, and legal experts. By bringing these disparate voices together, the CISO gains a clearer picture of the broader business and its priorities and can more accurately quantify impacts as they relate to risks.
Without this collaboration the CISO may not even be aware of exposures such as the storage of millions of records of personally identifiable information (PII) in the organization’s cloud environment. In the era of multi-cloud, an organization undergoing rapid digital transformation may have information silos. It is only through the surveys and audits that establishing the ROC makes necessary that the CISO discovers such risks, which could expose the business to legal jeopardy in the event of compromise. The organization’s cyber insurance may also be invalidated by a lack of action on hidden issues.
Business 2.0
The 2025 CISO is more relevant than ever, but as a risk manager rather than a vulnerability manager. In collaboration with others they will become a business enabler, turning the cost-centered SOC into the value-centered ROC. They will speak the language of risk and of business and align security priorities accordingly. The security team will become a more integral and collaborative group, joining forces with all colleagues to innovate, protect, and generate lasting value.