Emerging Shadows: Unmasking Cyber Threats of Generative AI

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Richard Watson

AI development has advanced rapidly, leading to a faster IT landscape that is more accessible to individuals and organizations alike. However, this rapid progress has also raised concerns about the threats that come with AI technology.

One of the primary concerns is the potential for AI to enhance the authenticity of malware and enable the creation of deepfakes. Malicious actors can leverage AI-powered techniques to create sophisticated and realistic cyber threats, which can pose significant risks to individuals and businesses. Deepfakes, in particular, have the potential to undermine trust and integrity by manipulating and fabricating audio and video content.

Businesses are increasingly incorporating AI into their operations, but many struggle to effectively govern and monitor its use. This poses a challenge, as the gap between the utilization of AI and the capabilities of IT and cybersecurity to manage it can result in vulnerabilities and risks. Data poisoning is a specific concern, as it can have adverse effects on critical business processes by deliberately targeting and manipulating datasets used in AI models.

The governance and risk management frameworks need to be updated to effectively handle the complexities of AI in business settings. Organizations must address the unique challenges posed by AI in terms of privacy, accountability, and ethics. Furthermore, the integrity of the data used to train AI models is crucial. AI models are only as good as the data they are trained on, and any biases or errors in the data can produce flawed and unreliable results.

Establishing trust in AI models is also vital. Many individuals have concerns about the use of AI and are hesitant to trust companies that heavily rely on this technology. The ability to explain AI decisions, protect data privacy, and mitigate bias are essential to building this trust.

Furthermore, there are concerns about surrendering control to AI technology due to its immense knowledge and fast assimilation of new information. People worry about the potential misuse of AI in areas such as warfare and crime. Policy measures, such as President Biden’s executive order, have been introduced to address these risks and manage the responsible use of AI.

The field of AI and cybersecurity faces a significant talent gap. The demand for skilled professionals in these areas far exceeds the available supply. This talent gap presents a challenge in effectively addressing the complex cybersecurity threats posed by AI.

To tackle these challenges, organizations should create clear strategies and collaborate globally. Learning from global forums and collaborations can help shape effective strategies to address the risks and enhance cybersecurity practices. Organizations must take proactive steps and not wait for perfect conditions or complete knowledge to act. Waiting can result in missed opportunities to protect against the risks associated with AI.

Integration of AI is necessary to combat the increasing volume of phishing attacks. Phishing attacks have seen a substantial increase, and AI can play a crucial role in detecting and preventing these attacks. However, operating models must be transformed to ensure effective integration of AI, ending with human involvement for a thorough and closed-loop activity.

AI and generative AI have the potential to frustrate criminals and increase the cost of their activities. By utilizing AI technology, criminal activities can become more challenging and costly to execute. For example, applying AI and generative AI can disrupt the metrics and cost-effectiveness of certain criminal operations, such as call centre scams.

In conclusion, while AI development has brought significant advancements and accessibility to IT, there are numerous challenges and risks associated with its use. These challenges include the authenticity of cyber threats, governance and monitoring issues, data integrity, trust-building, talent gaps, control concerns, and the potential misuse of AI. Organizations must address these challenges, develop effective strategies, collaborate globally, and integrate AI into their operations to ensure cybersecurity and responsible use of AI technology.

Dr. Yazeed Alabdulkarim

The analysis highlights the escalating threat of cyber attacks and the challenges faced by cybersecurity defenses. This is supported by the fact that 94% of companies have experienced a cyber attack, and experts predict an exponential growth in the rate of cyber attacks by 2023. Cybercrime is adopting Software-as-a-Service (SaaS) models and leveraging automation technology to scale attacks. The availability of Malware as a Service in the cybercrime economy further strengthens attackers' ability to carry out attacks at a larger volume and faster pace.

Generative AI is identified as a potential contributor to the intensification of the cyber attack situation. It is suggested that Generative AI could be used to create self-adaptive malware and assemble knowledge useful for physical attacks. This raises concerns about the future impact of Generative AI on cybersecurity.

There are differing stances on the regulation of Generative AI. Some argue for limitations on its use, citing the belief that the rise of cyber attacks is due to the use of Generative AI. On the other hand, there are proponents of utilizing Generative AI for defense and combating its nefarious uses. They believe that considering threat actors and designing based on the attack surface can help leverage Generative AI for defensive purposes.

Disinformation is identified as a significant issue associated with Generative AI. The ability of Generative AI to generate realistic fake content raises concerns about the spread of disinformation and its potential consequences.

On a positive note, Generative AI can be used to analyze and respond to security alerts. It is suggested that employing Generative AI in this way can help speed up defensive measures to match the increasing speed of cyber attacks. Furthermore, it is argued that limiting the use of AI technology in cybersecurity would be counterproductive. Instead, AI can play a crucial role in fully analyzing security alerts and addressing the two-speed race in cybersecurity.

The analysis also highlights the incorporation of AI elements in emerging technologies. It is predicted that upcoming technologies will incorporate AI components, indicating the widespread influence of AI. However, there are concerns that fundamental threats associated with AI will also be present in these emerging technologies.

Understanding how AI models operate is emphasized as an important aspect in the field. The ability to explain AI models is crucial for addressing concerns and building trust in AI technology.

Watermarking on AI output is proposed as a potential solution to distinguish real content from fake. It is suggested that both AI companies and authorities should establish watermarking systems to ensure the reliability and authenticity of AI-generated content.

In conclusion, the analysis reveals the growing threat of cyber attacks and the need for stronger cybersecurity defenses. The impact of Generative AI on this situation is a subject of concern, with its potential to intensify attacks and contribute to the spread of disinformation. The regulation and use of Generative AI are topics of debate, with arguments made for limitations as well as for leveraging it in defense and combating nefarious activities. The incorporation of AI elements in emerging technologies raises both opportunities and concerns, while the understanding of AI models and the need for explainable AI should not be overlooked. Finally, watermarking on AI output has the potential to differentiate real content from fake and enhance reliability.

Dr. Victoria Baines

Data poisoning and technology evolution have emerged as significant concerns in the field of cybersecurity. Data poisoning refers to the deliberate manipulation of training data to generate outputs that deviate from the intended results. This form of attack can be insidious, as it slowly corrupts the learning process of machine learning models. Furthermore, influence operations have been conducted to spread discord and misinformation.

The rapid evolution of technology, particularly in artificial intelligence (AI), has created new opportunities for cybercriminals to exploit. AI has led to the replacement of humans with non-human agents in various domains, causing disruptions and potential threats. People have found ways to make bots go bad, and large language models have been repurposed for writing malware. This highlights the need for vigilance in harnessing technological advancements, as they can be exploited for malicious purposes.

The emergence of AI has also resulted in an evolution of cyber threats. Malware implementation has seen new methods and techniques, such as gaming AI models. The ecosystem of cybercriminals may undergo changes due to AI advancements, necessitating proactive measures to counter these evolving threats.

However, not all is bleak in the world of cybersecurity. AI and automation can play a vital role in alleviating the scale and stress issues faced by human operators. The current volume of alerts and red flags in cybersecurity is overwhelming for human teams. A 2019 survey revealed that 70% of cybersecurity executives experience moderate to high stress levels. AI can assist in scaling responses and relieving human operators from burnout, enabling them to focus on tasks they are proficient in, such as threat hunting.

It is worth noting that public perception of AI is often shaped by dystopian depictions in popular culture. The portrayal of AI in science fiction and dystopian narratives tends to create a negative perception. Interestingly, people are more inclined to show positivity towards “chatbots” rather than “Artificial Intelligence”. This demonstrates the influence of popular culture in shaping public opinion and highlights the need for accurate and balanced representation of AI in media.

In conclusion, data poisoning and technology evolution present significant challenges in the field of cybersecurity. The deliberate manipulation of training data and the exploitation of rapid technological advancements pose threats to the integrity and security of systems. However, AI and automation offer promising solutions to address scalability and stress-related issues, allowing human operators to focus on their core competencies. Moreover, it is important to educate the public about AI beyond dystopian depictions to foster a more balanced understanding of its potential and limitations.

Alexandra Topalian

A panel discussion was recently held to examine the cyber threats and opportunities presented by generative AI in the context of cybersecurity. The panel consisted of Richard Watson, a Global Cyber Security Leader at EY, Professor Victoria Baines, an Independent Cyber Security Researcher, Kevin Brown, the Chief Operating Officer at NCC Group, PLC, and Dr. Yazeed Alabdulkarim, the Chief Scientist of Emerging Technologies at CITE. Throughout the discussion, the participants highlighted the potential risks associated with the use of artificial intelligence (AI), specifically generative AI, in the cyber world.

One of the key points discussed during the panel was the emergence of new cyber threats arising from AI. Richard Watson, an EY consultant, stressed the importance of identifying these risks and provided examples of how generative AI can be employed to produce various types of content such as visuals, text, and audio. The panelists also acknowledged the potential danger of data poisoning in relation to generative AI.

Professor Baines echoed Watson’s concerns about data poisoning, emphasising its significance in her research. She also delved into the evolving nature of cyber crimes as new technologies, like generative AI, continue to advance. The panelists then proceeded to explore how cyber criminals can exploit generative AI to develop more sophisticated and elusive cyber threats. They highlighted the potential convergence of generative AI with social engineering tactics, such as phishing, and how this combination could amplify the effectiveness of manipulative attacks.

Dr. Yazeed Alabdulkarim shed light on the scale of cybersecurity attacks and the impact of generative AI. He stressed the need for regulation and shared insights on how SAIT advises organizations on staying ahead of cyber threats. The panelists discussed the challenges, including a talent gap, associated with implementing effective strategies for early detection and management of cyber threats. Kevin Brown shared real-life incidents to illustrate how organizations tackle these challenges.

The threat of deepfakes, where AI-generated content is used to manipulate or fabricate media, was another topic explored during the panel. The participants discussed strategies for addressing this type of threat, with a focus on early detection. They also touched on the ethical boundaries of retaliating against cyber attackers based on psychological profiling, highlighting the importance of complying with the law.

Regarding opportunities, the panelists agreed that generative AI offers benefits in the field of data protection and cybersecurity. Professor Baines emphasized the potential positive aspects of generative AI, highlighting opportunities for enhanced cybersecurity and protection of sensitive information.

In conclusion, the panelists acknowledged the lasting impact of generative AI on the landscape of emerging technologies and its growing influence on cybersecurity. They recognized the advantages and challenges brought about by generative AI in the field. The discussion underscored the need for effective regulations, risk management approaches, and cybersecurity strategies to address the evolving cyber threats posed by generative AI.

Kevin Brown

Generative AI, a powerful technology with various applications, is now being used for criminal activities, leading to concerns about its negative impacts on cybersecurity and criminal behavior. One key concern is that generative AI is lowering the barrier for criminals to exploit it. This means that criminals can easily leverage generative AI for illicit activities, making it more challenging for law enforcement agencies and organizations to prevent and mitigate cybercrime.

Another major concern is that criminals have an advantage over organizations when it comes to adopting new AI technologies. Criminals can quickly launch and utilize new AI technologies without having to consider the regulatory and legal aspects that organizations are bound by. This first-mover advantage allows criminals to stay one step ahead and exploit AI technologies for their nefarious activities.

The emergence of technologies like deepfakes has also brought in a new wave of potential cyber threats. Deepfakes, which are manipulated or fabricated videos or images, have become more accessible and can be utilized in harmful ways. This poses a significant risk to individuals and organizations, as deepfakes can be used for social engineering attacks and to manipulate public opinion or spread misinformation.

Moreover, the use of large language models in artificial intelligence has raised concerns about data poisoning. Large language models can be manipulated and poisoned, leading to a range of malicious motivations. This poses a threat to the integrity and reliability of AI systems, as attackers can exploit vulnerabilities in the data used to train these models.

Additionally, generative AI has the potential to amplify the effectiveness of phishing and manipulative attacks. By using generative AI, criminals can increase the volume and quality of phishing attempts. This allows them to create phishing messages that are highly professional, relevant, and tailored to the targeted individual or business. As a result, generative AI professionalizes phishing, making it more difficult for individuals and organizations to detect and protect themselves against such attacks.

In conclusion, the increased use of generative AI for criminal activities has raised significant concerns about cybersecurity and criminal behavior. The technology has lowered the barrier for criminals to exploit it, giving them an advantage over organizations in adopting new AI technologies. Furthermore, the accessibility of technologies like deepfakes and the potential for data poisoning in large language models have added to the complexity of the cybersecurity landscape. Additionally, generative AI has the potential to amplify the effectiveness of phishing and manipulative attacks, making it harder to detect and defend against such cyber threats. It is crucial for policymakers, law enforcement agencies, and organizations to address these concerns and develop strategies to mitigate the negative impacts of generative AI on cybersecurity.

Session transcript

Alexandra Topalian:
Cyber Threats of Generative AI. Richard Watson, Global Cyber Security Leader, EY; Yazeed Alabdulkarim, Chief Scientist, Emerging Technologies, CITE; Professor Victoria Baines, Independent Cyber Security Researcher; Kevin Brown, Chief Operating Officer, NCC Group, PLC; Alexandra Topalian, Moderator, International Moderator.
Good afternoon everyone and welcome to this panel discussion. It is a very hot topic. It is Unmasking Cyber Threats of Generative AI. As we launch into a new era of technology, producing different types of content, generative AI is visual, it is text, it is audio. And so we are here today to discuss the threats, but also the opportunities of generative AI on cyber security. So Richard, let’s start with you since you are the closest to me. As you assist your EY clients in identifying the cyber risks that they face, what are some of the new cyber threats that are created by artificial intelligence?

Richard Watson:
Thanks Alex. AI is moving so quickly. It’s rapid development and it’s kind of democratized IT to some extent. And so a lot has been made around the threats that are things around the velocity of AI, and particularly when the technology gets into the hands of adversaries, how authentic malware can become and deep fakes and so on. But one of the risks we’ve really been focused on at EY is just how quickly it moves from an organizational perspective. We’ve long known about this phenomenon of shadow IT. Well, AI almost puts shadow IT on steroids. And so what we’re actually seeing is the business is using AI every day, but the organization is struggling to keep up with how to monitor that. You’re getting a gap between business use of AI and how IT and cyber security can manage and monitor that. And as a result, you get all sorts of threats around things like data poisoning, around the hijacking of AI, and obviously the privacy risks and so on that create. But really the challenge for organizations is how do you update your governance and your risk management to deal with the business’s use of AI and some of the risks that creates for the organization.

Alexandra Topalian:
And what are some of these risks, if you can give like some more detailed examples?

Richard Watson:
Yeah, well, I mean, so data poisoning being the first one. Obviously, AI models are only as good as the data used to train them. And increasingly as business processes around things like next best action in a call center or how to respond in the case of cyber security defense to certain threats. If prompts are deliberately targeted to kind of poison the data, it can create adverse business reactions. So, you know, cyber security is about confidentiality, integrity, availability of data. You know, really this issue is around managing the integrity of data and then the consequential actions on business processes, which increasingly we’re going to become reliant on as organizations automate their business processes with AI.

Alexandra Topalian:
Professor Baines, I saw you nodding. Do you also feel in your research, have you noticed that data is being poisoned?

Dr. Victoria Baines:
It’s certainly something that we are alerted to. I mean, data poisoning can be quite a slow burn attack in the sense of if you’re seeding skewed data, it might take a bit of time to come out in adverse outcomes. But if we think about influence operations over the last few years, some of those have been targeted, say by nation states or state sponsored groups, not necessarily to get an immediate outcome to vote for a particular candidate or political party, but to sow discord in a community. So that general sense of there being an adverse outcome for a particular group in society that has almost an indirect effect, just kind of disruption as much as anything. I mean, for me, artificial intelligence and the threats attached to generative AI, it’s also about just thinking in terms of what happens when we replace humans with non-human agents in a business. And there are a number of constants, I would say, when I do my futures work, and it’s based on a certain amount of time in law enforcement surrounded by badness. That is that over thousands of years, we know that there will always be people who want to harm other people and other people’s assets. And we know that technology is evolving at such an incredibly rapid rate. So those people will make use of the technology available to them. So yes, we’ve seen people trying to make bots go bad. And we’ve seen large language models like ChatGPT implementing safeguards so that you can’t write malware with ChatGPT, for instance. But interestingly, what we’ve seen spring out of that is people gaming that, repurposing large language models, selling them on the dark web, on kind of dark forums, precisely so that you can write malware. So I think it’s worth kind of broadening out and thinking, rather than it just being how this will affect my business right now, how it will change the cyber criminal ecosystem as well.

Alexandra Topalian:
And as new technologies emerge, do you find that the nature of the crimes is changing in your research?

Dr. Victoria Baines:
Yeah, I mean, this is what makes my job so exciting. It changes daily, hourly, particularly with advances in large language models. I think they have outstripped our expectations, haven’t they? Generally speaking, it’s always my default to say, well, most of the time it’s just old wine in new bottles. It’s just a different kind of attack vector for the cyber crime that we’ve already seen. But I do think data poisoning there is the exception. It’s a new kind of threat to skew that training data so that it produces something other than we’re intending in our use. That’s a new one for me.

Alexandra Topalian:
Right. Thank you. Mr. Brown, what are some of the ways in which generative AI can be exploited by cyber criminals to develop more sophisticated and evasive cyber threats?

Kevin Brown:
First of all, good afternoon, everybody. I think some of the bits have been pulled out already. What generative AI has introduced is a far lower barrier of entry into criminal activity. Before, perhaps, you had to have the technical background, the tooling, and the motivation. And now we’re seeing generative AI being used for a far wider range. So whilst we talk about sophistication, I think it’s the ease of access that I’m certainly starting to see more about. I think we also talk about what’s emerging, what is hidden. It’s something that is directly in front of all of us, and that’s a first-mover advantage. Now, in a commercial world, if you’re looking to launch a new product, you’re always trying to get the edge of your competitor. And that’s no different where criminals, they don’t have the risk profile that organizations have. They don’t have to be looking at the explainability of the artificial intelligence. They don’t have to be looking at the legalities, the regulatory. It’s a case of we’ve developed something, let’s launch it. So unfortunately, from sitting on the good side of the fence, we’re always going to be slightly behind the curve from that perspective. Some of the other areas just to highlight, and perhaps we can go back to this. Obviously, social engineering is one that comes to the forefront, as well as the professionalization of deepfakes. We’ve talked about deepfakes for many years, but again, it’s now become far more accessible. And then clearly, we’re into the LLMs, the large language models, and how that can be manipulated, poisoned. And we’ve got used to and accustomed to being a financial motivation. In fact, what we’re seeing through data poisoning is there’s a far wider range of motivations. Some of them may be short-term, but given the amount of elections and political change that’s going on around the world, there’s certainly going to be some slow-burn ones that are already happening.

Alexandra Topalian:
And the potential convergence of generative AI with social engineering tactics, how is this fusion, how could it amplify the effectiveness of phishing and other manipulative attacks?

Kevin Brown:
First of all, I think it’s a massive impact. Certainly through our threat intelligence team at NCC Group, we’ve seen over 1,000% increase already. And I have to say it with a bit of a smile on my face, because all of the phishing training, the phishing awareness programs that we’ve rolled out to all of our colleagues is we’re teaching them to spot the obvious. And with previous phishing attempts, you would look for spelling mistakes, you’d look for grammatical errors. Well, actually, what generative AI has done is just professionalize that. So not only have you now got this increased throughput and volume, all of the training that we’ve educated our colleagues on is almost, you’re putting that to one side because you’re now confronted by emails which have got a lot more relevance, a lot more professionalism. And with generative AI as well, it’s enabling a lot more targeting of spear phishing so that you can really start to add context to the phishing emails. You can talk about the industry. You can really give relevance to the business without too much work. So I think it’s a real game changer for certainly what we’ve seen.

Alexandra Topalian:
Thank you, Mr. Brown. Dr. Yazeed, welcome. What is the impact of generative AI related to the scale of cybersecurity attacks?

Dr. Yazeed Alabdulkarim:
So, assalamu alaikum. Good afternoon, everybody. So to understand the scale of generative AI, first we have to consider the current state. So if we look at the current state in 2023, basically adversaries are accelerating and defenders are not able to keep up. It’s basically a two-speed race. So to add to that, basically a research study shows that 94% of companies have experienced a cyber attack in one way or the other. So what’s happening is that just as technology transferring to SaaS, for example, software as a service offering, the cyber crime world is doing the same. So SaaS is becoming in the cyber crime economy as well. And for example, we could see a malware as a service offered in the cyber crime. And to add to this, the automation of the technology is making the threat actors able to accelerate the speed and the volume of attacks and the back as well. With generative AI, it’s expected that the situation will be more difficult because now the attackers will be able to have more means to automate and to generate more intelligent attacks. For example, you could have an adversary creating a self-adaptive malware. And that malware will be able to circumvent and to be undetected by the detection systems. As well as another threat of the generative AI is the assembly of knowledge. So basically with generative AI, you could assemble knowledge that can be utilized for physical attacks. Instead of usually when we have physical attacks, it’s limited to state violent actors. But now even non-state violent actors will be able to acquire that knowledge to launch a similar attack. And if we consider these risks as well, the surveys show that about 85% of security officers believe that the rise of cyber security attacks that we have seen in 2023 is because of the use of generative AI.

Alexandra Topalian:
Thank you, doctor. And as an advisor for SAIT, what can we do in regards to the regulations that are being implemented?

Dr. Yazeed Alabdulkarim:
Yeah, regulations are basically a controversial topic because many believe that it’s challenging to enforce the constraints. And it’s basically wishful thinking. But if we see the initiatives, there is the initiatives by the UN nation. It’s forming a high-level advisory body for AI. Similarly, we have seen the recent U.S. executive order about the safe and secure and trustworthy use and development of AI. But when you consider regulations, there are basically two approaches. One approach is to have regulations to limit the use of generative AI to prevent it to get in the hands of bad actors. However, this approach will end up basically hurting the openness of the technology as well as preventing it for the good users. So I believe the best way to combat generative AI threats is basically by using it for defense and to basically outperform adversaries. So if you do that, you’ll be aligning with the second objective of regulations. Instead of limiting the technology, we should utilize it and use it for defense. For example, and we should design it based on the attack surface. For example, if we consider one of the main issues of generative AI is disinformation. So we should realize that threat actor and then try to come up with defense mechanisms to basically mitigate the risks related to that as well.

Alexandra Topalian:
And how would you go about outperforming?

Dr. Yazeed Alabdulkarim:
Basically, one example, if we see one of the main challenges related to cybersecurity is responding to alerts. A recent research study shows that only 48% of security alerts are investigated. So one way is to use generative AI to basically fully analyze these security alerts and to basically also not only analyzing and potentially responding to them. And that way you will be able to address the two-speed race that I mentioned. So as the adversary are speeding up, we should do the same. We should utilize that technology and not limit it. And then there are many use cases that can be addressed, as I mentioned, with the security alerts.

Alexandra Topalian:
Okay. Thank you, doctor. Well, generative AI is here to stay, correct? Richard, how would you best advise your… your customers and how they should deal with their risk management approach?

Richard Watson:
Yeah, I think Dr. Yazeed used a key word there, which is trust, and I think establishing trust in AI models is going to be key. I think the World Economic Forum has done some of the most recent studies in this space, and they found that four out of ten adults admitted that AI-powered products worry them, and that 50% of adults, you know, wouldn’t trust companies who use AI as much as they trust companies that don’t. And so it’s really incumbent on organizations to repeat that they would trust companies, 50% of adults would not trust companies who use AI as much as they trust companies who don’t use AI. In other words, there’s a huge amount of suspicion. There’s a lot of trust AI. So, I mean, one of the things we’ve done at EY to help combat this is the notion of a confidence index. So we’ve got our data scientists and our cyber security professionals together to create essentially a framework and an algorithm for, you know, how do you determine if a piece of AI is trustworthy or not? So it looks at things like explainability, data privacy, bias and so on, so about seven or eight different variables to essentially give a trust score to a process that is using AI. And if you look at some of the proposed regulation like the European Union AI Act, you know, that seems to be the way that regulation is going to go as well. It’s going to be a risk-based approach based on some profiling of AI that determines how much testing you need to do and how much disclosure you need to do. So I think providing some metric that helps create this trust, I think, will be really key for organizations. And then secondly, will need to update their risk management processes, because it’s a case of the business who’s using AI for business purposes, organizational responsibility, you know, audits and so on, and then the operational functions that are actually using the AI and maintaining the models coming together to manage this. It’s a bit like the issue we had where privacy, data governance and cyber security, you know, had to come together to manage data. You know, we’ve got that again, but with slightly different stakeholders and axes to worry about.

Alexandra Topalian:
And then with this issue of trust, there is also a very negative connotation that’s come with artificial intelligence. Why do you think that is?

Richard Watson:
Yeah, I mean, I think people are just staggered, as Victoria said, around, you know, how quickly and how comprehensive, you know, this technology is, it’s become. I mean, AI has obviously been around for sort of 10-15 years, but the generative AI aspect, which sort of burst onto the stage in November when Microsoft acquired OpenAI, I think it’s shocked people into just how lucid this technology is and just how much it knows and how quickly it can assimilate new information, and people just aren’t ready to surrender that level of control to technology and are worried about it. And again, if you look at, you know, President Biden’s executive order that came out on Monday, you know, pretty much the second bullet is about managing the risk of AI use for biological warfare weapons creation, you know, so all of these big nasty problems are sort of immediately associated with AI, and I think that worries people.

Alexandra Topalian:
Or having a plane flown without a pilot. But Professor Baines suggests that there can be opportunities, right, when it comes to cybersecurity and data protection. Tell us a little bit about how you perceive that.

Dr. Victoria Baines:
You know, both of your points about the rhetoric of this: when you use that term AI, artificial intelligence, we immediately think of popular culture. We immediately think of science fiction. I’m, you can count on one hand the positive blue-sky representations of AI and science fiction. It’s all very dystopian, isn’t it? And we’re kind of inculcated with that sense that it’s all gonna go horribly wrong. But if you were to say to people, how do you feel about chatbots? They’d probably be a lot more positive, and they’re interacting with them as if they’re dealing with a customer service agent, even though they know that might not be a person on the end of the chat message. In terms of opportunities, actually, I’d quite like to pick up on, you know, what you were talking about in terms of the scale of the problem and about all of those alerts that go unmanaged, because I do a certain amount of research on burnouts in cyber security, and as we all know, there aren’t enough people working in incident response. There aren’t enough people working in security operations, and in 2019 Nominate ran a survey of UK and U.S. C-suite cyber security executives and 70% of them said they were suffering from moderate to high stress. And I think, you know, we all recognize that. You were talking about the alerts that go unnoticed or the alerts that don’t get worked. Where we are at the moment is with the scale of the red flags that we already have are too much for incident response teams, for security operations centers. If what we’re saying is that the scale is going to increase exponentially, we absolutely need an automated response, a certain amount of automated defense and incident response, not just because it makes sense for the increasing scale, but because that’s how we make best use of the humans that we have on our teams.
It’s how we keep them from quitting their jobs and going to work into something else. It’s how we preserve their mental health and well-being, and dare I say it, as someone who has worked these queues in the past, it’s how you, you know, you give humans tasks that they are good at: the threat hunting, that sense of what doesn’t feel or smell quite right, which so far machine learning and AI is not particularly good at.

Alexandra Topalian:
Hmm, interesting, we definitely do have a talent gap there. Kevin, how would you best advise your organizations on the strategies that they could adopt to detect early detection and management of cyber threats?

Richard Watson:
There’s a couple of things, just to pick up on what Richard and Vicki have said as well. The first thing is, may seem the obvious, but to do something. I’ve met a number of clients that are almost in this state of paralysis, where AI has been around for years, generative AI comes along and they don’t actually know what to do, and I think if we look across the globe, and I think this is why GCF as a forum is perfect for being able to have these open discussions, because it just reinforces that people are not alone. So my first bit of advice is actually to have a clear strategy. It can be a really basic strategy, but it gives you a purpose as to how you’re going to approach the topic. It doesn’t have to be about sophistication. Coming back to His Excellency the Minister of Education yesterday, who I thought was particularly refreshing, I really like the point where he was talking about if we’re waiting for all of the boxes to be ticked on the clipboard, we’ve missed it. We’ve got to go with a risk-based approach, and that’s where I think with organizations, and certainly how I advise them, is to have a strategy based upon what you know. But I think the one that is most pressing, as Vicki just mentioned, is the skills gap. AI, the advances of AI has been amazing in the last few years. Has it closed the gap? Two sessions ago on the stage, we were talking about a gap of five million. That says to me we’re not using it. So it’s really about understanding the strategy, leveraging colleagues from across the globe, forums such as this, to help you form your strategy, but most importantly do something and

Alexandra Topalian:
How do your clients deal with that skills gap? Are they, give us some real-life examples.

Richard Watson:
It’s, I take a great example: phishing. Yes, so I’ve mentioned an increase of a thousand percent. Comes back to perhaps what Richard mentioned as well as trust. You speak to clients who are trying to run a SOC. The volume of phishing attacks has gone through the roof. They’ve got AI, but their operating model is still the same. The methodology that has been approached is to take the AI, but ultimately it still raises a ticket and ends with a human. So as opposed to saying, well, what is the closed-loop activity? Where is it? Actually, I’m quite happy to take a little bit of risk. Phishing emails is one that should just be a closed-loop activity. There doesn’t need to be a necessarily human in there. So I work with a lot of clients to transform operating models, because it’s around people, process and technology, and that has to be the starting point.

Alexandra Topalian:
And I just want to pick up on a point you mentioned about the deepfakes. What strategies do you recommend for those sort of threats?

Richard Watson:
Again, it naturally depends what industry, what sector you’re in. It comes back to then the basics of social engineering and recognizing that you’ve got to have additional controls in place. It comes back to what I guess from a security industry perspective has been spoken around for years is to defense in depth. So if you’ve got someone on to one of your call center agents, it can’t just be that’s the only line of defense in terms of verification. Is it really Mr. Brown on the other end of the phone? You’re gonna have to have other verification methods as well. But what I will say, and yes it as well had a great point, is we have to put AI and generative AI to match it, because it’s gonna frustrate the criminals, and the moment you start to frustrate, the moment you slow down, actually, we’re now raising the barrier of entry. We’re raising the risk profile, and actually the cost for criminals to commit the crime is now going through the roof, and that’s the position that we need to get to. So do you mean retaliation? No, not even retaliation, it’s actually slowing down their process, because criminals, yes, they’re criminals, but they’ve still got investment cases. They’ve got business cases. You look at some of the call center scams. They’ve got metrics around how many calls they’ve got to make, how many people do they aim to hook a day? And the moment you start to put AI and generative AI on the other end of that call, you’ve just blown their metrics and their business case, and all of a sudden the cost of being able to be involved in this criminal activity, that’s just multiplied by X times.

Alexandra Topalian:
Okay, because we did have a cyber psychologist here yesterday that was discussing the concept of fighting back and, you know, retaliating based on the profiling that you do of the cyber attacker, and that’s, well, that’s something that, you know, there’s a fine line with breaking the rules and breaking the law. All right, Dr. Yazeed, my last question to you as we’re running out of time: what would be the impact of generative AI on the spectrum of emerging technologies?

Dr. Yazeed Alabdulkarim:
Basically, as you see, all the upcoming emerging technologies will have the AI components on them. So what does that mean? That all the fundamental threats that are coming from AI will be present in these emerging technologies. So we have, we need to have the urge to address them, or at least evaluate, as I mentioned, the attack surface of the generative AI and try to address the fundamentally, so that when the emerging techs coming up, when it’s related to generative AI, we at least have, we don’t have a, we are not starting from zero, we have at least an edge there. And for example, one of the initiatives that is coming up is that explainable AI, and that’s very crucial, because we need to, one of ways of addressing the concerns is exactly knowing how it, or how the, basically, the model operates to explain the outcomes that are coming. Unfortunately, we’re not there yet. So basically that’s why, when you have a model, you have these hallucinations coming up, because it’s a, it’s basically a black box. So that explainable AI should help to hopefully address these concerns as well. And just to add one point regarding the deepfakes, as my colleague has mentioned: we have seen that recently most of the AI dirty AI companies have voluntarily proposed to put watermarking on their, basically, output, so you’ll be able to know whether it’s coming from the model or not. I don’t believe this will be sufficient. What’s, I believe what’s more important, and it’s back to the defense point that I mentioned, that authorities should have their own watermarking, and that will give the ability to know exactly that is coming from a reliable source. Otherwise, it’s basically a misinformation or something that is basically deepfake.

Alexandra Topalian:
Right. Well, thank you very much, panelists, for being with us today. It’s definitely something that’s not going to be going away anytime soon, but I do see a lot of benefits to generative AI as well as the downfalls. Ladies and gentlemen, please put your hands together for this Emerging Shadows panel and generative AI. Thank you.

Alexandra Topalian: speech speed 151 words per minute; speech length 702 words; speech time 279 secs

Dr. Victoria Baines: speech speed 172 words per minute; speech length 915 words; speech time 319 secs

Dr. Yazeed Alabdulkarim: speech speed 151 words per minute; speech length 1053 words; speech time 420 secs

Kevin Brown: speech speed 188 words per minute; speech length 555 words; speech time 177 secs

Richard Watson: speech speed 188 words per minute; speech length 1792 words; speech time 573 secs

Cyberspace Needs You: Attracting Women to Cybersecurity Careers

Full session report

Moderator – Jane Witherspoon

During a discussion on the barriers inhibiting women from pursuing careers in cybersecurity, Jane Witherspoon highlighted the importance of addressing these obstacles. Jane firmly believes in achieving equal gender representation in the field, as this is crucial for promoting diversity and ensuring that all perspectives are included in the development of cybersecurity strategies. Seeking insights on how to encourage more women to enter the industry, Jane turned to Tania, who shared her own experiences and insights.

Tania, while recounting her journey in overcoming barriers, shed light on a few key factors. She emphasized the need for role models in the cybersecurity field who can inspire and guide aspiring female professionals. Such role models play a crucial role in empowering and encouraging women to pursue careers in this male-dominated industry. Additionally, Tania highlighted the presence of misconceptions surrounding cybersecurity roles, which hinder women from considering it as a viable career option. Addressing these misconceptions through education and awareness can help break down barriers and attract more women to the cybersecurity field.

The discussion between Jane Witherspoon and Tania showed a positive sentiment towards the goal of achieving equal gender representation in cybersecurity. By openly discussing the barriers and seeking solutions, they demonstrated an active commitment to creating a supportive and inclusive environment for women in the field. The insights and experiences shared by Tania revealed valuable lessons that can be used to develop strategies to encourage more women to pursue careers in cybersecurity.

Overall, the conversation between Jane Witherspoon and Tania highlights the importance of addressing the existing barriers inhibiting women from entering the cybersecurity field. By promoting equal gender representation and providing role models, as well as dispelling misconceptions, we can encourage more women to pursue careers in this critical industry. Taking these steps will not only bridge the gender gap but also help create a more diverse and inclusive cybersecurity workforce for the future.

H.E. Dr. Margarete Schramböck

The analysis of the provided information reveals several important points that highlight the importance of gender diversity and inclusion in the field of cybersecurity. Firstly, it is crucial to promote and include women in cybersecurity, as demonstrated by the success stories from Aramco Digital’s security operations team, where approximately 50% of the team consists of women. Additionally, in Saudi Arabia, 58% of engineers are women, indicating a positive trend towards gender equality in this field.

The presence of authentic company cultures and the availability of female role models are identified as key factors in attracting more women to cybersecurity. The success of Vision 2030 in Saudi Arabia is cited as an example of how companies and organizations can demonstrate authenticity and effectively encourage women’s participation in this field.

There is a recognized lack of female role models, particularly in middle management positions, which further limits the progression of women in cybersecurity. This observation is supported by the personal experience of a female CEO who highlights the existing gap in this area.

Demographics play a significant role in shaping the opportunities for digital transformation and cybersecurity. Saudi Arabia, with its young population, presents an exciting potential for change in these areas. The presence of many young people eager to be part of the transformation, particularly in the digital sphere, highlights the importance of tapping into this demographic advantage.

Furthermore, there is a notable disparity between investment in technology and the digital sector in Saudi Arabia compared to Europe. The analysis underscores that Saudi Arabia has more prominent investments in tech initiatives, such as ‘Sabrani,’ than Europe, reflecting a greater emphasis on the digital sector in the kingdom.

The evolution of digital jobs and the shift towards white-collar work has significantly contributed to including more women in the workforce, particularly in countries like Saudi Arabia where many women are engaged in engineering roles. This evolution is viewed as an opportunity to leverage the unique skillset that women bring to tech teams and digital jobs, further promoting gender diversity and equality.

The analysis also highlights the economic slowdown and challenging age structure that Europe currently faces, compared to Saudi Arabia’s growth rate of 8% on average. This divergence emphasizes the different economic and demographic circumstances between the two regions, reaffirming the need for caution in Europe’s role in the global technological landscape while acknowledging Saudi Arabia’s potential to play an important role in the future.

The COVID-19 pandemic has brought about a shift in work models, making it easier to balance family life with job responsibilities. This newfound flexibility and adaptability in remote working arrangements have highlighted different ways of working, providing evidence that alternative working models are feasible.

The integration of women into companies should start right from the hiring process, addressing women more directly and removing barriers to their inclusion. This observation is drawn from the experience of a former CEO who recognizes the importance of taking proactive steps to ensure gender equality throughout the acquisition and hiring phases.

Support from various communities is crucial in fostering growth and success in all areas, including cybersecurity. The example of Dr. Margarete Schramböck, who started her career by selling telephone systems and reached out to mentors within the tech community, underscores the significance of community support and mentorship.

Advocacy for mixed teams and collaboration is also deemed essential in promoting gender equality and reducing inequalities. The belief in doing things together rather than separately, demonstrated by an individual’s personal experience of being often the only woman in the room early in her career, showcases the importance of fostering diverse and collaborative teams.

Early engagement of young women in subjects of their interest, such as through apprenticeships in fields like e-commerce, has proven to be a successful strategy for attracting them to the tech field. The introduction of e-commerce apprenticeships in Austria resulted in 60% of participants being women, showcasing the effectiveness of this approach in bridging the gender gap in tech.

In conclusion, the analysis reveals the significance of gender diversity and inclusion in cybersecurity. It highlights the importance of promoting and including women in this field, authentic company cultures, the presence of female role models, demographics, and investment in technology. The evolution of digital jobs, the economic challenges faced by Europe, the impact of COVID-19 on work models, and the need for integration of women into companies from the hiring phase are all noteworthy aspects. The analysis also emphasizes the importance of community support, advocacy for mixed teams and collaboration, and early engagement of young women in subjects of their interest. Overall, a comprehensive approach involving various strategies is vital for achieving gender equality and fostering growth in the field of cybersecurity.

Dr. Cécile Aptel

The lack of representation of women in the cybersecurity sector is an urgent issue that needs to be addressed. Currently, only about a third of diplomats in cybersecurity are women, highlighting a significant gender disparity. The underrepresentation of women in this field has implications for individual, business, and state cybersecurity.

One contributing factor to this gender disparity is the societal discouragement of girls pursuing STEM and technology studies. This bias limits opportunities for girls in education and future careers in security-related sectors. As a result, women remain underrepresented in defense, military, and intelligence, which are closely linked to cybersecurity.

To attract and retain women in cybersecurity, flexible working arrangements are crucial. Providing flexibility in work schedules and arrangements allows women to balance personal and professional responsibilities effectively. Creating inclusive and supportive company cultures that value and consider women’s opinions is also important. Men play an important role in achieving gender equality by mentoring and supporting women in their professional growth.

Further measures are needed to increase the representation of women in expert groups related to international security and ICT. Diverse representation in these groups is essential for comprehensive and inclusive decision-making processes.

Equipping women with technical, managerial, and leadership skills is important for their advancement in the cybersecurity sector. Networking and mentorship opportunities are significant for women’s career growth. Education plays a vital role in addressing gender inequality, and partnerships between industry and education facilities are key to providing quality education that prepares students, especially girls, for cybersecurity careers. Programs that educate children about responsible digital behavior and cybersecurity are fundamental for their safety online.

Collaboration between men and women is crucial for the growth and success of the cybersecurity field. Mixed teams have proven to be more innovative, and fostering inclusivity and equal opportunities will enhance creativity and problem-solving in the sector. Men have a role to play in achieving gender parity by embracing the benefits of gender equality.

While progress has been made in Saudi Arabia towards gender equality, continued efforts are needed to ensure sustained progress and an inclusive society for women.

In conclusion, addressing the underrepresentation of women in the cybersecurity sector requires a comprehensive approach. Encouraging girls to pursue STEM education, providing flexible working arrangements, valuing women’s opinions, and fostering mentorship opportunities are crucial steps towards achieving gender equality. Partnerships between industry and education facilities, as well as educating children about responsible digital behavior, are essential for the future of the cybersecurity field. Creating an inclusive and supportive environment where men and women can collaborate will drive innovation and enhance the effectiveness and security of the cybersecurity sector.

Betania Allo

Women in cybersecurity face numerous challenges, including gender bias, lack of representation, and unequal opportunities. Betania Allo, a successful cybersecurity professional, emphasized the need for mentoring and early education programs to encourage girls to explore this field. Inclusive hiring practices and anti-bias training are necessary for organizations to address the deficit of women in cybersecurity roles. Forums and platforms for dialogue are essential in advocating for gender equality and representation. Betania Allo’s positive experience working in Saudi Arabia demonstrates the importance of openness and trust in talent from all over the world. Representation of women in leadership roles is crucial for decision-making, and collaborative efforts between men and women are needed to advocate for gender equality. Mentorship plays a vital role in women’s career progression in cybersecurity. Women-led forums offer ideal platforms for conversations about representation. Highlighting the intersection of technology with other areas of expertise can attract more women and girls to the technology field. The biggest challenge for women in cybersecurity is overcoming the fear to enter the field. Empowerment and support are key in encouraging women to pursue careers in cybersecurity. Overall, addressing these challenges will lead to a more diverse and inclusive cybersecurity industry.

Session transcript

Moderator – Jane Witherspoon:
Space Needs You, attracting women to cyber security careers. Her Excellency, Dr. Margit Schrambach, former Minister for Digital and Economic Affairs, Austria. Dr. Cecile Aptil, Deputy Director, United Nations Institute for Disarmament Research, UNIDIR. Jane Weatherspoon, Moderator, Beirut Chief Middle East, Euronews. Betania Allo, Cybersecurity Innovation and Partnerships Manager, NEOM. Hello ladies and gentlemen and your excellencies, what a pleasure to be here and thank you for that round of applause. I think we need a second one for the all-female panel. As our voice of God said, we’re going to be talking about the gender disparity within cybersecurity. Women are still critically underrepresented, holding only 25% of the cybersecurity jobs globally. So, my esteemed panel, we’re going to get straight down to business. I would like to address my first question to Dr. Margit. You know, what are the primary challenges that organizers encounter when trying to not just attract but retain women in cybersecurity?

H.E. Dr. Margarete Schramböck:
Yes, first let me say I’m really happy to be here today. Thank you for having me and I’m also happy to see such a big audience that is interested in this topic because this does not happen so often. So, I think this is something special about Saudi Arabia. Being here now for quite a few months, I’ve also learned that in Saudi, 58% of engineers are women, which is different to Europe and it’s different especially to German-speaking regions in Europe and this is something which Saudi can really be proud of and really happy to see that. Being on the board of Aramco Digital, I see it also in the daily work that 50% of our team members in the security operations center are female and this is a very, very good sign. Why do they do it so well here in Saudi? Well, there is a clear vision, Vision 2030, and it’s in the vision. You can read it, you talk about it, you discuss about it, but most importantly, you do it and this is something which is special here and which I also wanted to mention. Now, to your question, you have been asking about the challenges, so companies really to be successful in the field of cyber needs diverse teams, they need mixed teams. We know this from the past, we know that companies, teams are much more successful if they take this into consideration and why shouldn’t it be true for cyber? It is true for cyber as it is for all the other areas. Now, the companies and the organizations need to be authentic in this, so women feel very quickly if what the company talks or the organization talks is what the company do and if this is in line, you will, of course, attract even more women in this sector. Looking at the different stages, of course, we also need role model and this is also a challenge for companies and organizations, so that often they are lacking role models. 
I was many years a role model, I was 15 years CEO of European IT companies including a telecom company which is like SDC, it was called A1 for Central Eastern Europe, and, yes, it was often clear that we were missing middle management, so women in middle management that could be a role model. So it’s tough, it’s hard, we still have to work on it.

Moderator – Jane Witherspoon:
We’re going to come on to, a little later in our conversation, roles and those roles at the top, but at this point, I would like to bring in Dr Cecile because you have some thoughts in terms of expanding on the security aspect, don’t you?

Dr. Cécile Aptel:
Yes, thank you, Jane, and before I answer your question, if I may, thank our guests. So first, Saudi Arabia, I’m absolutely delighted to be here and to discuss this question here and of course the Global Cyber Security Forum for providing this opportunity. When we think of cyber security, there is obviously the cyber dimension and we know that some of the challenges come from girls in a number of contexts not always being keen to pursue studies in the STEM and in technological areas, that seems to be less the case in Saudi Arabia which is great, but in addition to cyber, there is the security element and if we look at security the way it is also construed, security is a sector in which women are far behind. I mean obviously when we look at defence, military, intelligence, and why do I say that? Because cyber security is multi-layered and when we think cyber security, it’s not only individual or business security, it’s also state cyber security and cyber attacks, cyber warfare. Within this context, there are negotiations ongoing, obviously notably at the United Nations, and we see that in those contexts there are very few women involved in these negotiations. In fact, only about a third of women diplomats, we see women diplomats across sectors and in the area of cyber security, these numbers are really lagging. So the combination of cyber challenges and security challenges is really probably also one of that convergence that we need to address.

Moderator – Jane Witherspoon:
But Tania, you’re sitting on the end. I want to just give a bit more context to your career because we see you’re Cyber Security Innovation and Partnerships Manager at NEOM, but your previous roles, you’re the former United Nations Senior Officer in Counterterrorism and Emerging Technologies, quite a title. I’d like you to elaborate, if you can, on how organizations can address the barriers that discourage women from entering fields, biases, lack of role models, which is something Dr. Margaret just touched on, misconceptions about cyber security roles. What has your experience been?

Betania Allo:
Thank you so much for the great question and thank you again. I second my colleague’s words. I’m extremely happy to be here and very grateful to the organization of the GCF for having us. So yes, indeed, women in cyber security still face a lot of challenges, as you mentioned, gender bias, lack of representation, unequal opportunities. And I think that organizations, and we all here in the room, have a huge responsibility to make sure that this changes. So in my experience, one of the things that make women doubt whether cyber security is a path for them is the lack of information. So mentoring and correct education, you know, paths in early exposure to cyber security and what it is, is one of the most important things that can encourage girls to get into this path. Then, well, I got into cyber security later in life, and maybe because of that lack of mentorship at an early age, but mentoring for me was key to have the luck and the privilege to have great mentors in my life who gave me the best guidance, advice, and encouraged me to challenge my own fears, and that allowed me to be here and to, you know, start a career that builds on different skills that I’ve had before. So organizations, per se, I think that also need to work a lot in more inclusive hiring practices, anti-bias training for both men and women, because there is something that is still happening everywhere in the world, and even in the countries that are famous for their gender parity policies, there’s still gender bias in technology and in cyber security as well. So yes, I think that this kind of forums, this kind of platforms for dialogue, I think are a great opportunity to encourage everyone to advocate for this kind of causes that will make the room fuller and fuller of women.

Moderator – Jane Witherspoon:
As a female actually doing it here in Saudi, you know, what has been that experience and the change from coming from outside? How was it received?

Betania Allo:
Well, I was very lucky, because when I first started thinking about moving to Saudi, to the Middle East, I was very lucky to have several opportunities here, and, well, Neom, do I need to even explain what Neom has, you know, and how amazing and exciting it is to be working. I consider myself so privileged, but something I did not know is that most of my colleagues would be Saudi, they would be from here, right? So although Neom has 70% expats, my department is mostly Saudis, because of regulations. So I was received with such generosity, such solidarity, from all levels, I was trusted with so much responsibility, and being a woman and being a foreigner, you know, those are two elements that makes it even more impressive, and I think it speaks volumes of the massive changes of this country has been through, and how much they trust talent from all over the world.

Moderator – Jane Witherspoon:
Dr. Margaret, can you elaborate from a European perspective?

H.E. Dr. Margarete Schramböck:
Well, Europe is in a very tough situation at the moment. So contrary to Saudi, which is growing at, I would say, 8% on average, Europe is really has slowed down, and the age structure is completely different. So what I find exciting here, and being in the board of Aramco, building up Aramco Digital, we can see that we have this wonderful age structure with a lot of young people, excited people who want to change, and want to be part of this transformation, also in the digital, especially in the digital area, and in the cyber security. So the focus is, as you’ve heard also from the CEO of Aramco, that there is investment, and there is investment, for example, in Sabrani. Do we see similar big investments in Europe at the moment, to a lower extent? So Europe still plays a role, but has to be very careful. And I think there will be different centers in this world. Of course, we have the US, and we have China. But there is a big room for Saudi, and its huge population, and its engineers to play an important role here. And we are in the middle of this transformation, which makes it so exciting. For me, coming back to being successful, having successful innovations and competitive products, always needs these two sides. So females bring completely different skills into the teams, and especially in the cyber, we can see, and in many digital jobs, it means from blue-collar worker to white-collar worker. Think of a harbor. When you are in a harbor, and you have to move the containers, this was pure blue-collar worker in the past. Now it’s white-collar, somebody sitting in a control center, as it is in cyber. You are doing things which you can do remotely, which you can do in a team. You don’t have to be outside in the construction site. And this evolution of tech solutions has also helped to engage more women. Contrary to Europe, I think, with Saudi and many women in engineering, there is a really good basis here.

Moderator – Jane Witherspoon:
I want to bring in the element of family raising as well, and being a working mom myself, as many of us are in this room. Can we have it all? Can we balance it? I think that makes it a little bit easier, some of these initiatives, and the situations like remote working.

H.E. Dr. Margarete Schramböck:
I think what COVID has shown us is that different types of working is possible, and that it can be done in a different way. And this helps, of course, to combine the topics of family and kids and the jobs. From the company perspective, and being a CEO for 15 years, it is worth starting at the very beginning. So it all starts before the women are joining the company. Sometimes we think, when we are managers, it starts when they are here. No, it starts in the acquisition or in the hiring process, where it is different to the male side, where you have to address women more directly. You have to invite them. It is a little bit different than it is on the other side.

Moderator – Jane Witherspoon:
Cecile, I think you have something to add in there. Sure.

Dr. Cécile Aptel:
Just the fact that flexible arrangements are important not only to attract women, but especially to retain women, and to enable them to really make a career, which I think is one of the challenges. It’s challenging in the cybersecurity for everyone. We need to really be also very clear that it’s not only about women. It’s difficult to attract men and have enough workforce. So the challenge is compounded for women, and it’s important for companies to have ways of retaining women. Flexibility, flexible working arrangements are important, but it’s also important to ensure that women feel valued, feel that they belong in the companies to retain them. And I think that’s an important dimension. And when we think of inclusive workforce, it’s not only having women sitting at the table, but being able to voice their concerns. And very often, because of a number of cultural expectations everywhere around the world, women are not likely to really ask for the floor. And so I think it’s particularly important that men, who are, of course, the great partners in this adventure of having more women, extend their reach to women. That they also mentor women, young women, sponsor them, and really just make sure that women’s views are also asked and considered. All of this is what makes women feel that they belong, that they have a role to play, and therefore to stay there.

Moderator – Jane Witherspoon:
Well, we did mention it earlier, and we were talking about roles. You know, what needs to be done? Cecile, I’m going to keep you on the floor. What needs to be done to ensure that enough roles are at the top of the chain? And how do we attain that, despite the fact that there is this leaky pipeline phenomenon, you know, stepping back and coming back into the room, you know, where maybe women are deemed to have lost some crucial years? What needs to be done about that?

Dr. Cécile Aptel:
So again, I think having working places that are inclusive, that are flexible enough to attract and retain women, that women feel that they belong there. But I think that some additional measures are needed. And I’ll go back to the example that I was giving earlier, you know, the lack of women diplomats engaged in UN processes on cyber, or even ICT in international security environment. Because that was a real concern, back in 2018, the UN Secretary General, Guterres, decided to really make a commitment to ensure that there will be more women appointed in the group of experts of the United Nations. And thanks to that commitment, which he took very seriously, more states nominated more women. And as a result, we really went from having 25% only of experts in 2018, to today 40% of experts being women that participate into these working groups. And similarly, in terms of diplomats participating in the negotiation, there’s been fellowship, in particular women in international security in cyberspace fellowship, that has been targeting relatively junior diplomat women, but not only diplomats, regulators, ICT experts, lawyers working in these areas, professors working in these areas, and encouraging them over a number of years to come and participate, to be there in those UN working group, in particular, the open-ended working group on the use of ICT in international security environment. And not only were they there, but then they were mentored. They had access to more senior leaders and diplomats that could train them. And they had specific training on participating in multilateral negotiations. Just to indicate that measures need to be multilayered, that it’s not simply, in fact, just thinking that it will happen unless the women are equipped with skills. And to go back to the question of how it works in the corporate sector, it’s one thing to be a technical expert in cybersecurity. 
It’s something else to be equipped with the skills to manage a team, and then to make it to leadership role or board roles, because you have leadership. And all of that with men usually happens through networking. Younger women that don’t necessarily have older women to be playing that role model still need to benefit from that networking and learning those skills. So we need very deliberate efforts to really make sure that women are also trained with managerial and leadership skills.

Betania Allo:
Betania, I’ve seen you’ve been nodding all the way through that. I absolutely agree in everything, and I don’t know where to start. Have you anything, I mean, in terms of your experience, in terms of female leadership at the top and what you’ve taken away from that that has maybe helped you in your career progression? Well, so as you mentioned earlier, I don’t come from a very traditional path to cybersecurity, if that’s even a thing, right? So I, for some background, I’m a lawyer. I’m originally from Argentina. And then I moved to the US for graduate studies, and I have degrees in international relations and cybersecurity law and policy. And now I’m pursuing my PhD in cybersecurity. So as you can see, I went from building upon my legal and policy background to a more technical one. And honestly, I will go back to the mentorship and the fellowship that you just mentioned. Networks of women have been so helpful for me while I was making these decisions through, because I don’t consider it I transitioned careers. I think I always say that I’ve been building upon my different roles and bringing what I’ve learned from my other experiences to my new roles. So I think that one of the most important things is representation, to see women on leadership roles and to see women in those, in tables where decisions are being made, to make sure that their voices are heard. And that’s why we need men to advocate as well. We need you guys to look around the table. How come we don’t have any women sitting in this meeting, for example? What is wrong? Really, we couldn’t find any women to come here and join us. That’s why it’s not only our fight, it’s all of us responsibility to advocate for this happening. And in my experience, having really strong and determined women being my bosses and women who mentored me, and even men who also gave me the opportunity to believe in myself, and they believed in me maybe more than I believed in myself back then, right? 
And I think those are the people that I am so grateful that I had the opportunity to meet. And there is a lot of generosity out there. I know there are so many students here listening, and just don’t be scared to reach out. You will be amazed. This room is full of generous people who are willing to tell you more about their careers, tell you more about their experiences, and guide you through your own career path so you can find success as soon as possible. So yeah, I think that these forums, again, are the perfect platform to have these conversations.

Moderator – Jane Witherspoon:
Dr. Margaret, how important are those support of extended communities within the cybersecurity sphere?

H.E. Dr. Margarete Schramböck:
Well, my opinion, it’s the support of the different communities is key in all the areas. I’ve started out selling telephone systems. Now, selling telephone systems or being a technical director for telephone system is not the one thing you would have expected from somebody graduated from a business school. It happened more by coincidence, but then you have to take the opportunity. And what I did is I was searching for mentors always myself. At that time in the 90s, that was really long ago, in the 90s- I remember them, don’t worry. Yes, nobody was really into that mentoring and thought, yeah, you would need a mentor. So I was looking into, in that time, the tech community and I was investigating who could be that. And I addressed the person. And yes, there were men, there were male managers and not women because there were no women there. I was the only one. So for a long period of time, then gradually we got more. So the more you have the community of women also, you can also rely on them. But I’m a big fan of mixed teams, as I said before, and I’m a big fan of doing things together and not just in the separate areas. Looking at education, this is something I wanted to add on that. Maybe we can talk about that.

Moderator – Jane Witherspoon:
No, absolutely. I mean, I know Betania mentioned earlier, to get in at the earliest opportunity and learn about the field that you want to work in. But how can educational institutions maybe collaborate with industry partners and create, I guess, curricula that will appeal and empower women to pursue careers in this field? And especially from an earlier age, like you said, Betania.

H.E. Dr. Margarete Schramböck:
The earlier we start, the better. So at a very young age, to encourage the girls to attend classes, extra classes, and so on. And it, of course, needs to be a little bit adapted to their interests. And what I did, for example, in Austria, I introduced a new form of apprenticeship on e-commerce. So we had a lot of apprenticeship. You must know that in Austria, 50% of young people choose apprenticeship. It’s a little bit different than all in other countries in the world, except for Germany, Switzerland, and Austria. And introducing this apprenticeship for e-commerce suddenly led in 60% of the young people who chose this being women. So because they were interested in that. And I was not taking care, I didn’t care where they would start. They don’t need to start in mechatronic, but they can start in the e-commerce. They can start in the cyber, which are more fields which are of their interest because they are more in the area which they like.

Moderator – Jane Witherspoon:
Betania, I know you’re gonna hide. I know this is coming for you.

Betania Allo:
It’s something that I’m very passionate about, maybe because of how I had to navigate it myself. So I feel really passionate about women and girls getting into the field. And even if they’re not in the field yet, to try to see how technology can be, can intersect to that area of expertise that you have, and slowly transition into a technological, more technological role. That’s what I saw building from technology and policy. So I think that besides what Margaret was saying regarding early exposure, I would say, again, mentoring, extremely important mentoring programs. And we at NEOM are extremely involved in mentorship and scholarship programs with different institutions here in Saudi and abroad. And that helps a lot because sometimes different elements makes it difficult for girls and women to pursue careers in technology. And those things help a lot. So that’s something that the tech industry can also collaborate and give that step forward in helping the next generation of cyber leaders also be 50-50.

Moderator – Jane Witherspoon:
Cecile?

Dr. Cécile Aptel:
Yes, education is so crucial. And as a former professor, I really cannot but say that, yes, education is absolutely critical. I think that the partnerships between industry and education facilities is not only in terms of the curriculum. I think that there is also something else that we have discussed here, which is protection of children in, in fact, the cyberspace. And this will be growing. This is already a big concern today. How do we protect children? And how do we ensure that children are secure and safe when using the cyberspace? But it’s also going to grow because we are probably facing radical changes in education. I mean, the next generation is probably going to be largely educated in schools that are not only very equipped, but very connected. And the very context of what is education is dramatically changing in our lifetime, which really means that there is, we have to be taking very seriously the issue of child protection and of educating children, not only in terms of cyber security to become expert, but to become responsible for their own security in the digital space and in the cyberspace. So I think that we are going to necessarily see partnerships there and they’re welcome because it’s a different way of, in fact, being human that our children are facing in terms of their career and their life.

Moderator – Jane Witherspoon:
We’ve got one minute on the clock. I’m going to start at the end with Betania. I would like you in 20 seconds, what’s the biggest challenge in the next five years for women in cyber security?

Betania Allo:
I would say like losing the fear to getting into the field. Ask for help, ask for mentorship, don’t be scared. You deserve a seat in that room and I very much look forward to seeing that in the next five years.

Moderator – Jane Witherspoon:
Amazing. Cecile.

Dr. Cécile Aptel:
I think it’s not only for women, it’s for women and men. Yes. Far too often, men may feel threatened by the fact that women are also entering the market, you know, the different markets, including cyber security. And I think it’s extremely important that we reframe that. It’s a win-win. It’s not that one is exposing the other. It’s really that we can have team, mixed team working together and becoming that much more innovative and in fact creating even much more of a market for everyone to work together. So I think partnerships is absolutely key and that men, as much as women, have a key role to play. And I want to then take the opportunity to say how impressed I am being in Saudi Arabia to see how much has been achieved. So big kudos as well here.

Moderator – Jane Witherspoon:
Last word, Dr. Margaret.

H.E. Dr. Margarete Schramböck:
Well, for me, it’s for the young generations to tell them, be brave, take the opportunity, create the opportunity. There is never a better moment than this moment and especially here, where so much transformation is going on.

Moderator – Jane Witherspoon:
Ladies and gentlemen, thank you for being with us for this session. And to my esteemed panel, thank you. Thank you.

Betania Allo
Speech speed: 149 words per minute
Speech length: 1285 words
Speech time: 518 secs

Dr. Cécile Aptel
Speech speed: 184 words per minute
Speech length: 1418 words
Speech time: 463 secs

H.E. Dr. Margarete Schramböck
Speech speed: 165 words per minute
Speech length: 1457 words
Speech time: 531 secs

Moderator – Jane Witherspoon
Speech speed: 157 words per minute
Speech length: 724 words
Speech time: 277 secs

Cognitive Vulnerabilities: Why Humans Fall for Cyber Attacks

Full session report

Gareth Maclachlan

Trellix, which was formed around a year ago, is the result of a merger between FireEye and McAfee. It is a global organization serving approximately 45,000 enterprises. Human exploitation in cyber threats revolves around three main tactics: familiarity, urgency, and personal or corporate cost. Cyber attackers use familiar elements to manipulate users into making decisions that benefit the attackers. They create a sense of urgency, forcing users to act quickly without thinking critically. Additionally, they exploit the personal or corporate cost associated with certain actions, making users more likely to react as desired by the attackers.

One common type of cyber attack is VIP impersonation, where attackers use a text message from a CEO or executive, requesting the recipient to perform unusual activities. However, this tactic is often ineffective as such activities are typically not part of regular business practices.

Credential phishing, on the other hand, is a common and highly effective cyber attack method. Attackers run campaigns focused on obtaining users’ credentials, often using pop-ups or fake login pages that mimic reputable companies. The stolen credentials can be valuable to the attackers for further malicious activities.

Another approach used by cyber attackers is exploiting usual business activities. For example, they may send invoices or resumes through email, taking advantage of the fact that users are more likely to trust such communication as everyday business practices. By doing so, the attackers bypass users’ natural suspicion towards email and successfully launch their attacks.

Security firms should focus on assisting customers in safeguarding their organizations from cyber threats. It is crucial to avoid blaming users for system failures, as this approach creates a culture of fear and discourages individuals from reporting potential threats. Gareth Maclachlan argues for a different perspective on cybersecurity, emphasizing the need to investigate how an attack bypassed the system, rather than blaming individuals who may have clicked on malicious links or fallen victim to other tactics.

Traditional phishing training methods may inadvertently desensitize employees to actual threats. Research suggests that employees feel they understand the risks and may miss genuine threats as a result. It is important to consider alternative approaches to phishing training, such as personalizing the training using AI and LLMs, to increase its effectiveness.

Recognizing and praising individuals who successfully identify and report genuine cyber attacks can encourage a behavioral norm of recognizing that security is everyone’s responsibility. This proactive approach to positive reinforcement could decrease the likelihood of mistakes in the future.

Psychologists can also play a role in understanding and dealing with cognitive biases that impact data security. Gareth Maclachlan contemplates the role of psychology in this context and acknowledges his own biases in his perspective.

When considering digital transformation in regions like the Kingdom, it is essential to view security from a broader perspective beyond just enterprise security. Gareth Maclachlan highlights the large scale of digital transformation in the Kingdom and suggests that minds should open to consider security in relation to systems and spaces beyond individual enterprises.

During incidents, it is important to focus on learning from system failures rather than blaming users. This approach promotes growth and improvement in security practices.

Publicly celebrating and recognizing employees when they correctly report potential threats can contribute to a culture of security awareness and employee engagement.

Performing regular checks on all applications, particularly hosted software-as-a-service applications, is crucial to avoid compromise. Organizations can be compromised if a customer or individual uploads a hostile file.

In conclusion, the summary highlights the importance of understanding how cyber attackers exploit human vulnerabilities and the need for security firms to prioritize assisting customers in protecting their organizations. It emphasizes the significance of taking a system-focused approach to cybersecurity rather than blaming users for system failures. Additionally, the summary explores alternative approaches to phishing training, the role of psychologists in addressing cognitive biases, and the need for a broader perspective on security in the context of digital transformation.

Moderator – Lucy Hedges

The threat of cyber attacks in today’s interconnected and digital world is larger than ever before. Cyber criminals are taking advantage of human cognitive vulnerabilities, exploiting weaknesses in human nature within cyber systems. They employ various tactics to exploit human fallibility and compromise cybersecurity.

To address these vulnerabilities, collaboration between industries is crucial. By working together, industries can explore elements of human error and gain insights into the psychological factors that make humans susceptible to attacks. This collaborative approach can lead to the development of effective strategies and measures to reduce cyber vulnerabilities.

One area where human vulnerability is evident is in the realm of social networks. Many people are unaware of the extent to which they reveal personal information on these platforms. This lack of understanding puts individuals at risk, as attackers can exploit this information for malicious purposes. Attackers are becoming increasingly sophisticated and can use personal data shared on social media platforms to impersonate friends and family members, effectively deceiving individuals. This highlights the importance of being selective and cautious with the information shared online.

Lucy Hedges, a cybersecurity expert, emphasises the significance of understanding and managing the information shared online. She shares anecdotes of individuals who have fallen victim to cyber attacks as a result of their personal information being exploited. While living in the online world can be beneficial, it is crucial to exercise caution and be mindful of the information we share.

Furthermore, there is a need for workplaces to promote caution and awareness towards potential cybersecurity threats, particularly those that come through emails. Hedges recalls an incident at her former workplace where a cyber attack occurred due to an employee interacting with a malicious link. It is essential for organisations to create a culture that encourages vigilance and provides training on identifying suspicious emails and other potential threats.

In conclusion, the threat of cyber attacks is ever-present in today’s digital world. Human cognitive vulnerabilities are exploited by cyber criminals, and it is vital to address this issue through industry collaboration. Individuals must be cautious about the information they share on social networks, as attackers can use personal data for malicious purposes. Additionally, workplaces should promote awareness and caution towards cybersecurity threats, especially those via email. Being alert and proactive is essential in combating cyber vulnerabilities and protecting personal and organisational data.

Prof. William H. Dutton

The discussions focused on important themes such as cybersecurity and cognitive biases, highlighting several key points and arguments.

One significant issue that was discussed is the confirmatory bias, which is the tendency for individuals to believe information that confirms their existing beliefs. It was emphasized that this bias can be exploited, as people are more likely to accept and share information that aligns with their preconceived notions. This poses a challenge in combatting misinformation and propaganda, as individuals tend to seek out information that reaffirms their own opinions.

The emergence of cognitive politics was identified as a consequence of cognitive warfare. It was revealed that in the past, attitude shaping was common, but now the focus has shifted towards shaping beliefs about a particular subject matter. This manipulation of beliefs through cognitive tactics raises concerns about the trustworthiness of information on the internet and its impact on society.

Blaming users for succumbing to cyber threats was strongly argued against. It was emphasized that blaming individuals solely for falling victim to cyber attacks absolves others who are involved in cybercriminal activities. Instead, open communication and collaboration were suggested as necessary approaches to rectify and avoid future issues. By discussing suspicions or experiences with phishing or scams, people can collectively learn from each other’s mistakes and work towards a safer online environment.

The adoption of a cybersecurity mindset was identified as an increasing trend among internet users. There is a growing awareness of the cybersecurity implications of every action taken online, as people are becoming more conscious of the threats and seeking to protect themselves. This shift in mindset is encouraging and demonstrates a proactive approach towards personal cybersecurity.

Addressing cybersecurity threats was viewed as an ongoing process that requires an ecosystem-wide approach. It was recognized that everyone, from the top to the bottom of an organization, has responsibilities towards cybersecurity. This highlights the need for collective efforts to ensure a secure online environment.

Psychologists were seen as playing a significant role in cybersecurity by educating users about their psychological tendencies. It was noted that human bias and the tendency to confirm existing biases play a significant role in the propagation of misinformation. Therefore, educating individuals about these biases can help them recognize and mitigate the impact of these tendencies on their online behavior.

While acknowledging the positive aspects of social media, such as networking and information exchange, it was suggested that more support should be given to smaller organizations and individuals outside the corporate sector. Data showed that smaller organizations and individuals in non-corporate sectors did not receive as much support as larger organizations and SMEs. Addressing this disparity in support is crucial to ensure that all entities have the necessary resources and knowledge to protect themselves online.

In conclusion, the discussions highlighted the need for individuals to take an active role in ensuring cybersecurity. The confirmatory bias, cognitive politics, and the importance of a cybersecurity mindset were all significant points of focus. Open communication, collaboration, and the involvement of psychologists were recognized as important measures in combating cyber threats. Notably, addressing cybersecurity challenges was seen as requiring a collective effort that involves individuals, organizations, and society as a whole.

David Chow

David Chow, an experienced IT expert, provides valuable insights into the complexities of cybersecurity, with a particular emphasis on the human aspect. He highlights the challenge posed by the human factor, stating that while technical aspects such as patching and network assessments can be effectively managed, the human element presents a bigger challenge. Exploiting cognitive vulnerabilities, such as appealing to emotions or curiosity, can be a significant avenue for cyberattacks.

Chow gives an example of potential scams that exploit human nature, such as seeking donations or manipulating curiosity. This underscores the need for individuals to be vigilant and aware of these cognitive vulnerabilities to prevent falling victim to such attacks.

Furthermore, Chow discusses the importance of background checks and personal security measures in mitigating cognitive vulnerabilities. Drawing from his experience at the White House, he explains that extensive background checks, FBI reviews, and financial assessments are crucial in making informed decisions and minimizing risks associated with those who may exploit cognitive vulnerabilities.

Regarding news consumption, Chow observes a clear pattern where different political administrations tend to prefer news channels aligned with their political ideologies, demonstrating confirmation bias. During Republican rule, Fox News, a conservative news channel, is the preferred choice, while CNN is commonly watched during Democrat rule. This highlights how political biases can shape news consumption and potentially influence public opinion.

Addressing user responsibility, Chow argues against solely blaming IT professionals for cybersecurity breaches. He conducted a phishing exercise that revealed the need for users to be more vigilant and take responsibility in ensuring cybersecurity. He emphasizes that everyone plays a role in cybersecurity and that it is a collective effort.

Chow also warns against excessive sharing of personal information on social media, as it can make individuals vulnerable to frauds and scams. He shares a personal experience of receiving a fraudulent text asking for an Apple gift card, which targeted him based on the information he had shared about his new job on social media. This highlights the importance of exercising discretion and being mindful of the information shared online.

In conclusion, Chow’s analysis underscores the multifaceted nature of cybersecurity, highlighting the need to address the human aspect and cognitive vulnerabilities. Measures such as background checks and personal security are essential in mitigating risks. Awareness of confirmation bias in news consumption and the importance of user responsibility contribute to establishing a strong cybersecurity culture. Lastly, his experience with social media scams serves as a reminder to exercise caution and respect individuals’ privacy when sharing personal information online.

Philippe VALLE

The analysis highlights several key points regarding cybersecurity and social engineering. One important aspect is the prevalence and impact of attacks based on human vulnerability, commonly known as social engineering. Attackers exploit the information available on social networks to gain the trust of their victims. This underscores the need for awareness and education to combat social engineering attacks. The analysis suggests that training sessions within companies could play a crucial role in educating individuals about social engineering techniques and how to identify and avoid falling victim to them.

However, it is also mentioned that blaming the user for cybersecurity breaches is counterproductive. Human error is an inevitable factor in any system, and it is unrealistic to expect individuals to be perfect in preventing all cyber threats. Instead, it is argued that a system-based approach should be adopted to address the root causes of cyber attacks. This observation underscores the importance of having robust cybersecurity measures in place, such as implementing multi-factor authentication and regularly updating access management policies.

The analysis further suggests that companies should establish quick incident reporting systems to effectively respond to cyber incidents. Time is of the essence in handling incidents, and prompt reporting can enable response teams to address the issues in a timely manner. This recommendation aligns with the notion that incident management should prioritize quick reporting and response rather than focusing on blaming individuals.

When it comes to application design, the analysis emphasizes the need for a balanced approach that considers both security and user-friendliness. Applications that are too difficult to access or operate may be bypassed, while those perceived as easily accessible may be seen as weak in terms of security. Therefore, application designers should aim to strike a balance between ensuring the security of transactions and providing a user-friendly experience.

Regarding data and application access, the analysis highlights the importance of clear and strong access management policies that focus on segmentation or zero trust. Defining who has access to what in terms of applications and data is crucial in controlling security, and monitoring access levels is considered good practice. Additionally, the implementation of multi-factor authentication is seen as crucial for organizations to enhance security and prevent unauthorized access. These measures can significantly contribute to safeguarding sensitive information.

An additional noteworthy observation is the need for regular updates to access management policies when people change roles within a company. As responsibilities change, so should access rights, ensuring that individuals only have access to the data and applications necessary for their current position.

In conclusion, the analysis highlights the significance of addressing social engineering attacks, the importance of implementing robust cybersecurity measures, the need for quick incident reporting systems, the balance between security and user-friendliness in application design, and the crucial role of access management policies and multi-factor authentication in maintaining data security.

Session transcript

Speakers: Philippe Vallee, Executive Vice President, Digital Identity and Security, Thales; Lucy Hedges, Moderator, Technology Journalist and TV Presenter; Professor William Dutton, Martin Fellow, Oxford University’s Global Cybersecurity Capacity Centre, Emeritus Professor, University of Southern California; David Chow, Global Chief Technology Strategy Officer, Trend Micro

Moderator – Lucy Hedges:
Getting that selfie in there David, I like that. Hi everybody, it’s great to be back on stage here at the Global Cybersecurity Forum on Day 2. I hope you’re all having a fantastic day so far and after Day 1, I don’t doubt for a second that today is going to be another brilliant day of informative and insightful discussions like the one we’re about to have on stage right now. So in today’s interconnected and digital world, the threat of cyber attacks is larger than it’s ever been before, I don’t need to tell you that. And what makes this subject particularly intriguing is that it’s not just about technology, it’s about human nature as well. So we’re going to unravel the mystery behind why humans often fall prey to cyber attacks from phishing emails and social engineering, there are countless tactics that cyber criminals employ to exploit human fallibility and our cognitive vulnerabilities as a clear point of weakness in cyber systems. And my brilliant bunch of esteemed panellists are going to explore the elements of human error and shed light on the psychological factors that make us susceptible to these kinds of attacks while offering insights into the potential benefits of industry-industry collaboration and how we can better protect ourselves and ultimately reduce cyber vulnerabilities to create a more secure cyberspace for everyone. We’ve got a diverse range of experts with various backgrounds, so I don’t doubt for a second that this is set to be a very insightful conversation. So Philippe, Gareth, Bill, David, how are you? Great. Thanks, Lucy. Excellent. Very well, thank you. It’s good to have you. 
So I think a great place to start would be by really setting the scene. Let’s kind of paint the bigger picture by asking what are cognitive vulnerabilities in the context of cyber security, and how do they differ from technical vulnerabilities? And anyone can grab that one first. Don’t be polite.

David Chow:
Sure. I guess I can start since everybody’s looking at me. So my name is David Chow. I want to share a little bit about my past experience working as an IT practitioner. I worked in the U.S. government for 20 years, and also working at the White House for President Bush and President Obama. And coming from an IT practitioner standpoint, that I can handle all the technical aspect from the technical vulnerabilities, your patchings, your exploits, your network assessments, anything related to that. But the hardest part to defend is actually the human aspect. The human aspect in terms of every day, everybody goes through on a daily basis, they have their daily motions, you have your kids that you have to take care of. You may feel up, you may feel down, but because of that daily changes, you may click on something that you typically don’t click on. Or somebody could potentially try to exploit your softer side. Somebody could be saying that, try to appeal to your nature and say, hey, we’re seeking for a donation. We’re looking for this. Would you mind help us with something like donating certain money? So you click on the link out of curiosity, and then all of a sudden that creates some sort of cyber attack. I want to share very quickly about an example. It’s not entirely related to cybersecurity, but it’s definitely focusing on cognitive vulnerability. When I was working at the White House, we had to go through an extensive background investigation. Obviously, you’re serving the president, you have to do that. We also have to go through… FBI reviews, personal interviews, neighbor interviews, as well as going through your assessments of your financial background. The whole concept there is actually to ensure that there is not a level of cognitive vulnerability. So you’re making the right decisions, you’re not hanging out with the wrong crowd, you don’t have large sum of money coming in, or you’re not incurring any debt. 
So that in a way, it’s more from the physical personnel security standpoint, but it’s actually tie into the cyber as one enhance on practice and better cyber maturity.

Moderator – Lucy Hedges:
Thanks, David. Anyone want to add anything to that?

Gareth Maclachlan:
Yeah, I’ll add a bit. So just to kind of give you a little background, Trellix was the merger of FireEye and McAfee that we brought together about a year or so ago. And we cover about 45,000 enterprises across the globe, a lot here in the kingdom. One of the things that we see is always the attack and really the attempt to exploit the human part of it really focuses maybe on kind of three things. It focuses on familiarity. Does it look like something a user is used to doing? Is there a sense of urgency, something which is like forcing you to make a decision faster or behave in a way that you wouldn’t normally do? Is there a personal cost? Maybe it’s a corporate cost, maybe it’s a personal cost. For example, if I look at my own email that comes to me personally, I seem to have an addiction for buying antivirus software. I must sign up for a year’s worth of Norton antivirus at least once a week. So you kind of get this idea that you might have lost your own money, so you’re more likely to respond to it. And for us, try to understand those bits, see how attackers are starting to exploit them and get people to act almost against their better judgment because putting some of those stresses on them really gets to the heart of the human factor.

Philippe VALLE:
One point, these attacks based on people or let’s say human vulnerability are called also sometimes social engineering. By social engineering, you connect to social networks, which means that people often do not know the number of information they are releasing to the public by putting all their life on their social networks. Typically, one of the things that could be done in training session, for example, within the company is to explain to people how they could retrieve, for example, the stock of information that Facebook has on them, I should say Meta, has on them about their personal life. Because, I mean, those attackers are using that core information to attack and like was said previously and pretend that they know very well the person. So let’s be very careful about the level of information we leave every day on the different social networks.

Moderator – Lucy Hedges:
It really is quite unbelievable how many people don’t really realize that the information that they put out there, especially on social media, is so susceptible to these kind of attacks. You know, we’re under the impression that this data that was being owned by these big companies is potentially private, but, you know, these attackers are getting smarter and smarter by the day and being able to tune in to all these personal details is really quite mind-blowing. I know so many people that have been, you know, attacked by their personal information that they’ve put online and I think it’s important for us all to realize that living your life online is fantastic, but also be very selective about the kind of information that you put out there as well. So what about cognitive biases, guys? What does this mean and how does that affect our behavior online? Do you want to go for that, Bill?

Prof. William H. Dutton:
I think, you know, this might be a way of broadening the discussion a bit, because I think we usually mean by cognitive biases what psychological… predispositions do we have that could be played with by bad actors and I think or with information that they may have and I think that’s the general way we think about cognitive biases but I my own personal view is that I think more and more the biggest issue is confirmatory bias that is we all want to confirm what we already believe to be the truth and and this it applies to hacking I mean if we really want our printer fixed and we’re in an emergency and somebody approaches us and say hey I can fix your printer and log on here and whatever then you’re you want to believe that because it it meets a need I mean but I think in another way cognitive biases have a much broader it’s a very broad area that we’re talking about and I would I would link it right now to the the rise of what what I would call cognitive politics which is the it derives from the emergence of cognitive warfare in the sense that in earlier days we take up a propaganda and influence campaign and advertising shaping your opinion shaping your opinions about a person or a product or a thing and I think increasingly propaganda and influence campaigns are focused on challenge on shaping your beliefs so instead of shaping attitudes were shaping beliefs what is the truth so what is the border of this country what is the history of this person and so forth so that what that means is increasingly we shape where how people vote or how people side with different issues by shaping their beliefs about the whole subject matter. 
And so this is really a big issue where I think that, I don’t know if it’s too broad for this panel, but I think that we have to think more and more about cognitive politics because it undermines what we believe and it may undermine, you know, it may really harm trust in the internet and trust in information because we don’t know whether we’re being played by particular individuals or trying to shape what we believe rather than simply whether we’re positively or negatively disposed to a person.

David Chow:
Yeah, it’s enough to make you super paranoid, isn’t it? Can I give an example? Okay. So when I was, obviously I worked for three different presidents and when there’s a change in administration, you see that the television, the television news channel that the political appointee watch is actually different. So when Republican is actually in charge, you see Fox News. That’s conservative news, right? And then when you see Democrats, when they’re in charge, you actually see pervasively CNN. So that’s an example where they want to be confirmed of their viewpoints, these politicians or these political appointees. And that’s very interesting in terms of rather than looking from a broader point of view, they just want to confirm their own assumptions and be able to move forward with their assumptions.

Moderator – Lucy Hedges:
Yeah, absolutely. So let’s give a few examples now. You know, what are some of the most common types of cyber attacks? You know, we’ve touched on a few examples, but if you’ve got any more to add, I’m sure the audience will appreciate that. So what are the common types of cyber attacks or psychological tricks that attackers use to manipulate victims and, you know, obviously target these human cognitive vulnerabilities and why are they so effective? Go on, Gareth.

Gareth Maclachlan:
I’ll take that first of all. So one of the things I think it’s also worth thinking about is what’s the call to action that an attacker actually wants? You know, you can spend a lot of time thinking about, you know, how you might construct a phishing email, how you might influence someone and get them to respond to something. But you’ve actually got to get them to do something in order to have an effect. So it might be intelligence operations, as you say. It might be changing the way they think, changing the way they vote. That’s too big for me to worry about, right? You know, working in a cybersecurity firm, I care really about helping our customers keep their organization safe, keeping their citizens safe. And what we’ve seen is, you know, different waves of different attacks. So for example, there’ll be a lot which talk about VIP impersonation. You get a text message from your CEO saying, I want you to go and do something. You must go and do it now. That’s a great way to get people to respond because it’s a position of authority. But what does your CEO normally ask you to do? It’s kind of unlikely that he’s going to say, I need you to transfer money to this organization you’ve never heard of and isn’t set up in your systems. Our business practices go against that. So you don’t get people to act even though the authority is there. And your CEO sending you a text message and say, I want you to run down the road and go and buy some gift cards. That’s not usual either. So it doesn’t work. What does work are things like credential phishing. So we see a lot of campaigns really focused on people trying to get someone’s credentials because that’s the most valuable thing you can use as a way to go launch another attack. So we’ll see pop-ups pretending to be a log on for Microsoft or a log on for Cisco or log on for some other organization. That is quite effective. Very difficult to know what it is. You’re used to it. It’s familiar. It’s a usual action. 
And it’s incredibly valuable to the attackers. So those sorts of things go through. And then what we see is really people trying to bypass the natural kind of suspicion we’ve built up around email. We all know email is a bad thing, is dangerous. Our antenna are up, we worry about it, we’re gonna think twice before we click on that link. But if you’re working in finance, if you’re working in accounts, you’re working in an HR and an invoice comes through or a resume comes through a CV, well that’s usual so you’ll click on it. So we often think about it’s not just email or something was suspicious, what’s all the other routes in which you may be less aware of or less resistant to might come through.

Moderator – Lucy Hedges:
And it’s that familiarity isn’t it, that’s what really traps people. You know when I was working at the Metro newspaper, we got attacked because someone clicked on a malicious link and it was connected to work. I don’t think it was a CV, I can’t remember what it was, but this email went around and said you know this is happening, we’ve been attacked, so be more aware and just be a bit more cautious when you’re clicking on these links. And it’s a bit frustrating isn’t it, but you know we all have to be cautious, incredibly cautious, especially in a work environment.

Gareth Maclachlan:
We do, but just if I may continue, we also you know avoid blaming the user. Links are supposed to be clicked on. You know we’ve always taken the approach of think how, not who. If someone clicks on a link, well you can’t expect your employees to be perfect every time. You’ve got to ask how did the link actually get there, what failed to put them in that situation.

Moderator – Lucy Hedges:
So do you think this kind of blame the user mentality in cybersecurity is counterproductive, you know, in addressing these issues when it comes to cognitive vulnerabilities?

Philippe VALLE:
For me to be even blunter, every time a CISO or Chief Information Security Officer of a company runs an internal phishing campaign to test, there will always be a percentage point of the population which will click anyway. So you can train the people and so on. So for me, being the victim of phishing attack is not a human error, it’s a technical error. You should have a system, a technology and probably things need to be invented here, to be perfected, but it’s a system answer that we need to provide and not blame somebody for clicking on it. You can be tired, it can be the end of the day, you have been trained, but you are subject to error. That’s human beings.

Moderator – Lucy Hedges:
Yeah, yeah, absolutely. Anyone got anything to add before I move on?

Prof. William H. Dutton:
Well, I mean, I’m totally for this idea, because I think if you blame the user that you let everybody else off the hook. But you’re reminding me, think back to telemarketing. I mean, telemarketing had an economic model where they could send out tons of marketing material to tons of people, but they only needed a small fraction of individuals to be interested in that. And so you could never stop it, because the economic model of that was so successful. And I think it’s similar here where you may see an obvious phishing email in your inbox, and think you’re smart this time. But they send out this to so many people that it may hit another person at the wrong time for that person where they really want that, and it makes sense to them, because at that moment they are looking for this particular aspect or whatever. So even really very intelligent people in really great positions can be fooled by this. And that’s why I think one of the key issues is always to talk to people. If you think something might be a little funny about this, talk to the person next to you or talk to a friend. What do you think this is, a phishing email or whatever? If you have doubts, it probably is, and you should have… But, gosh, the president of a major corporation in the United States years ago, decades ago, clicked on the I love you virus, you know, the I love you. And so, I mean, he’s hitting himself, right? And he was, but he, at least he had the audacity to say, admit that he did this, it was stupid and whatever, but it hit him at the wrong time. He was busy, clicked on this, opened a link, and infected all of the systems in his corporation. So it’s, anyway, I think, don’t blame the user, but every time there isn’t a problem, you should let people know about it. If you suspect it, or if it happened, you should let people know about it so that it can be corrected. If you don’t tell anybody, it’s very hard to correct these problems.

Moderator – Lucy Hedges:
Exactly. And that’s a great rule of thumb. David, I can see you’re ready for the mic.

David Chow:
I just want to provide a slightly contrary view to not blaming the user. And this is based on personal practice. So I was a CISO for a financial regulator within the US, and we sent out this phishing campaign, right? This phishing exercise, basically, we sent an email saying that, you know, see what your colleagues are doing in the lunchroom. So people click on it, right? We sent it to executives, obviously the most high profile target, and then we sent it to everybody else. So the executive director and deputy executive director for the agency clicked on it. They’re the top two career individuals within the agency. So I asked the executive director, I said, why did you click on it? He said, well, you know, I was curious, right? And then I asked the deputy executive director, who’s actually very IT savvy, I said, why did you click on it? And he said, well, I clicked on it because I was curious, plus I know that you IT guys will take care of it if something happens. So I agree with Philippe, when he’s talking about that there’s technical errors, technical issues that we need to set as practitioners. We need to set the expectation. We need to provide the education. We also need to constantly ensure that our tools is catching ransomware attacks or some other attacks. But at the same time, it starts with everybody, right? Users need to take the mindset of being more vigilant. If we continue to say that don’t blame the user, so if something happens, we blame the CIO or blame the CISO, that’s not fair for the CIO or the CISO or the practitioners either. So I think cybersecurity actually starts with everybody. Perhaps you get one free pass, and there needs to be a level of expectation. But the bottom line is that it has to start with everybody.

Moderator – Lucy Hedges:
Go on, Bill.

Gareth Maclachlan:
I think one of the things that we need to start thinking about as an industry is we spent a lot of time doing phishing training, sending out phishing emails, encouraging people to say, did you click on it or not? Click on it. Ooh, tick. Yes, good. You got it. You found the right thing. There’s a little research now, which is almost starting to suggest that that is training people the wrong way. People are starting to feel like they know what the risk is, and they’re missing things. We’ve been doing some experimentation with, yeah, guess what, AI and LLMs to start looking about can you actually generate personalized training? To your point earlier about the social media information, can you go and create a targeted email to train a user based upon information you know about them? And the second bit for me is whilst we tell people, good job, you caught that phishing email, what we tend not to do as organizations is actually also call out when people find real attacks that have come through. You’re encouraged. You see an attack. You think, I’m not sure about this email. I’ll report it to the IT department. The IT department will come back a little bit later and go, yeah, we investigated. Yeah, that was bad. Well done. That’s it. But actually starting to maybe… report to the company as a whole, this month these individuals found these things and kept us safe. You start to encourage that almost kind of behavioral norm of getting people to actually recognize that security is owned by everyone. My comment around don’t blame the user is you don’t want people to feel that if they do inadvertently fall foul of something, that is necessary weakness. You’re right about they’ve got to keep the antenna up, but trying to find that balance and kind of call out successful activity, successful steps, rather than just punishing negative is always good.

Moderator – Lucy Hedges:
Yeah. Philippe, did you have something to add to that?

Philippe VALLE:
No, but it’s similar to what you just said, Gareth. I think instead of having this name and blame approach, which is counterproductive, I think the company should create a notion of the quicker I report this incident to the respond team. A fake or true incident, by the way, the better the security response team can act and address the question. So I think it’s very important that in any company you have an emergency number to be called so that you can report it as quickly as possible, because time is really of the essence. If we need to cut the server from the organization and so on, the response team can do it quickly if they know that something is happening.

Moderator – Lucy Hedges:
Yeah. Oh, go on, Bill, if you’ve got something to add.

Prof. William H. Dutton:
Just to say, just comment on, I mean, I don’t mean, yes, the user, first of all, all of us are users, and everybody from the top to the bottom of the organization and across society are internet users, 5.3 billion users in the world. And so I’m not going to let them all off the hook. I mean, the thing is not to pass on the blame to the user and not fix these issues that enable bad actors to get more access. But there is encouraging growth of what I would call a cyber, I wrote years ago about the need for a cybersecurity mindset among everyone, all users at all levels. And there’s really a lot of signs that that’s happening, that more of us, if I ask somebody over dinner or visit, you know, what do you think of cybersecurity? They’ll tell me what they do and what they’re thinking about and what kinds of emails they’ve gotten and how they protect themselves. This is the kind of thing that has to happen, that we all have to have a more of a cybersecurity mindset where we’re not thinking of doing this once a week or doing that when I’m told to by IT, but then every day that it’s just a normal habitual part of your life that you think through the cybersecurity implications of everything you do, whether you download new software or answer an email or what have you. And there are signs that that’s actually happening. But again, that’s the challenge of the whole ecosystem of cybersecurity, that we continue to build a cybersecurity mindset so that malicious actors have a much more difficult time stealing your information or informing you and misinforming you.

Moderator – Lucy Hedges:
So staying within the realm of this cybersecurity mindset, we’ve just discussed solutions or measures put in place by businesses to try and help detect and kind of counter these kind of attacks. But how can psychologists be brought into this conversation to help support efforts to detect and counter these kinds of attacks?

Prof. William H. Dutton:
Well, I’m not a psychologist, so I’ll answer that. First of all, you know, everyone wants to blame the technology. You’re getting disinformation because you’re in a filter bubble or you’re in an echo chamber caused by social media, are caused by the search engine that you’re looking at. Bull! This is not… You are the biggest algorithm, okay? You are the worst algorithm in the lot, because you’re the one who decides not to look at that, but to look at this, to watch a particular channel and not to watch contrary information. So you have to… Psychologists need to explain to users that they have often psychological propensities like confirming their existing biases, and they have to understand that. And if you understand that, gee, yeah, we all try to confirm exactly our political beliefs or what we want is that somebody loves me and I’m a whatever, then you will challenge that more often. You’ll try to diversify the information you see. You’ll try to find counter-information and look at the arguments of the opponents and so forth. So anyway, I think… But psychologists have to tell us about, you know, raise public awareness not about computing, but about ourselves, about what our propensities are in misusing computing. Yeah, go on, David. Is there a way to use psychology to make people not to use social media? Social media is fantastic. Eighty percent of the people in Britain use the internet. Eighty percent of the internet users use social media. It’s fine. It is… But it’s demonized. And I think what we need to do is try not to… Think about it. Even in cybersecurity areas. The internet is fantastic in terms of shopping, in terms of getting information. People believe, have confidence in what they can find online through search, for example, as much as they do in broadcast television news. And I don’t think they’re wrong. But I think we’re in a time frame in which we’re demonizing all media, but I get it. 
You do see examples of bad use of social media and bad actors on social media. Good practice, people creating private social media groups on WhatsApp, things like that. People are responding to that, adapting to it. And don’t throw away what is really valuable, networking people. Social media allows you to source the people you want to talk to and not to rely on just the people in your office, just the people in your home, just the people in your school. Extremely valuable.

Moderator – Lucy Hedges:
Yeah. Go on, Philippe.

Philippe VALLE:
My two cents of psychology here is also to really work on the balance between security and user-friendliness. Because people tend to, if the application is too easily accessible, whatever the application, it’s weak. If the application is too hard to access or to operate, then people will try to bypass. That’s a two cents. That’s a standard psychological behavior. So what is important, I would say, when we design an application as a company, as a product, when we put an application on the market, it’s important that we think about the usability, the user-friendliness, the way it will interact with the people. Obviously, a higher level of security will be required if the transaction at stake is important, but let’s make sure that we always find that right balance between security and user-friendliness.

Moderator – Lucy Hedges:
Yeah. Yeah.

David Chow:
I do want to demonize social media. Sorry, as a practitioner, this is what I have to say. I do, I’m not faulting that people use their, what they need to use to put their personal lives out there, put their professional lives out there. I don’t have social media account except LinkedIn. And I thought that I was safe, right? I don’t have anything, nobody’s stalking me. So, two weeks after I started working at Trend Micro, I got a text from the CEO. Or you mentioned that the CEO was asking for a gift card, Apple gift card, and she said that she’s at a conference. She just doesn’t have time to talk. Her minutes is running out. So, I was like, okay, so I just interviewed with the CEO. She just brought me on board. What do I do? So, what I did was, I thought this must be fraud, but there’s also inkling that this may happen because she travels quite a bit. I call her assistant, and it’s actually because she’s overseas. I was in the US, she’s in Taiwan. So, it was three in the morning. The guy was upset. The guy basically said, yeah, she’s here. She’s not traveling. So, I realized, okay, I made a mistake in terms of getting into believing that this could be possibly true. And I didn’t put anything on social media except that I started my job at Trend Micro, right? So, I think in a way that people are looking for, bad actors are looking for ways to get whatever information. And when we talked about using AI, we talked about social engineering, the more information that you put out there about yourself, the more vulnerable that you actually become. So, yes, I’m not discouraging you from putting your information out there. This is who you are. This is what you want to do. But I’m just saying that you also have to be extra vigilant in terms of the issue that you may encounter. 
And also, at the same time, that from a practitioner standpoint, yeah, I mean, this is something that it’s actually frowned upon because somebody can actually use AI to create some sort of a personalized email or letter sent in directly to you, knowing everything about you, which making you to believe that this person is actually sharing the right information. So you’ll probably click on it. All you need to do is just click on something, click on the wrong link, and you can actually gridlock your entire environment. That’s why I’m demonizing the practice from the, more from the practitioner safeguarding standpoint. But if people wanna continue to use it, that’s their discretion.

Gareth Maclachlan:
Yeah, yeah. Go on, Gareth. I’m gonna go back to that kind of question around the role of psychologists, and particularly the role of psychologists in helping us understand the impact and understanding our own biases. I’m going to admit to maybe two of my own biases right now. The first one thing to me is, you know, when thinking about this panel and thinking about the questions, I was thinking about it really from my own fairly myopic view of keeping companies safe. So I was thinking about enterprise security, how do we do that, what do we do for employees? And it’s really, you know, I was last in the kingdom in 2014, 2015. You know, first time back in eight years. And the scale of digital transformation, the changes that have happened in the kingdom are huge. And so the first bit for me was realizing I was thinking about enterprise security. Suddenly you start thinking about what’s the role of trust and bias and kind of cognitive exploitation in a country like this, which is focused on digital transformation and what it means for citizens. You start to understand that there’s a much broader aspect that we need to go think about. So I think, you know, it’s the combination of, yeah, even us sitting up here as technologists, we think about systems, we think about our own little space, we forget to open our minds each time.

Moderator – Lucy Hedges:
Yeah, it’s kind of looking at it from a bigger picture point of view and all the kind of multifaceted nature of these kinds of attacks. And so time’s running low, so I’m just going to move on to the next one. I think maybe offering up a bit of advice might be quite nice. You know, how can organizations and industries collaborate to share insights and best practices when it comes to addressing human weaknesses? I’m sure the audience would be interested to hear from you guys on this. Anyone can take it.

Philippe VALLE:
Let me start here, if I can. So I would say this is this notion of segmentation. We have different name for it. The fact that we also call it zero trust, in the sense that you need to define with a fairly strong policy, who has access to what, in terms of application, in terms of data, in terms of you segregate really the different access levels. You monitor it, you check it. And this is a possibility, let’s say, to control, to control, let’s say, the level of security. Something that we will never say enough, implement every time you can multi-factor authentication. This is very, very strong advice. Simple technology, you would not imagine how many companies today don’t even have this kind of simple measure in place for all the application, whether you access them inside or outside. And again, this policy of access management needs to be updated, because I mean, when people are changing job within the company, they are also changing responsibility, so this needs to be updated. It’s fastidious, it’s heavy, but it’s usually a good practice to have.

Moderator – Lucy Hedges:
Yeah, yeah, brilliant advice there. Go on, Gareth.

Gareth Maclachlan:
For me, I’d say there’s three things that I would usually say when I’m talking to a CISO. I mean, first of all, I think it’s that concept of how, not who. So when an incident does happen, you don’t blame the user, you focus on what failed in the systems and the processes and the controls that got there, and you learn from that. The second bit for me is actually celebrating or publicizing when an employee actually does report something correctly, because it starts to reinforce, but that’s the behavior that’s expected. You want people to protect the organization. We all have a duty to do that. But third for me, I mean, everyone in this room is very familiar with thinking about risk and about controls and manage that and identifying that’s the one place that I do see as an industry we’ve tended to maybe ignore or not think about the risk quite so much is some of the business applications that we’re starting to adopt, particularly hosted software as a service as applications, whether those are finance systems, HR systems, customer care systems. We’ve seen so many organizations actually being compromised because a customer has or a customer has uploaded a file which is supposed to be something that affects sending through, or an individual has made a loan application through a banking portal and what they’ve uploaded is a hostile file. Yeah, so being able to scan and do the same checks on all applications as you do on email is one thing I’d always call out. Yeah, you guys have anything to add? Go on, David.

David Chow:
From my perspective, one is that you have to have the visibility of your risks. That is, you don’t know what you don’t know. But what’s critical is that you need to know what’s going on within your environment so that you can start quantifying their risk level and then prioritize what needs to be addressed, but then also focusing on people, process, technology. I know I sound like IT practitioner, which I’m very proud of it, but you know, set aside the technology aspect you hear a lot from various vendors. I’m part of the vendors community, but the bottom line is that people process is actually the, you could be a strength, it could also be weakness that one needs to explore to make sure that proper education, proper expectation. But at the same time not having the proper process procedure lay in so that people can really build a cyber awareness culture, I think that’s that’s what’s so critical within the environment. You know, I agree with the panel members here that, you know, there is a lot of, you know, blaming the users in a way that I think everybody should be on the hook. Perhaps setting the right expectation, but then after the expectation has been set, focusing on, you know, everybody needs to be vigilant and protecting the environment.

Moderator – Lucy Hedges:
Yeah. Absolutely. Bill, final words from you.

Prof. William H. Dutton:
One thing that probably should be said is we did a global survey of people recently about whether they had more cybersecurity problems working from home or working in different locations and so forth. And we found out that actually working at home wasn’t a problem. Most organizations are set up to support remote working and they have a variety of strategies and we asked people whether their corporate or organization or institution supported like their own laptop from the company. Do they use multi-factor authentication and so forth? We are surprised most companies and most organizations are providing a lot of support so that people can work almost anywhere at any time within a safe environment and they have relatively few problems. But in the very smaller, the smaller organizations and with individuals that are outside the corporate sector, if there’s something that can be done to support those smaller organizations and I don’t, but in terms of those in sizable, in small and medium sized enterprises even are fairly well protected and they, companies are doing a pretty good job actually, pretty good security in a sense.

Moderator – Lucy Hedges:
Yeah. So on that note, that brings us to the end of our conversation. Please give a well-deserved round of applause to my excellent, all knowledgeable panelists Philippe, Gareth, Bill and David. Thank you for a brilliant and insightful conversation. It’s great to pick your brain. So thank you. You’re welcome.

David Chow: speech speed 197 words per minute; speech length 1660 words; speech time 506 secs

Gareth Maclachlan: speech speed 202 words per minute; speech length 1827 words; speech time 542 secs

Moderator – Lucy Hedges: speech speed 201 words per minute; speech length 1125 words; speech time 336 secs

Philippe VALLE: speech speed 157 words per minute; speech length 812 words; speech time 311 secs

Prof. William H. Dutton: speech speed 151 words per minute; speech length 1805 words; speech time 716 secs

It’s Over for Turnover: Retaining Talent in Cyberspace

Full session report

Dr. Almerindo Graziano

CyberRanges is a leading vendor of CyberRange technology that focuses on providing large-scale capabilities for experiential training and education in the cybersecurity industry. Almerindo Graziano, the CEO of CyberRanges, emphasises the crucial role of leadership, vision, and alignment with company values in ensuring staff retention. Graziano believes that when a company’s vision and values resonate with its employees, they are more likely to stay, leading to increased loyalty and a stronger team.

In addition to prioritising staff retention, Graziano is passionate about creating value rather than solely focusing on profit. He argues that companies should strive to provide value to their employees and society as a whole, rather than just pursuing financial gains. Graziano’s approach aligns with the principles of responsible consumption and production, as outlined in SDG 12.

The analysis also highlights a concerning gap in skills within the security sector. It argues that this gap exists because security education and training have become commodified, with a primary focus on profit rather than the quality of education and the skills imparted to students. The sentiment here is negative, indicating a concern about the direction in which security education and training have been heading.

To address this gap, the analysis suggests government intervention is needed to increase the accessibility of security education programmes. By starting these programmes in schools and making them more widely available, governments can help bridge the skills gap and ensure that security training and education are accessible to all, not just a privileged few. This approach not only supports SDG 4 (Quality Education) but also aligns with SDG 10 (Reduced Inequalities) by advocating for equal access to education.

Overall, the analysis highlights the importance of CyberRanges’ mission in providing large-scale experiential training and education in the cybersecurity industry. It emphasises the necessity of leadership, vision, and values alignment for staff retention. The analysis also sheds light on the need for a shift towards value creation rather than profit maximisation in the industry. Additionally, it draws attention to the commodification of security education and advocates for government intervention to ensure widespread access to security education programmes, promoting equality and reducing skills gaps in the field.

Oliver Väärtnõu

The analysis reveals key points about Cybernetica and the challenges in the cybersecurity industry. Cybernetica is known for creating mission-critical IT systems based on extensive research and development. They primarily serve governments and critical infrastructure providers. In the evolving cybersecurity industry, attracting and retaining talent is a significant challenge. The Estonian government’s investment in cybersecurity has intensified competition. Companies like Cybernetica are offering perks and aligning workplace values and missions to attract talent. Mismatch between words and actions can lead to talent loss. Creating a positive work environment and engaging employees in research projects contribute to talent retention. Estonia has tripled the number of people studying computer science, but attracting individuals to pursue PhDs remains challenging. Industrial degree programs are being established to bridge the IT skills gap. Successful cooperation between the government and the IT industry in Estonia is essential. Overall, Cybernetica’s expertise and the challenges in the cybersecurity industry highlight the importance of talent attraction, retention, workplace values, education, and government-industry cooperation.

Filippo Cassini

Filippo Cassini is the Global Technical Officer for Fortinet, a leading global cybersecurity provider with a wide range of products. His primary role focuses on serving larger, strategic customers and partners by offering top-notch solutions. However, one significant challenge he faces in his position is sourcing highly skilled talent from the market with a minimum of 10 years of cybersecurity experience. Once talent is acquired, retention becomes another obstacle for the company.

In order to attract skilled professionals, Cassini is open to forming partnerships in Saudi Arabia. By establishing collaborations in this region, Fortinet aims to tap into the talent pool and bring in qualified individuals to strengthen their workforce. This approach aligns with the company’s goal of achieving decent work and economic growth, as well as promoting partnerships for sustainable development.

The field of cybersecurity constantly evolves with the emergence of new technologies and business models. Staying up-to-date with these advancements is crucial for Fortinet. Cassini recognizes the challenge of keeping pace with emerging technologies and adapting to new business models. To tackle this challenge, the company understands the importance of involving and engaging their engineering team. By anticipating future developments and actively involving their engineers in decision-making processes, Fortinet ensures that they remain at the forefront of the industry.

Furthermore, engineers in the cybersecurity field prioritize work environments that are not only financially rewarding but also involving, engaging, and entertaining. Retention strategies implemented by Fortinet encompass investing in future technologies and creating an engaging atmosphere for their employees. By providing an environment that stimulates growth and innovation, they aim to retain their valuable talent.

In summary, Filippo Cassini’s role as Global Technical Officer at Fortinet involves catering to their strategic customers and partners with top solutions. The challenges he faces include sourcing skilled cybersecurity professionals, retaining talent, and keeping up with emerging technologies and new business models. The company’s strategies involve forming partnerships in Saudi Arabia, actively involving their engineering team, and creating an engaging work environment to ensure the long-term success of Fortinet.

Jess Garcia

In this expanded summary, we will delve into key points highlighted by several speakers. Oney Security, a leading service provider in digital forensics and incident response, is led by CEO Jess Garcia. Oney Security efficiently responds to incidents and effectively confronts adversaries in customers’ networks.

One notable aspect of Jess Garcia’s work is her active involvement in teaching at the SANS Institute for over two decades. Her teaching engagements have spanned various locations worldwide, showcasing her expertise and commitment to cybersecurity education.

Talent retention in the cybersecurity industry emerges as a complex issue that requires special attention. It is acknowledged that HR departments are designed to handle the challenges that come with managing a large workforce, particularly in large organizations. However, the solutions implemented for talent retention cannot be uniformly applied across the board, especially when there is a shortage of skilled professionals in the market.

Furthermore, the importance of tailoring retention strategies to suit the specific needs and stages of employees’ lives is emphasized. Retaining a 22-year-old employee may differ significantly from retaining a 35-year-old employee. Additionally, it is noted that motivation factors for cybersecurity professionals go beyond monetary incentives.

The necessity for tailor-made solutions is underscored, which involves focusing on knowledge growth and considering motivation factors beyond financial rewards. Recognizing this need, Oney Security has adopted this approach by establishing an oversized HR team and creating dedicated departments such as knowledge management.

Upon analyzing these key points, it becomes apparent that Oney Security, under the guidance of CEO Jess Garcia, is proactive in responding to incidents and threats in customers’ networks. Jess Garcia’s extensive teaching experience at the SANS Institute highlights her commitment to cybersecurity education.

Moreover, the complexity of talent retention in the cybersecurity sector is recognized, and the importance of personalized strategies is emphasized. Oney Security’s focus on knowledge growth and factors beyond financial motivation showcases their dedication to developing effective retention methods.

Overall, this expanded summary showcases the various perspectives on Oney Security, its CEO Jess Garcia, and the challenges and strategies associated with talent retention in the cybersecurity industry.

Orhan Osmani

In a panel discussion on cybersecurity workforce challenges, industry experts addressed the growing number of job opportunities in the field, with 5.5 million jobs currently available. Retaining talent has become a significant struggle for organisations due to the high demand for cybersecurity professionals.

Filippo Cassini, Global Technical Officer and Senior Vice President of Engineering at Fortinet, noted that the average industry retention rate is around 20%. However, some companies have successfully achieved a remarkably low 4% retention rate by implementing unique strategies. Sharing these successful approaches with others in the industry was also highlighted as important.

Almerindo Graziano, Chief Executive Officer and Co-Founder of Cyber Ranges, pointed out that smaller companies also face challenges in retaining cybersecurity talent, despite having fewer resources. They still need to find effective ways to keep their skilled professionals engaged and committed.

Jess, Head of Industry and Partnerships Center for Cybersecurity at 1E Security, shared insights into her company’s retention strategies. Although she did not disclose specific details, she acknowledged the value of a well-defined retention strategy tailored to the needs of the cybersecurity industry.

Oliver Väärtnõu, Chief Executive Officer at Cybernetica AS, emphasized the significance of fostering a collaborative and innovative work environment to retain employees. He stressed the importance of providing a platform for professional growth, teamwork, and knowledge sharing within the company. Väärtnõu also emphasized the need to avoid toxic work environments in order to create an atmosphere where employees feel supported and valued.

Akshay Joshi, Head of Industry and Partnerships Center for Cybersecurity at WEF, highlighted the need to address the demand and supply imbalance in the cybersecurity profession. He emphasized the importance of creating a compelling domain for professionals to attract and retain talent through enhanced education, training programs, and awareness campaigns.

The panel also discussed the role of governments and educational institutions in stimulating the supply of cybersecurity professionals. They debated potential actions that governments and education systems could take to encourage individuals to pursue careers in cybersecurity. While specific recommendations were not mentioned, the discussion underscored the importance of collaborative efforts between industry, academia, and governments to bridge the skills gap in the cybersecurity workforce.

In conclusion, the panel discussion provided insight into the challenges faced by organisations in retaining cybersecurity talent due to high demand. Strategies such as sharing successful approaches, fostering collaborative environments, and stimulating interest through education and governmental support were discussed as potential solutions. The panelists’ insights offered valuable perspectives on addressing cybersecurity workforce challenges.

Akshay Joshi

The analysis highlights several key points regarding talent management in cybersecurity. Firstly, there is a significant shortage of 5.5 million professionals in the cybersecurity field, which has grown by 2.1 million in recent years. This shortage underscores the urgent need for skilled individuals in this sector. The attractiveness of a cybersecurity career is driven by the potential for greater financial gain and exposure to different areas within the field.

Effective talent retention is crucial for success in cyberspace. A survey of leaders found that 60% view talent attraction and retention as the most important factor in achieving cyber resilience. However, retaining talent in cybersecurity is challenging due to the multitude of job opportunities available outside the industry. People leave not only due to organizational factors but also because of the vast opportunities for career advancement elsewhere.

Limited awareness about cybersecurity as a career option among non-technical individuals is a significant barrier to talent management. For instance, none of the 150 MBA students surveyed were considering a career in cybersecurity, highlighting the need to raise awareness and attract diverse talent to the field.

Recruitment practices also contribute to the talent shortage in cybersecurity. Job descriptions often require highly technical skills and entry-level certifications, making it difficult for newcomers to enter the industry. Misalignment between recruitment practices and the demand for cybersecurity professionals exacerbates the shortage.

Creating clear professional pathways and demonstrating job potential are essential for attracting and retaining talent in cybersecurity. By establishing progression routes and showcasing the numerous opportunities available, organizations can incentivize individuals to pursue careers in the field.

Additionally, prioritizing employee well-being is crucial in such a demanding industry. Burnout is common in cybersecurity and leads to high attrition rates. Providing support systems and prioritizing employee well-being can improve talent retention.

Implementing a widely accepted strategic cybersecurity talent framework is recommended. This framework would provide a cohesive strategy for talent management and help address the talent shortage. Adoption of this framework by the industry and government is critical for success.

Promoting diversity by design is also vital in cybersecurity talent management. By introducing gender diversity and reducing inequalities, organizations can build a more inclusive and innovative workforce.

In conclusion, the analysis indicates that talent management in UK cybersecurity is heading in a positive direction. However, challenges such as the talent shortage, limited awareness, misaligned recruitment practices, and employee well-being need to be addressed. By tackling these issues and implementing the suggested approaches, the UK can strengthen its cybersecurity workforce and effectively combat the growing threats in cyberspace.

Session transcript

Orhan Osmani:
and Chief Executive Officer, 1E Security. Dr. Almerindo Graziano, Chief Executive Officer, Co-Founder, Cyber Ranges. Oliver Väärtnõu, Chief Executive Officer, Cybernetica AS. Filippo Cassini, Global Technical Officer and Senior Vice President, Engineering, Fortinet. Akshay Joshi, Head of Industry and Partnerships Center for Cybersecurity, WEF. Orhan Osmani, Moderator, Senior Cybersecurity Coordinator, Development Sector, International Telecommunications Union, ITU. Thank you. Good afternoon, everyone. Thank you for joining us here today. And we have a great group of panelists here. We are different from previous panel, it was all female, now all male panel. So the topic is interesting. So we’d like to go straight away into the content of it. I just would like to start with a simple fact, which recently, like two days ago, ISC2 released a new report on workforce. And at this moment, we are at 5.5 million jobs available in cybersecurity. And this one creates another challenge for speakers here to retain their talent in their organizations. And to start with, I would just start with a question for all the panelists. I would like to take by order from Almerindo towards the end to Filippo. Just kindly to introduce yourself, your organization, what you do, and what are the challenges currently you face in brief, and then we can go to the rest of the questions. Almerindo, floor is yours. Thank you, Orhan.

Dr. Almerindo Graziano:
My name is Almerindo Graziano. I’m the CEO of CyberRanges. We are a vendor of CyberRange technology, which is specialized in experiential training and education. And we deal with the challenge of providing large-scale capabilities to develop the experience and the professionalism of the young and current generations.

Jess Garcia:
Hello, everyone. I am Jess Garcia. I am the CEO of Oney Security. We are a service provider in the digital forensics and incident response side. What basically we do is threat adversaries in our customers’ networks. And whenever there is an incident, we respond to those incidents in the most efficient way possible. I’m also an instructor with the SANS Institute. I’ve been teaching for SANS for more than 20 years now, all around the globe. So it allows me to see the reality also of all the, let’s say, professionals, and in many cases, young people, who are trying to get a career in this space. So it’s a good balance for this conversation we’re going to be having.

Oliver Väärtnõu:
Hello, everyone. I’m Oliver Väärtnõu, CEO of Cybernetica, an Estonian IT powerhouse. We say that we create mission-critical IT systems. But before I talk a little bit about Cybernetica, what we do, and what kind of challenges we face, I’d like to thank the organizers, the site and NCA, for once again inviting me to this excellent forum on cybersecurity. And I really value the discussions that we’ve had here. But back to Cybernetica. So we say that we build mission-critical IT systems. And in fact, we have kind of three pillars that are really important for us. The foundation of our work is actually research and development. We really commit our organization to do a lot of work on cybersecurity, on information security, and basically, with that, building our expertise in the domain and pushing the domain forward. Secondly, we build systems for our customers, mostly mission-critical systems, mostly for governments or national critical infrastructure providers. And thirdly, we also provide cybersecurity services in order to help our customers to understand whether their systems are resilient and secure. And yeah, of course, we are facing a lot of challenges when we’re talking about talent attraction and retention. This is a very, very highly evolving industry, and especially in Estonia, where, as our president mentioned yesterday, the cybersecurity budget is growing by the government, I think in the last two years, five times. If you look at the increase of, for example, venture capital into Estonia in order to attract talent, then we are, in fact, operating in a super-competitive environment and have to survive there and have to find our way there.

Akshay Joshi:
Hello, my name is Akshay Joshi, and I lead the broader operations of the Center for Cybersecurity at the World Economic Forum. I feel very privileged to have an opportunity to share some thoughts on the topic today, which is incredibly important, one that we need to address together. We publish the Global Cybersecurity Outlook, a flagship report each year at the World Economic Forum Annual Meeting in Davos. Last year, actually this year, in 2023, when we published it, 60% of leaders that we surveyed came forth and said that they view talent, attraction, and retention as perhaps the single key, most important factor towards cyber resilience. Add to that, Orhan mentioned right now that there is a shortage of 5.5 million professionals. It’s important to state that last year, ISC2 shared a number which was 3.4 million. So if we do the math, that number has grown over a period of year by 2.1 million. The shortage is massive, and therefore it generates a supply and demand asymmetry. As long as there is a supply and demand asymmetry, cybersecurity is very attractive for people in the field who continue to pursue opportunities for greater financial gain, and more importantly sometimes for exposure to different areas of cybersecurity. Obviously you want to have dynamic experiences if you’re progressing in the field. So in light of some of these challenges, it puts a disproportionate burden on retention because it’s not just, people are leaving not just because of what you are doing or not doing as an organization, but because the opportunity is so huge. My hope is though that at some point through the public-private efforts, we will be able to reduce this gap, and at that point, I think the single biggest factor that will keep us and be a determinant of how successful we are in cyberspace is essentially a focus on retention, which is what we’re going to be talking about today.

Orhan Osmani:
Filippo?

Filippo Cassini:
Yeah, so my name is Filippo Cassini. I’m Global Technical Officer for Fortinet. Fortinet is a global leading cybersecurity provider. We do have a large product range. We cover about 40, 45 different technology across our product line, and on my specific role inside the company, it’s essentially focused on our most large and strategic customers and partners, providing top solutions, things which are kind of cutting edge, and considering the span of technology for my company, the challenge is of course to be able to have access to the top people in the market. These people become available to our customers. I’m generally looking for people with at least 10 years of experience in cybersecurity, and of course, once I have them, retention becomes the next challenge, so thanks a lot for having me here. It’s really a pleasure to come and share, and I’m also looking at partnerships inside Saudi Arabia to be able to attract those talent in our company.

Orhan Osmani:
Thank you. Thank you, Filippo. I think I’m gonna go back again to you on a question. How unique is the retention challenge for cybersecurity domain compared to other industries? And considering the new technological developments and so on, as we know, the average of the industry is about 20%. We know some of the colleagues here that have good retention at 4%, and they need to share their secret recipe how they are doing that, but please, from your end, you have 150 staff in your technical team. What are the challenges, and how different are from other sectors? Thank you.

Filippo Cassini:
Yeah, so I would say, as you can see during this event, there’s a lot of discussion about emerging technologies, about what is the future, and that discussion actually forces a lot of interest and a lot of investment in those section, which in turn becomes startup companies. It becomes companies with new business models, with new ideas, and that has a kind of a tendency of attracting the top engineers, those that want to measure themselves and challenge themselves with the new stuff which is available in the industry. So for me, actually, the challenge is actually to preempt that kind of vision, be able to anticipate, and be able to involve my engineering team in what’s coming, something that kind of goes beyond sometimes the immediate interest of the rest of the company, which is, of course, focused typically in selling product. Because in general, engineers don’t only look at the salary, but they also look at how involving, how engaging, how entertaining the environment in which they are is, it is, right? So for me, that’s extremely important, to have a strategy, to work for a company that keeps investing in the future, keeps looking at what’s coming, so that the people inside of it is not just motivated by the revenue, but also by the technology that is coming in.

Orhan Osmani:
Thank you, thank you. Almerindo, your company is smaller than Fortinet. You face similar challenges. Maybe you can give us some insights.

Dr. Almerindo Graziano:
Actually, we are, I don’t know if we are lucky or good, because we actually have a very long tenure in our organization and we retain people very well. My feeling about the retention problem in cybersecurity, which is, I think, much greater than the other markets, because of security being such an important aspect of our life is that many organizations are… I’m sorry, I blame the leadership, as always we should do. And I believe the secret and importance is in leading and communicating the reason why we, as a company, exist and ensuring that we find people that are aligned with our vision and what we want to do. And as a company, our objective is not to make money. Our objective is to provide value. And then you need to find people that believe in that vision in the value that you want to provide. And then you’re gonna have some people that want to be aligned and believe in the vision of increasing the competence level in the world, the education. Some people want to defend the world. Some people want to provide attack tools and offensive tools. And I think it’s in this alignment that you find the strength and the retention, because if we just focus the retention on the financial value, then we compete with each other. But if we focus on the leadership, on the vision, on the value that we want to provide, it will be like auto-sorting algorithms that you see in programming, where people will start to see, okay, I like that leadership. I want to do that. I want to pursue that career. I want to be the best engineer, or I want to be the best trainer, or I want to be part of this team. And that’s where I think the leadership in a lot of organization is losing the focus, because they’re so driven by making money, which is ultimately, obviously, a byproduct of running a business, that they forget the reason why they create a company in the first place. And people, often, the biggest reason why they stay in the organization is because they marry a vision. 
They marry the culture. And the accumulation of people that believe in the vision makes it much harder then to leave the company, because then you don’t only live in the vision, but you live in a group of people that all believe in the same thing. And I think that’s the secret.

Orhan Osmani:
Thank you, Al. And I have a next question, but, basically, you have touched upon it, so I would like to address it to Jess. Maybe just continue where Al left it, because he opened it very well for you. What are the strategies? How do you do on your end? And so maybe you can share that recipe as well, like Almerindo, the 4% retention rate, which you have it in your company, would be a great story. Thank you.

Jess Garcia:
Thank you very much. I would like to make a differentiation, as we here all come from cybersecurity companies. Obviously, we are biased, right? Obviously, many of you are from other industries, and you may wonder, well, what if my industry is not cybersecurity? So I will make a differentiation. First, I will talk a little bit of how we see things, and then I will try to put myself in the skin of other organizations out there which have the same problem, but are not cybersecurity-focused. So the first thing I think which is very important is to understand that this is a very complex problem. We try, and our HR departments are designed to deal with large amounts of people, especially for large organizations, right? And they need, because of the size, because of how they are structured, to have a homogeneous process for all of them. What is the problem? When we come to a specific area, it may be cybersecurity, but it may be other areas where you don’t have so many people available in the market, you cannot apply the same solutions. And I think that’s the biggest problem we have, large organizations have for retention. If you try to apply the same policies for, let’s say, individuals who are in high demand, you’re gonna be failing, right? So that’s the first step. How do you solve that problem? The first thing is try to build a tailor-made, let’s say, suit for that collective. One of the things is exactly what Almerindo was saying. You need to motivate them. One of the most important things to understand in the cybersecurity sector is that individuals are not motivated by money, most of the times. Second is there is a difference between the different stages in their lives, and it’s not the same trying to retain someone who is 22 than someone who is 35, right? It’s gonna be a very different retention strategy. And you need to understand all these things. 
What we do specifically in my company, we’ve created, our company has, for instance, I don’t know the statistics, it probably is a very, very oversized HR team to be able to do that retention policies. We have created departments like knowledge management to make sure that they are motivated. They all the time are challenged to get more knowledge, which is one of the things that motivates all of us in the cybersecurity industry. Become a better professional. Tackle more complicated things. Those are the things that are gonna be motivating and retaining your talent. If your process is done, contemplate these specific things, unfortunately, you will not be able to retain them, okay? So my first advice would be, we need to adopt a posture where we focus on the policies that will retain those specific communities, and we make them, as Almerindo was also saying, a leadership thing, right? Because otherwise, HR will just do their jobs, and that’s not gonna be enough.

Orhan Osmani:
Thank you, Jess. Oliver, I think I would like to follow up on what we are discussing here, maybe to add, this is what management can do to provide platform for people to grow inside the organization. But when you provide the platform, how the teams inside do innovation, teamwork, how that one changes the momentum in the company in terms of helping people to stay in the company? Because for sure, you don’t want to work in toxic environment. You want to work in an environment where people work together and share. How do you do that in your company?

Oliver Väärtnõu:
Yeah, first of all, I want to kind of give you a background a little bit about Estonia and the rate of transformation. So ever since Skype was sold to eBay and Microsoft, Estonia has been kind of quoted as the unicorn country in the world. And that has basically created a super competitive environment for talent. As, again, our president said yesterday, we have eight unicorns coming out of a country which is most per capita in the world. And Cybernetica is not a unicorn, but nevertheless, we have to compete in this market. And we have to also service our government and service our e-government ecosystem in order to protect it. So basically, we’ve been pushed a lot by our startup sector, actually, to take on a lot of the schemes for retention and attracting talent. When I came to Cybernetica, that was 10 years ago, the things were not that competitive. But nowadays, we have to offer all kinds of perks to people because they think that if you work in Bolt or Wise or Microsoft, you expect the same thing to get also from Cybernetica. So we’ve done all that. And then we’ve also worked a lot on our values and on our core proposition to people. So why are we here? What is our mission? What are we doing? So we want to create a better world, a safer cyberspace. And we have to, like was said in the previous channel as well, we have to follow our actions through, actually. So these values, that is super important. When people nowadays see that you are talking one thing and doing another thing, then you’re starting to lose a lot of talent. What else we have done is we’ve started to look at how to bring interesting projects to people. Like I mentioned, we have one arm research, one arm development, third arm cybersecurity services. And nowadays, we are creating these cross-functional, cross-discipline teams inside Cybernetica to work on research topics, applied research topics. 
Whether it’s in the usage of AI for cybersecurity, whether it’s applying post-quantum encryption to certain, for example, electronic identity technologies, or whether it’s securing AI. So we offer people to work on research projects, to take away from their day-to-day jobs to work with top researchers and also top universities to find a little different way to their day-to-day jobs. This is not for everybody, but this is definitely something that these smart, ambitious people that Filippo was also referring to are actually looking for. And once they’ve done that, they can continue or move back to their day-to-day jobs and work there.

Orhan Osmani:
Thank you, Oliver. Question for Akshay. You mentioned earlier, you mentioned we need to address the demand and supply asymmetry. What actionable measures can be taken to create the cybersecurity as a compelling domain for profession and so on?

Akshay Joshi:
Thank you very much. So you know, it takes me back. I went to business school in the UK, and a few months ago, I was actually back to interact with the students. Obviously, because I work in cybersecurity now, the topic moved towards cybersecurity and how it’s a promising domain. 150 students in the class, eventually you go for an MBA program, you have some amount of student debt, and you’re looking to land a promising career. If you took a guess, how many, what percentage of that group of 150 was considering a career in cybersecurity? Would there be any guesses? Zero. It was literally zero percent. And that’s the point. That you know, there is very limited awareness about cybersecurity as a career option for anyone who is not a technical expert. If you extend it further, and you speak to anybody in the cybersecurity industry, and you know, I mean, at the World Economic Forum Center for Cybersecurity, we have the unique privilege of speaking to some of the best minds in cybersecurity. Every leader has a lot of openness when it comes to hiring people from different domains. What happens when you get down to the job description? The job descriptions, essentially, are very technical in nature, and require certifications such as CISSP, CISM, and others, which an entry-level person trying to make a foray or a lateral move into cybersecurity cannot feasibly have because the way they are designed is they require a certain amount of experience. So we’re not putting money where our mouth is. We’re saying that we are open, we want to bridge that gap, that number keeps on going from 3.4 to 5.5, but at the same time, the approaches that we are taking to bring talent into the workforce are not, I wouldn’t say nobody’s doing it, but we’re not doing it at a scale that we can create opportunities for people. So at one level, there is a need for awareness. 
At a second level, there is a need for making sure that our recruitment practices are aligned, and eventually, we then need to go on to create pathways for people. And a lot of what my colleagues mentioned was about interesting opportunities. What happens once you enter the workforce? You need meaningful opportunities to be able to develop, and that’s the role of pathways over there. One of the other elements that I want to highlight is specifically around well-being. And that goes towards one of the strategic cybersecurity talent frameworks that we are developing at the Center for Cybersecurity at the World Economic Forum. The fourth element that we want to consider beyond what I spoke about is essentially well-being. This is an extremely demanding profession for anybody who’s gone through the ranks, and I think all my colleagues over here essentially have, can probably attest to the fact that this job comes with a lot of demands. How are we making sure that the people who are working in this domain have their well-being and interest taken care of? Mental well-being, I mean, a lot of people actually leave the industry because of burnout. So how are we creating the right mechanisms for people to join and thrive in the workforce is a big question for all of us. So for me, a strategic cybersecurity talent framework is essential, and it needs wider acceptance across government and industry as a whole.

Orhan Osmani:
Thank you, Akshay. I think, just I would like to ask the panelists here about what do you think about what governments and education can do about supply? Is there anything you can add on on that component? Do you think something can happen in the education industry or governments can do something to stimulate?

Dr. Almerindo Graziano:
Yeah, sorry if I may add. Yes, please. I think that one of the biggest problem that the gap, the skills gap exists today is because over the years, security education and training is become a business with the objective of making money. And we’ve lost sight of the value that it actually provides to society. So accessibility, I wouldn’t say commoditization, but definitely accessibility of educational program at university, starting from earlier age, even from high school or earlier, then university increases dramatically the uptake of security, the skilling. But if we live in a society where the training and education is only accessible to the few, then it becomes very difficult to then elevate the state of security and have more people involved in cyber security. And I would like to see more of that from the government. I can see how great activities being done in this country from that viewpoint. But across the world is not that common or not that accessible all the time. So that’s something that can really make a difference.

Orhan Osmani:
Thank you, Al. Oliver, you wanted to add?

Oliver Väärtnõu:
Yeah, so we have in Estonia together with the industry really worked in cooperation with the government in order to have more talent to be brought to the IT sector and the cyber security sector. So we have, in fact, in the last 10 years, I think tripled the amount of people that are studying computer sciences in the Estonian universities, both bachelor’s degrees, master’s degrees. We are having little bit of a trouble attracting people to do their PhDs in computer science because just everybody sees that it’s so much easier to work, that’s number one. Secondly, the community is constantly providing input into the curriculum. So what do we see, what do we want from the universities that these young people should be trained about? So we have actually every year discussions with our IT academies on what are the specific skills that we are looking for in addition to, of course, basic programming skills, math, et cetera, et cetera. And finally, in order to make this smooth transformation, we are putting a lot of effort actually into training programs and even doing industrial bachelor’s degrees, industrial master’s degrees, industrial doctorate degrees. So there is a very, very kind of intertwined community that is pushing this industry forward. And currently it’s working. We are having problems with these top people trying to attract people into doing their PhDs because working is very lucrative at that point in time. But it requires the government to be open and it requires the government to listen to the industry. And we have that trust.

Orhan Osmani:
Thank you, Oliver. I think we’re running out of time. If anyone has something quick to say.

Akshay Joshi:
I think the only thing that I’d like to probably add is that the kingdom is doing this extremely well, but I think there is an opportunity as we bridge this gap and that is to introduce diversity by design. So I’d really encourage us to think about that element as well.

Orhan Osmani:
Sure, thank you everyone. And thank you for listening to us. And if anyone wants to catch up with us, we can be around so we can talk to you. Thank you very much for applauding for the speakers. Thank you very much.

Akshay Joshi: speech speed 180 words per minute; speech length 1089 words; speech time 364 secs

Dr. Almerindo Graziano: speech speed 171 words per minute; speech length 735 words; speech time 258 secs

Filippo Cassini: speech speed 175 words per minute; speech length 443 words; speech time 152 secs

Jess Garcia: speech speed 182 words per minute; speech length 712 words; speech time 234 secs

Oliver Väärtnõu: speech speed 150 words per minute; speech length 1118 words; speech time 449 secs

Orhan Osmani: speech speed 190 words per minute; speech length 809 words; speech time 255 secs

Tech Transformed Cybersecurity: AI’s Role in Securing the Future

Full session report

Ken Naumann

The speakers in the analysis delved into the intersection of AI and cybersecurity, exploring various key aspects. They expressed concerns about the potential manipulation and poisoning of AI systems by hackers, which can have negative consequences. Hackers continuously find new ways to access AI and manipulate its data, resulting in erratic or even malicious behavior of AI systems. This highlights the alarming issue of AI systems becoming challenging to control once they have been manipulated.

The analysis also highlighted the regulatory challenges associated with AI technology. It was noted that regulations and standards for AI often struggle to keep up with the rapid pace of technological development. The adoption of generative AI has surprised the speakers considerably over the last year and a half, emphasizing the need for regulations and standards to effectively oversee and ensure the responsible use of AI.

The discussion further addressed the importance of establishing standards for the role of AI in cyber activities. The cyber community was urged to collaborate and develop these standards to effectively harness AI’s potential in enhancing cybersecurity, shaping the ethical and safe implementation of AI in the cyber domain.

Additionally, the analysis explored the significance of secure cross-border data sharing for improving AI. The speakers highlighted the role of data sharing, emphasizing the need to share data across country borders securely. This step would optimize AI capabilities and enable greater global collaboration in AI-driven initiatives.

The analysis also examined the role of leadership in determining AI’s responsibilities. It was agreed that leaders need to make careful decisions about when to entrust more responsibility to AI technology. Safety, honesty, and the protection of current job holders were stressed as paramount considerations when integrating AI into various sectors.

Moreover, the analysis discussed differing perspectives on the timeline and approach to integrating AI into various roles. While some individuals believed AI could take over the analyst role in a short period of three to five years, others argued for a more measured and gradual process.

An interesting observation was made regarding the evolving role of cybersecurity specialists. It was suggested that their responsibilities might expand beyond protecting the environment to include safeguarding AI systems. This evolution reflects the increasing significance of cybersecurity in the context of AI technology.

In conclusion, the analysis highlighted the potential risks and challenges associated with AI and cybersecurity. The importance of addressing the manipulation and control of AI systems, bridging the gap between regulations and rapid technological advancement, establishing standards for AI in cyber activities, and promoting secure cross-border data sharing were emphasized. Additionally, the need for careful decision-making by leaders and the evolving role of cybersecurity specialists in protecting both the environment and AI systems were discussed.

Moderator – Massimo Marioni

Title: The Critical Role of AI in Securing the Future

Summary: The panel discussion titled “AI’s role in securing the future” focused on the importance of leveraging AI to identify and address cybersecurity vulnerabilities in a constantly evolving online landscape. The panelists stressed the need for advanced systems capable of early risk detection and effective communication to individuals.

With the rapid pace of technological advancements, integrating AI is crucial in enhancing online safety. The session highlighted how AI can proactively identify and resolve security issues before they cause significant harm. Dr. Helmut Reisinger, CEO of EMEA and LATAM at Palo Alto Networks, provided impressive examples of how AI is currently being used to address cybersecurity vulnerabilities.

However, Ken Naumann, CEO of NetWitness, discussed the challenges of manipulative tactics used to exploit AI systems. Understanding these tactics is critical in safeguarding the integrity and security of AI systems.

Looking ahead, the panel discussed the potential of AI to make cyberspace safer. They emphasized the importance of talent development to further advance AI capabilities. As AI evolves rapidly, individuals must receive adequate training and education to keep up with developments in the workplace.

The panel also addressed the complex issue of global collaboration in establishing regulations for AI. Despite differing opinions on AI usage, finding a way to set regulations is essential. The example of Italy wanting to ban a specific AI technology highlighted the complexity of this challenge. The panel agreed that international cooperation is necessary to establish and enforce regulations across borders.

The session concluded with a discussion on striking a balance between promoting innovation and mitigating risks. The panelists, as senior leaders, offered insights on implementing rules to achieve this balance effectively.

In summary, the panel discussion emphasized the significant role of AI in identifying and mitigating cybersecurity vulnerabilities. It underscored the importance of talent development, global collaboration, and effective regulation to harness the potential of AI while managing associated risks. Safeguarding the future of digital security necessitates strategic implementation of AI technologies.

Sean Yang

The analysis focuses on the importance of AI governance and training in preparing for AI in the workplace. It emphasizes the need for different stakeholders to receive tailored training and awareness to effectively fulfill their responsibilities. This includes AI users, technical vendors or providers, government regulators, third-party certification bodies, and the public. Stakeholders must have a clear understanding of their roles and responsibilities in relation to AI.

Decision makers, such as executives who make policies and strategies, need to improve their awareness about AI and understand the risks associated with AI applications. A top-down approach to AI governance is often employed, where executives play a crucial role in making informed decisions. Therefore, it is necessary for decision makers to possess a comprehensive understanding of the risks associated with AI.

Furthermore, the analysis highlights the need to review and update traditional engineering concepts, such as software engineering, security engineering, and data engineering, in light of the rapid development of AI technology. The integration of AI into various industries necessitates the adaptation and improvement of existing concepts and practices.

The role of universities and educational institutions is also emphasized. It is noted that many universities still utilize outdated textbooks in their AI and software engineering courses. To bridge this gap and ensure that graduates have the necessary skills for the industry, universities should update their training materials and curriculum to align with current industry practices. This collaboration between industry and academia can help address the skills gap and ensure that graduates are well-prepared for the AI-driven workplace.

Another important point made in the analysis is that AI is a general enabling technology and should be viewed as such, rather than as a standalone product. The focus should not only be on AI technology itself but also on the management of its applications and scenarios. This highlights the need for AI governance to manage the entire AI lifecycle, from design to operations, to maximize its potential benefits and mitigate risks.

The analysis concludes with the assertion that AI is a people-oriented technology. It highlights the potential of AI to support and serve people, as well as the importance of AI governance in improving its applications. This perspective underscores the need for responsible and ethical development and deployment of AI to ensure positive impacts on society and individuals.

Overall, the analysis emphasizes the significance of AI governance and training in effectively preparing for AI in the workplace. It provides insights into the specific needs and responsibilities of different stakeholders, the importance of decision makers’ awareness of AI risks, the need to update traditional engineering concepts, the importance of collaboration between universities and industry, and the people-centric nature of AI. These insights can guide policymakers, businesses, and educational institutions in developing strategies and frameworks to harness the potential of AI while ensuring its responsible and beneficial use.

Helmut Reisinger

The analysis reveals several key points regarding the role of AI in cybersecurity. Firstly, AI is essential in dealing with the rapidly growing cyber threat landscape as it enables faster detection and response. Palo Alto Networks, for example, detects 1.5 million new attacks daily, and with the use of AI, the mean time to detect is reduced to just 10 seconds, and the mean time to repair is reduced to one minute. This highlights the significant impact that AI can have in combating cyber threats.

It is argued that reliance on AI for cybersecurity is inevitable due to the speed, scale, and sophistication of threats. In the past, the time between infiltration and exfiltration of data was 40 days in 2021, but AI reduced it to 5 days last year. It is believed that AI has the potential to further reduce this time to a matter of hours, demonstrating its importance in responding effectively to cyber threats.

Additionally, machine learning and AI are regarded as crucial for cross-correlation in cybersecurity. By cross-correlating telemetry data across various aspects such as user identity, device identity, and application, machine learning algorithms can provide valuable insights for detecting and preventing cyber attacks.

The analysis also highlights the need to consolidate security estate for end-to-end security. With around 3,500 technology providers and medium to large enterprises using 20 to 30 different security tools on average, the cybersecurity sector is currently fragmented. This fragmentation leads to a lack of intercommunication between tools, which hinders the effectiveness of security measures. Therefore, it is important to streamline and integrate security tools to ensure comprehensive and cohesive protection against cyber threats.

Challenges arise with the use of open-source components in coding. While open-source coding is prevalent, with 80% of code created in the world utilising open-source components, the presence of malware in just one open-source library can have a significant snowball effect, compromising the security of the entire system. This highlights the need for caution and thorough security measures when working with open-source components.

Furthermore, the analysis underscores the importance of considering regional regulations and governance in cybersecurity. While cybersecurity is a universal topic, different regions and countries may have varying standards and regulations. For example, Saudi Arabia has specific governance on where data needs to be stored. Adhering to and adapting to these regulations is crucial to ensuring compliance and maintaining the security of data.

The analysis suggests that convergence of global standards on cybersecurity, data governance, and AI regulation is expected in the future, although it may not happen immediately. This convergence would provide a unified framework for addressing cybersecurity challenges worldwide and supporting global collaboration.

Real-time and autonomous cybersecurity solutions are deemed crucial in the current landscape. As the time between infiltration and exfiltration of data shrinks, the ability to respond in real time becomes increasingly important. AI is seen as a prerequisite for highly automated cybersecurity solutions that can effectively detect and mitigate threats in real time.

It is highlighted that the effectiveness of AI in security is reliant on the quality of data it is trained on. Good data is essential for achieving the desired outcome of rapid detection and remediation. Therefore, organizations should ensure that they have access to the right telemetry data to maximize the effectiveness of AI in cybersecurity.

Policy makers are advised to encourage the growth of AI in cybersecurity while being aware of its risks. AI is a driver on both the cybersecurity and attacker side, with an observed 910% increase in faked/vulnerable chat websites after the launch of ChatGPT. Therefore, policies should address the potential misuse of AI while promoting its benefits in enhancing cybersecurity.

Lastly, the analysis highlights the interdependence of cybersecurity and AI for the safety of digital assets. Both are crucial for providing real-time cybersecurity solutions. However, the integration of AI and cybersecurity is necessary, as AI without cybersecurity or cybersecurity without AI will not be as effective in protecting digital assets.

In conclusion, the analysis emphasizes the importance of AI in addressing the growing cyber threat landscape. It provides evidence of AI’s effectiveness in faster detection and response, cross-correlation in cybersecurity, and the consolidation of security measures. However, challenges with open-source components and regional regulations need to be considered. The convergence of global standards is expected in the long run, but real-time and autonomous cybersecurity solutions are currently crucial. The quality of data used to train AI is essential for its effectiveness, and policymakers should encourage AI growth while mitigating risks. Ultimately, the interdependence of cybersecurity and AI is crucial for safeguarding digital assets.

Session transcript

Moderator – Massimo Marioni:
AI’s role in securing the future. Dr. Helmut Reisinger, Chief Executive Officer, EMEA and LATAM, Palo Alto Networks. Ken Naumann, Chief Executive Officer, NetWitness. Sean Yang, Global Cybersecurity and Privacy Officer, Huawei. Massimo Marioni, Moderator, Europe Editor, Fortune. Hello everyone. Hello everyone. Welcome to the panel titled AI’s role in securing the future. Now, in today’s world, where there are always new online dangers, we really need elite systems to warn us early about these risks. And technology is changing fast. So that’s why AI has become super important in keeping us all safe online. Now this session is all about how AI can fix and find online security problems and identify them before they cause great damage. So we’ll start off by asking Helmut, can you start by explaining how AI can be used to identify and mitigate cybersecurity vulnerabilities? And can you tell us about any cool ways that that’s already been done?

Helmut Reisinger:
Yeah. Good afternoon, everybody. As-salamu alaykum. I am representing Palo Alto Networks. We are a cybersecurity specialist. And just to give you one number, we are detecting every day 1.5 million new attacks that have not been there before. Newly individual identifiable attacks. This cannot be done by humans. So AI is part of the solution. And we have been doing AI machine learning for more than eight years now. We did not start when ChatGPT, the generative AI, was announced. And it’s built across our different platforms. And why is that important? Because we believe that the threat landscape that you are facing here in the kingdom, in the region, but also globally, and this has been shared since the morning, is actually exponentially growing. And AI brings three dimensions to it. It’s gonna be more speedy, or it allows for more speed on attack side. It allows for more scale. Ransomware as a service. Now you can even program it and get scale and speed. And it will allow for an even higher sophistication if you think about social engineering. And taking this together with the ingredients what drives the threat landscape that is exposing you as public organizations, as enterprises here in the kingdom, which is geopolitics is a driver. A driver is your supercritical infrastructure that you have here supplying energy to the world. It’s the AI and digital transformation that you’re having. And with that, we believe you need to leverage AI on that. And how do we do that? Is we combine telemetry data of security from firewalls, networks, the cloud assets, and we provide it then into security operation center solution that we provide. And that gives an outcome based on AI, which is basically 10 seconds mean time to detect and one minute mean time to repair. Because the topic is that the speed, the time between infiltration of an organization and exfiltration of data is shrinking.
It was about 40, I think I heard it in the morning as well, somebody said it was two months in the OT infrastructure people were wandering around. It was about 40 days, 2021. It’s been five days last year. And with AI, it’s gonna be a matter of hours. So in a nutshell, AI enables what we believe is the future, which is real-time cybersecurity and highly automated cybersecurity. Because we human beings, we cannot deal with all of that at the same time. A borderless space.

Moderator – Massimo Marioni:
So how AI can identify and nip these risks before they happen. Ken, on the flip side, what are some of the common tactics used to manipulate or poison AI systems that we need to be aware of?

Ken Naumann:
Yeah, I think many of the techniques being used now are really not that different from typical techniques that everyday hackers use, right? And what these criminal organizations are doing or nation-states that are pointed in the wrong direction are coming up with ways to access… Sorry, that’s a drone that’s going around. That came up in the last panel I did. Try to ignore it. Coming up with ways to access AI and poison the data. So creating situations where AI is starting to hallucinate, starting to actually act as a bad actor within an organization’s environment. And once that gets out into the wild, it’s really hard to bring back in. So as these organizations become more sophisticated and are able to access the data, controlling the AI and manipulating these models, you are going to start to see AI take on a life of its own that was deployed for the benefit of an organization actually turn against that organization. And hackers are currently working on that today.

Moderator – Massimo Marioni:
Now, looking ahead, what do you see as the future for AI making cyberspace safer, Helmut?

Helmut Reisinger:
Well, if I take into account… By the way, that’s a good example here. It’s a very noisy drone. That’s easily identifiable. If you have digital threats, they are not as easily identifiable. And this is why what we at Palo Alto always do is we cross-correlate with machine learning and AI. What do we cross-correlate? We cross-correlate telemetry data for cyber security, as I said, across firewalls, networks, cloud assets, and endpoints. And we cross-correlate the behavior, the user identity, the device identity, and the application. And out of this cross-correlation, which you need to do by machine learning and AI, then you can apply the right models and then you come to the outcomes of 10 seconds mean time to detect and one minute mean time to repair. So this cross-correlation is critical. And what we see, and I think this is for the whole of the cyber security industry that we are all representing here, as a challenge is that today’s system are very, or the industry itself is very fragmented. There’s 3,500 technology providers out there. On average, a medium to large enterprise in the kingdom, in Germany, in the United States is using between 20 to 30 different tools to protect the digital assets. But they don’t talk to each other. This is why we fundamentally believe, what Gartner is also saying, we need to help you on a modular basis to consolidate your security estate so that you have an end-to-end security in whichever cloud you have your workloads, and also from code to cloud. We heard the CEO from Aramco speaking about the importance of OT, and there’s a lot of code being created. The problem is 80% of the code that is created in the world, also here in the kingdom, is using open-source components. Now the problem is if one of these open-source libraries contain malware, you have a big snowball effect. And again here, identity, device, application and behavior cross-correlated with AI. This is the way how to sort it.

Moderator – Massimo Marioni:
Sean, I can see you at the end there. Building a pool of talent is a key factor for progressing AI. So what kind of classes or training do people need to prepare for AI in the workplace, especially when AI keeps changing at such a rapid rate?

Sean Yang:
Yeah, thanks for asking. I think in recent days, and suddenly AI getting very hot. Every country, they start working on AI and AI-related security. And I would like to see, like the GCF, and all the people working here and trying to improve the international consensus on AI governance. But if you’re talking about the real classes, to answer your questions, I would like to see first, we need to think about what kind of structure we need to build. Now, we should like to say AI governance, we need to have different roles. Just like one of the speakers mentioned about, like cybersecurity is a team sport, and same like AI. Now we identify with five roles. First one is AI user, like the enterprise or like anyone who apply AI to their product and to their production or to their daily enterprise operations. The number two is technical vendors or the AI providers. And also the government regulators and the third party certification body and also the public peoples. Because eventually AI’s application will significantly impact their life. Okay, if we identify the different multiple stakeholders, then different stakeholders need to take their responsibility and also they need a different training or different awareness. So I would like to see, in the recent days, I found a very interesting thing. And two weeks ago, and we had a discussion in Singapore International Cybersecurity Week. And we’re talking about talent, we say over-knowledge but unskilled workforce. Which means now to get knowledge is very easy, but questions how to apply this kind of knowledge to their practice is a kind of challenge. So from this point of view, I would like to see to fill three gaps. The first one is to see how we can significantly improve the decision makers’ awareness. And for example, if we’re talking about governance, normally it’s always from top to down. So which means the top senior executives who decided the strategy, who decided the policies and needed to have awareness about AI.
So which means they needed to know, may not need to know all the details, but they need to know and what kind of risk behind AI’s applications. The second one is working level. I would like to see a lot of situations is pretty similar like cybersecurity. You can see, Ken just mentioned about a lot of thing like open source software. To address all this kind of supply chain security issues, we need to review all this kind of traditional concept like the software engineering, security engineering, data engineering. All this kind of ideas is pretty traditional ideas. However, now we have AI. Then we have to review and also we need to put a lot of new meaning and new concept inside that can absolutely consolidate the cornerstone of the basic abilities in the working lab or technology levels to support the fast growth of the digital transformation and also the AI applications. The third one and probably is like a training inside universities. Huawei worked together with 79 universities in China and we figured out a lot of universities do using a very old textbook. So let’s read one. We work together with top 11 universities to see how we can share our practice on a software engineering capabilities together with them, then using this way and we train all this kind of training of trainer, the young teachers, and as well as the young graduate. And once we finish the graduation, they already understand what is the practice inside industry; they can quickly update, quickly catch up the industry practice.

Moderator – Massimo Marioni:
Thank you. And now another key issue is collaboration, not just in the workplace but across the world, and that’s a complex challenge. So can you explain how different countries can set rules for AI even when they’re not all necessarily aligned on how to use the technology? For instance, you know, when ChatGPT first exploded, Italy wanted to ban it for, you know, a certain amount of time. So it’s a very complex challenge, and I’ve heard people say if you don’t have worldwide regulation over AI, you’ve got no regulation. Ken, do you agree with that sentiment?

Ken Naumann:
I do agree with that. You know, the adoption of generative AI has surprised me considerably over the last year, year and a half. And, you know, for me, and my belief is, you know, the regulations, whether they’re on a country basis or on a worldwide basis, are going to be playing catch-up for the future, and I don’t think we’re ever going to totally catch up through coming up with a comprehensive set of regulations or standards. Things that I think we can do are things like what we’re doing today, where we’re sharing information, we’re sharing ideas, and I think that the GCF has done a big service to the entire cyber community. Other things we can do is come up with standards as a community, not necessarily, you know, trying to get governments to cooperate with one another, but as a community of cyber professionals, on, you know, what the role of AI should be as it relates to cyber: you know, standards around modeling, standards around data, the ability to share data across country borders, and coming up with safe and effective ways to do that. I think it’s going to be a big step in the right direction. And ultimately, you know, the more data that can be shared honestly and securely, I think the more likely we are going to be able to catch up with any bad use of the technology.

Moderator – Massimo Marioni:
Yeah. Helmut, what’s your take?

Helmut Reisinger:
Well, first of all, cybersecurity is a universal topic because digitalization is happening everywhere, notably also here in the kingdom. On the other hand, we should not dream. We should be realistic that we will not have tomorrow immediately one standard across the globe, which means we need to respect different ecosystems of digital space regulation or cyber security regulation. For example, Sean is coming from Shenzhen. We as Palo Alto, our SASE solution is fully compliant as well for China-active businesses, which means if a German company active in China needs the same security across the globe, in Saudi Arabia, in China, as well as, for example, in Brazil, they get one standard, but it fits as well to the local regulation that is needed. We need to adapt that. Same is here: you have a specific governance here on data and where data needs to be stored in the kingdom. That’s where we need to simply adapt. That’s what we need to respect. On the other hand, I believe that some areas, other areas, other theaters in the world are setting the pace. We heard this morning from Barroso: Europe was probably setting the pace in GDPR. Europe was also quite fast when it comes to AI, talking about unacceptable-risk AI, sensitive AI, foundational model AI, and then basically a risk-free AI. Now, this week the U.S. has also issued the first executive order on AI. This will help to set the scene, to get the discussion going and to get to a better level. And of course, AI, I think regulation is kind of needed, because there is a big potential of using it for the dark side of the world against your industrial, your enterprise, your public sector services that you want to provide. And I can only see it also in Europe. You know, about one year ago, President Biden issued an executive order as well on attack surface management, ASM, attack surface, but does you step from outside and look into an enterprise: what are your risk areas and vulnerabilities? And he forced every entity of the federal government of the U.S. to do an attack surface analysis every seven days. This is by far not the standard in Europe, but the closer you get to the Ukraine border, I can tell you, Baltics, you heard the lady from Estonia this morning, the more alertedness you have on that. So I think this will set step-by-step to standard, and I think the world will step-by-step converge on that. But again, let’s not dream and be realistic.

Moderator – Massimo Marioni:
Now you’re all senior leaders within your companies. What do you think are the most important things for leaders to think about when they’re making rules in order to strike a balance between promoting innovation and safeguarding against potential risks? I’ll give you all a chance to answer here. So let’s start with Sean.

Sean Yang:
Thank you for question. You know, actually we think is probably, first of all, we need to say AI is not a product. AI is a general enabling technology, if you compare with the last round of the industry renovation, like the computer science, they change everything, right? So from this point view, I would like to see, if we’re talking about all the rules and the governance, and probably is not need to focus on AI technology itself, but need to think about how we can build the rules structures and governance structures and to manage this kind of scenarios or this kind of product. If we not talking about the application scenarios, that we’re talking about AI governance, there’s no meaning, because AI technology are evolving, right? They are changing. If you took based on a changing technology talking about the governance, sometimes it’s not, cannot generate a concrete things. That’s number one. Number two, I think in that we are facing a lot of challenge and probably generate by AI. And first of all, we need to say in AI eventually will support or serving the people, so which is the people-oriented technologies. So the governance or rules, and first of all, and needed to improve and the applications. And so from this point of view, that’s reason why we create this kind of internal governance, which define the intention, define the principle, and define the scenario, and define the product, and how we apply the technology inside of solution or inside of a business of situations. I think whatever from the security by design or security by default or security by operations, we need to pay attention to the overall for, and the life cycles management for AI application. That probably it can bring more concrete meaning for AI governance.

Moderator – Massimo Marioni:
Ken, number one thing for leaders to think about when implementing?

Ken Naumann:
I think there’s a big decision coming up for technology leaders, especially developers of software in the cyberspace. And that decision is when you turn over more and more responsibility to the AI technology. You know, when does that shift happen, where right now or in the immediate future AI can serve as a very good co-pilot, but when does it actually become the pilot? And I think it’s up to us as leaders of the organizations that are innovating around this technology to make that determination in a way that, A, is going to be safe for the people who adopt the technology; B, doing in an honest way in terms of being able to recognize what the current state of evolution is around AI; and then, C, do it in a way that’s going to protect the people who are currently doing those jobs. And, you know, there’s a bit of a push-pull in the industry right now. Some people think that, you know, AI technology is going to take over the analyst role in a SOC within the next three to five years. Other people think that the steps that need to be taken before that happened need to be very measured, and it needs to happen over a much more long, elongated period of time. The other thing that I would bring up is, you know, what is the role ultimately going to be of a security, cyber security specialists? And, you know, is it going to actually be protecting the environment or protecting AI? And, you know, to me there’s going to be a lot of a process of be procedures in terms of, you know, how you go about doing that, what technologies you use to do that, and making sure that we put all the building blocks in place ultimately before we turn over our security future to machines.

Moderator – Massimo Marioni:
Very well said. Helmut, last word, one man.

Helmut Reisinger:
Well, if it’s true that, remember, the time of infiltration versus exfiltration is shrinking heavily, the world will need to have real-time and autonomous, autonomous meaning highly automated, cybersecurity solution. That does not come without AI. It’s a prerequisite. So if this is a prerequisite, the innovation will be how can we have the best use of AI. That is only possibly if you have good data. So if you want to come to an outcome of 10 seconds mean time to detect and one minute mean time to remediate, you need to have the right telemetry data, remember, device ID as well as the endpoint telemetry data and from the cloud, and then apply those algorithms. And I think policymakers are very well advised to give space and oxygen to the AI space, on the other hand as well to be aware and cognizant that AI is also a driver on the attacker side. Just to give you one final number: in the first seven months since ChatGPT was launched, our market-leading unit 842, it’s a threat intelligence unit that we have, have noticed 910% increase of faked slash vulnerable ChatGPT-like websites being created as a trap for people and the public. So it’s important for societies, for enterprises and public organizations. I think AI without cyber security, or cyber security without AI, vice versa, will not work if we want to keep your digital assets safe in a real-time and autonomous cyber security version.

Moderator – Massimo Marioni:
Thank you very much. That wraps up our panel, everyone. There’s a 10-minute break before the start of the next panel, so there we go.

Helmut Reisinger: speech speed 176 words per minute; speech length 1607 words; speech time 548 secs

Ken Naumann: speech speed 165 words per minute; speech length 796 words; speech time 289 secs

Moderator – Massimo Marioni: speech speed 160 words per minute; speech length 547 words; speech time 205 secs

Sean Yang: speech speed 174 words per minute; speech length 1030 words; speech time 354 secs

Plenary: Sustainability at Risk: Drawing Insights from Climate Talks to Elevate Cybersecurity

Full session report

Moderator – John Defterios

The participation of high-level officials in the Global Cybersecurity Forum (GCF) signifies the importance of secure cyberspace for Saudi Arabia and the Middle East. This demonstrates the country’s recognition that cyberspace is an integral part of the security apparatus, especially in conflict-ridden areas. The Middle East and North Africa region is currently experiencing upheavals due to ongoing conflicts, further highlighting the significance of addressing cybersecurity.

Saudi Arabia also acknowledges the need to address cybersecurity in the Global South. The initial reactions to the start of the pandemic were more focused on protecting one’s own citizens, without considering the global community. However, just like a pandemic, situations in cyberspace can cross boundaries, and Saudi Arabia sees the necessity for the Global South to be protected digitally as they continue to develop. The country recognizes the growth opportunity within the Global South and the importance of safeguarding it digitally.

Emphasis is placed on collaboration and a global perspective when addressing cybersecurity needs in the Global South. John Defterios, a prominent figure, suggests adopting a global approach to tackle the cybersecurity challenges faced by developing nations, particularly within the Global South. He draws parallels between cyber issues and the global nature of a pandemic, emphasizing the need for a coordinated and collaborative effort.

Despite regional unrest, there is trust in Saudi Arabia and the Gulf States’ ability to maintain stability. The Gulf States have a history of 35 years of coverage during which stability has been maintained, and this track record instills confidence. This trust extends to Saudi Arabia’s ambitious 2030 plan, which emphasizes cybersecurity, educational reforms, and global integration despite the prevailing regional instability.

The progress of reforms and the 2030 vision in Saudi Arabia has seen remarkable transformation over the past seven years. Saudi Arabia’s 2030 vision encompasses various reforms aimed at achieving sustainable economic growth and promoting peace and justice. However, there are concerns about the continuity of the 2030 plan amidst the regional uncertainty.

In conclusion, the increased participation of high-level officials in the Global Cybersecurity Forum highlights the importance of secure cyberspace for Saudi Arabia and the Middle East. The country recognizes the significance of addressing cybersecurity in the Global South, emphasizing collaboration and a global perspective. Despite regional unrest, there is trust in Saudi Arabia and the Gulf States to maintain stability. The progress of reforms and the 2030 vision in Saudi Arabia has shown significant transformation, although questions remain about the plan’s continuity in the face of regional uncertainty.

H.E. Adel Al-Jubeir

This analysis focuses on the various topics discussed by H.E. Adel Al-Jubeir, highlighting the importance of cybersecurity, global cooperation, and the future of Saudi Arabia. It underscores the significance of collaboration, international cooperation, and global stability in addressing various global challenges.

One of the main points emphasised in the analysis is the critical role that cybersecurity plays in both local and global prosperity. It is highlighted that cybersecurity impacts every aspect of life, including education and the economy. The argument presented is that cybersecurity is essential for both local and global prosperity. The supporting facts for this argument include the assertion that Saudi Arabia is a major player in the international system, and its success affects global stability.

Another main point discussed is the need for global cooperation to solve world challenges. The argument put forth is that challenges such as climate change and pandemics affect everyone, regardless of their country or religion, and that success in facing these challenges depends on global cooperation and transparency. The sentiment towards this point is positive, and supporting facts include the statement that challenges like climate change and pandemics impact the entire world, and thus, a cooperative approach is necessary.

The future of Saudi Arabia is another significant topic discussed, with an emphasis on diversification and empowerment. The argument made is that the future of Saudi Arabia depends on diversifying the economy and empowering women and youth. Vision 2030, a plan to transform Saudi Arabia by diversifying the economy and empowering women and youth, is referenced as a means to achieve this. Moreover, it is mentioned that the country seeks to attract both domestic and international investments.

Additionally, the analysis highlights the vital role that Saudi Arabia can play as a bridge builder between China and the United States. The supporting facts state that Saudi Arabia has strategic relations with the United States and that China is Saudi Arabia’s largest trading partner. The sentiment towards this point is positive.

The analysis also acknowledges the necessity for a transition from confrontation to cooperation and a shift from competition to a sum-sum game in which all parties benefit. The sentiment towards this point is neutral, and the supporting facts suggest that the international system is better served when the two largest economies, the U.S. and China, cooperate and avoid confrontation.

Another topic discussed is the need for scientific, rational, and logical approaches to addressing climate change and cybersecurity issues, rather than being emotional and hypocritical. The sentiment towards this point is negative, and the argument posits that it is essential to approach these issues using scientific reasoning and rationality. The supporting facts mention the history of climate change discussions and cybersecurity resolutions.

Furthermore, the analysis highlights the pressing need for quick agreements on cybersecurity definitions, dangers, and international conventions. The argument suggests that multilateral cooperation should be accelerated to counter cyber threats. The supporting facts state that cyber issues relate to extremism recruitment, child pornography, money laundering, and the compromise of critical institutions.

H.E. Adel Al-Jubeir is mentioned as viewing the establishment of a center for cybersecurity as beneficial. The supporting facts suggest that the center will play a critical role in highlighting the importance of dealing with cybersecurity, formulating effective measures, and facilitating the global exchange of ideas.

The importance of cybersecurity is further reiterated, with the assertion that it should rank among the top three policy issues. This sentiment is supported by the mention of common reliance on internet access for essential needs and a comparison of cybersecurity with the rising concern for climate change.

The analysis also emphasizes the necessity of global cooperation to combat cyber threats. It highlights the need for a cooperative way forward, as exclusivity does not benefit anyone.

The rapid advancement of artificial intelligence (AI) and emerging technologies is also discussed. It is stated that the speed of technological development and the emergence of new technologies is outpacing our ability to regulate and secure them. The sentiment towards this point is concerned, and the argument suggests that there is a need for transparency and regulation in AI and cybersecurity to avoid confusion and chaos. The supporting facts mention the potential for AI to create simulations of real people saying things they didn’t and the possibility of misrepresenting world leaders.

The analysis also highlights the importance of finding global solutions to cyber protection, particularly for the Global South. It mentions that the world is moving towards globalization and that no single country can solve global problems alone. The sentiment towards this point is positive.

Furthermore, the analysis emphasizes the significance of global collaboration and interconnectedness. It mentions Saudi Arabia’s focus on connecting itself with the world and participating in reciprocal learning, allowing for better understanding, trade, investment, and cultural exchange. The sentiment towards this point is positive.

The stability of Saudi Arabia amidst regional disturbances is also emphasized, with the sentiment being positive. It is mentioned that Saudi Arabia has been consistent in its progress and reforms, regardless of regional unrest.

The participation of Saudi Arabia in global institutions, such as the G20 and BRICS, and the hosting of global events like the World Cup, is also highlighted. The sentiment towards this point is positive, and the argument suggests that there is no contradiction between participating in global institutions and hosting global events.

The analysis further underscores the importance of increased cooperation among nations, leading to better understanding, trade, investment, and cultural exchange. It states that Saudi Arabia is participating in global forums to build bridges and that increased understanding leads to global stability and prosperity.

Lastly, the analysis emphasizes the critical importance of maintaining trust in societal systems, particularly in areas such as e-commerce, aviation, and vital infrastructure like power and water systems. The sentiment towards this point is positive, and the argument asserts the significance of trust in maintaining societal stability.

In conclusion, the analysis highlights the importance of cybersecurity, global cooperation, and the future of Saudi Arabia. It emphasizes the need for transparency and regulation in AI and cybersecurity, as well as the necessity for global solutions to cyber protection. The analysis also underscores the significance of maintaining trust in societal systems and the role of education and awareness. Overall, it emphasizes the importance of collaboration, international cooperation, and global stability in addressing various global challenges.

Session transcript

Moderator – John Defterios:
His Excellency Adel Al-Jubeir, Minister of State for Foreign Affairs, Member of the Council of Ministries, and Envoy of Climate Affairs, Saudi Arabia, John Defterios, Moderator, former CNN, Emerging Markets, Editor and Anchor. Good morning, everybody. It’s nice to see such a terrific turnout. Your Excellency the Governor, it’s great to start the second day here with such a distinguished guest. It’s great to see you. His Excellency Adel Al-Jubeir is the Minister of State for Foreign Affairs. He’s a climate envoy and a member of the Cabinet of Ministers. We’re going to do a 25-minute session looking at creating a cyberspace for all that’s secure, the urgency in which to do so, and then the nexus at which climate discussions and cyberspace meet. And I would add also our reaction as a global community, Your Excellency, to the COVID-19 pandemic. Initially, it was every state for itself, and then towards the end of that process, it became very collective. But how do we get cyberspace and that collective space to begin with? Your Excellency, we were discussing in the Green Room beforehand that the GCF Institute was established by royal decree in 2023, which is quite a landmark. And I think geographically and strategically, and Saudi Arabia being the largest economy in the Middle East and North Africa by a wide margin, also provides an opportunity to build momentum and a consensus, which I’d like to give to. He didn’t hear the formal welcome, but let’s give him a nice Riyadh welcome to His Excellency Adel Al-Jubeir.

H.E. Adel Al-Jubeir:
Thank you. Thank you. Thank you very much.

Moderator – John Defterios:
I think, and we cannot overlook this, but I think it’s incredibly important to see someone at your strategic level within the government and wearing the hat as the Minister of State for Foreign Affairs and the Climate Envoy, and so active within the Cabinet of Ministers, to be at the GCF. What does it tell us, first and foremost, about the importance of a secure cyberspace for all in the kingdom because of critical infrastructure, but also for this region in the Middle East and North Africa, which we have to say is going through convulsions now because of conflict? What does it say about the role of cyberspace in that security apparatus, would you say?

H.E. Adel Al-Jubeir:
It’s very – well, first of all, thank you for having me, everybody. It’s great to be here. It’s extremely important. When you look at cyber, you look at – it impacts every aspect of our life, from education, from paying our bills, from acquiring information. I mean, you name it, it’s linked to it. And ensuring that we have a functioning, secure system that allows us to operate efficiently is very important to us personally, to the economy, and to the global economy. Saudi Arabia is a major player in the international system. We are the largest exporter of oil. We are one of the largest investors in the global economy. We are custodians of the two holy mosques. We have influence and access and throughout the Muslim world, 1.7 billion people pray in the direction of Mecca five times a day. We are geographically located between three continents, Asia, Europe, and Africa. Three of the most important waterways in the world are right next to us, the Straits of Hormuz, the Bab al-Mandab, the Suez Canal. So we are connected to the world, and the world is connected to us. What happens in the international system has a direct impact on Saudi Arabia and vice versa, whether negative or positive. So it is critically important for us that we have a stable, functioning, prosperous international system. That’s how we prosper. When you look at our Vision 2030, the objective of it is to ensure that we are an active player in the international system by transforming our country, diversifying our economy, empowering youth, empowering women. And in order to do so, we need to have an efficient and transparent public sector. We have to have new areas of investment, whether it’s mining, whether it’s tourism, whether it’s recreation, whether it’s entertainment, artificial intelligence, renewable energy, all of these.
And in order to have those, we have to have a world-class education system, and we have to have a world-class healthcare system, and we have to have the ability to attract investments both domestic and international. So all of this is part of our package Vision 2030, and we are much better able to achieve our objectives if the international system is stable and secure. And the stability of cyber is critical to this, and the establishment of this center is one means for Saudi Arabia to contribute to making the cyber world more stable and more secure, and also to connecting the world and acting as a bridge between different countries and between different regions in order to have a cooperative approach rather than a competitive approach. We cannot deal with the challenges of our world, whether it’s cybersecurity, whether it’s climate change, whether it’s pandemics, unless we work together. One country cannot do it alone. When it comes to climate issues, rising temperatures do not avoid one country because it’s doing something. It impacts all of us, and so all of us have to work together in order to deal with it. When you look at pandemics, the virus doesn’t distinguish between Muslim and Christian and Jew and Buddhist. It doesn’t distinguish between American and Saudi and German. We’re all the same. And unless and because we worked closely together as a global community with transparency, we were able to overcome this pandemic. The same with cybersecurity. One country cannot do it alone. We have to work together. We have to share information. We have to share expertise, experience, and we have to agree on common terminology in order to be able to deal with the challenges.

Moderator – John Defterios:
Great. Let me just delve into that a little bit more. Geographically, as I mentioned in my opening comments, you straddle east and west and are, as you noted, very connected to Africa now, which is a great growth opportunity for the continent, but also, I think, for the heart of the Gulf here. But does it allow Saudi Arabia to serve that bridge between China and the U.S., which is competing in technology, right, but you want them to compete on fair grounds and also have a dialogue and also work together for a secure cyberspace, specifically because of the Global Cybersecurity Forum and now being an institute? What role can it play as a bridge builder?

H.E. Adel Al-Jubeir:
It can play whatever role it needs to play. It’s very important that we switch confrontation to cooperation, and it’s important that we switch competition from being a zero-sum game to being a sum-sum game where everybody benefits. Saudi Arabia has strategic relations with the United States. China is our largest trading partner. Both relations will continue to grow and prosper. The international system is better served when there is cooperation between the two largest economies, where the international system is not served when there is confrontation, and I believe both sides want to avoid any kind of confrontation. And Saudi Arabia’s role is to work with everybody to try to create a cooperative environment in which everybody benefits.

Moderator – John Defterios:
Good. As a climate envoy, you’re very knowledgeable about the process. My journalistic coverage started in 1992 with the Rio Accord, and yours predates that in terms of the history of the COP process. How do we avoid the missteps of having two distinct camps in the COP process? And we’ve learned post-pandemic that the energy system of today can’t be shut off and you start the energy system of tomorrow, and we don’t want that slow process to filter in to the cyber community. Can you make that comparison what we should avoid as landmines, if you will?

H.E. Adel Al-Jubeir:
I think the most important thing is to be scientific and rational and logical about dealing with issues and not emotional. We see a lot of emotions when it comes to climate change discussions, and we frankly see a lot of hypocrisy, and that doesn’t serve anyone. We have a problem. We need to fix the problem. The temperatures are not coming down. The air is not becoming cleaner. And no matter how much we argue, we need to roll up our sleeves, work together to solve the problems in a rational and effective manner, and we need to do it quickly. I believe with the climate discussions started essentially with the Stockholm Conference in 1972, where the issue of the environment was put on the agenda. And then it took another two decades until we had the Rio summit, Earth Summit, which focused on climate change and the dangers of climate change. Then we had Kyoto. Then we had the Paris summit, which was a small miracle that countries agreed on the path forward and the need to limit rising temperatures. And then we’ve had the subsequent COP meetings. It’s moving towards a more rational discussion, but it’s taken almost 50 years, and that’s too long when it comes to cyber security. Cyber security, the issue of dealing with cyber began really in 1998 at the United Nations. The first resolution with regards to a governmental working group was passed in 2003. That’s 20 years ago. We still have a way to go. I think it’s important that we agree we need to move very quickly because technology is moving much faster. We need to agree on the terms that we, how we define things so that we know what we’re talking about. We need to agree on where the dangers are, and we need to work very quickly in those areas. We have problems with, in terms of the internet, with recruitment for extremism. We have problems with child pornography. We have problems with crime, whether it’s money laundering, whether it’s extortion. 
Even things as simple as bullying, you can have somebody, one end of the world bullying somebody on the other end of the world. How do you stop it? How do you criminalize it, and how do you prosecute these individuals? We need international conventions for these, and we need them quickly. And we need to deal with other issues that involve cyber. I think the most important thing is agreeing on definitions, agreeing on areas that need to be addressed, coming up with legal mechanisms to counter those areas, exchanging information with regards to how people take advantage of cyber in order to commit crimes, and what is the most effective way of dealing with it. We need to exchange information with regards to the type of viruses that people try to use to damage other institutions. We need to protect the functioning of critical institutions to countries that really have banks, power plants, hospitals, traffic lights. These are important things for day-to-day life, and I think those are areas that should not be as sensitive to national governments as issues that directly relate to national security. So we should be able to find ways of moving forward. I’m hopeful that people recognize the dangers, and that they recognize that multilateral efforts are complicated, they take a long time, but they recognize that the need is urgent and we need to find a way to speed it up. And I believe the center that is established will have a critically important role to play in highlighting the importance of dealing with the challenge of cyber security and coming up with the most effective ways of addressing it and being a platform for people from around the world, as we’ve seen yesterday, to come and exchange ideas and come up, identify problems, and point out certain pathways forward that will help us overcome those problems.

Moderator – John Defterios:
Yes, if you look at today, and this emerged last week at the FII when they did a poll, it’s very interesting what you said about the trust of a system and the quality of life. So they polled the participants and they said quality of life is essential as a number one issue. The threat of inflation and the cost of living was second on that list. Third on the list for those that were a bit older like us was climate, right? And then the youth said, oh, climate is at the top of the category for them because they’re very fearful of the future. Where does cyberspace, a secure cyberspace, which is not in the front and center of our consciousness, but should it belong in the top five in terms of policy and maintaining trust and government collaboration or not?

H.E. Adel Al-Jubeir:
Absolutely, it should be in the top three, if not top two. How many times do you complain when you arrive in a country and you turn on your cell phone and you don’t have internet access? And this is just because of the systems, not because somebody fiddled with it. So how would you feel if you woke up one day and you’re shut out from the world? You can’t access your bank accounts. You can’t access your medical records. You can’t communicate with your doctor. It has a profound impact on your life and on your quality of life. We’re used to things today that were unthinkable 30 years ago or 20 years ago, and we take them for granted. And I think with climate, I mentioned the Stockholm Conference in 1972. Nobody was paying attention to the environment. They thought the environment was picking up trash, but now they see rising temperatures and they see more dust storms and they see more hurricanes and they see rising water levels and they say, oh my goodness, this is having an impact on my life and the life of my children and grandchildren. With cyber, we are now in that phase where people are becoming cognizant of the problem. But heaven forbid, hopefully we never get there, but if you had a shutdown, then people will say this is the number one priority. We need to deal with it. So to your question, it is a critically important issue and I think it ranks right up there with climate change, pandemics, and cyber. I think these are the three critical issues that we face as a global community and we have to pay attention to it and we have to come up with a cooperative way forward because being exclusive or not being cooperative doesn’t help anyone.

Moderator – John Defterios:
Okay, the other thing I was gonna ask you about was there’s an AI conference running in parallel with the Global Cyber Security Forum and President Biden signed an AI executive order saying that we need to have greater transparency and testing by the private sector in collaboration with government. His first executive order when it came to technology was on cyber security four months into office. Does that give us this opportunity to link the opportunity and threat of AI and have it dovetail with policy around cyber security? Because many fear that AI’s gonna move so far in advance that it’ll test the cyber security networks of the world. How do you see that and the actions by the US to put this high on the radar?

H.E. Adel Al-Jubeir:
I think it has to be when you have the ability to take you and have you come out and say things that you didn’t say with real credibility. Imagine if you had world leaders issuing statements that have nothing to do with reality, that they had nothing to do with. What kind of confusion does it create in terms of global financial markets, in terms of perceptions, in terms of it can be chaotic. It will be chaotic, not can be. And so it’s important that we deal with all of these issues. And the challenge with cyber, I believe, and I’m not a technical person, so forgive me if I’m off here, but the way I see it is it’s moving so quickly that we need to catch up with it. And when you think you have a handle on something, something else emerges. And so it’s important that we try to stay ahead of the curve, although I don’t believe we are, but we need to find a way to at least keep up with the changes so that we don’t have miscalculations that happen because of misinformation that we believe to be correct information.

Moderator – John Defterios:
Great. We talked about the COVID-19 pandemic briefly, and I mentioned it in my opening remarks and during the opening panel yesterday, the initial reactions, I have to protect my citizenry, and I wasn’t thinking of the global community. And that also pertains to the Global South when it comes to a secure cyberspace for women, for development, for collaboration. How do we take a role here, a global look at solving this for the Global South? Because as you said, the pandemic crosses boundaries, right? But the same thing could be said in cyberspace. And how does Saudi Arabia see that necessity for the Global South to be protected, if you will, as they develop? Because there’s a great growth opportunity at our doorstep.

H.E. Adel Al-Jubeir:
I think we need to step back and look at the large picture. And what we see is the world moving towards globalization. Everybody talks about it. But the fact is we’re one unit, a small planet. Globalization, in your view, is not dead then. You can reset. It’s, we live on one small planet. And what happens in one end of the planet affects people on the other end of the planet, whether it’s a pandemic, whether it’s climate change, whether it’s cyber. And the solutions to these problems and these challenges have to be global. One country cannot go it alone. So it’s not a, I don’t, I think the world has to move from us versus them, or one section of the world versus another, to we’re all in this together. And when you look at Saudi Arabia, for example, or Vision 2030, part of it, a major part of it is connecting Saudi Arabia with the world and connecting the world with Saudi Arabia. We have sent more than 500,000 of our young men and women to study around the world over the past 15 years or so. Over the past 40 or 50 years, numbers are much higher. And the objective is not only to acquire education, but to learn about the world and for the world to learn about them. Because when you, when they come back and we see it now in the energy and the dynamism that we have in Saudi Arabia, people are connected. They’re aware of the world. They’re aware of their role in the world. And they’re aware of the importance of dealing with the world. We’re proud of our national identity. We’re proud of who we are, but we recognize that we are part of the global community and that the community as a whole has to come together to deal with the challenges that we face, whether it’s cyber, whether it’s climate change, or whether it’s pandemics.

Moderator – John Defterios:
I would love to ask you your thoughts on the continuity of the 2030 plan. And when we have regional unrest like we have it today, how the GCC can remain stable and that vision 2030 on track. Many would probably question, can you continue with the reforms? Can you continue with progress when there’s regional uncertainty? My history after 35 years of covering it is that people have trust in Saudi Arabia and the Gulf States to remain stable. Can you address that, do you think, in this context of trying to create a secure cyberspace? Because the transformation in seven years has been phenomenal. And people want to know if it’s on track and stays on track.

H.E. Adel Al-Jubeir:
We have an objective. We have a whole of government and a whole of society approach towards achieving that objective. We have exceeded most of the benchmarks for that objective. We will continue to pursue that objective because that’s in the interest of our nation. And so we will do this. And we will deal with other challenges as they come up. But it will not deter Saudi Arabia from continuing on its path of progress and reform and implementation of its vision 2030. And our record speaks for itself. Saudi Arabia has been, the Saudi state was first established in 1727. We’re talking more than 300 years ago. And before that, there was a state in Diriyah for several centuries. We have seen the coming and passing of many storms in our region. And we have been determined and steadfast and consistent in our movement forward. You will not find, in the history of Saudi Arabia, zigzagging or backtracking. We set an objective, we work towards it, and we achieve it. And then we set another objective and we are fully determined to continue along this path. And we are fully determined to make Saudi Arabia a very dynamic and very efficient and a very prosperous and very stable society as we have been doing for decades.

Moderator – John Defterios:
Great. Final question is, as a member of the G20, the expanded BRICS, which Saudi Arabia joins in 2024, hosting a World Cup in 2034, how do we make sure that globalization and these institutions don’t compete against each other, where the G20 and the BRICS collaborate, they take that collaboration into the UN structure? And I didn’t want to interrupt you, but.

H.E. Adel Al-Jubeir:
No, it’s all connected. We don’t see any contradictions between them. I think the global sports events are very exciting. They bring people together. We’re very excited about hosting the World Cup in 2034. Hopefully you will come and you and I can watch the final game with Saudi Arabia in it. We have a, we believe that the G20 is a forum for countries to come together. With regards to BRICS, Saudi Arabia received an invitation. And we think that we don’t see contradiction between one and the other. We think that the more countries can build bridges with each other, the better understanding you have, the more cooperation you have, the more trade and investment, the more exchange of cultures and people, the better it is for all sides concerned. And we think this is what will contribute to global stability, which opens the path for global prosperity.

Moderator – John Defterios:
Good. Your call to the audience, you know, there’s a lot of trust that’s built in society because our systems work. And these people actually work really hard to make sure that that trust remains, right? If you’re doing, as you suggested, e-commerce, or if you’re flying, the critical infrastructure for power and for water systems. What’s the call to action here for this audience as we conclude our second day later this afternoon?

H.E. Adel Al-Jubeir:
Keep doing what you’re doing and make sure that you educate everybody around you, in particular somebody like me who is not very tech savvy, because what you’re doing is critically important, not only to Saudi Arabia, but to the world. And I think the center will have to, will play a very important role, I have no doubt, in bringing the world together and in making the world a better place and a more stable place. So keep up the good work.

Moderator – John Defterios:
Good. Can we give a nice round of applause for His Excellency Adel Al-Jubeir. Thank you very, very much. Thank you. Nicely done. Thank you very much. We’ll exit here. Thanks, we’ll get the microphone in the back off. Just go to your left, yeah.

H.E. Adel Al-Jubeir

Speech speed: 170 words per minute
Speech length: 2982 words
Speech time: 1050 secs

Moderator – John Defterios

Speech speed: 169 words per minute
Speech length: 1443 words
Speech time: 511 secs

Catalyzing Cyber: Stimulating Cybersecurity Market through Ecosystem Development

Full session report

Felix A. Barrio Juárez

The European Union’s Next Generation Action public policy aims to stimulate economic recovery through increased investment in research and development (R&D). This policy recognizes that investment in R&D is crucial for post-COVID economic recovery, specifically in the area of digital transformation.

In Spain, one in three euros invested through the Next Generation Action programme is allocated to digital transformation. This highlights the recognition of the importance of digital transformation for economic growth and recovery. Furthermore, Spain has spent over 224 million euros on R&D for small and medium enterprises (SMEs), supporting their role as a successful strategy for market catalysation.

The digital transformation and cybersecurity sector’s contribution to Spain’s economic growth has risen from 12% to 22% in just three years. This demonstrates the significant impact that digital transformation and cybersecurity have on Spain’s national economic growth.

Cybersecurity is not only essential for economic growth but also plays a crucial role in national technological sovereignty. It allows for independence in terms of national technology and ensures the protection of critical infrastructure and sensitive data.

However, there are concerns about standards becoming barriers for smaller businesses and new entrants in the digital market. The establishment of strict standards may put small companies at a disadvantage and limit the entry of new players into the market. It is essential to strike a balance between setting standards and allowing for the participation of new entrants to foster innovation and competition.

Building cybersecurity capabilities is a top priority, and there is a call for the private sector to step up in this field. Felix emphasizes the importance of prioritising the development of cybersecurity capabilities and highlights the need for private initiative in building these capabilities.

Additionally, public services have a role to play in empowering vulnerable sectors, such as consumers, to be part of the cybersecurity solution. By focusing on the more vulnerable sectors and involving the public in cybersecurity efforts, Felix believes that public services can contribute to promoting peace, justice, and strong institutions.

In conclusion, the European Union’s Next Generation Action public policy recognises the importance of investment in R&D for economic recovery, particularly in digital transformation. Spain is investing significantly in digital transformation and supporting the growth of SMEs through R&D funding. The digital transformation and cybersecurity sector is playing an increasingly important role in Spain’s economic growth. However, there are concerns about standards becoming barriers for smaller businesses and new entrants. Building cybersecurity capabilities and empowering the public are crucial aspects of addressing these challenges.

Ir. Dr. Megat Zuhairy bin Megat

In 2020, Malaysia established a cybersecurity strategy with a five-year plan to create a secure, trusted, and resilient cyberspace. The strategy is built upon five pillars: effective governance and management, legislative strengthening and enforcement, innovation R&D, capacity and capability building, and global collaboration. It aligns with the Malaysia Digital Economy Blueprint and the IR 4.0 policy, supporting the nation’s goals of industry, innovation, and infrastructure.

One argument in favor of Malaysia’s cybersecurity strategy is that it supports other nations’ strategies and policies, highlighting the importance of partnerships and collaboration in addressing cyber threats. The strategy also aims to build a strong cybersecurity workforce by promoting it as a career choice among students and collaborating with industry and academic institutions.

However, there is a concern that an excessive focus on standards might impede innovation. While standards are crucial for efficiency and consistency, too much emphasis on them could limit the rate of innovation. Striking the right balance between standards and innovation is essential for an environment that fosters both safety and technological advancement.

In conclusion, Malaysia’s cybersecurity strategy, with its five pillars and alignment with national strategies, reflects the country’s commitment to a secure cyberspace. By focusing on education, industry collaboration, and capacity building, Malaysia aims to effectively tackle cyber threats and build a robust cybersecurity workforce. It is crucial to maintain a balance between adhering to standards and promoting innovation to ensure continued growth in the sector.

Eng. Walid A. Abukhaled

The importance of cybersecurity is highlighted in the provided data, with it being described as a top priority. There is a consensus among the arguments that cybersecurity is of utmost importance and should be taken seriously by organizations and nations alike. Daily cyber attacks targeting strategic companies and assets are a major concern, indicating the widespread risk posed by cyber threats. It is emphasized that no organization is immune from these attacks, with a cautionary message to those who believe it cannot happen to them.

SAMI, a defence system, recognizes the significance of cybersecurity and takes it seriously. It is stated that SAMI develops state-of-the-art technology to ensure independence and incorporates cybersecurity into its day-to-day business operations. This indicates a proactive approach to maintaining a robust cybersecurity strategy.

Furthermore, the argument is made that education on cybersecurity is crucial. It is stated that education is the number one issue, and the role of cybersecurity in educating people is tremendous. This underscores the need for raising awareness and ensuring that individuals are equipped with the necessary knowledge and skills to protect themselves and their organizations from cyber threats.

The data also highlights the vulnerability of Saudi Arabia to cyber attacks. It is mentioned that Saudi Arabia was previously one of the most targeted countries. This demonstrates the need for a robust cybersecurity infrastructure and strategies to protect national assets and interests.

Another noteworthy argument is the creation of a regional or global command and control centre for cybersecurity. The data suggests that establishing such a centre would facilitate the identification, sharing, and prevention of cyber threats. It is also mentioned that this centre would serve as a platform for sharing best practices and regulatory reforms, contributing to the development of future cybersecurity leaders.

The relationship between foreign investments and the safety and security of a nation is brought up as well. The argument posits that there is a direct link between safety, security, and prosperity, emphasising the importance of protecting strategic assets and investments for the future economy.

The role of small and medium enterprises (SMEs) in supporting larger organizations and fostering innovation in the cybersecurity industry is recognised. It is highlighted that SMEs play a crucial role and can bring new and innovative ideas to the table. To support SMEs, the suggestion is made that regulations should be in place to allocate a certain percentage of contracts from large companies to support them. This would create a more level playing field and encourage the growth of SMEs in the cybersecurity sector.

The value of human capital is emphasised, with Vision 2030 in Saudi Arabia prioritising investment in human capital. This indicates recognition of the importance of developing and nurturing talent in the cybersecurity field.

Furthermore, the issue of salary inflation in the cybersecurity industry is raised. It is mentioned that cybersecurity specialists with four years of experience are demanding CEO-level salaries. This suggests a growing concern regarding the escalation of salaries in the industry.

Trust is identified as an integral component of the cybersecurity industry. The data highlights the need for a regulatory framework to earn trust and address issues such as data breaches, loss of personal information, and concerns about privacy infringements through apps.

Lastly, the data points out the benefits of global cooperation in cybersecurity. It is mentioned that the Global Cybersecurity Forum provides an opportunity to learn from global mindsets, indicating the value of knowledge exchange and collaboration in addressing the challenges of cybersecurity.

In conclusion, the extended summary highlights the importance of cybersecurity as a top priority, the need for increased security in the face of daily cyber attacks, and the recognition of cybersecurity by organizations and nations alike. It emphasizes the crucial role of education, the vulnerability of Saudi Arabia to cyber attacks, and the potential benefits of establishing a regional or global command centre for cybersecurity. The relationship between foreign investments and the safety and security of a nation is underscored, along with the support needed for SMEs and the value of human capital in the cybersecurity industry. The concerns of salary inflation and the importance of trust and global cooperation are also addressed. Overall, the data presents a comprehensive overview of the various aspects of cybersecurity and its significance in today’s world.

H.E. Eng. Abdulrahman Ali Al-Malki

Cybersecurity plays a vital role in safeguarding assets and systems, although it can be costly. The protection of these valuable assets necessitates a significant budget allocation. Moreover, constant losses after cyber attacks can be mitigated through proper financial investment in cybersecurity. This perspective highlights the importance of cybersecurity measures despite the associated expenses.

A substantial cybersecurity budget not only ensures the protection of assets but also has the potential to attract global solutions and foreign companies. Nations with significant investments in cybersecurity have been successful in enticing international solutions. Additionally, a strong cybersecurity infrastructure instills confidence in foreign companies, thereby encouraging their investment. This stance emphasizes the positive outcomes of allocating a high budget to cybersecurity.

Furthermore, it is crucial to provide support and cooperation to Saudi Arabia’s Cooperation Council in their leadership role in cybersecurity. Expressing support for their efforts signifies the importance of collaboration in creating effective cybersecurity measures. This cooperative approach fosters positive outcomes in achieving cybersecurity goals.

In Qatar, a comprehensive plan has been implemented to ensure sovereign security at a national level, particularly in relation to the World Cup. This comprehensive plan encompasses a national security framework that extends across all institutions, ministries, and select private sector companies. Vigilant monitoring of the framework’s implementation on a daily basis ensures the highest level of security. Implementing such a plan demonstrates Qatar’s commitment to national security.

During the World Cup, Qatar actively cooperated with international partners, receiving support from teams of other countries. This collaborative approach involved sharing problems and challenges with friendly nations and receiving analyzed data on security threats. This exchange of information and support during the World Cup helped strengthen Qatar’s security measures.

Even after the World Cup, Qatar continues to maintain relationships with the countries they cooperated with. Ongoing sharing and receiving of data on sovereign security exemplify Qatar’s commitment to sustaining these relationships. This enduring partnership remains essential in safeguarding national security.

Building capabilities and licensing workers in the field of cybersecurity is a priority in Qatar. The country has studied two directions in this realm, focusing on enhancing cybersecurity skills and knowledge, as well as licensing workers. These efforts span across different levels, including companies, organizations, as well as individual workers and engineers. By prioritizing these actions, Qatar aims to develop a workforce proficient in cybersecurity.

Identifying and managing risks within the supply chain is critical for maintaining uninterrupted services. Even the smallest entity within the supply chain has the potential to cause complete failure of the service. Neglecting to thoroughly study and address supply chain risks can lead to significant problems. This highlights the necessity of recognizing and effectively managing risks within the supply chain.

In conclusion, cybersecurity is indispensable for protecting assets and systems, despite its associated expenses. A high cybersecurity budget attracts global solutions and foreign companies, promoting economic growth. Supporting Saudi Arabia’s Cooperation Council in their cybersecurity efforts is crucial for collaborative and effective measures. Qatar has implemented a comprehensive national security plan, ensuring sovereign security at a national level. The country actively cooperated with international partners during the World Cup and continues to maintain relationships with these countries. Additionally, building capabilities and licensing workers in the field of cybersecurity is a priority for Qatar. Identifying and managing risks in the supply chain is critical to avoid service failures. These insights shed light on the importance of cybersecurity and collaborative efforts in maintaining security and economic growth.

Moderator

Summary:

Cybersecurity plays a critical role in protecting strategic companies and assets from daily attacks. Saudi Arabian Military Industries (SAMI) is developing its defense system with a commercial mindset, ensuring cyber resilience and extreme protection. Education is crucial in mitigating cybersecurity risks, as people often underestimate the likelihood of being targeted. Clear regulations and policies are necessary to provide a framework for effective cybersecurity. International cooperation and collaboration are key to combating cyber threats, with suggestions for the establishment of regional/global command centers and sharing of threat intelligence. Consumer protection, support for SMEs, and finding a balance between standards and innovation are important considerations. Qatar has a comprehensive plan for sovereign security, while international collaborations during events like the World Cup demonstrate the importance of working together. Building trust, capacity, and capability in the cybersecurity field are also emphasized.

Session transcript

Moderator:
Catalysing Cyber: Stimulating cyber security market through ecosystem development. Engineer Walid Abukhaled, Chief Executive Officer, Saudi Arabian Military Industries, SAMI. Dr. Megat Zuhairy bin Megat, Chief Executive, National Cyber Security Agency, Malaysia. Felix Barrio Juárez, Director General, Spanish National Cyber Security Institute. His Excellency Engineer Abdulrahman Al-Malki, National Cyber Security Agency, Qatar. John Defterios, Moderator, Former CNN Emerging Markets Editor and Anchor. Okay, thank you very much. It’s great to be back for this session called Catalysing Cyber. So we’re opening session today, we looked at like the five key pillars that the GCF is looking at in 2023, and some of the companies here in Saudi Arabia, which are supporting those different pillars. But what does that mean in practice? And this panel, we have specialists from government that actually run their cyber security authorities, and how they interact with, for example, the finance ministry, the economy ministry, the Ministry of Defense, we have the Saudi industry of military industries here, which is excellent to show an example of how that sector, the defense sector, takes this very seriously. We’re going to have a robust debate for 40 minutes, can we give them a nice round of applause for joining us today? I’m obviously not Nisha Pillai, who’s… a friend, but John Defterios as they announced, so I don’t know if they can change the board behind us, but I’m happy, and we know this community extremely well. If I may start with you, Engineer Walid, about how do you develop the system, and this is very important because you’re very much, and everybody here on this panel, very much into processes about how you develop a cybersecurity apparatus. And in the conflicts that we see around the world today, most people think of security in the military sense of action, but this is a different, if you will, enemy, but also a different opportunity.
Do you want to explain how SAMI as a military industry here in the kingdom sees that development, why it’s so crucial for the security, but also the development of the country? I think that would be great.

Eng. Walid A. Abukhaled:
Please. Sure, sure. No, absolutely. Thank you, John. I just took permission to speak in English because it’s a truly global cybersecurity forum, and I think for all our benefits, first I can’t thank the organizer enough, I can’t thank NCA enough for having us here, because if there’s a topic that is at the highest level of importance, probably it is cybersecurity. If any company in the world, if any organization in the world think they are immune, they better think again. There’s daily attacks on almost every strategic company, on every strategic asset. People who believe this may not happen to them, they better think again. So the presence of this forum is amazing, it’s great, and hopefully it will add great value and I’m sure at the end of it there will be certain recommendation other than the benefits of offering it, of clear networking with subject matter experts. Look, at SAMI, we got to a point, of course we got to a point, I don’t know how much you know about SAMI, but in just 20 seconds or 30 seconds, it’s a national defense champion. It was established in 2018, 100% owned by Public Investment Fund. Although we are owned by the government, we are 100% commercial mindset. We are in it for the business. Our mandate is to be to localize 50% of the defense spend in the Kingdom of Saudi Arabia. As such, it means we have to develop our own system, state-of-the-art technology, to ensure independence that we create our own defense system in the Kingdom of Saudi Arabia. Now, what we know for a fact, the concern is not only cyber attacks on the company for people to take sensitive information, that’s extremely important to our customers, but the system we built have to be cyber protected. So in everything we do, cyber security is part of our day-to-day business. If we are designing a system, a defense system, we need to make sure that this is very resilient, extremely protected, that no one can penetrate it.
And we try our best, of course, because as I said, there is no such thing as 100% secure. From education perspective, of course, now we have about 4,000 employees. I can assure you our cyber security function plays a tremendous role in educating. Education is the number one issue, because there are many people still believe that it will not happen to me, it will happen to other people who don’t take care. No, it does happen. It’s unbelievable how many phishing emails we get per day, how many people try to penetrate and get information. And that, I can assure you, is happening to all. So as such, we take this extremely seriously. We built a very rigid, very strong defense system when it comes to cyber. And we can’t thank NCA enough, because they’re doing tremendous work in putting clear regulations, clear policies for all of us to implement, and we ensure that we are fully aligned with them, the NCA in the kingdom.

Moderator:
Yeah, your clarity on this is very, very impressive. Before I call on His Excellency the Engineer from Qatar who speaks fluent English but in deference to our audience, he’s going to speak in Arabic. For our English speakers or if you don’t understand Arabic, do grab a translation device now. I’ll therefore call on our friend from Malaysia, Dr. Megat, and I think we can start with how seriously Malaysia takes this initiative because it’s part of a national cybersecurity plan. And why, and I know Malaysia well, I’ve been there at least 15 times in the last 15 years, why it takes it so seriously as a financial center, as a trade hub, the development of the IT sector along the Silk Road and the Spice Route, I mean, Malaysia has quite deep ties in business. Why did you find it so strategic for Malaysia to have actually a five-year plan?

Ir. Dr. Megat Zuhairy bin Megat:
Bismillahirrahmanirrahim. Assalamualaikum warahmatullahi wabarakatuh and a very good afternoon, ladies and gentlemen. First of all, I would like to express my gratitude for inviting me here today, especially after two months of holding this post. Before this, I was involved in digital transformation, I was not in cybersecurity. Just to answer to your question, John, I think we established our Malaysia cybersecurity strategy in 2020. It was a five-year plan, which fight with five pillars. The first one is effective governance and management, which we established NACSA, National Cybersecurity Agency of Malaysia, which I am right now heading. Number two is legislative, strengthening legislative enforcement, of which we will establish our cybersecurity bill next year in March, which we will table in the parliament. Number three is all about innovation R&D. Number four is all about capacity, capability building, awareness, and also education. And number four is global collaboration. To respond to your Malaysia cybersecurity… strategy, its vision is to establish a secure, trusted, and resilient cyberspace. It’s just not that, it’s actually supporting our Malaysia Digital Economy Blueprint, our IR 4.0 policy, as well as the other policies. One is our science, technology, engineering, and math policy, promoting students to go into these four fields, and some other strategies. So the reason that Malaysia’s cybersecurity strategy is very important, we see it as very strategic because it supports the other strategies and policies that have been established before.

Moderator:
If I can bring in His Excellency from Qatar, and if you can drive home, it’s very interesting, if I can use an analogy, Qatar was the little engine that could, right? It’s grown so rapidly off of the strategic decision in 1992 to develop natural gas, and then to have that pervasive development in the state. Your view on the link between a robust cybersecurity system, if you will, and the ability to foster growth on the ground locally, but how that makes Qatar a global player in this idea that Saudi Arabia’s building an international hub here. Qatar’s been doing the same. Why is the cyberspace component so vital, would you suggest, Engineer?

H.E. Eng. Abdulrahman Ali Al-Malki:
Thank you, John, for that. First of all, I would like to thank the organizers of this conference for all their efforts, and we all support the Saudi Arabia Cooperation Council to move forward in this field and become the leader in cybersecurity. Back to your question, Mr. John, in terms of cybersecurity, from a general perspective, everyone knows that cyber security is very expensive. Everyone says that securing the systems and securing the sites costs a lot of money. It leads to a shortage in budgets for some ministries or even for private companies. In terms of leadership, we see it in two ways. The first way is that if you have an appropriate budget for cyber security from the beginning, you can protect your assets or systems from the greatest risk, which is the constant losses after the attack. The losses lead to the return of the system or the systems to work again. This is a much bigger loss than the initial budget for cyber security. This is one perspective. The second perspective is that the countries that made big budgets for cyber security benefited from the short and medium term, and even the long term, by attracting global solutions and providing the appropriate infrastructure for new projects and new ideas that will be applied in the future. This led to the attraction of companies, because when companies study a new topic or a new project, the infrastructure is enough to protect their investments in this project. We see from this perspective that having a high budget is not a bad thing, it is excellent. In terms of attracting foreign companies to work in these countries, and at the same time, the protection of the very foundation that is inside the country from an attack and greater impact on the return of services.

Moderator:
And I’m sure that must have been a challenge of a lifetime from a cyber standpoint. So the preparedness afterwards, if you can think about it, I’d love to get your thoughts on what was set up to make sure you could withstand a global event of that sort of scale. Felix, you’re so respected in the business. It’s great to have you with us today. I would like to discuss the role of R&D, and you could use the Spanish example or extend it out to the European example. This is a cost, so what’s the cost-benefit analysis of making the investment in R&D and how it feeds into the rest of the Spanish economy? And how did you structure the institute? Because I think it would be wise here because the GCF has its own institute now, and I think that sort of information sharing could be very useful. Please.

Felix A. Barrio Juárez:
Thank you very much, and thank you for the invitation to participate in this amazing new edition of the Global Cyber Security Forum. Congratulations. First of all, in the European Union, we have, since three years ago, public policy, called Next Generation Action, that pretends how recovery of the economy can be boosted after the COVID pandemic. And in this time, we have learned that the main successful experience has been, in fact, to invest directly in research and development in digital transformation. In fact, in the case of Spain, one of each three euros invested through this program of next generation is allocated to this purpose of digital transformation, and in particular it is very important to invest in research and development in the SMEs. Small and medium enterprises is the successful vector for this catalysing of the market, because at this moment we depend to extend all delays of provision of services and solutions in cyber security in a peripheral movement. In fact, we lack of enough small and medium enterprises to reach all the requirements that we are putting on the table around the European directives. So important is that in three years, in Spain, we have moved from 12% of our national economic growth to the 22% of the growth is depending on this purpose of digital transformation and in particular cyber security. It’s very important. This year we have spent more than 224 million euros directly in research and development for SMEs, with more than 140 different projects, and the condition is you have to be led by a small and medium enterprise, and this is directly linked to something that Mr. Abukhaled mentioned before. He said independence of the country. We have to talk about national sovereignty in terms of technology, and cyber security allows this.

Moderator:
So interesting. I’m glad you brought it up. And I think I’d love to have this question for the entire panel, so I just want us to be very direct. That was brought up in our opening plenary session today. How do you get the… balance right between international cooperation and protecting national sovereignty? And where does international cooperation really go deep enough to the challenge of today? This is, you’re introducing AI, generative AI, into a system when we don’t know whether we have the thresholds of protection ready. Do you want to touch on that, Waleed, and where you think collaboration, you came from an international defense player, so you know the role of international cooperation, you want to use that model?

Eng. Walid A. Abukhaled:
No, no, absolutely, Rick. I believe, not long ago, I’m not sure about the statistics now, but I know for a fact Saudi a couple of years ago was one of the most targeted in a country, maybe in attacks, cyber attacks. And maybe this is 10 years ago, I saw lots of statistics, and it was definitely one of the most targeted. I believe there’s lots and lots of lessons learned. And I hope we can set up here in the kingdom a command and control global or regional command and control centers, where there are various countries who are joined or part of this command and control, and they can all share threats, they can all share the attacks, the type of attacks. Because these days, the minute you identify an attack, and of course you put the prevention where there’s another one in the way, and that’s going to be continuous, nonstop. So if there is a regional stroke global command and control center set here, with various countries included, and where we can share regulatory reforms, where we can share the type of threats that’s coming, and I can assure you it varies. Some attacks here are common in other countries, but some are different. And really put some regulatory framework where how can we develop the talents of the future leaders when it comes to cyber, how can we share best practices, and so on. I believe this will be a win-win to all. and will definitely benefit. There is a direct relationship between safety and security and prosperity of any nations. Foreign investments always link to safety and security of any nation, so if a country wants to invest in another country, they look at the safety and security of that nation. Make no mistakes, the future is all about cyber, and this is the huge security about protecting strategic assets, protecting investments, and so on. So I totally recommend and support having a regional hub, stroking global, where they can share best practices and learn from each other.

Moderator:
Good. Does it make a difference? I think this is a great question for you, Dr. Megat. To have somewhere geographically that straddles east and west and north and south, and I’m thinking of Saudi Arabia, I’m very aware of the Islamic roots going down to Southeast Asia, so this is a commonality, right, on the spice route. Could you see the kingdom serve as a bridge between the U.S. and China where they compete fiercely on technology, where you can at least, as the engineer was suggesting here, have a commonality is that we have to have the common good of protection and to share knowledge. Is that possible that could happen here in your view?

Ir. Dr. Megat Zuhairy bin Megat:
Well, I think global collaboration is always the fifth pillar of Malaysia’s cybersecurity strategy. We have been communicating or collaborating with our cybersecurity entities around the world, the globe. You are already? Yes. Oh, that’s great to hear. We have been seen as the middle ground country. We have received threat intel from ASEAN, EU, the U.S., China, and however, although with the abundance of data information, we could only respond to that with the necessary capacity and capability. We have our command center in Malaysia. We share our intel for Singapore, Indonesia. and the rest of the world. However, without capability and capacity of us receiving the information, we will not be able to translate that, whether that is a real threat or not, for example. So, coming to that, I think, unless a point of view, we see that we need to invest a lot on capacity building. In fact, for a statistic, for example, we aim to have about 25,000 or 30,000 of cybersecurity knowledge personnel in Malaysia, but we only have about less than 15,000. So, to do that, we have to do certain initiative of promoting people or students coming into Malaysia. I mean, in Malaysia, choosing cybersecurity as their career choice and their education choice, that relates to, again, science, technology, engineering, and math, promoting students from primary school, or secondary school, to choose cybersecurity as their field, then going to the industry, and then we’ll be able to have enough knowledge personnel to then translate, to receive that intel and information from which we receive from the globe, so that that intel can be translated into a real decision. So, although global collaboration has been somehow successful in Malaysia, we have not get much from that value because we do not have enough talents to use that advantage.

Moderator:
Good. Very quick follow-up for you, then. What’s the relationship between the government, the private sector, and the universities? Because I’ve always seen successful PPP models where you have industry saying, I’m lacking that expertise, we need to put this in the curriculum. What are you doing on that front in Malaysia?

Ir. Dr. Megat Zuhairy bin Megat:
It’s good that we seize that, everything that we do right now. especially in digital transformation, anything related to new policies or new direction, collaboration with the industry’s academic institutions has always been part of the strategy. So, in fact, when we draft our cybersecurity bill, number one is always about getting inputs from the industries, getting feedback from the academicians to give inputs so that our cybersecurity bill does not just look into the aspect of governing, penalising, setting standards, setting direction, which government thought we could behave and govern the industries and the stakeholders. So, it is very important, in fact, collaborating with the industries. When we draft the Malaysian qualification agencies, when it drafted the requirement of approving certain programs in the universities, they must prove, the universities have to prove that there are inputs from the industries. So, without that, that program will not be approved.

Moderator:
Okay. For those who need the translation devices, I’m going to call on Engineer Al-Malki here. And the role of international cooperation, can you answer whether it’s real? Now, we heard two regional examples, the collaboration between Saudi Arabia, UAE, Qatar, for example, the GCC collaboration, even extending, I would imagine, to the Middle East, North Africa. Dr. Megat talked about the collaboration in Southeast Asia and the ASEAN countries. Do we have a model that works in Qatar? And you see the international cooperation, and if you want to answer this question about the World Cup, what sort of cooperation were you getting internationally on such a major event? if you can

H.E. Eng. Abdulrahman Ali Al-Malki:
We started with the issue of putting a comprehensive plan to see what are the problems of the sovereign security at the level of Qatar. This vision was based on what they call the national framework, which was applied to all institutions, bodies, ministries, and even some private sectors or private companies that have direct contact with the government. We started the application, but it was not just a matter of putting a framework, or a national sovereign security framework. No, we put the framework and started to monitor it on a daily basis. There is a direct monitoring with all the parties that implement it or not. Until we got closer to the date of the round itself, or the World Cup. During this period, we started our contacts with friendly countries. We had a lot of friendly countries that wanted to participate with us in the event. We all participated with them. We shared the problems and the challenges we had. Thank God, we were able to provide a working team from some countries that were present in Doha during the World Cup. They provided us with support in many ways, especially in the case of the attacks coming from the countries themselves. They were always analyzed and gave us the data. In some countries, they shared their data with us directly. The good thing is that we are still in this relationship with these countries. We receive data from them and provide them with data on sovereign security.

Moderator:
Very interesting. I didn’t realize the level of collaboration was so great. Felix Barrio Juarez, I think it would be great to talk to you about can we move this conversation to the next level, right? What I mean by that is can we harmonize standards where we have this collaboration that we talked about here in the region, Southeast Asia, the European Union. which you singled out in your first answer. How do we get harmonization in the cyberspace where we’re speaking the same language, we don’t have redundant systems that we’re putting in, the investment has a channel where you see it’s gonna be robust for four or five years in a very changing markets. How do we share those harmonization ideas, do you think, Felix?

Felix A. Barrio Juárez:
Maybe it’s the main challenge we are facing at this moment in terms of reshaping of this global market that is the cybersecurity and the digital market in a broad perspective. Because standards maybe can become a kind of barrier for the entrance, not only for foreigner vendors and providers, it’s a threat in terms of we are setting some kind of barrier for small and medium enterprises. And this is the question. In European Union, we are boosting all the moment through the standardization process in order to establish a strong lay of requirements. This morning, President Barroso explained it very well, this and how this has a purpose to accelerate the digital change, but in other hand, we have to, we should to think on the third countries. This is very real, not only for North and South countries, but also inside European Union because it’s very different the market in the Eastern countries and the Western countries and we have to work in a level where standards allow new entrance of this new generation of SMEs. In the past debates around the NIS-2 directive, the European Union Act for Cyber Security, past November, it was suspected that we will need more than 150,000 new SMEs in Europe in order to have the capability to provide this kind of new services in cybersecurity with these new requirements of standardization. And the problem is what happens if we set some kind of standard that is a barrier for this new very small company that is based, for example, in a small town, and you depend only about the foreigner providers and big companies, big firms. So we have to work in these two different ways in order to combine.

Moderator:
What a great point. If I can share this idea, and Dr. Megat, I see you want to interject, how do we make sure this is inclusive? Because you know, SAMI is a beast, right? It’s running the military sector and you’re bringing, you actually made an acquisition of a cybersecurity company, which you can bring up. Dr. Megat, you know, you have this disparity of wealth and you don’t want, the SMEs create the most jobs, but you don’t want them vulnerable. Do you want to pick it up?

Ir. Dr. Megat Zuhairy bin Megat:
I think I would like to comment on the aspect of standards itself. Sure. Although standards may actually improve efficiency when it comes to communicating and information sharing. However, I would like to relate to, I’m from the engineering, before this I was in the construction industry. And we always, our reason of not moving or change to a different, in other words, innovating. Because in construction industry, standards is all about safety, health and quality. And when you want to move away from the standards, no, we cannot do that because we are compromising these three aspects. This is similar, I think, if we, however, the bad part of it is that it actually demotes innovation. Similarly, I feel that if we are too much focused on standards, although they’re positive. The advantage of that in terms of communication and efficiency, however, it may deter or demote innovation. So you wanted to keep the innovation engine moving is what you’re suggesting. Number two is that when you are, with the standards established, and we are actually exposing ourselves that the threats knows what the standards are, and we’re actually exposing ourselves for more threats. And they know that we are not innovating, we are not improving ourselves, we’re not transforming because we are too much focusing on standards.

Moderator:
So there’s a balance between the two is what you’re saying. What a great debate. Engineer Walid?

Eng. Walid A. Abukhaled:
No, no, sure. Look, SMEs in any industry, not only cyber, play absolutely crucial parts in supporting the bigger organization and the bigger mandates of any industry. Part of my career when I was working in defense once, I was with the global, one of the largest global defense company globally. And I was with the head of strategy and he said we’re going to go acquire a company so let’s go together and just take a look to start our due diligence. And I genuinely thought we’re going to go to a huge headquarter, a huge company, big factories. He ended up going to a home and that home had a garage and we went inside the garage to see an individual who built something that’s very innovative. Where was this? That’s in the US. Wow. It’s like a Bill Gates story. Genuinely. And that was a global defense company. So you can imagine, when it comes to cyber security industries, without support of strong small and medium enterprises, I think we can kill innovations. I can tell you we are big corporations. Innovation, we try to implement as much innovation as possible, but exactly as Dr. said, sometimes you have certain standards, certain compliance issues, quality and process and policies that prevent quick innovation, quick thinking and so on. So I believe we definitely have to develop SMEs, support them, and I think we should support them by regulations. And I hope we can implement a policy where you say, if we give a contract, one of our company, advanced electronic company, SAMI Advanced Electronics, that 10% of this contract should go in supporting SMEs or 15%, whatever. I hope that we can build this in the regulatory systems where we really encourage SMEs. They are the engines for any economic community or economic strength. So I believe that’s going to be extremely important.

Moderator:
Great. I’m going to do the final question, and I want you all to chip in on this final question with no more than a minute each, because then I want to ask a question about trust at the very end, which I think is very important. It’s like, how do you maintain consumer trust? If you get onto an app and you’re trying to do a business transaction or e-commerce for a small business, you don’t have trust in the system, because of cybersecurity, we have a problem. So think about it, because that wasn’t in our list of topics. But I think trust, we assume that the companies have our back, the government has our back, but the challenge is always changing. So what would you say is your biggest priority, Felix, on your side today, if you’re going to look, if we sit down for GCF in 2024, what’s going to be the priority that you have accomplished this year?

Felix A. Barrio Juárez:
Yeah. Despite we need more than ever from the private initiative in order to build this level of capabilities in cybersecurity, we have to put all the public service focused in the more vulnerable sectors, and the consumer is the main. So we built three years ago a hotline, 017 telephone number, that attends every citizen, every small and medium enterprise, every professional is suffering some kind of cyber attack, or they are suspecting they can reach us every day of the year. This is very important. We receive more than 2,000 calling demands per week. And this is the way to say to the people the message that everybody is part of the solution. are not protected by the public sector. This is a very lucrative field.

Moderator:
Very interesting. It’s very consumer-facing, I think. Engineer Al-Malki, do you want to tackle? What’s your key priority this year?

H.E. Eng. Abdulrahman Ali Al-Malki:
First of all, we need to understand, in order to know the important things, we need to know the risks, we need to study the risks and know where they are. Of course, the risks vary from one country to another. The risks for one country are not the same as the risks for another. In Qatar, we studied this issue. We had two directions. The first direction is to build capabilities. In addition, we need to find a mechanism to license workers in the field of cyber security, at the company level, at the level of the organization, and even at the level of the workers or engineers. This is the first part. After studying this, we discovered that the biggest risk we face today is the supply chain. The chain… I don’t know how to say it. Anyway, I think the previous session discussed this issue in detail. But we found that not studying the supply chain for any service or organization causes us the biggest problem. This has happened all over the world, but for us, we discovered that the smallest entity in the supply chain can cause a complete failure of the service.

Moderator:
Excellent. Thank you for the answer on that. The two of you are going to finish up, Dr. Megat and Engineer Waleed. Quite extraordinary. 60% of attacks are on airport infrastructure, so we take for granted that our skies are secure. 66% of healthcare organizations hit by ransomware attacks. Critical, right, if a hospital goes down, the threat. 86% of global CEOs believe there will be a catastrophic event in their cyber operations. So this is a trust game and it’s a race. How do you approach it as your priority? Dr. Megat, then we’ll finish with His Excellency Waleed. Thanks.

Ir. Dr. Megat Zuhairy bin Megat:
Malaysia always feels that it’s all about secure, trusted, and resilient cyberspace. My priorities right now is all about capacity and capability building. In fact, when you promote, Malaysia always promotes digital transformation, when we establish trust, more people will come into the cyberspace. More machines, people will be coming into cyberspace. It can be a positive is what you’re saying, right? Positive, but then we have to create more resilient, more approach, more people to protect, to establish a peaceful and resilient cyberspace. So capacity building, capability building is a continuous effort, we could not stop, we cannot stop because, again, innovation, the generative AI, establish a totally different cyberspace environment, which we may not know what the solution today. So capacity, capability building, that’s my priority.

Moderator:
Great. We’re going to have a session this afternoon, just after two o’clock, on widening the lens. What’s the role of media in the process of supporting government and the consumer? Because you have to educate people to know of the potential threat and the opportunity, as we’ve all talked about. Engineer Waleed, you have the last word.

Eng. Walid A. Abukhaled:
Thank you so much. Look, His Royal Highness, the Crown Prince, has been consistent from the day of launching Vision 2030. The biggest wealth the kingdom has is its people, the youth, the human capital. It’s all about developing talents, specifically I’m talking on the domain of cybersecurity, having the right talents. But we have issues. I have, and I don’t know how NCA can help us and help other companies in this. When I have cyber security specialists, Saudi nationals, who have probably four years of experience, they ask for a salary, they’re the same as mine as a CEO of this company. We have, we have, that’s true inflation. That’s true inflation. God bless them. I wish, I wish life can go back, I would have got into cyber security specialist, but genuinely, developing the right talents and regulating the market, and I think we need a lot, a lot more. And really, when I discuss with my fellow CEOs from global companies, it’s no exception. I mean, this issue is not only in the kingdom. It’s issues globally. So that’s something I hope we can put certain emphasis on. I totally agree with capacity and developing the right talent, but when you mention trust, trust, as you know, is gained rather than, so, so MCA can put all the regulations, if, and we can comply 100%, but still, if I’m always penetrated and there’s information lost, then there is an issue that we really need to look at it. The same applies for any applications. If I talk to my friend, and this happened recently, I was telling him I’m interested in buying a new car, Lucid, and all of a sudden all the advertisements appear about Lucid. Should I trust this application anymore, that’s listening to me? So it’s really, in my view, trust is gained. We need the right regulatory framework. I genuinely hope, and I’m sure, that this global cyber security forum will let, will learn a lot from it. I think there are global mindsets in here, and I truly believe this has been extremely beneficial to all. I look forward to the next one.
Yeah, knowledge is power, absolutely, right?

Moderator:
Absolutely, and this is one of these things where I think we have to bring the consumer along for the ride, you know, because if they don’t know what their role is in this, and you have to, as you said, earn their trust to make sure that the government, but the private sector and academia, has their back in a big, big way. Can I thank you again for an excellent assembly of fantastically good minds, governor to tackle this from the cyber authorities, the institutes that we have here, the government standpoint in having such an important sector such as the military. Can we give them a nice round of applause? Thank you very, very much. Thank you. Thank you so much. Terrifically done. Excellent. I appreciate it. Really excellent. Thank you.

Eng. Walid A. Abukhaled

Speech speed

184 words per minute

Speech length

1688 words

Speech time

552 secs

Felix A. Barrio Juárez

Speech speed

143 words per minute

Speech length

788 words

Speech time

332 secs

H.E. Eng. Abdulrahman Ali Al-Malki

Speech speed

133 words per minute

Speech length

836 words

Speech time

376 secs

Ir. Dr. Megat Zuhairy bin Megat

Speech speed

148 words per minute

Speech length

1150 words

Speech time

465 secs

Moderator

Speech speed

178 words per minute

Speech length

2121 words

Speech time

714 secs