Tariq Al-Shareef is an accomplished cybersecurity expert whose journey unfolds with his commitment to fortifying the digital landscape. Armed with an electrical engineering degree from King Fahd University of Petroleum and Minerals, Tariq embarked on his career at the National Information Center, initially delving into Information Technology.
His career took a pivotal turn when he transitioned to the dynamic realm of cybersecurity, specifically as an Incident Response Analyst. This early exposure laid the foundation for his subsequent roles, including a stint at SITE as an Incident Response Consultant, where he played a crucial role in addressing national cyberattacks in Saudi Arabia.
Notably, Tariq’s trajectory extended to the financial sector, collaborating with ENBD, which ultimately paved the way for his current role as the Chief Information Security Officer (CISO) at SiFi. In this influential position, he navigates the complex landscape of cybersecurity, steering strategies to safeguard vital information.
Let’s delve into the tale of a lifelong learner and advocate for secure technological advancements!
Could you please tell us about SiFi and its inception story?
SiFi was founded by His Excellency Ahmed Alhakbani with the vision to revolutionize enterprise financial management in the Kingdom. SiFi offers a comprehensive suite of solutions that address the key challenges of enterprise finance management, empowering enterprises to grow and thrive.
What are the key challenges that organizations face in terms of information security today and how do you address them in your role as a CISO?
The cybersecurity landscape presents a formidable array of challenges, each with its unique complexities and varying degrees of severity depending on the organization’s industry and size. These challenges have fueled a global market worth an estimated 150 billion USD in 2021, as organizations worldwide strive to fortify their digital defenses against the ever-evolving threat landscape. While cybersecurity challenges manifest in diverse forms, certain issues transcend individual organizations, demanding a coordinated response at the national level. One such issue is the global shortage of skilled cybersecurity professionals, while another is the escalating cost of cybersecurity services and solutions.
As a CISO and cybersecurity expert, my paramount responsibility is to empower the organization to thrive while adhering to the applicable regulatory framework and ensuring the protection of information assets against cyber threats. This entails a comprehensive approach to identifying, prioritizing and mitigating cybersecurity risks, ensuring that these risks are effectively communicated to the executive management team. The overarching challenge I face lies in striking a delicate balance between compliance and risk reduction without unduly straining the organization’s resources.
How do you ensure the confidentiality, integrity and availability of sensitive data within your organization?
As a CISO in the financial industry, I am mandated to adhere to all applicable regulatory frameworks and industry standards. These frameworks and standards are intended to safeguard the confidentiality, integrity and availability (CIA) of our organization’s data and systems. It is my duty to ensure that all CIA controls are implemented, effective and measured and that comprehensive cybersecurity hygiene is adopted. As well as to translate the cyber risks into a language that is well-understood by the board.
What strategies do you employ to stay updated with the latest security threats and emerging technologies?
Cybersecurity is a rapidly evolving field, with new technologies and threats emerging at a rapid pace. This can make it difficult to stay up-to-date and maintain a comprehensive understanding of the threat landscape. However, several steps can be taken to maintain awareness of the latest developments in cybersecurity. One step is to read periodic reports published by cybersecurity companies and to follow new cybersecurity research. Additionally, reading cybersecurity blogs, following cybersecurity experts on social media and connecting with field experts can provide valuable insights into the latest threats and trends. Finally, participating in cybersecurity conferences can offer an opportunity to learn about new technologies and trends, as well as to network with other cybersecurity professionals.
Can you provide an example of a successful security incident response you have managed? How did you handle the situation and what measures did you take to mitigate the impact?
While I’m constrained from discussing specific incidents from my previous and current roles, I can share that I have extensive experience as a digital forensic and incident response consultant. In this capacity, I have assisted numerous clients in effectively responding to cyber breaches and remediating the damage caused by these attacks.
A common shortcoming observed during my experience is the absence of adequate monitoring on affected servers. This lack of visibility leaves critical systems vulnerable to undetected intrusions and potential data breaches. Additionally, the failure to promptly apply patches for known high-severity vulnerabilities creates exploitable entry points for malicious actors. These vulnerabilities, if left unaddressed, can serve as easy targets for attackers to exploit, potentially compromising sensitive data and disrupting operations. Furthermore, the lack of proper network segmentation and duty segregation can amplify the impact of breaches. By segmenting networks and implementing clear segregation of duties, organizations can limit the scope of potential damage and minimize the spread of unauthorized access.
How do you approach building a strong security culture within the organization and what steps do you take to ensure that all employees are aware of their roles and responsibilities in maintaining information security?
Creating a strong cybersecurity culture in an organization is a top-down endeavor. The CISO must ensure that the board of directors and executive management are fully committed to cybersecurity, as this is essential for employee adoption. Once this commitment is made, awareness programs should be established to educate employees about the threats posed by cyberattacks. This will help to create a culture of awareness and preparedness, which is essential for implementing and maintaining best cybersecurity practices.
In your opinion, what are the most essential security controls that every organization should have in place?
Many accredited standards identify the essential cybersecurity controls based on the industry. In Saudi Arabia, the National Cybersecurity Authority has developed the Essential Cybersecurity Controls, which outline the fundamental controls that organizations must implement.
Due to their limited resources, I believe that SMEs should prioritize security controls that reduce the attack surface and protect against automated attacks. This includes implementing a vulnerability management program, deploying essential security controls such as firewalls as well as web application firewalls and applying best practices such as hardening standards and configuration.
Additionally, organizations should enforce endpoint protection on all assets by implementing endpoint detection and response (EDR) and advanced antivirus solutions to protect against malware and ransomware.
How do you collaborate with other departments, such as IT, legal and compliance, to ensure a holistic approach to information security?
The collaboration should be embedded in the organization’s culture, working in a startup, which is a high-caliber environment, made this part easy for me. To make sure that people work together well, it is important to have clear rules and guidelines that explain everyone’s roles and responsibilities. This will help to avoid confusion and make sure that everyone is working towards the same goals.
It is also important to clearly explain tasks to each department so that everyone knows what they need to do and what the expected outcome is. This will help to avoid misunderstandings and make sure that everyone is working on the same page.
