businessmen at crossing during rush hour, Ginza, Tokyo, Japan My experience in the technology sector spans the Middle East. And in my opinion, there was no greater test to IT infrastructure in the region than during the Arab Spring.

Prior to the uprisings, many of those in the industry pondered if the IT infrastructure of businesses in the Arab region is ready to be exposed to risk? We also explored what measures companies can take to be ready for unplanned events? Is disaster recovery and business continuity a norm in companies in the Middle East?
In brief, the region wasn’t prepared.

Organizations in the Arab World, and certainly many across the globe, are exposed to various IT risks and none more serious than the cyber security risk. However, there is a prevalent wave of overconfidence across organizations, according to a recent study, on TMT Security. 88 percent of executives surveyed in the study did not see their company as vulnerable to cyber security threats. Yet, surprisingly, more than half of these executives acknowledged experiencing a security threat in the last year (59%).

In the region, there have been many successful cyber attacks, which left some key organizations with their systems down and loss of data. So, if this can happen to mature organizations, then we can safely say that the majority of organizations are certainly not ready nor secure.

From what I have seen, most organizations treat security as a technical discipline. They tend to ignore the overall security management, which is a set of continuous and integrated security processes to monitor, assess and improve the security posture of an organization. For the most part Senior Management also does not understand the security challenges and therefore provides limited support to information security functions.

But, one important thing that has come out as result of recent attacks is that finally cyber security has grabbed the attention of senior management. We are seeing heightened interest from the Boards, CEOs and Risk Management functions in understanding their organizational capabilities and whether they can either prevent, or at least respond, to such attacks. So hopefully, now and going forward, security will be treated as a business issue rather than just an IT issue.

As for business continuity and disaster recovery (DR), we have seen increased focus and investment in the last couple of years as evidenced from many big organizations taking a more formal approach to implementing end-to-end business continuity and disaster recovery programs and many hiring dedicated Business Communication Managers. Though, still most organizations have a long way to go to reach a stage beyond having just a documented plan mainly focusing on IT to looking at business continuity as a holistic approach incorporating people, facilities, equipment and suppliers’ recovery as well as crisis management plans that are regularly tested.

In the face of cyber-attacks, business continuity and disaster recovery has already taken an immediate interest with many organizations revisiting both their crisis management plans and IT DR capabilities. This is a good starting point to ensure that even if organizations are not able to prevent cyber-attacks, they are at least able to respond to such events and recover their systems quickly, thus minimizing the impact on business.

However, Information Security is not one size fits all. So it is vital that organizations perform a risk assessment. Only when they have fully understood their assets, the risks that threaten them and how these fit into the overall threat landscape can they determine the level of menace they need to defend against and where they draw the line to focus on limiting the impact of a successful attack. Once risk assessment has been done then, using the results, organizations should plan for governance structures to both, enhance and maintain, its preventative and detective security capabilities. This would include:

• Continuous investment in controls that protect their digital assets
• Leveraging the threat intelligence that is available to understand the internal and external threats to the organization
• Developing the ability to rapidly respond to an incident in order to limit any adverse impact on the organization.

Only then can we begin to feel more secure.

By Tariq Ajmal
Enterprise Risk Services partner in Deloitte Middle East