"Nigeria cyberspace is a neglected, unprotected territory" - ISACA President

Nigeria as a member of the global society and the country cannot be insulated from the opportunities and threats of globalization.

Opeyemi Onifade

As the use of IT becomes pervasive, government, large corporations and private organizations are daily combating cyber security threats. In this encounter, the President of the Information Systems Audit and Control Association [ISACA] Abuja chapter, Opeyemi Onifade, examines the trend. Excerpts.

Cyber security threats have shifted from hacking for fun to deliberate concerted efforts on a particular target to get financial information. Still some managers operate with an old mindset without preparing for new threats. How big are these threats in Nigeria?

Nigeria as a member of the global society and the country cannot be insulated from the opportunities and threats of globalization. Now, the use of IT is pervasive. Many organizations in Nigeria are leveraging on the Internet to transact and interact with customers, employees, suppliers and partners. The internet has become imperative to address our collective capacity to respond to the inevitability of cyber threats, especially Advanced Persistent Threats [APT].

Primarily, the purpose of the majority of APTs is to extract information from systems—this could be critical research, enterprise intellectual property or government information, among other things. Talking about the shift in the motive for hacking (i.e. compromising the security profile of information systems), you will find that there is an evolution in the motivation for attacks.

Motivation for attacks can be explained as being attacked because you are on the Internet and you have vulnerabilities. Or because you are on the Internet and you have information of value; or because your former or current employee seeks financial gain from selling your intellectual property (IP) or because of who you are, what you do or the value of your IP. And these include state-sponsored attacks and corporate espionage. According to recent research, Cybersecurity is a top global concern. 82% of enterprises are expected to experience a cyber incident in 2015.

What can business and government do to prepare for the current threat?

Financial industry players like banks have strengthened their cyber resilience through implementation of adequate technology, adoption of process-oriented good practices and standards, and engagement of right skills and competencies. However, our government needs to consider a special vehicle to establish the framework to address cybersecurity issues strategically, tactically and operationally. This is because cybersecurity is a security issue, in fact a national security concern.

We need to understand that we cannot succeed by accident. The cyberspace is now recognized as the fifth domain of warfare in addition to land, air, sea and space. Unfortunately, in Nigeria, our cyberspace domain is still a neglected and unprotected territory. Yet, we have come to depend so much on mobile telecommunications, electronic banking and e-commerce for our socioeconomic survival.

In specific terms, there is a need for the government to declare an emergency in the cybersecurity education domain of the country in order to promote cyber security expertise and create a formidable “army” that will be able to ensure effective national cyber defense. The University Commission needs to update curricula development and accredit information security courses in our tertiary institutions.

Standards Organization of Nigeria needs to domesticate the information security related international standards. NITDA needs to wake up to her responsibilities as the governing body for IT-related security issues in the country. This is an unfamiliar territory to government bureaucracy and the bureaucrats need to have the humility to collaborate with the professional bodies like ISACA with over 2000 credentialed Nigerian members in the interest of security of the country and wellbeing of her citizens.

Where does ISACA fit into all of these? What are the objectives of ISACA? What are the landmarks of ISACA in Nigeria?

ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit and assurance professionals worldwide. The COBIT framework and the CSX, CISA, CISM, CGEIT and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises. Nigerian banks depend on our members to man their audit, risk, e-business, operations and strategy department. CBN guidelines to the banks require them to use ISACA’s framework to align IT with Business strategy.

To become a member, you are required to register as a professional or student member. Membership gives you access to vast educational opportunities and international networks. Members are supported to earn professional credentials upon passing the relevant exam and demonstrating verifiable work experience. ISACA operates three chapters in Nigeria: Abuja, Lagos and Ibadan. There are over 2000 members resident in Nigeria at the last count.

How can ISACA enable proven best practices to reduce the attack surface, and mitigate risks?

For over 40 years, ISACA has promoted trust in, and value from information systems. ISACA has published frameworks and standards related to information assurance, information security, risk management, and corporate governance of IT. We have been a global thought-leader on these issues.

In 2015, ISACA commenced a skill-based credentialing programme, Cybersecurity nexus CSX to develop and validate cybersecurity competencies.  This programme is in recognition that the most advanced of cyber attacks are done by people and the defense side needs to have adequate competencies to reduce or eliminate opportunities for successful attacks. ISACA provides access to the knowledge and competencies for cybersecurity in over 180 countries of the world.

ISACA Abuja chapter will be 10 years this year. What are your plans to commemorate this?  What are the preparations for the up-coming annual conference?

As part of our contribution to promoting the right use of information technology in the country, ISACA Abuja Nigeria has been hosting annual international conferences. The seventh edition coincides with our 10th anniversary. This conference theme is “CYBERSECURITY: Aligning Nigeria with the rest of the World”. The Chief Information Security Officer of the City of Atlanta, USA has accepted our invitation to be the keynote speaker. We are also drawing speakers from other parts of the world and from within the country.

As a socially responsible professional body, we shall be donating IT-related books to tertiary institutions and libraries in Abuja. We have also planned a free seminar for students of tertiary institutions interested in cybersecurity profession. The platform is meant to provide mentorship to future cybersecurity professionals. To commemorate our 10th anniversary, we will be signing MOU with organizations that believe in our cause to make our cyberspace safe across the country and region.

Would you say Nigeria security professionals are adequately equipped with the requisite training and knowledge to build a strong core infrastructure, governance and risk management to combat digital security threats? What should be done to help update them with the required skill sets and technology on need basis?

According to CISCO, there are over one million unfilled jobs for information security roles worldwide. Another research estimates that more than 35% of enterprises are unable to fill open cyber security positions.  I believe security professionals in Nigeria have not been able to gain the recognition they deserve and so they have not been able to express themselves through hands-on contributions to the economy and national security. Sadly, there is currently an incessant loss of our cyber security professionals to opportunities in the Middle-East economies. The brain drain will continue until we create an atmosphere to retain these skills. It happened to nursing and medical professionals in the 80’s, it is happening again to our cyber security professionals.

I think there are numerous opportunities for self-development for our professionals, but businesses and all tiers of government must begin to look to our citizens for cyber protection in order to fully engage and truncate the brain drain in the cyber security industry. I wish to suggest that government agencies and businesses should be involved in sponsoring cybersecurity events for professionals and students. An example is the cyberlympics organized by ISACA International. President Buhari will need to find a means to drive the cybersecurity agenda for the nation. Recently the US President issued an executive order on cyber security earlier in the year and the UK government recently made public her National Cyber Security Strategy.

Legislation is vital in the fight against security threats and cybercrime. Are you satisfied with the available laws?  Which areas should the new National Assembly focus on? What are your strategies in lobbying the National Assembly in doing the needful?

Thankfully, the cybercrime bill was passed into law this year and there are attempts by the Office of National Security Adviser to promote a national strategic framework for cybersecurity. While that is a good step forward, we are still very unserious in providing a legal framework for governing our cyberspace. I mentioned earlier that our cyberspace is a neglected territory. Our laws should attempt to make Nigeria one of the most secure places to do business.

Until recently, Amazon.com would not ship to Nigeria. PayPal would not do business with Nigeria at all. While these organizations have modified their business models for Nigeria, their service package for Nigeria is still limited. This means that Nigerians are unable to take full advantage of international e-commerce. For instance, while a Nigerian can pay using the global payment platform, PayPal, she cannot receive payment using the same platform. We need laws that will enable e-business, not just punish cyber misdemeanor.

We are hoping that the members of the eighth National Assembly will be open to working with experts in non-profit organizations like ISACA to help with research and case studies to make our laws appropriate and relevant to 21st century realities.

Globally, a trend is gradually emerging and is positioning the CISO over the CIO. The argument is that the CISO already knows infrastructure and the business and has a privacy and risk management mindset. Do you see organisations in Nigeria embracing the trends? What can CISO do to become very prominent in organisations?

The role of a CIO is to create value from the information asset of the organization while a CISO’s role is to preserve the value of the organization’s information asset. Information has become the most important factor of production over land, labour and capital. Therefore, information security is really about business security. The CEO is the one who will be held accountable for the protection of the most important productive asset of the organization, i.e. the information assets. He can delegate this responsibility to a CISO but he cannot delegate the accountability.  A CISO therefore needs to recognize his role as someone responsible for business resilience and performance. His role is not just to implement controls but also to ingrain the enablers of business strategic outcomes.

As more organizations adopt cloud applications, how will today’s adversaries target corporate data in the cloud? What are the tools, techniques and tactics that are being used to achieve their objectives? How are they different from traditional on-premises attacks?

The primary information security objectives of confidentiality, integrity and availability are also applicable to the operating model we have come to know as cloud computing. It is important that supplier governance controls be imposed on cloud service providers, CSPs.  Organizations have the responsibility to insist on having the right to audit the business continuity plans and compliance status to security standards of the Cloud Service Provider [CSP]. That is why cloud service providers such as Microsoft have adopted security standards like ISO/IEC 27001. Other considerations should include legal jurisdiction issues, the financial position and market recognition, and risk capacity of the CSP.

Social media has become ubiquitous in today’s business place; as more and more enterprises embrace its use for marketing, cost savings, lead production, and everything in between! But with its use also comes risk. What are the common pitfalls and risk associated with social media, and how can organisations mitigate them?

We have identified 5 potential risks, including viruses/malware propagation, brand hijacking, lack of control over content, unrealistic customer expectations of “Internet-speed” service and non-compliance with record management regulations. Organizations can no longer afford to block their employees from the cyberspace; instead they need to empower employees with social media governance principles which are available to registered ISACA members as part of ISACA body of knowledge.
