Yasser N. Alswailem currently serves as the General Manager of Cyber Security for Saudi Telecom Group, and is responsible for establishing and maintaining the Group’s cybersecurity vision, strategy, and program to secure and enable the digital transformation journey in KSA in support of vision 2030. He has 15 years of applied experience in cybersecurity, enterprise risks management, corporate governance, technology audit and compliance.
Tell us about your journey in the field of cybersecurity?
My journey began when I graduated from King Saud University with a Bachelors of Science in Computer Sciences. I was fortunate being interviewed and selected by a new and innovative company called IT Security Training & Solutions or I(TS)2. The company was focused on leveraging security education and awareness to increase the maturity of the market. Through that experience which lasted almost 8 years, I was able to work across dozens of projects, consultancy engagements, security technologies, and attain many cybersecurity certifications and skills.
My tenure at I(TS)2 gave me a 360-degree view of cybersecurity ranging from training to consultancy, a vast portfolio of security technologies, and introduction to Managed Security Services long before it was mainstream in the region. After leaving I(TS)2, I enjoyed working with Dell Emerging Market, where I leveraged my expertise in digital forensics to architect solutions for very large enterprises and government agencies in Middle East. This eventually led me to a slightly different role working in Internal Audit for Mobily which the second leading telecommunications provider in Saudi Arabia. However, when the opportunity to go back and focus on Cybersecurity presented itself at STC, I joined in 2016 as the GM and since have been working to build a world-class practice and organization.
Can you throw some light on privacy and infrastructure security policies followed by Saudi Telecom Company, especially at a time when IoT-enabled devices has caused a surge in data usage?
STC has made issues like cybersecurity, privacy, and data protection top priorities to support the companies’ ambitious digital transformation journey. At STC, we work with our regulator, Communications & IT Commission (CITC) and Ministry of ICT as well as the newly formed National Cybersecurity Authority (NCA), to ensure our policies are protecting our subscriber and employee data. We are in the midst of a major cybersecurity transformation program which is preparing STC for all the new and innovative opportunities and challenges from IoT, Data Analytics, broader Cloud adoption, and more.
How does cybersecurity effectively align to your business goals?
Actually, I believe it is the other way around. We are working to ensure that our value to business achieving its goals are linked to cybersecurity. Through education, we have won support from the business and they have worked closely with us to align as they now understand that cybersecurity is an enabler to the new digital age. Without it, businesses and government agencies will fail to deliver the value propositions to their customers and citizens.
A number of telecom operators are looking to adopt cloud to improve efficiencies in business operations. How much is the industry aware of the cloud security and the cyber risk associated with it?
STC has invested in expanding its portfolio to provide cloud services to our clients as well as our group. We are investing in cloud security services including assessments and audits as well as CASB and other security solutions. The cloud like any other technology innovation is important for growing our business, so we continue to invest in our people to ensure they are aware of the challenges and risks so that we can mitigate them.
In a telecom company, a number of functions are outsourced. What are the checks that an organization should do to with the outsourced partners to ensure complete security?
Third Party Governance is critical when relying on partners and contractors to deliver critical functions in your organization. Therefore, we have strict contracts that include requirement for all our suppliers to adopt or adhere to security policies and protocols that are equal to or better than those of STC. We conduct regular assessments including site visits, simulations, and reviews as well as requiring independent certifications bodies to validate and affirm the security posture of a partner of vendor.
What would be your advice to a budding information security professional?
Read, then read some more. The amount of information and online content available to information security professionals now is significantly more than when I started my career. YouTube, Google, and so many free resources are available with valuable content. Furthermore, online labs and training can be found by credible sources for less than $150 in many cases. I’m always pushing my teams to read, get trained, pursue professional certifications because these are golden years in our profession and we must be prepared to meet the opportunities and challenges that come along.