Singapore

A Chat with IBM’s Manan Qureshi on Achieving Resilience Posture

Written by our in-house resident editor, Lyndsay Turley, an experienced communicator and cybersecurity advocate for over 15 years.

Often when I speak to people about their initiatives, I wonder why what they are working so hard to build doesn’t already exist. This is particularly true with people working to advance cybersecurity as, despite higher-than-ever mainstream appreciation for the risks, they still struggle to gain support for what strikes me as obvious.

“We all understand that too many organisations are stuck in a reactive resilience posture; Organisations are geographically dispersed; They don’t have the visibility to do proper GRC. There is no single point of failure that can be easily identified,” describes IBM’s Manan Qureshi, who is preparing to share various case histories of building cyber risk frameworks at the Pulse CISO 360 Asia & Oceania conference this September.

Manan has been embedding the management of cyber risk within enterprise and operational risk frameworks for many years, working within financial services, mining, manufacturing and now many others following his recent move to take on the opportunity of leading IBM’s Cyber Resilience Consulting practice in the AsiaPac region. Speaking with Manan, I get the impression his current role can be likened to an initiative designed to broaden the approach to cyber risk management. While he agrees that it can feel like he is on a mission to implement the obvious, it doesn’t mean it is an easy one.

“When I talk to clients, they often have no idea that they have a need for this: Everything is managed, but it is not glued together. This means there are only islands of resilience.”

His mission is also simple to articulate – the convergence of understanding of organisational risk within a single management framework. The elements needed for it are clear – a common taxonomy; standard operational procedures that are well connected; mechanisms for assessing the qualitative and quantitative impacts; and the like. The journey is less clear for many.

“Organisations are living beings that evolve over time: Gaps are constantly opening up,” he continues. “We have developed the technical ability to identify what is happening, and the capacity to monitor. Now it’s time for the hard part, aligning the organisation itself to develop that cohesive landmass, that cultural awareness that acknowledges the importance of what needs to be done so it isn’t written off as a nuisance or add-on.”

Manan emphasises that he is not talking about replacing one approach with another but rather pulling the stakeholders together to discover the common concerns that are “always present” in disparately managed areas – physical, IT, operational, privacy, reputation, etc.

“So why hasn’t it been done already?” I ask.

“Organisations didn’t have the right paradigm to make it happen,” he responds. “This is what is changing, not what needs to be done necessarily but the context in which we are working. In the end it is a cultural change,” he says, explaining that so many organisations are pushing the ‘reset’ button on just about everything as they struggle with the levels of disruption that digital capabilities have brought to their markets.

A New Context

Opportunity comes in the midst of this disruption: “Transformation is a very heavy word,” he says, expressing concern that it has taken on a buzzword quality. “But I can see that organisations are admitting that their traditional siloes aren’t working as they focus on developing digital capabilities and move beyond the skin-deep, digital front-end to reinvent the company. It’s a three- to five-year evolution, which also provides a new context – broad mandate – for assessing operational risks.

“As ever, we need to develop an appreciation for what the organisation wants, to be able to package what we do and present it in that context, including the financial impact, but we now have a real opportunity to embed it properly under the umbrella of risk,” he says.

The journey involves identifying existing, relevant siloes of management; acknowledging and debunking the well-established belief that some central security or risk department is managing their risks already; and then involving – via committee or some other independent mechanism – all those with an interest, whatever the business unit, in the construction and management of an overarching view.

“There are elements of audit, compliance, the Board, business units, not just security interests. It is different for every industry and every organisation,” he describes. “Everyone’s participation is essential to ensure an understanding of the objectives within the context of the transformation that all are working toward. This is why buy-in from the very top is essential.”

Manan’s message strikes a chord with me. The inability to break through organisational siloes was a constant theme coming out of this year’s CISO 360 Congress in Rome, from the gaps in addressing cyber-physical risk to the management of AI and robotics, and the unprecedented levels of change hitting the CISO community today. Repeatedly, organisational siloes were identified as a barrier to progressing what was deemed to be obvious. I expect this conversation to continue for some time.

The conversation is set to continue at the upcoming CISO 360 Asia in Singapore on 25-26 September at The Westin Singapore, part of the international CISO 360 series of conferences that are developed and hosted by Pulse Conferences. Join us if you can. The more experience we bring together, the closer we get to resolution and to moving the agenda forward as communities.
