The Geneva Centre for Security Policy podcast is your gateway to top conversations on international peace and security. It will bring you timely, relevant analysis from across the globe with over 1,000 multi-disciplinary experts speaking at 120 events and 80 courses every year. Click subscribe, download on your favourite podcast player, get notified each time we release our weekly episode.
Ms Ashley Müller: Welcome to the Geneva Centre for Security Policy Podcast. I’m Ashley Muller. This week’s episode explores some of the latest global issues affecting peace, security, and international cooperation.
Ms Ashley Müller: As the world navigates the coronavirus pandemic, we speak with two founding members of the Institute for Strategic Risk Management, Dr Hoda Alkhzaimi and Mr Kev Brear on what a crisis in the year 2030 could look like, and are we ready for it? We will discuss having a 360 degree approach to crisis response as well as explore different international standards on risk and crisis management.
Ms Ashley Müller: Welcome Dr Hoda Alkhzaimi, thank you for joining us here today with the GCSP. You are the Director of the Center of Cyber Security at New York University Abu Dhabi and President of the Emirates Digital Association for Women. My first question to you is: what does it mean to be the director of the Center for Cyber Security, and what does a day in the life look like?
Dr Hoda Alkhzaimi: I took the directorship position I think four years ago, and prior to this, I worked in multiple R&Ds in UAE, Europe, Asia, and I came into this kind of formulation that we really need to bring in a different model of where we build research and development. The Center for Cyber Security at New York University Abu Dhabi is an interdisciplinary center of research that addresses issues of cyber security, but in a different way. We don't want to think that cybersecurity is a technological problem or a technological issue that should be addressed by computer scientists or engineers or people who would have a technical capacity and a specific scientific discipline. But we wanted a holistic approach to the problem. So we brought in the law practitioners, we brought in the social scientists and economists into the equation to make sure that we do have this kind of 360 approach to the problem. And at the same time, make sure that we in the long run address the issue of making sure that cybersecurity is an issue to be included in the DNA of building a solution.
Ms Ashley Müller: You're also the president of the Emirates Digital Association for Women. Are there crossovers for your job as a director or are they separate? What does that look like?
Dr Hoda Alkhzaimi: There are some crossovers. The Emirates Digital Association for Women is the hard work of an amazing eight ladies who established this foundation around five to six years ago in UAE. The foundation is acknowledged as a not-for-profit association under the Ministry of Social Development in UAE, which is great, which is a great success for us. We get partial funding from there, but we get also funding from all of the bodies in UAE to address building opportunities for the community. We did not want to say that we just built opportunities for women, because women are always about a community, and our members, our member body, wants always to address the community, address every kind of entrepreneurial need that we could build for women or also research need that we could build for a woman as well. We started the foundation because we noticed that there is a global statistic that says women are underrepresented in the fields of STEM. And that's not the case in UAE. So we wanted our statistics that represent the Arab world, or represent at least us, to come out of our kind of community, because we have been the actual experiment and we are the probability within the experiment. So that's what motivated us to start, and what keeps us going is a mission to make sure that there are opportunities that exist and silences are broken for children, for women, and for men in different fields, and providing competitive opportunities for all of them to learn and grow.
Ms Ashley Müller: My next question is, why have you decided to join in on the global advisory council with the board of the Institute for Strategic Risk Management? Are there crossovers?
Dr Hoda Alkhzaimi: The main reason I joined ISRM is the fact that we are again building a community, and a community that's based on a holistic approach of addressing the problem and not based on a specific perspective. Cyber is very dear to my heart. But it's a very dynamic and fragile kind of discipline. Fragile, because of the basis of risk that exists: the risks are too high, and addressing them is too expensive. We deal with attacks that can happen in a matter of seconds and standards that are built to address these attacks in a matter of three years. So we have a lag there in terms of providing solutions sometimes. So breaking silos, to me, is something that proved on and on throughout, you know, different experiments and different projects as an effective means of building a solution faster. Delivering, you know, effective results faster. So I think SRM is a platform that would, in the long run, build a holistic approach to addressing the global risks, not only cyber risk, and that's why we're here.
Ms Ashley Müller: What are the current standards that exist for cyber security at the moment? I mean, what would that look like based on an attack? Three years down the road, it gets sorted out. How does that work?
Dr Hoda Alkhzaimi: We do have information security standards, we do have different standards around different technologies. We do have an abundance of standards around security elements that you're building in your organisation. However, they're not accurate enough on addressing dynamic attacks. The 360 approach again for cyber security is very difficult to put a point on, because, for example, I'll give you an example: what we start with in cyber security is actually building a threat model. The threat model would address your vulnerabilities, would address your attacks, and from these vulnerabilities and attacks you will build a risk map, and this risk map will tell you about the impact that you would have on certain organisations, and from these impacts you would build your contingencies, affordable contingencies that you can have within this crisis. Can you imagine what is the case if you build, for example, autonomous technology that is addressed to the mass, but this autonomous technology that is being addressed to be used by the mass did not consider cyber security from the get-go? So this model is collapsing. We have something at the moment, the autonomous car, for example: do we have a risk management standard for autonomous cars? No, we don't. It is a technology that's being pushed into the market. And we don't have that in mind as well. Blockchains that will be used for, for example, contract signing, and for many other issues at the moment, they're being considered in smart cities, and smart cities means accessibility to infrastructure. Do we have a risk management kind of standard that would address the use of these kinds of emerging technologies in the field? We don't. So we really need to have an agile mechanism or a platform for building these policies and standards. If technology is leaping, you know, 300 miles an hour into the future, standards and policy need to be leaping 300 miles into the future. And people who are building these standards need to be as well the scientists, the technologists, the mathematicians, and the policymakers together, so we could have this kind of holistic 360 view of it.
Ms Ashley Müller: Thank you, Dr Hoda Alkhzaimi.
Upcoming courses: How to lead effectively in a turbulent and fast-moving world? Register now for the online course "Crisis Management: Navigating the Storm 2021".
Ms Ashley Müller: Mr Kev Brear, welcome to the GCSP and thank you for joining us for this interview. You hold many qualifications: you are a founding member of the Institute for Strategic Risk Management and Consulting Partner, Global Cyber Resilience, Wipro, and Project Lead for ISO 22361, an international standard on crisis management. My first question is, it's a lot of numbers written down. How do you keep it all straight? How many working groups are there?
Mr Kev Brear: So in 292 we are the ninth working group. And it starts at working group one, which is terminology. And then there's working group two, which looks after business continuity and organisational resilience. Working group three is emergency management; working group four eludes me at this precise moment. And then working group five is about urban resilience. And then one is around security for products. And so if you are making an expensive perfume or something like that, it needs some anti-counterfeiting markers on it. And so they produce the standards around that. And then we just go through to working group nine, and we were formed in August of this year.
Ms Ashley Müller: What is the working group on ISO 22361 hoping to achieve?
Mr Kev Brear: So the UK produced the business continuity standard called 25999 in 2006. Whilst they were doing that work there was debate in the committee around incident and crisis, and which terms should be used. And the decision was made in that British Standard that they would go with the term “incident”, and they put up a sort of footnote that some foundations may refer to the term “crisis”. And that's how that debate was resolved. However, after that debate, it was felt that there was a lot of information that was relevant to crisis management that could have gone into that 25999. And so the decision was made to produce a publicly available specification, which was called BSI200. And then that was published in 2011. And it was sponsored by the UK government, the Cabinet Office, who are responsible for management of crisis at the government level, and that was well received by industry, but it was very, very focused on national emergencies, blue light type responses. Industry felt that it wasn't quite right for industrial needs. And so the decision was made to revisit that document, and they produced a revised document, which was BS-11200 on crisis management good practice and guidelines, and that was published in 2014. And that was very well received, and industry liked that document, and feedback has been very positive on that document. However, it was also noted that there wasn't much going on at European level in crisis management. The European Commission wanted to see standards on crisis management, and they produced mandate 487 from the Commission, asking for countries to produce documentation, and in support of that mandate, we then took that British Standard into the European arena, and then we improved it and that became CEN-17091, which was published in November of last year, again, well received. However, people then said, well, this is just the European view of the world. What about the rest of the world? And so the decision was made, okay, we'll elevate this to ISO, or take this to ISO. We introduced the new proposal to them, the vote was had and it was successful. And then ISO appointed me as the convener of the work group and the project team leader. And so work actually commenced in October. And we had our first face-to-face meeting in Brussels, which was very well attended, some great discussions, some good output and the programme to produce the standard. It's envisaged
Ms Ashley Müller: What's an example of this ISO standard?
Mr Kev Brear: So it's meant to be applicable to all organisations, whether they’re, say, a small to medium enterprise business all the way through to big governments. The actual principles, the tenets, are transferable, and the things that one has to think about are transferable; it just comes from sort of scale, that becomes the issue. So, in terms of the challenges, we're looking at the sort of things that would possibly be of an existential nature to an organisation, something where, because of the impact of what happened, the organisation's very existence is drawn into it, or it could be a reputational matter. And there's the potential for serious reputational damage, or much more to protect share value, and there's research that came out from Oxford University about 36 months ago, three years ago, that showed that after a crisis struck an organisation the share value would tumble, and then once the crisis management process kicked in, normally, there are a couple of outliers, the share price would stabilise, and then depending on how well the organisation was perceived to be managing the crisis, the share value would recover in line with how that recovery process was perceived. And, well, normally, that worked. However, they also looked at those organisations that did nothing. And they found that for those organisations that did nothing, the share value continued to plummet, and so actually, really, these sort of things have a financial value and have an importance to protect organisations. And so we're going to be talking about things perhaps like the NotPetya virus, something of that scale, for an example, yes. Something that an organisation would possibly not have normally planned for in its normal contingency planning, and it comes along and it sort of generates those strategic level challenges where they really have to sort of have that agile, adaptable, flexible type approach.
Ms Ashley Müller: For the ISO standard, what would be the rollout process?
Mr Kev Brear: So because we're building on a good foundation from the European document, they've given us the accelerated timetable of two years. I've been told that's an ambitious timetable. Normally these standards take about three to four years for them actually to get published, which, when one thinks about it, for something as important as this, it’s quite a long time really. So when we put the proposal in, we asked for the accelerated timetable, because we think the world is at a point now where that sort of guidance would be welcome. There are a number of things going on in the world, such as the fires in New South Wales, in Australia, and all sorts of challenges going on around the globe, where this information would be relevant. So we were keen to try and disseminate that information as widely as possible, as swiftly as possible. I think in terms of the take-up and the usage, certainly for the BSI11200, it was one of the best selling standards in the BSI portfolio. So the actual take-up from it was very, very good, which was pleasing to see, because it meant the organisations were taking it on board, and the actual industry feedback that we received went into 17091, the European iteration. And again, we're getting feedback from that 17091 piece, and from 11200. And that'll go into the ISO thing. The whole process is about constant improvement, getting better. It has to be fit for purpose and do the job.
Ms Ashley Müller: For someone who's not well versed in crisis or ISO, for example, I think of international law or international humanitarian law: how do you guarantee that a state or company abides by certain international standards? Are there consequences if one does not respond, or are they more guidelines that encourage people and empower them to respond?
Mr Kev Brear: So most organisations do not have to follow ISO standards. However, in Europe, the European Union has said that where there's a CEN standard applicable, or an ISO or CEN standard relevant, then that should be referred to, so actually within the European arena these standards do actually have the weight of law behind them. Whereas across the rest of the globe, they're sort of more voluntary. And the one thing that one may see, if an organisation is subject to a civil action or litigation, if they can then say, well, we followed the international standard, we did everything that they suggested was sensible, that can possibly assist in defending litigation if they're able to show that one was being reasonably diligent and following good practice and following accepted norms. That can all help if one gets into a problem of a civil case, but generally they're not sort of written into legislation as a compliance tool.
Ms Ashley Müller: Thank you, Mr Brear.
Ms Ashley Müller: That's all we have now for today's episode. Thank you to Dr Hoda Alkhzaimi along with Mr Kev Brear. Listen to us again next week to hear all the latest insights on international peace and security and don’t forget to subscribe to us on Apple iTunes, follow us on Spotify and SoundCloud. Bye for now.