Please introduce yourself and tell us a little about your journey in cyber security.
I’m Tim Nedyalkov. I bring over 17 years of multi-industry experience in IT and Cybersecurity across Europe, the US, Australia, and the Middle East. I am currently a Cyber Security Manager at SNC-Lavalin’s Infrastructure business sector in the Middle East.
As part of my role, I work closely with clients in transportation across the region to ensure their environments are resilient against the ever-changing cyber threats. Before this, I was an Information and Cyber Security Manager at the Australian Broadcasting Corporation (ABC), the largest public broadcaster in Australia, with more than 5,000 employees across over 70 locations around Australia and overseas.
I hold a master’s degree in IT Management from the University of Sydney and a bachelor’s degree in Computer Science/Applied Informatics. I am a Doctorate candidate in Information Assurance & Cybersecurity. My professional certifications include C|CISO, CISSP, CCSP, CEH, CISA, CISM, CRISC, CGEIT, CDPSE, ISO 27001 LA, CompTIA Security+, ITIL, and Agile PM.
I am a frequent speaker and panelist at industry-leading conferences. In 2019, I was nominated for the “Cyber Security Professional of the Year” award by the Australian Information Security Association for outstanding leadership, integrity, mentoring, and coaching in the industry.
My IT security journey, now cybersecurity, started in 2004-2005, dealing with threats and vulnerabilities for web applications and services. I come from a software engineering background, which gave me an opportunity to develop applications that handle large volumes of web traffic and millions of financial transactions. I had to deal with massive Denial of Service attacks, Brute-force attacks, and misconfiguration of applications. In November 2012, I took charge of multi-stage disaster recovery operations after Hurricane Sandy hit our data center in New York. Even with all possible disaster recovery plans and procedures, the basement of the building was flooded, and we had no electricity. It was a week-long activity to rebuild our whole environment in a new data center and the cloud. That was an eye-opening experience about the importance of cybersecurity, which enhanced my interest in the area.
Over the years, I had to handle all sorts of activities, including developing user awareness programs, establishing strategic partnerships with regulators, security investigations, and search warrants with law enforcement agencies. I was in charge of information assurance for large, high-profile events, reporting practices for board of directors, and delivery of strategic cybersecurity roadmaps in various industries. These experiences led me to the opportunity to work on some of the largest and most impactful projects that are shaping the future of the Middle East region.
1. How do you explain your job title to someone outside the cyber security industry?
Cybersecurity includes the ongoing application of best practices and experience to ensure the protection of digital assets and the safety of people and environments. We live in a highly-connected world where digitalization plays and will continue to play a vital role in the future of all industries. I consider myself an educator and digital security guard, focusing on protecting digital information assets in organizational ecosystems. As much as traditional security protects people and physical assets, I have to educate and ensure that people understand what they should and shouldn’t be doing while dealing with digital assets. It is also my responsibility to prepare them to respond and recover when something goes wrong.
2. From your findings, how is the pandemic reshaping the threats against critical infrastructures in the MENA region?
The MENA region has some of the largest industrial and infrastructure assets in the world. Over the past few years, we have seen several cyberattacks that led to the disruption of large production lines and critical processes. The protection of critical infrastructure in the MENA region was completed even before the beginning of the pandemic. What made it even more difficult was that the physical access to sites was limited or fully disrupted. This accelerated the enablement of remote working and remote management. Some of the processes for remote management implemented by critical infrastructure operators were the only way to maintain critical infrastructure. Remote working introduced an additional level of complexity and implications to workloads and processes.
The pandemic delivered a seismic shock to traditional working models in most organizations. During the initial stages of moving to remote work and ensuring people’s safety and security, the usual checks on security and privacy controls in some industries just took a back seat role. Therefore, the adversaries have shifted their focus from finding vulnerabilities of the environment to targeting people.
3. What are the biggest challenges associated with the protection of MENA critical infrastructures?
We have seen a significant uptake in social engineering activities such as phishing attacks, malware, and ransomware targeting the supply chain, sub-contractors, and even partnership organizations. Therefore, the organizations adjusting to the new normal have to focus on reevaluating their technology and controls to ensure long-term effectiveness and efficiency of their security practices. All the short-cuts that IT/OT teams had to take to ensure remote operations need to be reconsidered and brought to the security level required by regulators and organizational objectives. It is an excellent opportunity for critical infrastructure operators in MENA to provide long-term solutions for difficult security problems in their environments.
4. What do you think the role for government agencies and sector-specific regulatory authorities is in securing national critical infrastructures? What can be improved?
My observations from the MENA region are that the governing bodies have been making some good progress in enhancing the importance of cybersecurity. For example, here in Saudi Arabia, the National Cybersecurity Authority (NCA) has released several standards and frameworks that are useful for every industry. I was very pleasantly surprised that the NCA organized public consultations for the regulations that they were planning to release, which helped a lot to ensure relevance to the context where the regulations will operate.
However, these standards are just the baseline security posture that organizations have to demonstrate. Senior management and boards of the companies need to support and champion cybersecurity instead of seeing it as only another compliance checkbox. I think that the governing bodies should continue doing what they have been doing over the past few years. Over time, I believe that they will focus on providing guidance and assistance for small businesses and individuals. It will help ensure the whole ecosystem is reasonably aware of its cybersecurity responsibilities.
5. What is the best or worst security advice you’ve ever heard?
Some of the worst pieces of advice, unfortunately, come from security vendors. I’m always concerned when a vendor says they can do all the work, and everything will be fine. There is no such thing as 100% security, and there is no vendor that can deliver a 100% secure environment. Some big, bold statements made by vendors quickly ended a conversation.
The best security advice is something that I use as a guiding principle when developing my team’s culture. No matter how good or bad we are with our capabilities, the things that could go wrong will go wrong. Our mission is to ensure that we can respond, recover, and return the situation to normal as quickly as possible. When we work as one team and support each other, nothing can beat us.
6. What does the future hold for your industry?
The pandemic is and will continue to be a major driver for digital transformation. This enables people to deliver their services from all over the world. It will help to utilize local resources globally and ultimately drive efficiency. As organizations feel the economic impact of the pandemic, teams will be expected to do more with less. Therefore, technology will enable the industry to innovate and iterate on best practices.
We see that clients want to make sure their people are safe and still deliver what is expected. They see the need to optimize and simplify infrastructure, e.g., move to the cloud or use distributed delivery models. However, no matter what technology is available, it still requires capable people who know how to acquire, operate, and maintain the relevant technology.
It’s foreseen that there will be up to 2.8 million unfulfilled jobs by 2021, which is not far away, and the MENA region is not an exception. As a result, we have to build the capabilities as quickly as possible to ensure the technology for large projects in the MENA region is securely implemented. I believe the future will provide some great opportunities for young people from the MENA region to get involved in cybersecurity. No matter where they are now with their career path, they can start with the basics, such as network security, application security, data protection, security engineering, and web security. They could consider taking information security certificates, join industrial organizations, and attend conferences such as the CS4CA MENA 2021 Summit on 1st and 2nd February 2021. Events like this provide a great opportunity to watch and learn about the latest trends and insights from industry leaders in the MENA region.
Connect with Tim and learn more about how to prepare and secure critical infrastructure for the future of digitalisation as part of a in-depth case study at the upcoming CS4CA MENA Summit. This includes: How to set the foundations for the future of digitalized critical infrastructure, What the key initiatives are, how effectively identify and execute them, and how to ensure long-term protection of digitalised critical infrastructure.
Find out more and secure your place at CS4CA MENA online summit on 1st – 2nd February, for FREE using the complimentary discount code: SNCLAVALIN.
Book now at: mena.cs4ca.com/register/
*Offer is valid for end-users only. No vendors or consultants.
