Welcome the United Arab Emirates to the FAIR Institute’s global network—the Abu Dhabi Chapter holds its first meeting this week, thanks to the work of organizer Osama Salah.
Readers of the FAIR Institute blog or LinkedIn discussion board may already know Osama for his engaging comments, posts and slide shows explaining FAIR (like this one, How to Create a Better Risk Matrix [Kind of…]).
One of his slide show presentations earlier this year at an ISACA meeting created so much interest in FAIR that he signed up enough members to start a full chapter.
Osama is an Egyptian raised in Germany, with an engineering degree from Egypt and an MBA from Scotland. He has a long career in the oil and gas sector in Abu Dhabi, for many years in InfoSec and more recently, IT operations.
Register to attend the first meeting of the Abu Dhabi Chapter of the FAIR Institute, 7 PM, Monday, December 11, 2017
Q: How did you discover FAIR?
A: I read about it back in 2007, and fired off an email to Jack Jones telling him ‘great work’. We exchanged emails and I kept asking him questions. Until this day, Jack has been very helpful. He often turns my questions into blog posts so it works out for everyone.
Q: What appealed to you about FAIR?
A: At that time, we were preparing to implement risk management more formally in the company so I started to read. I’m an engineer originally so I like to take things apart and put them back together again. Despite everything I read about risk, I was never really convinced by any of it. That’s why I kept digging until I found FAIR. I loved its clear structure and found it immensely helpful in risk analysis. It perfectly suited my need to ‘hack’ risk.
Q: Did you implement FAIR at your company?
A: I tried to get things moving in that direction. It was well received by my colleagues. Then the oil crisis came and priorities changed. But I still did not want to give up on FAIR. And that’s the reason I took the initiative and started this Abu Dhabi chapter—to expand and see what others are doing and improve by helping others.
At our company, we have to comply with the UAE’s risk management standard; it’s a qualitative standard and the FAIR ontology complements it nicely. So, I always encourage my colleagues to use the FAIR ontology and terminology to build up their understanding of risk.
Q: What’s the state of cyber risk awareness in the UAE?
A: The UAE government is very aware of cyber threats. For example, in statistics published on ransomware and cybercrime, the UAE is the second most targeted country in the Middle East. Then, of course, the oil and gas sector plays a vital role as part of the critical infrastructure. We have seen Aramco [the Saudi oil company] being disrupted by a cyber-attack in 2012 and then again other targets in Saudi Arabia in 2016. So, we are definitely a target and the government has taken several commendable steps to mitigate cybersecurity risks in the country.
Q: You identify yourself on LinkedIn as “InfoSec Professional Allergic to Snake Oil”.
A: We need to cut through all the hype the marketing departments are dishing out. In my career, I’ve made many mistakes believing in technology to solve our problems. You learn the hard way that it’s just one piece of the puzzle. That’s why I believe FAIR is so refreshing. Many of these products and solutions promise more than they can actually deliver. FAIR I think brings things into perspective; it creates some sort of realism.
Q: What advice would you give to a young person starting out in IT risk management today?
A: First, learn FAIR. I think you need to keep an open mind, be curious and question anything you read or learn about. Even FAIR itself, if you have questions, ask for help—that’s how you improve your understanding and maybe even contribute to changes to FAIR itself.
Risk management is at the center of a successful information security program, and then of course you need skilled people making it part of their own processes. If you succeed in implementing a good risk management program, then you will find that everything else will fall seamlessly into place.
Read a lot of books that may not have “risk” in the title, books on psychology and cognitive bias. When I read a book I usually get interested in something it touches on and look for another book addressing that. I recently read an interesting book “The Field Guide to Understanding Human Error” by Sidney Dekker. There are many useful lessons to be learnt from safety that apply to information security.
Q: What are you doing for fun lately?
A: I kind of missed hacking on computers that I used to do years ago. So, I thought – let me see if I can still do this stuff. I’m studying for the OSCP certification [Offensive Security Certified Professional] at the moment and I’m having fun tinkering around!