Full Report
In this episode of The Cyber Express Podcast, Augustin Kurian, Editor-in-Chief of The Cyber Express, sits down with Zahid Altaf, Senior Manager of Data Protection and Security Awareness at Majid Al Futtaim, to discuss three crucial pillars of modern cybersecurity:

- **AI in Governance (AIGRC):** How artificial intelligence is shaping governance, risk, and compliance strategies.
- **Third-Party & Supply Chain Security:** The growing risks posed by external vendors and partners and how organizations can mitigate them.
- **Cybersecurity Awareness:** The importance of fostering a security-first culture within organizations.

As AI continues to evolve, companies must balance innovation with risk management, ensuring their governance frameworks adapt to emerging threats. Meanwhile, third-party security remains a critical concern, with supply chain vulnerabilities increasingly exploited by cybercriminals. Zahid Altaf shares expert insights on how businesses can enhance their security posture through robust governance, vendor risk management, and ongoing awareness initiatives.

Why the Zahid Altaf Episode Matters

Whether you're a CISO, IT leader, or cybersecurity enthusiast, this conversation delivers real-world insights on bridging the gap between strategy and execution. Zahid's experience across major industry sectors brings practical, tested advice on securing digital transformation efforts across large organizations. Tune in to gain valuable perspectives on securing the digital future!
Analysis Summary
# Best Practices: Cyber Governance, Supply Chain Risk, and Security Awareness
## Overview
These practices aggregate expert insights on managing modern cybersecurity challenges, specifically focusing on adapting governance frameworks for Artificial Intelligence (AI), mitigating Third-Party and Supply Chain risks, and establishing a resilient security-first culture through continuous awareness programs. The goal is to bridge the gap between security strategy and practical execution, particularly for organizations undergoing digital transformation.
## Key Recommendations
### Immediate Actions
1. **Address Critical Vulnerabilities:** Immediately patch all publicly disclosed vulnerabilities, referencing CISA's Known Exploited Vulnerabilities (KEV) catalog (e.g., CVE-2025-30406, CVE-2025-29824) and urgent vendor advisories (e.g., the new Adobe Security Update).
2. **Review High-Risk Third Parties:** Conduct an immediate risk assessment of vendors or suppliers whose ongoing service access could pose a significant risk, especially if they handle sensitive data or provide critical infrastructure components.
3. **Reinforce Email Security:** Review configuration settings for email gateways, specifically against phishing and business email compromise (BEC), following recent incidents involving email breaches (e.g., U.S. Treasury breach).
### Short-term Improvements (1-3 months)
1. **Launch Focused Awareness Campaigns:** Implement mandatory, ongoing cybersecurity awareness training tailored to current threats, emphasizing phishing recognition, appropriate data handling, and incident reporting procedures.
2. **Establish AI Governance Checkpoints:** Integrate initial risk management considerations for new or evolving AI systems into the existing governance framework, focusing on data privacy and model integrity.
3. **Enforce Patch Cadence:** Formalize a streamlined, risk-based patching policy that prioritizes public-facing systems and critical infrastructure components, ensuring timely application of security updates.
### Long-term Strategy (3+ months)
1. **Develop Comprehensive Supply Chain Risk Management (SCRM) Program:** Formalize a multi-stage SCRM program that includes rigorous vendor onboarding security assessments, continuous monitoring, and clear remediation mandates for third parties.
2. **Integrate Zero Trust Principles:** Begin the architectural shift towards Zero Trust, prioritizing secure access control and micro-segmentation across the enterprise network, as highlighted in discussions around modern cyber defense strategies.
3. **Mature Cyber Governance Framework:** Establish formal Cyber Governance, Risk, and Compliance (GRC) structures that explicitly address emerging technology risks (like AI) and ensure alignment between business objectives and security posture, as advocated in AIGRC discussions.
## Implementation Guidance
### For Small Organizations
- **Focus on Essentials:** Prioritize basic cyber hygiene: MFA on all accounts, regular, tested backups (separate from the network), and immediate updates for common software (e.g., WordPress plugins, operating systems).
- **Streamline Vendor Vetting:** Use simple questionnaires to vet essential third parties, focusing on their data handling and incident response capabilities, rather than complex audits.
- **Human Firewall:** Institute monthly, short security updates focusing on one high-impact topic (e.g., password reuse avoidance).
### For Medium Organizations
- **Implement Formal SCRM Process:** Develop a tiered vendor management system based on the criticality of services provided, requiring specific security controls documentation (e.g., SOC 2 reports) for high-tier vendors.
- **Pilot AI Risk Assessment:** Begin analyzing the input data security and potential output bias for any AI/ML tools currently being piloted or deployed, documenting risks for governance review.
- **Establish Policy Enforcement:** Move from awareness communication to policy enforcement, ensuring compliance through automated checks or regular internal audits on patch levels and configuration drift.
### For Large Enterprises
- **Advanced AIGRC Integration:** Fully integrate AI governance into the established GRC framework, defining clear ownership for AI ethics, data residency, and model accountability across development and operational lifecycles.
- **Automated Supply Chain Monitoring:** Deploy solutions that continuously monitor the security posture of critical Tier 1 and Tier 2 suppliers, automating alerts when security scores drop below defined thresholds.
- **Structured Cybersecurity Culture Transformation:** Implement a continuous security culture program led from the executive level (CISO/CEO) that measures engagement and effectiveness through internal metrics (e.g., phishing click rates trending downward).
## Configuration Examples
*(The source material references general trends and high-level strategy rather than specific technical configurations. Therefore, configuration examples are inferred from the context of vulnerability management and threat trends.)*
| Area | Recommended Configuration Best Practice | Rationale |
| :--- | :--- | :--- |
| **Vulnerability Remediation** | Use vulnerability scanners to automatically prioritize patching based on CVE exploitability status (e.g., matching against CISA KEV list) rather than CVSS score alone. | Ensures that actively exploited vulnerabilities get immediate attention within the patch cycle. |
| **TP-Link Tapo H200/IoT** | Isolate all known vulnerable IoT devices onto a dedicated, segmented network that has restricted outbound access and no internal network access permissions. | Mitigates the risk associated with information disclosure flaws impacting smart hub devices. |
| **Email Gateway** | Configure anti-spoofing controls (SPF, DKIM, and a DMARC policy set to 'p=reject') for the organization's primary domains. | Directly combats BEC and phishing attempts stemming from email account compromise. |
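
The Email Gateway row can be checked mechanically. The following is an added example, not part of the original summary or the podcast: it audits a DMARC TXT value against the `p=reject` target and goes slightly beyond the table by also flagging `sp`, `pct` and `rua` settings that weaken enforcement. The record strings are constructed samples, `example.com` is a placeholder, and the function names are illustrative.

```python
# Constructed sample DMARC TXT values; example.com is a placeholder domain.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=reject; sp=none; pct=25",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    # RFC 7489: the v tag must come first and must be exactly "DMARC1".
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        return None
    return tags

def audit_dmarc(txt):
    """List the ways a DMARC record falls short of full p=reject enforcement."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers apply no policy"]
    p = tags.get("p", "").lower()
    if p not in STRENGTH:
        return [f"invalid or missing p tag ({p!r})"]
    issues = []
    if p != "reject":
        issues.append(f"p={p}: mail failing DMARC is not rejected")
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if STRENGTH.get(sp, 0) < STRENGTH[p]:
        issues.append(f"sp={sp}: subdomains get a weaker policy than p={p}")
    pct = tags.get("pct", "100")    # share of failing mail the policy covers
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports on who sends as the domain")
    return issues

if __name__ == "__main__":
    for name, txt in SAMPLES.items():
        print(name, audit_dmarc(txt) or "OK")
```
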
## Compliance Alignment
The themes discussed directly map to requirements within several major cybersecurity frameworks:
* **NIST Cybersecurity Framework (CSF):** Focus on **Identify** (Asset Management, Risk Assessment) and **Protect** (Access Control, Awareness and Training).
* **ISO/IEC 27001/27002:** Directly addresses **A.15 Supplier Relationships** (Supplier due diligence and management) and **A.7 Information Security Awareness, Education, and Training.**
* **Cyber Governance (AIGRC):** Aligns with principles of emerging technology governance outlined in modern regulatory expectations concerning data protection and ethical AI use.
## Common Pitfalls to Avoid
- **Treating Awareness as a Yearly Checkbox:** Failing to embed continuous, relevant training into the organizational culture; security awareness must be treated as an ongoing operational function, not an annual compliance event.
- **Vendor Lock-down without Lifecycle Management:** Only vetting suppliers during the initial contract phase, ignoring the continuous security drift that occurs over the life of the vendor relationship.
- **Ignoring Emerging Technology Risks:** Implementing AI solutions without corresponding governance to manage data input integrity, privacy implications, and algorithmic bias.
- **Patching Based on Severity Only:** Prioritizing vulnerabilities based solely on a generic CVSS score while neglecting vulnerabilities already confirmed to be under active exploitation in the wild.
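
The severity-only pitfall above, and the Vulnerability Remediation row in the configuration table, come down to how findings are sorted. This added example (not from the original summary or the podcast) ranks scanner findings KEV-first and compares that with a CVSS-only ordering. The catalog excerpt uses the KEV JSON feed's `cveID` and `dueDate` field names, but the due dates, hosts, CVSS scores and `CVE-0000-*` IDs are constructed, and the function names are illustrative.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the feed; the due dates are sample values, not the catalog's real ones.
KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2025-30406", "dueDate": "2025-05-01"},
  {"cveID": "CVE-2025-29824", "dueDate": "2025-04-20"}]}""")

# Constructed scanner findings; CVE-0000-* IDs, hosts and scores are placeholders.
FINDINGS = [
    {"host": "web-01",  "cve": "CVE-0000-0001",  "cvss": 9.8},
    {"host": "file-02", "cve": "cve-2025-30406", "cvss": 9.0},
    {"host": "ws-117",  "cve": "CVE-2025-29824", "cvss": 7.8},
    {"host": "db-03",   "cve": "CVE-0000-0002",  "cvss": 5.3},
]

def kev_index(catalog):
    """Map upper-cased CVE ID -> remediation due date from a KEV-style catalog."""
    return {v["cveID"].upper(): date.fromisoformat(v["dueDate"])
            for v in catalog.get("vulnerabilities", [])}

def prioritize(findings, index, today):
    """Order findings: KEV-listed first (earliest due date), then by CVSS."""
    ranked = []
    for f in findings:
        due = index.get(f["cve"].upper())  # scanners vary in ID casing
        ranked.append({**f, "in_kev": due is not None, "due": due,
                       "overdue": due is not None and due < today})
    # Sort key: KEV before non-KEV, then soonest due date, then highest CVSS.
    ranked.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return ranked

def cvss_only(findings):
    """The severity-only ordering, kept for comparison."""
    return sorted(findings, key=lambda f: -f["cvss"])

if __name__ == "__main__":
    for r in prioritize(FINDINGS, kev_index(KEV), today=date(2025, 4, 25)):
        tag = "KEV overdue" if r["overdue"] else "KEV" if r["in_kev"] else "CVSS"
        print(f'{r["host"]:8} {r["cve"].upper():16} cvss={r["cvss"]:<4} {tag}')
```

With the sample data, the CVSS 9.8 finding on `web-01` leads the severity-only list but drops to third once the two KEV-listed findings are ranked ahead of it.
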
## Resources
- **For Vulnerability Management:** Reference the CISA Known Exploited Vulnerabilities (KEV) Catalog for prioritized patching targets.
- **For Governance Guidance:** Consult standards related to AI Governance (AIGRC) and established frameworks like NIST CSF for integrating risk management into digital transformation.
- **For Awareness Training:** Utilize resources that provide practical, scenario-based training relevant to ransomware, phishing, and MFA best practices.
- **For Supply Chain Risk:** Review standards or best-practice guides for Third-Party Risk Management (TPRM) from major regulatory or standards bodies.