“Cybersecurity: Raising our Game and Guard”

CEO Amin Nasser in Cybersecurity Forum.

Remarks by Amin H. Nasser, Saudi Aramco President and CEO

Bismillah-al-Rahman-al-Rahim, and good afternoon. Your Royal Highnesses, Your Excellencies, distinguished guests, ladies and gentlemen, it is a real pleasure to be with you at the first ever Global Cybersecurity Forum here in the Kingdom, under the patronage of the Custodian of the Two Holy Mosques, King Salman bin Abdulaziz Al Saud. I would like to thank His Excellency Dr. Musaid Al Aiban, Minister of State and Chairman of the NCA, for this welcome addition to the calendar.

Cybersecurity: A Key Strategic Risk

Because, in my view, the constantly evolving and strategic nature of cybersecurity threats is still not fully understood by industry or receiving the attention it deserves. Governments, business in general, and individuals are all in the line of fire from cyber-terrorists. But critical industries like global energy - as well as water, electricity, banking, medical, and aviation - are particularly at risk. In fact, the more critical the target and sensitive the information, the more attractive it is to those who wish our industry harm. And they do wish us harm, right up to a digital Pearl Harbor.

Recent Industry Experience

Events on the ground have really brought this home. In August 2012, as the Eid holiday was starting, Saudi Aramco was hit by a serious virus attack. Thanks to our contingency and business continuity plans, and our broader resilience, our core operations continued and not a single process or product was affected. But other attacks have followed on other companies, in other regions, and the industry has indeed learned three particularly valuable lessons:

  • Perfect cybersecurity does not exist.
  • Like managing blood pressure, our battle with this equally silent killer is continuous.
  • And we need to do all we can to stay a step ahead.

Impact of Industry Modernization

In addition, while things like digitalization and Fourth Industrial Revolution technologies are opening up new opportunities, they are also expanding the cyber-attack surface and threat landscape. In just five years' time, more than 75 billion Internet of Things devices - I repeat - 75 billion devices, will be running critical applications and infrastructure at nearly 1,000 times the speed today. This is a wonderful development in many ways, connecting new industries, geographies, and communities in ways that will benefit society and the planet. But this desirable fusion of traditional physical assets with the digital world also increases the risk of serious physical damage, at a 5G speed.

Fortunately, the growing digitalization our enemies are using to attack us is also our strength and advantage in defense. In fact, our cybersecurity capabilities should digitalize in proportion to the sheer scale, complexity, and volatility of digital risks. At Saudi Aramco, we are increasing the pace of digitalization and state-of-the-art technologies. We are also improving our situational awareness through predictive analytics to prioritize threat protection where it is needed most.

Taking Cybersecurity to a Higher Plane

But 91% of cyber-attacks start with a simple phishing email, and there is more private information on people's phones than in their homes or offices. So the human component will remain low-hanging fruit to cyber-terrorists unless people understand the seriousness of the risks, accept shared responsibility, and are trained to respond. That is why building a cyber-resilient culture at Saudi Aramco is a personal priority for me, and that starts at the top.

Cybersecurity is one of the top corporate risks we address in our Enterprise Risk Management Program, overseen by our Board. It puts cybersecurity on a par with market share loss, disruptive technologies, serious industrial accidents, geopolitical shocks, legal liabilities, and natural disasters. We also created the role of a Chief Digitalization Officer and a Chief Information Security Officer.

Importance of Collaboration

But company fences, and indeed national boundaries, are meaningless concepts in this domain. So aligning policy, collaborating on technology, and sharing information and experience beyond the fence is non-negotiable. Of course, there is a trade-off to be made between adequate cybersecurity and productivity, and therefore convenience, with each company needing to find its own balance.

But to beat a network, we need to be a network. That is why, for example, we are founding members of the World Economic Forum's Center for Cybersecurity. And last month we used the Forum to begin a new collaboration program called “Cyber-resilience in the Oil and Gas Sector”. That is also why digitalization and, by extension, cybersecurity are key themes of the Kingdom's G20 Presidency.

In addition, I believe three areas deserve special debate:

  • One, how can we promote real industry collaboration on cybersecurity, particularly in this region?
  • Two, how can industries work more effectively with governments and existing international frameworks?
  • Three, how do we deter cyber-terrorists by making the price of such reckless attacks too high to pay?

This third topic is highly complex, involving international consensus. But being able to defeat our enemies before they attack us (as well as if they do) would greatly strengthen our collective defenses.

Ladies and Gentlemen, let us make the future our ally, not our enemy. Let us embrace the wonders of the modern world, adapt new technologies, create new value, and meet the expectations of our customers, shareholders, and stakeholders. But let us also raise our game and guard to keep one step ahead of cyber-terrorists. Our bottom lines depend on it. Our facilities, assets, and businesses depend on it. Indeed, our futures, not just our safety reputations, depend on it.

Thank you.