Middle East cybersecurity: Is region’s big spend aimed at the right targets?

With Shamoon attacks earlier this year targeting several Saudi organizations, the region continues to face serious threats. Image: Getty Images/iStockphoto

Data published by Research and Markets earlier this year predicts that the Middle East’s cybersecurity market will almost double in the next five years, up from $11.38bn in 2017 to $22.14bn by 2022.

Much of this growth is driven by government expenditure, with protection of the oil, gas, and defense industries leading the charge. Healthcare, and recognition by smaller businesses of their own cybersecurity needs, will also play a role in this growth.

Research and Markets notes that across these sectors, the key drivers for this increased outlay are factors such as the “need to mitigate IT security risks and threats, including malware, ransomware, and advanced persistent threats, along with a rising enterprise mobility trend across organizations”.

Across the region, investment in cybersecurity is projected to grow at an average 14.2 percent compound annual growth rate over the next five years, with Saudi Arabia expected to be the largest national market.

Qatar, which is currently embroiled in the diplomatic and economic fallout from an alleged Russian-led cyberattack, is predicted to be the fastest-growing market for cybersecurity in the region, as it gears up for hosting the FIFA World Cup in 2022.

Despite these impressive numbers, Research and Markets nonetheless cautions that “the high cost of innovation and budget constraints of organizations limit the growth of the market”.

The impact of ‘oil shock’, which has dramatically reduced petrochemical revenues, is one contributor here. But other long-standing cultural and structural issues may also play a role.

Successive reports, such as those from PwC in 2016 and Strategy& in 2015, have previously identified the region’s cybersecurity frailties, noting challenges in areas such as cybersecurity governance, strategy, and skills.

PwC, for example, commented that “companies in the Middle East are in the top 10 in the world in terms of their investment in cybersecurity technology, but in the bottom 50 for education and training in this area”.

Meanwhile, Strategy& suggested that efforts “to create a secure digital environment” in the region are too often “fragmented, tactical and reactive”.

Jump forward to 2017 and progress is being made in some of these areas, notes Sevag Papazian, one of the authors of Strategy&’s 2015 report, although many issues remain.

“We’ve noticed that awareness of the importance of cybersecurity has increased in the region. Governments are actively seeking to act on this important topic,” Papazian tells ZDNet.

“Dubai has recently published its cybersecurity strategy,” he says, and the emirate “is planning to have a blockchain-powered government by 2020”.

But the region is still facing serious threats. “There have been several waves of attacks in the region, including the new wave of Shamoon attacks in January this year that targeted several Saudi Arabian organizations, including petrochemical companies and ministries,” Papazian says.

Alongside such attacks, as PwC reminded us last year, the region is also prone to cyber incidents that are “more often [and] more severe” than the global average.

“Despite the willingness to change, there haven’t been significant structural changes to proactively alter the national cybersecurity agenda,” Papazian says.

“One of our key recommendations in the [2015] report was to have a centralized national cybersecurity agency that reports to the highest authorities. In most countries, cybersecurity is still distributed across several government agencies, and there’s no empowered centralized entity that builds momentum and ensures collaboration.”

Addressing this, Papazian says, is important “due to the high levels of threat” faced by various sectors in the Middle East.

“Governments in the region have to act quickly in establishing foundational capabilities across all critical information infrastructure organizations. National governance models have to be enacted to make sure efforts are coordinated across various agencies. In addition, a centralized effort has to happen to equip organizations with a minimum set of capabilities.”

Governments alone will not be able to drive such a massive endeavor, Papazian argues. Partnerships, especially with “private-sector partners to deliver training, services and solutions across organizations”, will be fundamental to any successful cybersecurity strategy.

Partnership also means co-ordination to exploit “best practices, share lessons learned and avoid domino effects across sectors and countries,” as well as building “collaboration platforms that enable sharing information without compromising the identity of entities that have been attacked and their reputation”.

These recommendations will, in many instances, require a change in approach to cybersecurity issues but, as Papazian suggests, this shift will be essential if the digital transformation efforts being seen across the region are to be safeguarded.

“With the increase of digitization, vulnerability increases. The region has ambitious plans to have smart cities and leverage IoT. In such situations, the digital and physical worlds are converging, and the impact of cybersecurity goes beyond access to information. It can target facilities, homes, cars,” Papazian says.

Delivering on these ambitions will also have implications beyond building and protecting infrastructure. It also requires new skills, in both the labor force, and at a consumer level.

“There are several initiatives to update education curricula and prepare the future labor workforce,” Papazian says, but these efforts can take a long time to come to fruition.

“In the interim phase, regional countries have to rely on external capabilities. Governments have a role in localizing part of the expertise, to ensure that a sustainable workforce is being built up, [but] one of the key challenges in the region is the shortage of qualified talent.”

A further challenge is resistance to some types of digital activity.

“People in the region are still reluctant to engage in specific types of digital transactions, such as online payments, or contracts signed with digital signatures,” Papazian says.

“This requires the establishment of an ecosystem of trust, and delivered through cybersecurity capabilities, whether it is at a regulatory level or platform level.”

If the Middle East is to unlock the full benefits of this growth in cybersecurity spending, it is essential that countries in the region confront these issues, as well as the lack of training, the need for greater board level buy-in, and a more collaborative approach to cyber threats.

Efforts to create smart cities, digital government, and a more diversified economy, are common goals across the region. For them to be successful, as Papazian reminds us, “cybersecurity has to be considered as part of this transformation.”

This article was originally published on ZDNet.