Despite a continued increase in cybersecurity spending in the region, organizations in the United Arab Emirates (UAE) and Saudi Arabia remain ill-equipped to face the cyber-menace. This was the key finding in a global report released by Trellix, the cybersecurity company delivering the future of extended detection and response (XDR).
End-of-decade CAGRs for the GCC cybersecurity market have been revised upwards, from 5.9% in 2017 to as high as 7.6% last year. While this is a clear illustration of heightened interest in security matters at the board level, Trellix’s “Mind of the CISO” report shows that two-thirds (66%) of CISOs in the UAE and KSA still believe their organizations lack the right people and processes to be cyber resilient and almost three quarters (74%) believe their current technology setup is insufficient.
The research — which was conducted by Vanson Bourne across nine countries and surveyed 500 CISOs at companies with more than 1,000 employees — found that when it came to challenges around people, more than one in four CISOs in the UAE and KSA (26%) decried the lack of skilled talent, as well as their inability to recruit and retain this talent. More than one in five (22%) were concerned about a lack of buy-in from their board, and 30% cited a lack of buy-in from other parts of their organization.
From a process standpoint, some 38% of CISOs in the UAE & KSA said they lacked the freedom to communicate outside of their organization for learning purposes. A further 38% expressed frustration with their inability to respond quickly to changing regulatory frameworks and 18% said their processes were poorly designed or they were presented with too many sources of information to be adequately in control of their environment.
“The United Arab Emirates and Saudi Arabia rank consistently high on global maturity indexes for cybersecurity,” said Khaled Alateeq, Head of Middle East, Trellix. “This is because government entities have done a great job in laying out cybersecurity guidelines and regulations and introducing a wide array of skilling initiatives and incentives to attract top talent to the region. Now it is for talent but incumbent upon organizations to answer the call and support their CISOs. Our recent Mind of the CISO research is quite clear on what would make life easier for CISOs in the UAE and Saudi Arabia.”
Asked for suggestions on how their enterprise’s senior leadership could help them overcome their challenges, half of CISOs in the UAE and Saudi Arabia said better engagement from such stakeholders would be a good start. And 38% said better understanding from the rest of the organization on issues of cybersecurity would help, with 32% calling for a strong support team to assist in their defense efforts.
But predictably, technology continues to be the largest stumbling block between the regional CISO and their ideal threat posture. While two-thirds (66%) said people and processes are holding them back from being cyber-resilient, nearly three in four (74%) — a whopping 25 percentage points higher than the global average — said the same of technology.
The report showed further evidence that the strategy of multiple-point solutions is out of date. When asked about their experiences with their current security tools and platforms, 38% described them as outdated, 30% said there were too many, and 34% said they did not work well together. Almost all (92%) of those polled across the two Gulf nations said their organization was using anywhere between 11 and 35 separate tools.
“What comes across most in this study is not the lack of investment,” Alateeq added. “There are plenty of signs that commitments in this regard are on the rise, including the fact that only 36% of respondents cited budget and resource challenges. What emerges here is more of a misdirection of investment. We must ensure the right people and processes are in place for sure. But it is worrying is that amid all the budget increases, we are not yet seeing the right tech in place.”
Alateeq continued: “CISOs are telling us plainly that ‘more solutions’ is not the answer. They need a platform approach that is open and capable of learning and adapting to build a proactive defense. CISOs and their teams must be able to see, protect, and resolve. They must be able to maximize visibility and peer into every corner of the enterprise. They must be able to have coverage of every asset and be equipped with unrivaled discovery speed when picking up on potential threats. And they must be able to automate their response across this connected security ecosystem to keep their organization from becoming the latest victim of the threat landscape.”