A report by cybersecurity company Trellix has found that organisations in the UAE and Saudi Arabia remain susceptible to cyber-threats
Chief Information Security Officers (CISOs) across companies in the region said that their companies were ill-equipped to deal with cyber-menace. According to a report published by Trellix, 66% of CISOs in the UAE and Saudi Arabia still believe their organisations lack the right people and processes to be cyber resilient. 74% also believe their current technology setup is insufficient.
This is all despite the cybersecurity market witnessing a high of 7.6% CAGR last year, a sign of heightened interest in security matters at the board level.
More than one in four CISOs in the UAE and Saudi Arabia (26%) complained about the lack of skilled talent as well as their inability to recruit and retain this talent in the research, which was conducted by Vanson Bourne across nine countries and surveyed 500 CISOs at companies with more than 1,000 employees. More than one in five (22%) expressed concern about the board's lack of support, and 30% mentioned the organisation as a whole.
38% of CISOs in the UAE and KSA reported that they did not have the freedom to contact people outside of their organisation for educational purposes. A further 38% indicated dissatisfaction with their failure to react rapidly to evolving regulatory frameworks, and 18% claimed that their processes were poorly designed or that they were given access to too many information sources to appropriately regulate their environment.
Khaled Alateeq, head of Middle East at Trellix, said, “...government entities [in UAE and Saudi Arabia] have done a great job in laying out cybersecurity guidelines and regulations and introducing a wide array of skilling initiatives and incentives to attract top talent to the region. Now it is incumbent upon organisations to answer the call and support their CISOs.”
Half of CISOs in the UAE and Saudi Arabia who were asked for ideas on how their company's senior leadership could assist them in overcoming their issues stated that better involvement from such stakeholders would be a good place to start. Additionally, 38% of respondents said that the business as a whole should have a better awareness of cybersecurity-related concerns, and 32% called for the creation of a robust defence team.
But as is to be expected, technology continues to stand in the way of the regional CISO's ideal threat posture. While nearly three in four (74%)—a staggering 25 percentage points higher than the global average — claimed that technology is what is preventing them from being cyber-resilient, two-thirds (66%) answered that people and processes are the problem.
The research provided additional proof that the multiple point solution technique is no longer effective. 38% of respondents who were asked about their present security tools and platforms stated they were out-of-date, 30% said there were too many, and 34% said they didn't function well together. Nearly all (92%) of those surveyed in the two Gulf countries stated their company used anywhere between 11 and 35 different tools.
“What comes across most in this study is not the lack of investment,” Alateeq added. “There are plenty of signs that commitments in this regard are on the rise, including the fact that only 36% of respondents cited budget and resource challenges. What emerges here is more of a misdirection of investment. We must ensure the right people and processes are in place for sure. But it is worrying is that amid all the budget increases, we are not yet seeing the right tech in place.”
Alateeq continued: “CISOs are telling us plainly that ‘more solutions’ is not the answer. They need a platform approach that is open and capable of learning and adapting to build a proactive defence. CISOs and their teams must be able to see, protect, and resolve. They must be able to maximise visibility and peer into every corner of the enterprise. They must be able to have coverage of every asset and be equipped with unrivalled discovery speed when picking up on potential threats. And they must be able to automate their response across this connected security ecosystem to keep their organisation from becoming the latest victim of the threat landscape.”