Author: Talal Wazani, Head of Strategic Security Consulting, Help AG
The Middle East, and the GCC in particular, remains a prime target for cyber-criminals due to the prominence and scale of its financial and energy services sectors, which require a high degree of regulatory compliance. This is because of the inherent risk of loss of confidentiality, integrity and availability of information, which may lead to disruption of critical infrastructure services in the region.
According to the World Economic Forum (WEF) Global Risk Report 2019, cyberattacks were ranked as the highest technological risk, followed by risks related to the breakdown of critical information infrastructure. The WEF has also warned of the increased likelihood of cyberattacks in the Gulf, and especially in Saudi Arabia and the UAE. This increased likelihood, evident in the past waves of attacks against Saudi Arabia in 2012 and 2017, has ensured that cybersecurity compliance makes it to the top of the agendas of government agencies in both countries, with the UAE launching its ‘National Cyber Security Strategy’ and Saudi Arabia envisioning a secure and resilient digital infrastructure as part of Saudi Vision 2030.
Saudi Arabia has introduced a variety of regulations and standards targeted at financial institutions, government entities and information technology providers to ensure a unified risk-based best practice approach to tackle the increase of cyberattacks and to create a cybersecurity culture amongst its citizens, residents and both private and government institutions.
The UAE has also revised the current National Cyber Security Standard and the Critical Information Infrastructure Protection policy, is introducing Sector Specific Cybersecurity Standards, and is working towards enhancing current cybersecurity laws.
This increase in regulations and standards may burden organizations in the short run in terms of financial, human resources and operational overheads. But it will no doubt contribute positively to the bottom line in the long term, by reducing the risk exposure of organizations and strengthening the trust of stakeholders who are looking to invest in this region.
The challenges businesses face when ensuring compliance
Human resources’ skills remain the main challenge for organizations that are looking to comply with the numerous requirements coming out of cybersecurity regulations and standards. It is essential for an organization to develop its resources regularly to meet the ever-changing threat landscape and compliance requirements. The cybersecurity skills shortage impacts more than 70% of organizations in the form of increased workloads on current staff, as revealed by a global study conducted by the Information Systems Security Association (ISSA).
The shortage in skilled resources is leading organizations to be creative in their approach by outsourcing CISO functions (Virtual CISO) and embracing Managed Security Services (both technical and governance services) offered by leading cybersecurity firms.
Financial challenges are also contributing to delays in meeting compliance requirements, thus increasing the risk exposure of organizations. This is mainly due to the lack of a mature, risk-based approach to cybersecurity, coupled with cost-benefit analysis, which would ensure that funds are directed to where they matter the most.
Overcoming these challenges
Cybersecurity awareness training platforms are one of the essential tools used by organizations to reduce the human risk factor and to bring about a positive organizational cybersecurity culture change. This reduces the likelihood of incidents materializing and helps fill the end-user skills gap by transforming users into contributors to the compliance journey.
One of the most ‘up and coming’ technologies in this region is GRC automation, as it enables organizations to overcome the resource shortage by streamlining most of the recurring governance and compliance activities and distributing the workload across the organization as a whole. This of course will require the organization to have an effective cybersecurity organizational structure in place, while ensuring that departmental stakeholders are well trained to fulfil their duties as cybersecurity champions.
The role of regional governments
Regulators need to work hand in hand with industry leaders to define practical minimum requirements that ensure industry standards and best practices are in place without hindering business growth. This can be accomplished by engaging industry experts to assist governments in identifying threats in their respective areas and suggesting requirements to reduce the likelihood and impact of such threats, thus mitigating the associated risks.
Regulators will also need to lend a hand by investing in human resources development, public awareness, grants to cybersecurity research institutions and cybersecurity educational scholarships to bridge the current skills gap.