Cybersecurity Maturity in the UAE: A fast and continuous improvement process

What does the actual cyber maturity landscape look like in the UAE, and does it reflect the efforts that have been invested recently? In 2019, the country founded its National Cybersecurity Strategy. Then in 2020, Sheikh Hamdan bin Mohammed Bin Rashed Al Maktoum, Crown Prince of Dubai and Chairman of the Executive Council launched the Dubai Cyber Index, to help government entities on their cybersecurity journey.

Those were followed by several regulations, some broad like the Dubai Electronic Security Center’s Information Security Regulation (DESC ISR), and some more industry specific, such as the Abu Dhabi Healthcare Information and Cybersecurity Standard.

Andrew Schumer, director of tech and cyber advisory at Grant Thornton UAE, explains the reason behind this fast improvement: “While the maturity of cybersecurity in the UAE and the region used to be lower than that in Europe, countries in the GCC in general and the UAE specifically understood that their region faces a unique threat factor, and this makes them more at risk of attacks from Advanced Persistent Threats [APTs] than their peers in Europe.”

He adds that this led to the drafting and implementation of cybersecurity regulations which are world-class, and which have been benchmarked against their European counterparts : “This flux of regulations has certainly helped improve cybersecurity in the private and public sector, and clients no longer opt for checkbox audits, they are now looking for improvement not only on the compliance side, but on the security side as well, with cybersecurity budgets increasing greatly in recent years.”

One small downside to this is the rate at which companies need to work to meet the regulatory deadlines: “While companies used to take regulations and standards lightly and only think of them as nice to have, those regulations are now mandatory and organizations are now suddenly faced with deadlines which will be tough to meet, and a large number might be faced with fines or penalties.”

Moreover, regulatory deadlines are not the only obstacle organizations are facing. A regional manager in one of the largest cybersecurity service providers in the UAE who chose to remain anonymous discusses the challenges encountered by companies when it comes to cybersecurity: “The first and biggest problem remains staff augmentation, especially when it comes to SOC attrition. Level 1 SOC analysts are mainly hard to retain. They quickly move to a better opportunity since there is a big demand for Level 2 and Level 3 analysts.”

Another challenge lies in clients not being aware of applicable frameworks, standards, and regulations. The anonymous source points out that while clients focus on government-mandated regulations such as DESC’s [Dubai Electronic Security Center] and the ISR [Information Assurance Regulation], they often do not realize that they also need to implement other frameworks and regulations such as PCI-DSS [Payment Card Industry Data Security Standard], GDPR, and the Cloud Security Alliance’s Cloud Controls Matrix, by developing a unified controls framework which covers all applicable requirements.

Additionally, the source directs attention to another area of improvement: “Out of all the projects we engage in, only a small number is related to cloud security. Clients still do not realize that securing their assets in the cloud is as important as securing those on site.”

Challenges aside, the same source confirms that the UAE today is on par with other regions, if not even better. “The country’s cybersecurity maturity has reached very high levels across many domains, including operational technology. They have one of the most advanced CERT in the world. The country has invested in people, so skills and awareness are both there and salaries are generous. They have also invested heavily in cutting-edge and state-of-the-art technology. While the biggest investments in cybersecurity are seen in the defence, financial, telecommunication, and healthcare sectors, cybersecurity budgets across most organisations have recently increased.”

However, those investments need to be carefully planned and oriented. Marc Kassis, founder, and general manager of InoGates, believes this is not the case: “Most organisations in the private sector that are looking to invest in cybersecurity will invest first in implementing software and hardware solutions without necessarily having any consulting services as a first step. They will move for enhanced advisory afterwards when they still feel the threat and if they are big enough to have a budget for consultancy services.”

On the other hand, when it comes to the public sector, Marc Kassis adds that “the government of the UAE has been increasingly aware of the importance of investing in a holistic approach that also includes advisory and strategic planning for cybersecurity. In a nutshell, the cybersecurity maturity in the UAE public sector would be on par with European peers and in some cases even more mature due to highly available funding, while the private sector is definitely not yet comparable to its peers in Europe.”

On the partnerships between the UAE and France in the field of cybersecurity, Marc Kassis points out that the UAE government welcomes diversity and competitiveness in all sectors, and this is particularly true for cybersecurity and for companies from France. “This has been shown over several initiatives jointly built with the UAE French Business community as well as the French Embassy,” he said.

But for a French company to succeed in the UAE market, Marc Kassis lists several key points: “The French cybersecurity companies are most welcome in the UAE but need to digest a few elements about the local market and the way of partnering for a successful business. First, it is obvious that the UAE market is very competitive hence patience and investment must be available. Second, find the right go-to-market and stick to its development plan. Third, carefully choose the partnerships you are creating, support them and trust them. Finally, make sure you identify the solution or business value differentiators from existing solutions. Remember to be flexible and adaptable. What works in France might not work the same way in the UAE.”