MENA security spending on the rise as risk awareness expands

Gartner’s senior research analyst Sam Olyaei speaks to Pipeline Magazine’s Nadia Saleem about the company’s new research on security investment and insight into the Middle East oil and gas industry security risks

Security services will continue to be the fastest growing segment in line with global trends, especially IT outsourcing, consulting, and implementation services, Gartner said in a new research. The growth for security services will be driven by ongoing skills shortages in the information security domain as well as increased awareness of threats.

In a region where oil and gas industry is critical to many local economies, convergence of operational technology (OT), Internet of Things (IoT), and IT is pushing many organisations to start considering how to handle the potential new security vulnerabilities created. This will result in additional interest to invest in security products and services to mitigate these new risks that traditional information security practices are not accustomed to, Gartner said.

What is Middle East’s portion of the global spend on cyber security investment in 2017? What is driving the growth?

MENA has spent US$1.8 billion in 2017 on security, seeing an 11 percent increase over the year before. Worldwide, there will be a total $86.4 billion spent on IT security in 2017. In MENA, we expect another double-digit per cent growth in the next two years, with risks driving the spending.

IT security risks are a primary driver of security spending in a majority of organisations, especially due to two main factors: an increased awareness of threats, and an ongoing skills shortage in information security. While organisations cannot control the threats, they can control the security risks to their own environment.

As a result, Middle East organisations need to implement a risk-based security program – especially addressing basic security and risk processes. Leaders need to invest in patch management, vulnerability scanning, centralised log management, internal network segmentation, backups, and systems hardening.

Meanwhile, security outsourcing is becoming the largest security service market in 2020, as companies, especially for SMEs that have smaller recruiting budgets and talent pools. The main cause of security outsourcing is that there is a massive talent shortage in security – leading to gaps in implementing security programs, gaps in coverage, stalled projects, and increased risk of breaches. To address the talent need, organisations will need to adopt new recruiting processes. However, with emerging technologies such as the Internet of Things requiring skills that do not exist yet, many organisations are turning to innovations such as advanced analytics, business algorithms, and machine learning to ramp up security processes.

In the convergence of IT and OT with the Internet of Things, and the Industrial Internet of Things, we are seeing both privacy and safety implications. For example, an incident in an oil and gas firm’s IT environment could cause the loss of some data records and potentially a fine. But an incident in the OT environment could potentially cause loss of life or a safety hazard.

What is the breakdown for the oil and gas sector specifically?

We don’t publish a figure for this breakdown. Middle East oil and gas companies are investing in cyber security solutions at a higher rate compared to the global average of oil and gas firms.

In oil and gas, where are most of the spending focused?

Most of the oil and gas spend is focused on protecting critical infrastructure, securing the convergence of IT/OT/IOT, incidents that if successful can force plant shutdowns, utility interruptions, monetary loss and even human hazard at its extreme.

However spend is mostly focused on perimeter security technologies. There isn’t enough investment in detection/response techniques nor is there in people and process.

Where are the vulnerabilities yet to be addressed?

Attackers are using exploits to gain access to critical infrastructure and sensitive data and most of these exploits are either commonly identified or released, or are have been known by the organisation for at least a year. Again the biggest vulnerabilities right now for oil and gas is in its critical infrastructure and OT environment.

What is the risk scenario - is it increasing, or becoming more sophisticated?

Threats are always on the rise. In the Middle East we see a combination of monetised and weaponised malware that spreads mainly through phishing and social engineering. The motivation behind these threats can be grouped into either Nation State Attacks/Entities associated with nation states that intend to destruct, or individuals that are looking for monetary value or ransom.

However, it’s important to note that the risk scenario is less about the external threats and more about the specific risks that an organisation itself faces. All enterprises should treat state threats as part of the usual advanced threats. While certain verticals and industries need more focused actions, much of being prepared for state-sponsored threats and ransomware comes down to best-practice level safeguards.

Ransomware can also be prevented across basics such as system patching; EPP updates, configurations, and extensions; endpoint detection and response solutions; network perimeter and segmentation; administrative and system protection; and backups.

At what level is awareness for cyber risks and how does the Middle East tend to approach it?

Awareness of cybersecurity risks/attacks is becoming better but the region still lags behind North America and Europe. Cybersecurity is still not a priority for executives/board members and is being treated as a function of IT when in reality it should be a business function.

Similarly, we are not spending enough on people and process. In this region specifically, we try to solve every problem with a technology or a product. We need to educate our people/employees, provide them with the right tools to succeed and formalise processes around these tools. Often times, it is not the lack of spend, but rather the lack of process that causes an incident to wreak havoc.