Is your digital transformation sacrificing company security?
If 2022 was the year of risk and resilience, then many observers feel 2023 is the year of sustainability and security.
As the corporate world embraces digital transformation in the face of an economic downturn, the emphasis for all organisations is to survive and thrive – and that can only be achieved with greater cloud adoption and enhanced security.
These sentiments are highlighted in The Future of Cloud Security in the Middle East – a research report produced by Cyber Magazine in conjunction with sister publication Business Chief.
We conducted an extensive survey of cloud professionals and IT decision-makers across the region, and discussed the findings in two roundtable events held in Dubai and Abu Dhabi, sponsored by Huawei.
Cloud security – the current threat landscape
Cloud adoption in Middle Eastern countries has been growing rapidly in recent years, driven by increasing digitalisation, the need for improved IT infrastructure, and the desire to reduce costs and improve efficiency. According to Blueweave Consulting, the regional cloud market is growing at a CAGR of 21%, and will reach US$9.8 billion by 2027, up from US$2.7bn in 2020.
The COVID-19 pandemic of 2020 accelerated digital transformation as entire nations were forced to adapt to a new way of working and way of life. However, this rapid acceleration brought with it greater risk – due to the sheer scale and rate of transformation – which sometimes saw security lag behind.
That was painfully clear around the globe, not just in the Middle East. According to a report by cybersecurity firm Kaspersky, the number of ransomware attacks in the Middle East increased by 57% in the first quarter of 2021 compared to the same period in 2020. Another survey by Cybereason said cyberattacks rose 71% in the UAE in 2021, with 84% of UAE companies paying a ransom – a figure that is 20% higher than the global average.
The problem is not just the number of cyberattacks, but also the sensitive data and critical infrastructure now hosted in the cloud – making it a potential target for cyber criminals. Finance and healthcare, for example, have been hit particularly hard in the region.
According to a report by cybersecurity firm Group-IB, the Middle East saw a 25% increase in financial cyberattacks in 2020, at a cost of US$18.5bn. Group-IB adds that the credentials of more than 690,000 users in MEA were stolen by malware in 2022.
The new research report captures a snapshot of cyber and cloud security professionals’ insights, and gauges their opinions on the state of their own organisations and their future intentions when it comes to making their business more sustainable and secure.
The rise of the CISO
Traditionally, the Chief Information Security Officer (CISO) has always been seen as a back-office role or one filled only when there was an audit issue or a need to find IT support. They were seen and not heard, and rarely featured within the executive management team, let alone as a permanent agenda item in the boardroom.
As the cloud and cyber threat landscape becomes even more disruptive, cloud security professionals are clearly being listened to, and heard.
Two thirds of those surveyed for our report say they have an increased voice in the boardroom, almost three quarters say cloud security is taken seriously enough, and a similar number say they are included in strategic decision making at their organisation.
This is welcome news for security professionals and suggests a change in perception for a role that was seen as functional rather than strategic, and is now seen as integral to the sustainability and success of the organisation.
“We need to usher in the new Golden Age of the CISO,” says Dr Aloysius Cheang, Chief Security Officer of Huawei Middle East and Central Asia.
“In order that we appear among the other members of the board, you really have to talk business, and security as a business enabler. The only way out of troubled waters is with the CISO as the captain of the ship.”
Sovereign cloud on the rise as more critical data held in the cloud
One of the key discussion points from the roundtable events was sovereign cloud – due in no small part to rapid deglobalisation and new barriers of entry as a result of geopolitical tensions. These have motivated the need for nations to be self-sufficient and for data to be kept within geographical boundaries.
The survey also found that more than two thirds of cloud professionals in the region believe that government regulation has improved the quality of cloud provision – but the fact that a third say it has not means there is clearly more work to be done as the challenges increase.
Governments – especially in the UAE and Saudi Arabia – have enforced regulation on cloud and continue to add layers of protection for their citizens and their sovereign data.
“The cloud was invented for a global world but I'm thinking that's not going to happen,” says Rajesh Yadla, Director Head of Information Security, Al Hilal Bank.
“You will have your own cloud service provider within each country and already countries are adopting that culture – be it in the UAE or Saudi Arabia or any other country in the region. The reason is to make sure that the cloud service providers are compliant with all these regulations.”
It was reassuring from the survey to see that when it comes to choosing a cloud provider, security (43%) was the most important factor, far ahead of cost (19%) in second place, and reliability (12%) in third spot.
“This leads me to believe that this region is very security focused,” says Shivani Jariwala, Director – Cloud Services, CPX and President Cloud Security Alliance UAE Chapter.
“They have a maturity and acceptance towards security. When it comes to security versus cost – in this region – security comes first.”
Blockchain ‘not a silver bullet’
Survey respondents were asked which technologies they had already implemented at their own organisations, and which they planned to implement further.
The results here were interesting – blockchain, secure deletion, and multicloud were the only security practices listed in the survey that respondents plan to invest more in. Blockchain shows the largest increase, from 8% to 27% – a considerable shift with more than three times as many leaders planning to invest in the technology.
“Blockchain is a solution to a few issues. It's also not a silver bullet,” says Sultan Al-Owais, Digital Lead, Prime Minister’s Office, UAE.
“Many of the use cases where people suggest blockchain assume that it will fix something. What I would have wanted to hear in the answer to that question is simplicity. Our problem is that it is horrendously complex today and therefore has a lot of dark corners that are difficult to secure. It has to become much simpler if it's going to be securable.”
“I think there's a lot of hype,” adds Dragan Pendić, Director - Cloud Security, G42.
“What blockchain really brings to the table is zero trust, and I think this is very important as a security professional – knowing how reliable are your controls and how verifiable those things are at the level that there is irrefutable evidence. So blockchain can certainly help. The bottom line is the preservation of integrity – the three properties of data integrity, confidentiality, and availability.”
Looking further into the future, cloud professionals were asked what their top priorities were going to be for the next 12-18 months. Zero trust was the top priority (56%), followed by data & privacy at 43%, and regulatory compliance following at 42%.
“With the movement towards AI, security is going to be one step behind technology,” suggests Shivani Jariwala.
“Cloud was meant to be something else. Change, like geopolitical issues, has changed the way we now think of cloud. I think we need some form of standard global approach towards cloud security but it will never happen, as the technology keeps changing. So I think our focus is on catching up with the technology and securing those – that is where a lot of our energy will go.”
Pendić saw a bigger challenge coming from the lack of talent available not only in the region, but globally – with an estimated 4.5 million vacant cyber security roles.
“Leadership needs to invest in fully understanding the security of the organisation,” he says. “When it comes to security, we need to be more sharply focussed on what is relevant. We need to see security through the lens of a business rather than as a security professional because ultimately we serve the business.”
“We need to go back to basics,” concludes Dr Cheang. “When putting our heads in the cloud, we need to keep our feet firmly on the ground. We need to focus on the low-hanging fruit that we can accomplish together.”