Information security teams understaffed, say UAE CISOs

The cybersecurity threat landscape is constantly in flux. But there are some constants, and the IT skills gap is chief among them. Much-discussed but hard to remedy, it’s a global problem – and it’s particularly severe in the UAE.

Digital transformation and adoption of new technologies are booming in the UAE. McKinsey’s ‘Digital Middle East’ report ranked the UAE government number one in digital adoption among Middle Eastern countries, with advancements spreading ‘at an accelerating speed’. But rapid growth in any sector requires a solid foundation in terms of infrastructure and human resources to support it.

And that doesn’t seem to be the case in the UAE. Though the IMD World Competitiveness Center recently rated the UAE 4th globally for the talent of its workforce, a survey last year found that only 35% of IT professionals in the GCC region (most of whom were based in the UAE) felt that their IT teams were fully staffed.

Our research, based on input from over 150 information security professionals, bears out those findings.

35% of participants said that their organisation’s information security team had two or fewer members. Even at companies with over 5000 employees, fewer than half had information security teams of more than five members.

The most worrying statistic, of course, concerns those who replied with ‘0’. Given that participants were members of AKJ Associates’ community of information security professionals, that clearly doesn’t mean that information security isn’t bothered with. However, it does most likely indicate that no one at the company is responsible for information security on a full-time basis. While half of these responses came from companies with fewer than 20 employees – making this an understandable staffing decision – the other half were from companies with over 1000 employees. In these cases, perhaps rather than meaning that information security is just one of the IT team’s many shared responsibilities, it is possible that information security functions have been outsourced.

Unsurprisingly, industry had a lot to do with information security team size. The participants who reported a company size of over 1000 employees but no information security team worked in education. While this is a sector with access to substantial amounts of personal information – much of it sensitive – as well as substantial amounts of valuable intellectual property in some institutions, it’s often one where resources are stretched. By contrast, government, banking/finance, electronics/telecommunication and professional services were the sectors with the largest information security teams.

We also saw a strong correlation between size of information security team and participants’ confidence that they had enough board support to effectively safeguard against the threats their company faced. Though only 15% of participants overall said that they were fully confident that they received sufficient support, two thirds of participants with teams of 50 or more members reported full confidence. Two thirds of participants with teams of 21-50 members were mostly or fully confident, as were three fifths of participants with teams of 11-20 members. The lowest levels of confidence were among participants with no information security team, followed by those with only one or two members.

So how can smaller teams make up for what they lack in numbers?

Many have hailed automation as the answer, and that’s clearly reflected in the rapid growth of artificial intelligence in the region – according to a report by PwC, AI technology will account for almost 14% of the UAE’s GDP by 2030.

Other companies are outsourcing some or all of their cybersecurity workload, engaging the services of Managed Security Service Providers (MSSPs) or virtual CISOs. When asked whether they would prefer to outsource to an MSSP, our participants’ responses were split almost exactly 50:50, with a slim majority saying they would prefer not to. However, when comparing responses to this question on the basis of information security team size, there was a much more visible split, as can be seen in the accompanying chart. Information security teams with fewer members were far more likely to express a preference for using an MSSP, whereas those which were already well-staffed were less likely. However, it is interesting that a not-insignificant proportion of very large teams were pro-MSSP. This may be due to the financial cost of maintaining an in-house information security team of such a size.

Participants who reported particularly small or large information security teams also showed different priorities when it came to choosing a solutions provider. All participants who reported that their organisation had no one in its information security team told us that quality of customer support was a top priority. It was also the second most frequently-chosen priority among teams of 1-2 members, second only to ‘integration with existing systems’, which was the top priority among all participants, for understandable reasons. Participants in teams of 50+, however, were more likely to prioritise reputation and client testimonials, and technical priorities such as scalability or ease of patching. The same was true of those who reported teams of 21-50, who prioritised speed of response to new developments over quality of support.

The pace of digital transformation in the UAE shows few signs of slowing at present – in such a rapidly changing landscape, particularly when it comes to cybersecurity, there is always new information and technology to keep on top of. However, it’s still relatively early days. As mainstream awareness of cybersecurity and its importance grows, and a new generation of ‘digital natives’ enters the workforce, we may see the skills gap decrease and board-level commitment to security increase. But until then, compensating for the difficulty of finding (and retaining) cybersecurity talent will remain one of the top challenges facing the UAE’s CISOs.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
