How would you rate the maturity of the cybersecurity sector in the UAE and the wider region?
Cybersecurity is a nascent sector in the Middle East, and the discourse around it is still in the making. I would dissect the question of its maturity along three layers: framing the discussion, formulating sound strategies, and executing them effectively. When you are talking with policy-makers or industry leaders, they understand the issue's importance. At both the federal and emirate levels in the UAE, for example, the consideration of cybersecurity is starting to take root in policy and strategy development, with the first federal strategy emerging in 2010. Anchoring the discussion on cybersecurity within the most senior circles of government and business is crucial. In terms of strategy readiness, I would qualify it as a work in progress. This is not specific only to the UAE, but something we see around the world. The reason is two-fold. Cybersecurity is a developing field, but on top of that, it is a field whose technologies, practices, and implications move at a speed unseen in other sectors. Discussions about strategy need to be well-crafted, and we need to know we have a handle on the cybersecurity agenda, both in the public and private sectors; only then can sound policies be made. After that, we come to the third layer, which is the need to make sure policy is executed clearly, with the right checks and balances in place. What we are observing around the world is that in countries with a higher cybersecurity threat level, there is an incentive to take on a more advanced posture. The UAE is in this group. The country has been a formidable and progressive socioeconomic platform in a region where geopolitical tensions are prevalent. Therefore, the UAE needs to have a robust posture from a cybersecurity standpoint, to defend both the nation and its private institutions. With the right policy and execution, we can have the peace of mind that there will be business continuity. Cyber-threats try to interrupt the way we do things. Whether it is a public or private entity, if it is on the receiving end of a cyber-attack, the end users will measure the impact in terms of business continuity. Overall, the sector is a work in progress across the board. What is rewarding is to see that the issue is taking center-stage on the agenda of policy-makers, and I would say that the UAE is more advanced than other nations.
What role should the private sector play in securing a country's attack surface area?
As countries' economies and societies digitize, the threat landscape is going to expand exponentially. Fascinatingly, the bigger threat we see is that as we digitize work and daily life, mobility itself becomes a treat. It is one thing to digitize work tools that are on your premises, and it is another when it happens in cars or mobile devices. For every dirham we are investing in digitizing the way we work, we are not investing commensurately in securing this digitized experience. Rather, it is an afterthought. We are a cycle behind. When you analyze threat vectors, it is the 'digital individual' that is most at risk, via their mobile devices. Attacks on these devices are on the rise, they are by far the least protected, and it is through them that you can trigger other vectors, such as social networks. We need policies and regulations, but there is no one panacea. For example, there are policies in many countries saying companies must protect data from being accessed by a third party, but there has to be something that requires them to give us assurances that, at any given point in time, the management of that data is compliant, and its integrity preserved from any tinkering. Regulations should not be too constraining, but they still have to drive these outcomes. This is how we should think about it. The General Data Protection Regulation in Europe is a good case in point. It mandates that a company protect the data and privacy of the data of its organization and its clients. If it does not follow these laws it will be fined a percentage of its revenue. The private sector can further the agenda by companies and C-level executives in every sector considering cybersecurity not just a priority, but an obligation. Shareholders should expect a company to clearly articulate its cybersecurity position, and what it is doing to ensure business continuity. If they do not have this prepared, it is an accident waiting to happen. The end goal is to achieve cybersecurity resilience and dynamic adaptability. In the defense industry, a good army is one that can evolve alongside the threat landscape.
Societies are increasingly centralizing their data. Does this make them more vulnerable from a cybersecurity perspective?
The discipline of applied analytics tells us that the bigger the dataset, the more useful it is going to be. If, for example, I want to determine the best way to develop and drive investment to a city, or to maximize livability, I need to be able to access data related to different sectors to see where transformation is required. In the end, the most efficient way to do this is to federate the data. Whether you are a CEO or a president, your number-one responsibility is to make informed decisions. By design, or by accident, data will increasingly have to be federated and made available on platforms accessible to both the public and private sectors. The more we do this, the better our solutions to problems. The key is to ensure proper checks and balances, because the last thing you want is to make the data totally transparent and exposed to manipulation. That's the worst-case scenario, and countries have to rise to a correspondingly high standard with the help of the private sector. DarkMatter was created with the view that there is so much that the government can do from a digitalization and cybersecurity standpoint, but there has to be a contribution from the private sector. We do not see this as a one-sided effort.
What is the most important thing to keep in mind for companies looking to enter the UAE market and stay resilient?
Companies coming to the UAE are entering an economy that is highly digitized. They need to come in prepared to enter such an ecosystem. The bar is already high, so they cannot come in with the traditional ways of doing things. They have to have the cybersecurity checks and balances in place, and they need to connect with the relevant agencies. You need to develop an understanding of the different players in the ecosystem, and know that no one entity has the silver bullet.