Paul Mee
Hello and welcome to a conversation on cyber. I have with me two esteemed colleagues from the Middle East. We’re going to talk about some of the challenges in that area and some of the great innovations that we’re seeing as regards to cyber defences and cyber risk management. So, gentlemen, can you introduce yourselves?

Souheil Moukaddem
I’m Souheil Moukaddem, I am the leader of the cyber platform at Oliver Wyman and I’m very happy to be here.

Ziad Nasrallah
And I’m Ziad Nasrallah. I’m leading the cybersecurity platform for IMEA.

Paul
So, just to jump right in, tell me what it’s like in IMEA when it comes to cyber defence and cybersecurity. How would you characterise it?

Souheil 
We’ve been doing this for a few years and it’s been an interesting journey. I would say that the level of maturity, being an emerging market, isn’t quite there compared to some of the more developed markets. And so most of our work is really to the left of the value chain. Operating on developing policies, governance. Just really laying the foundations for what’s coming in terms of cybersecurity.

Paul
How are countries dealing with this? Is it top of the agenda for governments, for corporations? How do people think about cyber as a risk in this part of the world?

Ziad
Absolutely. They really have been taking it very seriously. And there’s been a lot of work done, especially in the last six, seven years. A lot of the countries have established national strategies. Specifically, to give examples, Saudi Arabia and the UAE have probably led the way. They've put together authorities. There's a national cybersecurity authority in Saudi Arabia. They put a national strategy regulatory framework in place, and are really monitoring the risk posture of the country and focusing on critical national infrastructure.

Paul
Tell me what the three biggest things are. What are the biggest challenges when you think about the region having to deal with cyber risk, cyber defences, in a part of the world where there could be natural frictions anyway?

Souheil
I think really the first biggest priority is really raising awareness, whether it is on the public sector on the government side, or on the private sector side. As Ziad has said we’ve seen a lot of strides moving in the right direction to try to build the foundations against cyber-attacks. The other one, of course, is a global problem, but it's particularly exacerbated in the Middle East, which is really the shortage of cyber talent. And what you see really is as the professionals become more experienced, they tend to migrate to other geographies where the pay is better, and the jobs are better.

Paul
That first problem about awareness. Do you have the magic bullet for this? Do you have a view on how that can be solved?

Souheil
I don't think that there's a magic bullet. It's got to be a multi-pronged I would say, attack on the problem. On the awareness on the government side, I think regulators are the ones that need to start pushing down some of the enforcement and some of the alignment with their standards and regulations. I think also inside the companies, the CEO, and in particular the COO, need to drive that agenda as well over awareness. I think we've seen that the largest majority of attacks start with phishing attacks. And I think it behoves the leaders to kind of really raise the awareness. As you know, at Oliver Wyman we have a 22-point checklist that we go through to ensure that you're actually putting in place and enforcing some of those standards. And as well as repeat exercises, because this is not a onetime thing. It's a continuous effort to kind of make sure that the standards are up to date, that the behaviour is aligned. And it's a continuous cycle of maintaining that readiness against cyber-attacks.

Paul
From your observations, are there any other kind of fundamental issues in the region that make things that much harder for cyber defence?

Ziad
The talent issue is a big one. The other one is proper cybersecurity intelligence, threat intelligence. And I think this is a lot of intelligence that we see is important, not necessarily contextualized to the region, or to sectors in the regions. The threat actors in the Middle East are different. The geopolitical situation is different. So there's different patterns of attacks that we've seen. I think proper monitoring and capturing of that information and sharing it across when it comes specifically to critical infrastructure, I think is important. And this will help organizations be more proactive, do proper threat hunting, be more aware of situation, and not just being a bit more generic as they are today.

Paul
So let’s do talent then. Probably the trickier question.

Ziad
Well talent is very tricky. And I think there's over a 3 million job gap globally today.
And when it comes to national cybersecurity strategies, there's I would say three components in developing the ecosystem. The one part is having the proper authority that's regulating the markets and then you need to have the talent management being set up and then you need to have technology ecosystem of building cybersecurity technologies and start-ups within a certain country. And I think that's the maturity that you would look for at a national level. When it comes to talent specifically, we've seen long longer-term strategies of setting up an academy, trying to implement it within schools, getting the youth interested through cybersecurity and hackathon events, introducing it into the curriculum and in the K-9 school systems. But those are all longer term, I would say, solutions. On the short term, I think there has to be a bit more thinking about how to pull resources together, introduce a lot more shared service. And the other is using technology and AI where you can, because it’s a lot of tedious and repetitive work.

Souheil
That gap is supposed to increase at a 15-20% rate year on year, so it needs to be addressed and it needs to be addressed quickly. Exactly as Ziad was saying I think with a set of actions that need to go into place to make sure that one; you’re looking at creative ways of pulling resources using technology where you can to kind of replace humans with automated processes, but really it needs to be tackled because as the gap gets bigger, the problem is going to get bigger as well.

Paul
Tell me about technology because one of the big issues that we see in other geographies is this mixture between operational technology and information technology and fast moves in the digital space. So how much of that is a challenge in the region here?

Ziad 
I think it's a very big challenge, specifically when it comes to the oil and the energy sector. Whether it's oil and gas rigs or refineries where they have a lot of old industrial control systems, legacy systems that they use, and they're becoming digitized. It’s a time where we're connecting all these legacy systems, and they're not necessarily built to deal with the threats of today. They don’t have the patching systems. It’s very few people who really understand that technology and how to run it. Some of them are getting older and retiring. So really understanding the risks of that environment becomes very challenging, especially given that energy makes up a large chunk of the GDP. So those assets become very vulnerable.

Paul
Souheil, you’ve got challenges with the technology of being old and young, getting the right regulation in place. So are you bullish or bearish about the region? Where is it headed?

Souheil 
I think we've got silver linings. As in any developing market, you have the opportunity to kind of leapfrog and kind of get quickly over the pains and the lessons learned of some of the more developed countries where you can just import either learnings or technologies that kind of accelerate your learning capabilities. I'm actually optimistic in that we're going to be able to learn from some of those that were ahead of us.

Paul
And you have the same opinion or are there more things still to watch out for?

Ziad
No, absolutely. I think definitely a lot of things to watch out for, but very excited to be building cybersecurity in the region because we're just part of that that growth story that's happening right now. We feel like we've contributed to the maturity that exists today.

Paul 
Is there any physical things where you go “We are the guys to help you with a given problem” in the region?

Souheil 
We're certainly the guys to help you with a given problem in the region. I mean, the breadth and the depth that the team brings, and the years of experience, I think having been involved intimately in the setup of some of the most advanced agencies in the region, and our deep understanding of what the problems are. As Ziad was saying earlier, some of the solutions that will come are not necessarily contextualized or tailor-made for the region and having been in the region and worked in the region we understand what the specifics are to which these programs need to be tailored.

Paul 
Give me the sales, why should people call you and what are you going to bring?

Ziad
Companies that should call us are companies or organizations that are really trying to improve their security posture. We see a lot of companies that see cybersecurity as a regulatory headache and are just trying to go through the checklist.
And I think others are really concerned about the risk and how they can address it and mitigate it, and those are the types of clients that we want to go after, because we can really add value and help them understand the risk and how they can invest in the right places.

Souheil 
As you say Paul, most of the people that get it well; cybersecurity, usually get involved after an attack or after an event. The idea is really to be ahead of that curve to kind of either prepare or mitigate against such attacks.

Paul 
Well gentlemen this has been amazing. Thank you very much for your insights. And thanks everyone for watching, we’ll conclude here.

This transcript has been edited for clarity.