Getting Beyond the hype –Middle East insights from GISWSDr. Adrian Davis, CISSPManaging Director EMEA, (ISC)2

Growing Influence in the Middle East

• Members work for major corporations & governments – Oil, & Gas, Finance, Healthcare, Tech

• Safe and Secure Online Internet Safety

• Annual Secure Summit• Advisory Council – CISO

roundtables, working groups

• 8th Bi-annual study, first released in 2004 – Developed by the Centerfor Cyber Safety and Education in partnership with Frost & Sullivan

• 19,600 - 12,300 were (ISC)2

members and 7,300 were non-members surveyed June 2016 –August 2016

• 518 Middle East; 330 GCC; 149UAE

Global Information Security Workforce Study

Varied Reports

• Feedback from professionals regarding certification, training and educational requirements

• Track trends/issues as seen by practicing professionals

• Understand potential gaps in organisational security and workforce requirements

• 518 Middle East - 330 GCC; 149 UAE

Three questions for todayWhat are the hot topics?Are they what really matters?How do we move forward?

Losing ground

60 % or more report worsening position for Security Incidents:

• Having systems in place

• Ability to discover a Breach

• Ability to Recover

Time to discover and recover

Less than half a day

Don't know

Two to seven days

Immediately

Within one day

Eight to twenty days

Six weeks or more

Three to five weeks

0% 5% 10% 15% 20% 25%

Discover

Series1

0% 5% 10% 15% 20% 25% 30% 35% 40%

Two to seven days

Within one day

Don't know

Eight to twenty days

Three to five weeks

Six weeks or more

Recover

Top concerns: ransomware/data exposure

0%10%20%30%40%50%60%70%80%90%

100%

No concern at all Low concern Medium concern

Does experience match concern?

0%10%20%30%40%50%60%70%80%90%

100%

Very uncommon Somewhat uncommon Neither common nor uncommon

Trends driving risk/false sense of security• Over reliance on tech

solutions • Consumer trust in big

brands• Component; device-centric

security• Cyber insurance for day to

day issues

• Volumes of exploitable IoT traffic flooding infrastructures –healthcare, smart cities

• Automated cybercrime; competitive crime groups

Trends impacting security strategy

0%10%20%30%40%50%60%70%80%90%

100%

The move tocloud and

applicationdriven services

Roll out of newsystems or

applications

More hostilethreat landscape

Protecting our IP Changinglegislativelandscape

Reactions topast breaches

Mobile,telecommuting,

andcollaborative

work practices

BYOD/A Security AwareManagement

New productdevelopmentssuch as IoT or

robotics

Prefer not to answer Not at all important Somewhat unimportant

Neither important nor important Somewhat important Very important

Professionals Struggling to Gain Security Oversight

Attacks attribute to known vulnerabilities31% don’t knowOnly 5 % say allOnly 19% said more than half10% said about half22% said less than half12% said none

That doesn’t mean we aren’t improving

• 63 % say security posture is better than a year ago

• Improved security awareness

• Assessment of threats/risks• Higher spending

0%10%20%30%40%50%60%70%80%90%

But it’s not enough…

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Not enough qualified professionals available

Security awareness is still too low

Inadequate funding for security initiatives

Poor understanding of risk management withingovernment

Inability to keep pace with threats

Ineffective security guidance or standards

Mind the GAP The recruitment challenge in cyber &information security

16

Job Market Concerns• Global workforce gap up from 1.5 to 1.8 million by 2022.• Unemployment tightening: 2% (4% in 2012); 84% ME are

permanent employees.• High churn in ME 21% changed jobs while still employed

(Global 18%; Europe 16%)• Higher for under 29s 32% (28% global; 30% Europe)• 62% of ME respondents report too few skilled people

today!• Salaries rising – 60% ME salary increase;

15% higher than 10%

Workforce Profile518 Middle East330 GCC149 UAE

Roles in the ME

• Managers & Strategists –34% (13% report to BoD)

• Builders – 15%• Operators –

10% • IT Focus -10%

0%2%4%6%8%

10%12%14%16%18%20%

Demographics

• Younger than global average -11%in ME under 29

• Top 3 Employers:• Consultancy (27%)

• Finance (20%)

• Government (10%)

• Large organisations (> 10,000 employees) make up 23% of employers

• 95% male

19

11%

27%

39%

23%

Under 29

30 - 34

Over 40

Other

Characteristics• 50% over 10 yrs experience• 95% university; 39 % masters• 86% worked in IT previously• 50% comp sci; 33%

engineering degrees• 19% non comp Sci or

engineering degress• Varied professional affiliations

20

40% information security professionals;19% security consultants; 13% IT professionals;11% cybersecurity or risk; Engineers, auditing, IA, software, data privacy …

Market indicatorsSpending, hiring, training,

Spending on the Rise

0%

20%

40%

60%

80%

100%

120%

Value Don'tknowValue Remainthe same

22

Significant Team Growth

59% hiring mangers in ME sample; 22% adding at least 20% to teams

Rising Investment in Training

• 50% received more training than in the previous 12 months/only 15% decreased

• 60% (62% UAE) expected an increase in the next 12 months

• 43% say their organizations do not provide adequate professional and training for their infosec workforce (compared to 33%/37% Europe/Global)

0%

10%

20%

30%

40%

50%

60%

Value

Cloud Computingand Security

Governance, riskmanagement, andcompliance (GRC)Risk assessmentand management

Incidentinvestigation andresponseVirtualization

InfoSystems andsecurity operationsmanagement

Talent Pool Not Growing With Need

• 15% non-managerial

• 17% entry level

Why the Gaps

47%, 23%

46%, 22%

46%, 22%

34%, 16%

31%, 15%3%, 2%

It is difficult to find thequalified personnel werequire

Business conditions can'tsupport additionalpersonnel at this time

Feeling the Impact

• At least 50% say shortage significantly impacts each of:• Infosec workforce• Number of breaches• Organisation as a whole• Customers

Job Market BarriersMyths, priorities, habits

Limited Understanding

• Over reliance on the technical concepts that are easy to understand

• Dominance of ‘buy-in rather than train culture’

• Lack of Maturity• No clear routes to join• Difficult to assess raw talent• Churn creates disincentive to train

Mismatch of priorities – Global

30

54%45%

39%35%34%

31%31%

28%

Cloud Computing…

Risk assessment and…

GRC

InfoSystems and…

Incident…

Data centric…

Communications skills

Analytical Skills

Millennials66%

59%46%

38%37%35%34%

30%

Communications skills

Analytical Skills

Risk assessment and…

Cloud Computing and…

InfoSystems and…

Platform or technology…

GRC

Data centric approaches

Hiring Managers

New Thinking Needed

94% Middle East!

0%

10%

20%

30%

40%

50%

60%

70%

Where recruiting

New Thinkingtalent, incentives, and more

Untapped Talent

11 % under 29 years

Only 5% are female

16% non-IT background

Young workers value

• Gravitating away from traditional hierarchy

• Perks over pay• Mentoring & Leadership• Training & prof certs• Flexibility & job diversity

35

21 % millennials aspire to primary role as consultant

Gender Wage Gap – Growing

Widest at operational levels

Support works

Behavior & choice rather than policy leads

to inequity

Technical expertise not prerequisite

• Expand recruitment horizon• Recognize dominance of ‘buy-in rather than

train culture’ • Remove barriers to entry, inequities and

develop support programs• Sell the profession - communicate true

requirements and opportunity – not just the technical

• Demystify the technical – it is more accessible than many think

Call to Action

Experience can no longer be core

criteria

Answering the call to action

• New routes to join - International Academic Programme; apprenticeships

• Associate Programme – one of the fastest growing classes of membership in Europe

• Chapters welcoming newcomers• Scholarships/commitment to continued

research• Showcasing talent