Securing the region: An interview with Wael Fattou...

Securing the region: An interview with Wael Fattouh, Middle East Partner, PwC


What are the most critical IT security issues facing the GCC landscape currently?

Given its geographical, political, and economic position, the Middle East continues to be a hot target for many cyber criminals and the number of major incidents targeting the region continues to grow.

The security landscape is constantly shifting and the issues facing organisations are very different depending on the sector and size of an organisation.  However if I am to pick some of the most common security trends for 2017, I would say that ransomware, security resourcing, mobile security, and critical infrastructure security are on top of the agenda for many organisations in the Middle East.

How will the rise in IoT change the GCC IT security landscape?

A recent global analysis by PwC on the growth of IoT devices predicts that by 2020 we will have over 30 billion IoT devices worldwide.  As exciting as that is from the perspective of integration and automation, it also presents a unique and challenging set of security problems that must be addressed.  Many manufacturers are scaling up production to keep up with demand with little attention to security standards or protection.

With more IoT devices getting interconnected across a large number of networks, it will be easier for an attack to have a large and significant impact.  In addition, the lack of standards between these devices will significantly increase the risk of backdoors and vulnerabilities that can be exploited by attackers. These issues will only escalate in the coming years as more of these IoT devices find their way into enterprises and critical infrastructure.

Are threats from inside the organisation as harmful as external threats? What measures can companies take to protect their organisation internally?

In many cases, internal threats are more dangerous and have a bigger impact than external ones.  Internal threats can bypass many of the security measures implemented in an organisation as those measures usually tend to be outward focused.  In addition, the existence of these internal vulnerabilities and threats makes it easier for external ones to impact the organisation as they create backdoors and weak points that attackers can easily exploit.

Every organisation should take a measured and balanced approach to their security and improving the security maturity level across all aspects of technology, processes, and people. These different aspects of the security chain must align and complement each other to be effective.

For example, having the best technology and implementing the best practices is not going to be effective if the people within the organisation are not appropriately trained to use and follow what is implemented.  Similarly the best trained individuals will not be effective without the proper tools and processes in place. It’s critical to always remember that security is an end-to-end issue and ignoring any part of the chain can compromise the effectiveness of the implemented measures and create a false sense of security.

How prepared are GCC firms for an increasingly connected data age? What minimum measures must be put in place to protect data?

The level of maturity on that front varies significantly across the region.  Some sectors are way ahead of others, while many still struggle to deal with new challenges presented by the data revolution we find ourselves in the midst of.  Data has become one of, if not the most, valuable assets an organisation has.  Ensuring its proper protection and care should be the priority for any successful entity.

The first step is to get a real and accurate picture of the current level of maturity not only in protecting the data, but also in utilising it for the benefit of the organisation. Once that assessment is complete a data strategy should be formulated to define and articulate the key goals of the organisation and align them with the overall strategic direction. Finally, a roadmap is put in place to close the gap between the “as is” and the “to be” with clear milestones and ownership for the progress of that mandate.  Given the unique nature of the data generated by each organisation and the different needs that organisation will have, there is no “one size fits all” answer to the data challenges, and therefore, a constant analysis and examination of the data strategy and roadmap is necessary.

How will the age of big data and IoT change the region for the better?

The possibilities are endless and we are only just now starting to realise how huge that potential can be.  With the constant advancements in machine learning, and the increased integration of smart technology into our everyday life we are truly at the start of a revolutionary change in the way we live, work, and see the world around us.  The Middle East region is experiencing all this from the front row seats, as we see smart cities become a reality and many of the iconic global projects and advancements take place here in our own backyard.