New security opportunities emerge as organisations race up the maturity curve

Dubai: Organisations in the GCC have long struggled to effectively manage IT security. The most common challenges cited during my discussions with CIOs throughout the region include setting up basic security infrastructure, identifying and evaluating the right products, finding the right skill sets, implementing effective incident and event management, and even maintaining security infrastructure.

Generally speaking, these challenges are caused by a lack of IT maturity, flaws in security strategies, missing or loose security policies, implementations of incorrect solutions, and a long-standing shortage of skilled IT security staff.

So how are such issues set to shape the GCC’s IT security landscape over the coming years and what opportunities are likely to open up for providers looking to capitalise on the sense of vulnerability felt by so many organisations across the region?

IT security remains one of the top priorities for organisations in the region, but with the emergence of disruptive tech concepts such as bring your own device (BYOD), enterprise mobility, cloud services, big data analytics, and social platforms introducing new levels of complexity into their IT infrastructures, ensuring effective security management is becoming more difficult than ever before.

In addition, high-profile attacks on national infrastructure and resources have triggered alarm among many GCC organisations, making them sit up and take IT security even more seriously. Cyberattacks in the region are becoming more targeted, complex, and frequent with each passing month, and the response has been strong growth in spending on IT security services, with demand rising across all four categories — systems integration, consulting, operations (including managed security services), and education and training.

As is the case in many other markets around the world, systems integration continues to form a large chunk of the total GCC services market. This is primarily because organisations in the region are rapidly moving up the maturity curve and continuously adopting the latest security technologies in a bid to address perceived vulnerabilities in their security infrastructures. Many of these investments have involved implementing new security solutions, refreshing legacy systems, and leapfrogging the product adoption cycle, all of which are spurring spending on systems integration.

In light of this growing maturity, I am finding that the region’s traditional product-centric approach to security is gradually changing, with organisations starting to realise that addressing IT security goes beyond mere products and that having proper policies and processes in place is as important as having the right solution. This changing customer mindset has given a significant push to demand for security consulting services, with this segment of the market growing significantly over the last couple of years.

Indeed, I am increasingly seeing GCC-based organisations employ specialised resources to help them assess their IT security requirements, test Web applications, ensure compliance, train their IT teams, conduct internal IT audits, set up labs, and become certified in various industry best practices. And with security becoming an integral part of their adoption road maps, a growing number of these organisations are hiring consulting services providers to help them formulate and validate their security strategies.

The region’s outsourcing market has come a long way in recent years, but the concept of outsourcing security operations is still nascent. Few organisations have actually adopted managed security services, either on-site or remote, with many of them still not comfortable with having their data hosted outside their country of operation. Service providers have traditionally been reluctant to bow down to this pressure, as setting up a security operations centre (SOC) is very expensive, but the number of SOCs in the region is now steadily growing. And as adoption of these services increases, the market for managed security services will see a sudden spike in growth, although I expect this will take some time.

In terms of education and training, demand is being spurred by the ongoing shortage of skilled IT security professionals in the region. Given the acute need for skilled resources, organisations are increasingly procuring these services to train their own employees in various technologies, processes, and product platforms, and to facilitate effective crisis management. Training services are also helping to generate greater awareness of IT security policies and practices among the workforce in general.

Given the fact that organisations are looking to leapfrog the technology adoption curve and are quickly embracing new concepts such as cloud, BYOD, enterprise mobility, social platforms, and big data analytics, security strategies will become more important than ever before. This shift will boost demand for security consulting services in particular, while systems integration services will continue to represent a major share of organisations’ security services spending. In addition, managed security services will receive increased interest from entities in verticals that are not hamstrung by data-locality regulations and compliance issues.

This final point is particularly pertinent, as those providers that can identify and enter niche areas such as SOC, security incident and event management (SIEM), application security, and database security stand to gain an early-mover advantage and be in a position to demand higher margins. As far as IT security opportunities in the GCC are concerned, the early bird will not only be able to catch the worm, but also charge a healthy premium for doing so.

The columnist is group vice-president and regional managing director for the Middle East, Africa, and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC).