02 Jun Saudi Vision 2030: digital challenges and opportunities
Dan Norman, Regional Director, EMEA for the ISF, looks at the challenges and opportunities Saudi Vision 2030 presents.
Saudi Arabia’s Vision 2030 is arguably one of the most ambitious and innovative long-term transformational projects ever undertaken by a country; launched in2016, the Saudi Arabian government’s plan is to invest vast sums of wealth to diversify its economy. By expanding and developing a portfolio of sectors, and creating entirely new industries and services, the goal is to diversify away from oil and gas and unlock the Kingdom’s potential. It has been eight years since the launch of the project and tremendous progress has been made, with smart cities like Neom, Red Sea Global and Al Ula creating new jobs, investment opportunities and value to citizens and beyond. The next seven years will be exciting – digitally progressive and technologically advanced. As the nation transforms, the risk landscape changes –none more so than the cyber threats that will target new infrastructure, immature sectors and citizens alike.
Technological greenfield sites
One of the tremendous opportunities that Saudi Vision 2030 presents is that many new projects, including the GIGA projects, do not have to navigate the challenge of overcoming or integrating old, legacy systems with the new; this is one of the main issues developed nations like the USA, UK, France and Germany have to deal with – from weaving old systems with dated code into emerging technical infrastructure, to designing new architecture that doesn’t break or overwhelm technology, Saudi Vision 2030can focus on developing solutions that are progressive, powerful, scalable and secure. Essentially the GIGA projects and beyond are full of opportunity and less historical challenges to overcome. The opportunity to develop a rich and meaningful set of progressive governance, risk and compliance solutions to secure the enterprise against a range of threats should be leveraged and nurtured – senior management leading these projects have a unique chance to build security solutions into technical and physical infrastructure from the start – something that western leaders can only dream of
A blend of unique cybersecurity challenges
With that said, this greenfield site presents a variety of challenges that organisations will have to overcome quickly. As the GIGA projects digitise and expand, and new sectors receive billions in investment, cyber criminals and nation states alike will turn their attention to disrupting systems, performing espionage, stealing intellectual property, or conducting ransomware attacks. Essentially, GIGA projects, and beyond become the new target. Why? Because Saudi Arabia is cash-rich, will likely experience ‘growing pains’ associated with digital transformation, and will have a number of vulnerabilities that attackers will aim to compromise or exploit. One such challenge will be threats across the supply chain. Integrating a range of international companies ‘infrastructure together in a homogenous environment is a challenge for organisations globally, but when you are essentially weaving systems together for the first time, whilst maintaining a holistic perspective of the threats associated with suppliers, the level of risk will grow. Organisations must use this unique opportunity to develop a robust vendor risk management system, building security requirements into contracts from the start and not doing business with organisations that may not fit into the risk appetite of the business. Western nations are struggling significantly with this challenge, having to readdress old contracts, finding it difficult to continuously monitor suppliers over time, and providing a risk-based perspective to senior management.
The next challenge will be to identify and maintain a strong security workforce. It is no secret that the cybersecurity industry is struggling to fill jobs associated with cyber risk management, technical security, and beyond. From CISOs, to risk managers, to incident response analysts and security architects, the workforce gap is widening and could potentially pose a short and even long-term dilemma for organisations across Saudi Arabia. Organisations must make their pay packages and opportunities attractive for individuals in the cybersecurity industry, with ample training and development. This is key to attract and secure top talent.
One additional challenge that is becoming evidently clear as organisations in Saudi Arabia mature is aligning their information security management systems (ISMS), and wider governance approaches with international standards. Many Saudi companies, like western nations, see certifications and aligning with standards as a unique selling point – something to base their cybersecurity on, and an attraction for suppliers and clients to do business. However, identifying the right standard to leverage is a challenge. ISO typically lends itself to European companies, whereas NIST lends itself to North American companies. A strong, global alternative is the Standard of Good Practice for Information Security, which has comprehensive, holistic coverage of all requirements across international standards such as NIST, ISO, PCI-DSS,CSA, CIS, etc.
Many Saudi Arabian companies are choosing to leverage this standard to build their ISMS instead of individual standards, meaning they can demonstrate compliance to all standards rather than just one. Saudi Arabia desires to be a beacon for the Arab world and beyond – a bold and audacious nation that hits and exceeds all expectations, using its vast wealth to push humanity forwards in its pursuit of excellence. Technologically innovative; full of opportunity to become a world leader in business, sustainability, tourism, hospitality, healthcare and domestic quality of life. This unique opportunity presents a variety of rare opportunities to avoid historical challenges faced by western nations – but as the nation itself innovates, develops and matures, the threat landscape will diversify, rapidly scale and could potentially overwhelm.