Overall, it is not clear what the local
share of the global cybersecurity market – estimated by Gardner at $81
billion in 2016 – is or might be. Estimates and
anecdotal evidence suggest, however, that the local market is still
small. Salah Rustum, president of local firm Commercial & Industrial
Enterprises of Lebanon (CIEL) and a veteran in the data protection
business here as partner with electronic signatures authentication
services company GlobalSign, estimates the market at currently “around
$10 million” when queried by Executive. Other decision makers in
Lebanese cybersecurity consultancies and network operating companies say
they prefer not to make any estimate about the current size of the
cybersecurity market, citing the known dearth of reliable statistics in
the country. Beirut-based cybersecurity stakeholders
also have only vague estimates on the number of qualified competitors
that they face in the Lebanese market or on the number of highly skilled
analysts with the required expertise to staff a Security Operations
Center (SOC) – not currently existing in the country – as top-level
forensic experts. General agreement, however, among stakeholders is that
this specialist subsector of the information technology (IT) industry
is set for substantive growth – at least double-digit year-on-year –
over the coming years and that the biggest challenge is not to find new
customers but to obtain qualified engineers that either already have or
can obtain cybersecurity skills.
One example for this dichotomy between
expected demand growth and missing manpower is Crystal Networks, a
Beirut-based regional IT company of 75 employees, which according to
co-founder and general manager Esper Choueiri does 40 to 45 percent of
its business domestically and the remainder in the Arab region, with
Saudi Arabia as the main business driver there. Choueiri tells Executive that his company
filled five new engineer positions in 2017 that were all in the
security department of the venture, which has five departments. “In many
cases, experienced engineers cannot be found and new engineers need to
be trained in-house for cybersecurity. My biggest challenge is finding
the right people, and at the same for all my customers,” he says. In many cases, experienced engineers cannot be found and new engineers need to be trained in-house for cybersecurity
Lack of local expertise
To operate a high-grade Security
Operations Center, or SOC, requires teams of engineers with three levels
of expertise. Engineers need between a minimum of one year of
experience to perform well on the first level and at least five years on
the top level, Choueiri says. By his estimate only one fifth of needs
for top-level SOC experts are currently filled in Lebanon.
Also in the view of Jens Muecke, senior
partner in the roughly four-year old IT security consultancy Krypton
Securities in Beirut, a shortage of local experts is holding back
cybersecurity development in Lebanon. “From my opinion and what we have
seen in our team, many banks and companies over here are way behind. One
reason is missing expertise – it is really hard to find good people
here, given the instability of [this country] and the whole region.
Everyone who is acquiring the skill [of
a cybersecurity expert] and a
reputation for having such, is getting out of here to take up a
well-paid job in Europe or the US,” he says.
German-born Muecke joined Krypton after
having worked with leading consultancies and international internet and
software providers in the United States. The company, which has a team
of seven employees in Beirut and its nominal home in Dubai, according to
him has half the major banks in Lebanon among its clients, as well as
some smaller companies. Krypton does about 80 percent of its business
here as its expansion in other markets such as Jordan, Cyprus, and Saudi
Arabia is still in the early days. It will take a few more shocks for
markets in this region to fully awaken to cybersecurity. “What I think
is that this region needs a few more bad examples when things happen
tragically and somebody has to pay the price before they all realize
what they need,” he says.
Judging from his observations, local companies to this day tend to approach cybersecurity with the same mindset with which in
earlier years they entered in other quality certification procedures.
With such a mindset, companies emphasize assurance of their compliance
with regulations. After they are promised cybersecurity on the cheap,
they become compliant on paper but don’t achieve the knowledge transfer
that they should get, Muecke says: “They have a paper saying ‘it is
compliant’ but it is not. They don’t have the process and don’t do
updates regularly. They don’t evaluate all reports as they should. They
live day to day and hope nothing is going to happen.”
The notion that risks extend far beyond
the financial sector in also the view of Tony Feghali, general manager
of Potech Consulting, based at Berytech. His security company does not
have exact numbers and statistics on the extent of internet-related
damages at Lebanese companies but he says that in their experience,
banks are not the only targets here. “They are definitely a very
interesting target because that’s where the money resides, but today
we’re seeing a lot of cyberattacks – especially ransomware or other type
of attacks – targeting every type of business,” he says.
Huge growth potential
The growing likelihood of being targeted
does not mean that local companies radiate universal awareness of their
risks. According to Choueiri, awareness levels are extremely unequal.
“To be realistic the banking sector is most advanced when it comes to
cybersecurity and most aware among the Lebanese enterprise sector. Any
company that is not IT-related is in my personal opinion totally unaware
of security risks,” he says. Along with other experts he notes that
besides missing awareness, it is often difficult to assess the real
number and magnitude of cyber breaches and security damages in Lebanon
because of widespread reluctance of breached companies to come forward
and discloses their misfortune, mostly due to fear of reputation loss.
This phenomenon, however, is global and
not particular to this country or region, experts agree. The phenomenon
also does not deter cybersecurity companies from expecting double-digit
business growth, or better, for the next few years. Choueiri expects
demand to increase between 35 and 40 percent year-on-year and has
important expectations for 2017. “I have [a] feeling that this year will
be the year of cybersecurity. Everybody is talking about it,” he says.
CIEL’s Rustum sees year-on-year growth as
upwards of 10 percent and even believes that more is in the cards.
“[Growth] will be exponential in Lebanon, because the more people know
about it, the more they are going to use cybersecurity,” he says. He
moreover is not worried that there could be too much competition for the
market to carry but on the contrary believes that there is room for
more cybersecurity players. “There is enough cheese for everybody. The
idea is to stir up the people and tell them that if they want to go on
the internet, they have to protect themselves,” he elaborates.
Rustum’s main worry is bringing the legal
framework in Lebanon up to speed. When his business working with
digital signatures was established in the 1990s, the country was praised
as one of the first in the world where the technology was introduced,
but thereafter it slipped every year down in rankings for technology
adaptation as the draft law on digital signatures was put to rest in
government drawers. “Time is really passing us by. What I am afraid of
is that by the time Parliament approves the law, it is already
obsolete,” he laments.
As Executive did not find any
comprehensive study on security market data in the country, it seems
difficult to assess realistically, with or without legislative
innovation, what chance local companies might have for rising through
international ranks, whether by expertise or by business volume related
to cybersecurity. However, there can be no doubt about the growing role
of cybersecurity companies in global markets, which is documented by the
rise and overall growing valuations of international specialist
companies. The largest firms globally in the sector are based in Silicon
Valley but a few are not far from our geography in physical terms (see
box below).
What I think is that this region needs a few more bad examples when things happen tragically and somebody has to pay the price
Work operators see threat
Local companies that are active
stakeholders in the market involve not only security consultancies but
also network operators. A rising hub of cybersecurity activity seems to
reside in the Holcom Group of companies where Executive encountered not
only Crystal Networks but also ICT company and network operator
GlobalCom, which confesses to the aim of developing its own cyber SOC in
partnership with global player, British Telecom (BT).
“We first have a duty to protect our
networks and then we have a duty to help our customers protect
themselves,” says Habib Torbey, GlobalCom Holding’s chief executive
officer and general manager of its data carrier unit GlobalCom Data
Services (GDS). Torbey tells Executive that the investment into the
cyber SOC will be in the multi-million dollars. Although Lebanon by his
observation so far has mainly seen attacks from small-time hackers, he
reasons that the investment into a cyber SOC is warranted because
attacks are getting more and more sophisticated, affecting more and more
markets.
“We don’t need to wait for a disaster
before we start protecting ourselves. No one in this field can fight the
battle alone, and in the same way that pirates are cooperating to make
their attacks more sophisticated and more successful, the good guys need
to cooperate,” he reasons, explaining that GlobalCom partnered in this
task with BT because there is a long-standing collaboration between the
companies since the 1990s and because BT “is one of the best in
cyberdefense.”
According to Torbey, GlobalCom has a
network that comprises backbones and over 150 sites; it carries 70
percent of corporate traffic in Lebanon through GDS. The holding also
entails the Internet Services Providers IDM and Cyberia. According to BT
representatives who came to Beirut for an event last month, Lebanon is
regarded as one of several priority countries in Middle Eastern new
markets. The multinational company has
started to address the local cybersecurity market in 2016 in
partnership with GlobalCom and wants to serve the country’s 20 to 30
largest entities with cybersecurity services.
Outsourcing security
Outsourcing cybersecurity to specialist
companies would be legally feasible for local banks, although compliance
with banking secrecy laws requires that they would use a cyber SOC that
is located in Lebanon, asserts Torbey. “Some customers who do not
understand how cybersecurity works may have a tendency to think that we
can see the content of their traffic and their trade secrets. No, we
don’t look at the content and we don’t want to look at the content. We
just want to look at the technical specs of the traffic in order to see
if there is an attack or not and how to defend against it if there is an
attack,” he explains.
While operation of a cyber SOC will
require running investments, Torbey says this is a necessary cost and
expresses the hope to additionally turn it into revenue opportunity by
selling its services. Coming from a low base in cybersecurity revenues,
he expects double-digit growth of revenues and is not afraid that
cyberattacks would create digital disasters for operators who know what
they are up against in facing cybercrime. He says, “Once you become
aware of the risk and help your customer become aware of the risk, the
future is not scary. You can do something about it.”
