With over 27 million consumers, Saudi Arabia is the largest ICT market in the Middle East

With over 27 million consumers and a number of global enterprises, Saudi Arabia is the largest ICT market by far in the Middle East. For example, the Saudi telecoms and information technology industry represents about 51 to 55% of the total Middle Eastern market.

Interview with Ahmad Y. Alkhiary, CEO of ITS2

Ahmad Y. Alkhiary, CEO of ITS2

With over 27 million consumers and a number of global enterprises, Saudi Arabia is the largest ICT market by far in the Middle East. For example, the Saudi telecoms and information technology industry represents about 51 to 55% of the total Middle Eastern market. It is a huge ICT market. What is the outlook for the market? What are the latest trends that we see in Saudi Arabia?

Firstly, the Saudi economy is undergoing a major transformation from being a petrochemical based economy to a knowledge based economy. That demands a major change in the complete structure of the economy. The national ICT plan was developed and out of that. Today the transformation taking place in the government domain is being led by the E-Government program since its inception in 2005; it is taking place in a very systematic manner. The government is transforming from services to e-services in a disciplined institutional approach with various layers. The commercial domain is also transforming from commerce to e-commerce. Today the digital society in Saudi Arabia, the whole structure, is ahead of the government and the commercial sector. Their demands are a lot more than what is being offered by the government and the commercial sector. The society is ahead of the offering from both sectors in the country. The transformation is taking place and it is impacting the spending and overall transactions taking place in and out of the country.

A recent rating by the Cisco sponsored global IT readiness report where Saudi Arabia ranked 35th. That being said, the UAE were ranked 23rd, Qatar was ranked 27th, and Bahrain was 30th so Saudi Arabia is still behind some of these countries. Do you see that this is going to change significantly in the future?

The report is actually measuring three different things; they are not measuring the e-transformation component of the government alone. If you measure that alone, we are ranked number 19. If you look deeper inside the report, on the e-services part alone we are number 19. However, they also look at the level of literacy in the country and if you look at a country with a few hundred thousand people and another one with a few tens of millions, the differentiators and metrics are different. They look at the number of people who do not have enough education or do not have enough bandwidth as they also measure the broadband availability for everybody in the country and in the major cities. Once they measure all of this, we rank number 35 which is consistent growth with no hopping around. If you noticed, in 2007 for example we were ranked number 103, then consistently every two years when the report is measured and produced you will notice that we moved up from 103 to 72, then to 57, then to 43 and now to 35.

It is a consistent growth based on a clear plan. There is no going up and down, it is not a game that we are playing, and we have a consistent plan to continuously grow and try to develop all three sectors: the broadband availability, the literacy and the eservices availability. However if you take the e-services alone, we are ahead of the others. I think that will continuously improve.

The FTTH Fibre to the Home is still lagging behind, a lot more can be done yet most people can have access to 4G or 3G services and so many people have access to the internet on their mobile.

That’s true but not only on their mobiles: the broadband availability through the GSM network in principal is readily available and available in high speeds. The mobile coverage and the data coverage is a lot more than FTTH and will be until the proper infrastructure is laid out throughout the country. The main 7 links for fibre optic are already laid out through the consortium created in early 2003. The universal fund created by CIDC which is the regulatory authority for the ICT industry in the country, created in 2010 or 2011, is continuously improving the availability of broadband. However can anybody say that they don’t have any form of broadband in the country? I don’t think anybody can claim that 100% accurately. Broadband is available in different forms. The sustainable, very reliable service of fibre to the home and office has a lot of space for improvement.

Are you fully satisfied with the level of infrastructure in Saudi Arabia?

There is good space for improvement. The spread mobility is demanding a lot more bandwidth than what is available today but I think everybody is connected. 3G is the minimum available, 4G is covering about 89% of the country and fibre is a much lower percentage.

There are many applications in the medical sector so if you have proper internet you can have an online doctor appointment with doctors based in Riyadh, so they can treat people in the villages. There are many applications that can be used.

That is true. In the education domain as well, e-Learning seems to be a hyper activity today. We already had the Arab Open University in the past and today we have the Saudi Electronic University and it is a good successful engagement; a lot of men and women have joined the Saudi Electronic University and they have successfully completed their first round of graduates in a good number of subjects such as law, business administration, IT and others.

Of course with the IT there comes a security threat. In the revolving world of security threats, local or global threats, alert has increased 14% year on year from 2012 to 2013 and that was the highest ever level reached according to a study from your security report. Cyber security is becoming a big issue not only in the outside world but in Saudi Arabia. Other statistics say that Saudi Arabia is one of the largest sources of spam. What is your take on the level of cyber security in Saudi Arabia? What are the areas that are problematic and what should be done to improve them?

I believe that the concept of information security and the impact of information security on different people and domains in the country are quite variable. If we look at the impact of information security on the brand, it is tremendous and actually beyond the existing conception or the way the leaders in the country today comprehend the impact of information security on their brand. Information security can impact the brand which is probably the highest thing that anybody in any organisation wants to protect, down to the deepest part of any organisation which is the data repository. If you have the proper layers of protection such as data protection, application protection, identity and access management, electronic channels as your end point protection and the proper governance, risk management and compliance around all of that, then you would probably claim that you have done what is necessary and the risk is then in the hands of Allah.

You go to the doctor and you take the medicine but the actual healing comes from Allah. You go to school and you learn but the actual knowledge and the value you extract from your learning is a blessing from Allah. You put your effort in and then you pray; you should not just pray without putting in the effort and you should not put in the effort without praying because actually the balance of success comes from both.

In principal you need the leadership, the medium management and the specialist know-how. The risk of the organisation in any government or commercial sector is to understand the impact of information security on what they do because IT is not a supporting function anymore as it used to be in the 70s and 80s. It used to be a luxurious component to differentiate one organisation from another. Today it is the way to deliver your services and eservices; without it you might not be able to have any customers. It is a must to have IT and with that comes the importance of information security on the various aspects from branding all the way to data.

We improve the awareness on the various levels. Then we focus on improving the availability of individuals who are specialised in this domain. We have the academy in the information security domain which produces a lot of people who work as Chief Information Security Officers; they are information security specialists and architects inside and outside of the country. We also have additional programs like the security expert program to develop a pipeline for bringing people from outside of the domain of information security and making them walk into that track or bringing in fresh graduates and producing security analysts who then go into consultancy roles, then expert matters roles and finally into a Chief Information Security Officer role where they think, plan and are a part of the strategy of information security of an organisation.

Especially in the aftermath of the WikiLeaks scandal, Saudi Arabia really recognised the importance of information security and even the importance of localising the datacentres. They are now building massive datacentres here and so Saudi Arabia could become the regional data hub. Of course with that come a lot of security issues. How can you help companies? How do you fit into this puzzle?

We fit actually in different aspects. Firstly, comes the design phase, we have to ask: what is the right combination of layers of security that a datacentre needs? Which community is the datacentre trying to serve? What kind of a sector focus does it have? What is the nature of the applications it plans to have? We can plan together the layers of protection needed around any datacentre, which normally covers the confidentiality part, the privacy part, the integrity part, the availability part and so on. There are various aspects that need to be planned well. Then we come to the actual development part where you put together the various layers to protect that datacentre and to protect all the applications hosted by that datacentre and all the data flowing in and out of it whether it is in a still phase or in transit phase or at the endpoint phase, be that endpoint a kiosk machine, a home PC, a laptop, a smartphone, a wearable device etc. any endpoint device that can reach data applications provided by the government or commercial sector.

In principal we work with various datacentre hosts in various aspects. An important part of the service we provide is that a datacentre requires continuous monitoring which is the SOC (Security Operations Centre) function to make sure that what is happening is what should be happening, that there are no anomalies or strange behaviour around the data traffic or the application traffic. Some organisations find it either too expensive or too time consuming to develop a full SOC so we provide a virtual SOC, which is SOC as a service through our Raqeeb MSS service which started in 2008 and which is a managed security service.

You could go with a managed security service on the spot and it takes 5 working days to have a fully functional SOC which includes all of the 5 layers of functions that need to be inside any SOC, which includes the people part for a 24/7 operation. You need a minimum of 4 teams, then you need the process part to follow what should happen and what you should do every step of the way throughout the SOC lifecycle.

The third part is the technology part which is the heart of the actual monitoring and notification, management engines etc. That should go into the SOC. The fourth layer is the various feeds of information that should come into the SOC because you are not isolated; you are working within a larger group of people and sources so you need external sources to tell you what is happening outside your SOC or your datacentre so you could become a part of that larger consortium. You need to know what is happening in other datacentres, locally, regionally and internationally, specifically for the kind of customers that you serve whether they are military, in the financial sector, in education, healthcare etc.

The last and no less important component is the intelligence component; how you analysis the large amount of data that flows into the SOC and correlate it together and produce tangible ideas, actions and concepts needed to react or pro-act against any attack or possible attack. All of this is available through our Raqeeb MSS service and it is a unique service that we are proud of. It is all of this combined. An important part is the human factor: the people. It is very hard to hire people in the security domain and it is much harder to retain them because their market value changes very quickly after every course and every engagement. We provide staff augmentation to organisations that need to staff their operation either end to end or partially. This staffing function comes in three different flavours; it comes in the long term, normally something like one to three years, or medium term where you need short term staff augmentation like for one month to 3 months, when you have for example migration or new projects or a group of people who have left your organisation and you need to substitute them quickly.

The third form is the SWAT team, when you are under attack or if you want to migrate from system to system or you are installing a new system and you want someone to help you with the protection layers to make sure nothing wrong could happen. The SWAT team is our shortest engagement type, normally it ranges from a few hours to a few days to resolve a specific issue. All of these forms are available today and are a broad collection of services which we call the end to end security services.

You mentioned datacentre security and IT training, what are the other services that you offer the market?

When we look at the offerings in principal, we have five primary complimenting services. The consulting component is discovering where you are and where you want to be, whether it is architecture review or source code review or vulnerability assessment etc. Whatever function you need to tell you where you are today and where you want to go is a consulting function.

Then we go onto building capacity and building human capital which is the academy component and the second most important part, where we improve the awareness and certification and knowledge for the individuals and for organisations. Individuals need to move from basic knowledge to advanced knowledge or from advanced knowledge to even deeper, more specialised knowledge and to become certified because every one of the courses comes with an internationally recognised certificate. Or we can focus on an organisation that needs to improve their compliance with international standards like their ITSM (IT Service Management) so you go with ISO 20000, for improved secure infrastructure you go with the ISO 7001, for business security you go with the ISO 22301 and so on.

So for whoever wants to improve their compliance and their readiness to deliver services on a 24/7 basis, there are certain standards that they need to comply with and we provide all of that from the initial assessment all the way to the final certification.

Then comes the solutions part which is finding and closing the gap of whatever you have today and whatever is supposed to be there. It does not always translate into injecting new hardware or software. Sometimes it is just integrating what you already have; sometimes it is reconfiguring what you already have and so on.

The fourth track is the outsourcing part or the staff augmentation part which I mentioned earlier. It comes in long term engagement, medium term or short term engagement.

The fifth part is the managed security services, which is the Raqeeb service. If you do not have a SOC we can provide you with one in a few days rather than spending the time and going with the full Capex to establish a full SOC, you could have one in just a few days which is a very unique service. If you do have a SOC then we can provide you with supporting functions like for example for some organisations that have two different layers of services, core services and supporting services; the core services may have their own SOC to monitor and manage, but for the supporting services they want someone else to manage it and normally that is where we would step in.

It is all of these five factors combined. There are of course additional offerings that will be coming soon which is a new version of business continuity that the country and the region needs and which is slightly different from what everybody believes which is that if I have a DR then my business continuity is high where in fact, no it is not.

The human factor is a critical component which is underestimated. People walk out of your organisation every day and they are one of the most important assets that any organisation could have and they have a lot of knowledge in their minds. If that knowledge is not properly documented inside the knowledge repository of the organisation so that it is searchable, usable and reusable by everybody within the organisation and its clients then that knowledge is considered tacit knowledge and if that guy walks out or resigns or something happens to him, you have lost it.

That is something to consider and there are many such examples inside organisations based on the nature of their business. We look at all of these things. Business continuity is one of the new offerings that we have and we take it seriously. We look at it at various levels inside the organisation not only in the technology level.

Is there anything else that you would like to add?

I cannot emphasise enough the importance of every one of us taking a moment to think “what am I doing and why am I doing it?” If you are sharing information, using WhatsApp, publishing posts on Facebook, tweeting or putting information online on dropbox or any other form: think! Whatever leaves your own private machine is not yours anymore. Think twice before you share anything. It is important to share because you can get a lot of knowledge from researching on the internet and learning from it.

It is important to share but you must be careful what you share, you must think about what you may not want to have on the internet. Be careful of the format you put online. Think and be wise about the way you share, don’t simply think that you have the media in your hand and you can share everything and then stop it later on. You cannot. Be careful. Be wise. Think about the importance of your own personal privacy. Think about your family’s privacy and your business´s privacy.

When you go into any conference, hotel, resort or restaurant and sign into their Wi-Fi network, make sure that your devices are properly protected especially if you hold a middle management or top management position where corporate data is at your fingertips and it could be at the fingertips of someone else.

Scroll to top
Close