Shortly after Thanksgiving, we packed our bags and ventured off to Riyadh, Saudi Arabia for the inaugural @Hack cybersecurity event. We were invited to exhibit at the booth of SecureLink, with whom we recently partnered to expand NetSPI’s services to the Middle East and Africa (MEA).
Over the past two years, the Kingdom of Saudi Arabia has gone through accelerated digital transformation, driven heavily by its Vision 2030 reform plan. And with this digital transformation come expanded attack surfaces and more exposure to cyber threats. This was a key theme and concern during the event – and a large part of why the event was organized in the first place.
It was exciting to see the energy and enthusiasm around technology and cybersecurity (almost as exciting as when we realized that @Hack was synonymous with “attack”). @Hack organizers estimated that more than 14,000 people from 70 countries were in attendance, many of whom we spoke with at the NetSPI stand about the state of security in Saudi Arabia, penetration testing, cybersecurity education, cybersecurity jobs, and more.
As we packed up to head to our next destinations, we took time to reflect on our conversations, the people we met, and the key themes we observed on the show floor.
Cybersecurity Maturity in the Kingdom of Saudi Arabia
The Kingdom of Saudi Arabia has only recently focused on transforming its technological infrastructure and has invested in becoming a technological powerhouse in the region. At the conference itself, we saw the use of QR codes, mobile payments, digital sharing of contact information, and more. Although its technology adoption is very high, there is an opportunity for the region to mature its understanding of and focus on cybersecurity challenges.
One of the younger attendees came from Egypt and participated in the “bug bounty” challenge. He came in 2nd place and mentioned how the challenge to him was simple compared to what he was used to in his home country. To us, this indicates that security is not necessarily at the forefront of Saudi Arabia’s considerations when acquiring or deploying technology, and there is some catching up it needs to do to ensure security keeps pace with its technological developments.
We also recognized that most of the cybersecurity work performed is based on what is mandated by the Kingdom of Saudi Arabia government. Penetration testing services are not a large part of that discussion today, but we anticipate security testing activities – pentesting, secure code review, threat modeling, red team, design reviews – will be part of the requirements very soon.
The State of Penetration Testing
At the event, we were surprised to hear that the concept of penetration testing is new to most people and organizations in the region. In many of our conversations, we heard that they were interested in purchasing products and software solutions that could take care of all security concerns. But, as we know, even the largest technology companies can make security mistakes (see: Microsoft Azure CVE-2021-4306).
There were a number of misconceptions about penetration testing that we helped to address at the show. Notably, the difference between penetration testing and simply running an automated scanner tool or a monitoring solution.
The explosion in technology adoption over the last few years has caused many companies to rapidly seek new and innovative security solutions; however, the adoption of pentesting services in the Middle East will be largely driven by regulation.
Youth and Women in Cybersecurity
@Hack brought a diverse group of people together. Students as young as 11 stopped by our booth and were eager to learn from us. It was incredible to see the younger generation’s interest in cybersecurity careers and education. Questions we were asked include, “how can we learn more?”, “where can I find more resources?”, “what resources should I look at to become a pentester?”, and “can you hire me and train me?”
A large portion of those coming into the industry are students who have learned from global online communities, including bug bounties, capture the flag, and online forums. For continued reading, this Arab News article highlights some of the young attendees involved at the event.
Across the globe, there are initiatives to get women more involved in cybersecurity. Cybersecurity Ventures and WiCyS predict that women will hold 25 percent of cybersecurity jobs globally by the end of 2021, up from 20 percent in 2019. This was evident @Hack.
Women were as involved at the conference as their male counterparts, if not more so, in terms of communication, interest, the types of questions they were asking, etc. The transition to more progressive ideologies in the region has clearly resulted in a large influx of highly educated and motivated women wanting to break into the space.
Overall, the event was a great opportunity to connect and share information with security peers across the globe and we hope they will put on @Hack next year. With our new SecureLink partnership, we’re excited to continue educating the region on the benefits of penetration testing and the value it brings when done well. Want to connect with us at the next big cybersecurity event? We’re heading to RSA Conference in San Francisco, February 7-10, 2022. Schedule a meeting with us!