Cybersecurity Vendors in Emerging Markets

The emerging markets find themselves on the front line of geopolitical conflict and are feeling the brunt of new innovations in adversarial action by cyber actors embracing the latest in artificial intelligence. Choosing the right cybersecurity vendor is more important than ever to protect yourself from not only today’s threats, but the ever-evolving threats of tomorrow as well. No emerging market exemplifies this more than the Middle East, where we are witnessing digital transformation confront advancements in AI-driven impersonation – further complicated by increasing regulation and limited access to the latest in cybersecurity tooling.

With this context, here are some best practices to inform your vendor selection process:

Understand Your Organization’s Needs

Before you start evaluating potential vendors, it is vital to conduct a comprehensive assessment of your organization’s specific cybersecurity needs. This includes the table stakes requirement to analyze current infrastructure and critical assets in light of the types of threats most likely to face your systems. Additionally, industry-specific standards should be considered with respect to compliance with regulations such as the UAE National Electronic Security Authority (NESA) standards, Saudi Arabia's SAMA Cyber Security Framework, or Qatar's National Information Assurance Policy.

Be realistic about the degree of security required for each asset class, given the potential impact of a breach. It is okay for certain categories of attack surface area and corresponding vulnerabilities to meet the standard of “good enough” compliance with local regulations. For others, the consequences of adversarial action are sufficiently impactful that, regardless of regulatory or compliance requirements, they may warrant best-in-class solutions to mitigate them, even at extraordinary cost. Only a seasoned, qualified cybersecurity professional is equipped to make this determination, which aligns cybersecurity spending with business priorities.

Research Vendor Reputation

A vendor’s reputation is one of the strongest indicators of its reliability and effectiveness. To narrow down choices, start by researching several of the top names in reputable industry reports, using resources such as Gartner’s Magic Quadrant, Gartner Peer Insights or Forrester Wave. These reports will help identify peak performers based on their technological capabilities and market presence.

But buyer beware: accolades from independent review boards are seldom sufficient. The real impact of a potential capability is best understood by speaking with others who have directly benefited from it. This most often comes from peer reviews in the same industry and is facilitated by peer-to-peer networking groups, such as those that meet at conferences like GISEC, Global Cybersecurity Forum, and Black Hat and those that participate in the various Information Sharing and Analysis Centers (ISACs). The best sources of insight are sector-specific, often invite-only sessions led by CISOs and division leads.

Best of Breed Platforms v. Good Enough Point Solutions

When evaluating vendors for cybersecurity solutions, consider the context and deliberately decide between best-in-class point solutions, “good enough” platforms, and everything in between. There are no ipso facto wrong answers here – so long as the context is understood and the decision is deliberate. One additional consideration especially pertinent for the emerging markets is support: even the best, most economical solutions can be nightmare decisions if qualified support personnel are unavailable in your region.

First, a quick reminder of the natural course of innovation in cybersecurity: A hallmark of the cybersecurity industry is the pace of innovation, with the majority of the thousands of venture-backed cyber companies focusing on a narrow (“point”) capability and competing predominantly (though not always) by providing the best method of defending against a very specific type of attack. As discussed in our last post, a precious few of these companies gained sufficient scale to broaden into platform providers. In time, their pace of innovation naturally slows under the weight of maintaining a much broader capability set. It ultimately leads them to acquire best-in-class point solutions as their source of innovation.

For the cybersecurity buyer, this forces a trade-off between the convenience afforded by platform solutions addressing multiple threat vectors and the advanced protection afforded by best-of-breed point solutions specifically crafted to mitigate a sophisticated threat. The decision is ultimately driven by the severity (impact × likelihood) of the risk for a given organization, with platforms given preference to address the broad range of lesser risks and cutting-edge point solutions being sought after for the most severe risks. For those interested in learning more about such trade-offs, we highly recommend checking out Ross Haleliuk’s Venture in Security for additional details.

With that said, and especially for point solutions serving markets geographically distant from the vendor’s home market, support is equally crucial to consider. In geographically dispersed regions throughout emerging markets, where IT may be spread across multiple countries and time zones, vendors must be equipped to provide 24/7 support with rapid response times to ensure any security incident has minimal impact. Buyers should require vendors to walk through their onboarding process. Does the vendor support your team with training and support to ensure they can effectively operate solutions in place? Where an intermediary (value-added reseller) provides access to a point solution, verify the escalation process between the reseller and vendor. Then, ask to speak with references who have experienced this hand-off (ideally ones using the same value-added reseller).

Consider Pricing and Scalability

When it comes to pricing, don’t focus solely on finding the cheapest option. Ensure that price (cost) is commensurate with the value of the service being offered, given the severity of the risk(s) being mitigated. Identify vendors that have clear and transparent pricing models with no hidden fees. Consider any additional cost incurred for training, customization, or support so that you're not surprised later.

Scalability is another key criterion. As your business grows, so will your security needs. Make sure the solution can adapt and scale commensurate with your organization. This is particularly important for companies that expand across the emerging markets and need to navigate the complexities of delivering reliable services across different locations. Be sure that your vendor has a track record of working with businesses at the scaling and expansion stage, and be sure to discuss how they tackle new integrations when your technology stack changes.

Prioritize Data Sovereignty and Compliance

Data sovereignty has become an emerging concern globally, nowhere more so than in the Middle East. When selecting a cybersecurity vendor, ensure that the firm understands and keeps abreast of all the local regulations regarding data sovereignty. This is increasingly extending to the data processing layer in cloud applications, where regulators are broadening the definition of sovereignty to the complete data lifecycle. This is particularly true for sectors deemed critical for national security, including critical infrastructure and financial service providers.

Vendors that have architected their products and platforms to be cloud-agnostic have a leg up on the competition in this area. Those that support specific cloud environments, and especially those limited to a single cloud deployment, are often reliant on cloud native services that may not be available to sovereign cloud applications. To its credit, Microsoft has taken great strides to ensure its Azure Cloud for Sovereignty maintains essential parity of services with its public cloud tier. Other providers have deliberately segregated their sovereign and public cloud environments to more cleanly address the demands of sovereign regulators.

Conclusion

The cybersecurity landscape across emerging markets is rapidly evolving, with businesses facing increasingly sophisticated threats. Choosing the right cybersecurity vendor is more complex than identifying the right, comprehensive service provider. Best-in-class security is now defined by adopting a flexible cybersecurity architecture with the right collection of partners able to address today’s threats in a modular manner that can evolve commensurate with the changing regulatory and threat actor landscape. Organizations must make informed decisions and partner with vendors that can offer reliable, scalable, and compliant solutions with round-the-clock support. These are the criteria through which we screen the companies listed on our marketplace and the architecture we have adopted with our Unified Defense Platform. We’d be honoured to tell you more through our conversations on LinkedIn and through the Contact Us page on our site.
