ARP_InformationSecurityLandscape_Report (1)

Applied Research Project (ARP)
On
“Information Security Landscape in Dubai”
Submitted in partial fulfillment of the requirement of
Global Masters in Business Administration (GMBA)
SUBMITTED BY: MENTORED BY:
Akshay Walia Dr. Dhrupad Mathur
(GAPR11IT040) Director Industry Interface, SPJCM
Neha Vashisht
(GAPR11IT062)
Nipun Jaiswal
(GAPR11IT065)

Information Security Landscape in Dubai
Applied Research Project
S . P . J A I N C E N T E R O F M A N A G E M E N T Page 2
ACKNOWLEDGEMENT

DECLARATION

COPYRIGHT ASSIGNMENT

TABLE OF CONTENTS
Executive Summary.................................................................................................................................8
1. Introduction ..................................................................................................................................11
1.1 Risk Management........................................................................................................................12
1.2 International Security Standards and Regulations ........................................................................13
2. Research Methodology..................................................................................................................16
2.1 Problem Definition.......................................................................................................................17
2.2 Research Objectives.....................................................................................................................17
2.3 Benefits of Research ....................................................................................................................17
2.4 Research Design...........................................................................................................................18
2.4.1 Secondary Research ..............................................................................................................18
2.4.2 Primary Research ..................................................................................................................23
2.5 Sampling......................................................................................................................................24
2.6 Data Collection ............................................................................................................................25
2.7 Data Analysis ...............................................................................................................................25
2.8 Research Limitations....................................................................................................................26
3. Findings.............................................................................................................................................28
Demographics ...................................................................................................................................28
Practices............................................................................................................................................30
Key drivers and trends in Information Security Spending ...................................................................37
Brand Awareness...............................................................................................................................45
PEST Analysis.....................................................................................................................................46
Qualitative Analysis ...........................................................................................................................48
Perception about Information Security ..............................................................................................48
Security Postures of Organisations.....................................................................................................48
Recommendations ................................................................................................................................52
Opportunity for solution providers and consultants...........................................................................55
ANNEXURE ............................................................................................................................................56
1. Bibliography ..................................................................................................................................57
Questionnaire – Information Security................................................................................................58

TABLE OF FIGURES
Figure 1: CIA Triad .................................................................................................................................11
Figure 2: International Standards...........................................................................................................14
Figure 3: Research Methodology ...........................................................................................................16
Figure 4: Research Design......................................................................................................................18
Figure 5: Practices performed................................................................................................................20
Figure 6: Drivers for Data Security .........................................................................................................21
Figure 7: Training & Development .........................................................................................................22
Figure 8: Technological Risks .................................................................................................................23
Figure 9: Operational Definition.............................................................................................................24
Figure 10: Organisation Category...........................................................................................................43
Figure 11: PEST Analysis ........................................................................................................................46
Figure 12: Information Security Perception............................................................................................48

EXECUTIVE SUMMARY

Executive Summary
The CEOs and top management should be on top of their game in order to navigate the
treacherous waters of information security in an increasingly interconnected world. And to be on
top of their game and take decisions concerning information security an understanding of the
key practises in the industry and industry trends is essential. The research aims to aid corporate
decision making by providing valuable insights into the information security landscape of Dubai.
On the basis of the research we found out that information security is still seen as an IT centric
function in this geography and there is a reluctance of sharing information on various
organizational aspects of information security. Amongst the drivers that influence spending
decisions on information security, Business continuity and disaster recovery planning take the
top spot. There is high awareness about disaster recovery planning and the plans effectively
implemented. The industry is following a cautious approach as far as information security
initiatives and budget allocation is concerned. The research also throws light on the banking and
finance sector‟s perspective on information security and what factors influence its decision
making and why. On the basis of the research we categorised the companies based on their
spending capacity (low, mid, high) on information security. We found out that companies that
have high spending capacity, have high requirements from information security products. And
there lies opportunity for security product vendors and service providers. We also categorised
the organizations and based on their effectiveness and approach towards implement security
practices („The confident practitioners‟ and „The reactive fire fighters‟) and found that both
groups prefer to keep their security expenditures constant, but the fire fighters are more likely to
clamp down on information security expenditures and defer projects.
We have also compared our regional findings with the information from global information
security landscape and with the information that we captured through expert interviews. This
has helped us to build a better and comprehensive understanding of the market.
After studying the information security industry we have found out areas of improvement and
suggested recommendations. We recommend that organizations should stop looking at
Information Security as an IT-centric department. Organizations should increase awareness

About information security amongst the employees and take a proactive approach rather than a
reactive one. We also suggest that getting certified should not be the final goal but a stepping
stone to better information security management. Organizations should proactively strategize
against and implement plans to handle new areas of risk such as Web 2.0, cloud computing and
mobile devices. The Dubai government should set up a body such as ADSIC, which was set up
by the Abu Dhabi government.
These can go a long way in increasing the overall information security posture and effectiveness
of the industry, make it a safer and encourage growth and prosperity.

INTRODUCTION

1. Introduction
Information security deals with the protection of the valuable data from unauthorized access,
misuse or modification. The technological advances that are happening at an accelerating pace
today are providing us with an opportunity to seamlessly communicate anytime with anyone
regardless of our location. Digitization is driving the heavy demand for flexibility and availability
of data. Hence this has called for the need to place a good information security system that can
back up the business operations by protecting the information.
Entities today are increasingly storing the data on the machines.
All the information such as employee and client details, pay check
information, bank details etc. Protection of this data is extremely
critical to any organisation. As if fallen in the wrong hands it can
prove to be extremely damaging. Hence the key challenge faced
by any organisation is to have an impelling information security
system in place to protect the important information from harmful breaches and the damages.
The organisations have to make sure that data is not being misused internally and the
employees follow proper code of conduct.
Information security has the primary goal of protecting the confidentiality, authenticity and
integrity of the information. (Known as CIA triad) (The CIA Triad)
Figure 1: CIA Triad

 Confidentiality means maintaining the confidentiality of the critical data and protecting it
from unauthorised sources.
 Integrity refrain the modification of the data, the data should not be modified when it is
being transmitted from any malicious source.
 Authenticity maintains the goodness of the data. With the increasing use of e-business
and so many transactions being carried out on the web we want to make sure that our
data is authentic.
1.1 Risk Management
There is a great amount of risk associated with the
increase use of technology. As the technology is
advancing at a fast rate, the ways to breach into the
security walls of a system is increasing at a faster rate.
Over the last few years we are observing a major
growth in the adoption of latest technologies such as
mobile computing and social networking. Hence the
organisations need a good risk management approach
to defend their information resources from the threats.
(ISO)
The likelihood that something damaging can happen to
my data is called as risk. The risk should be minimized by spreading it out and constantly
monitoring it as the business environment today is so dynamic.
The most critical decision in the information security implementation is the recognition and
mitigation of the risks affecting a business. Risk mitigation involves Business Continuity and
Disaster Recovery process. These methods help prepares the organisations for unpredictable
sudden unexpected calamities like earthquakes, hurricanes, fire breakage.
Business Continuity Process (BCP) suggests the implementation of certain processes that
ensure the smooth continuity of business functions during and after the disaster. It helps in

preventing the disruptions in the critical operations and a fast recovery in establish the
functionality in case a disaster occurs. (BCP) (Business Continuity Planning)
Disaster Recovery Plan (DR Plan) lists down the strategies followed by an organisation in
recovering the failures that have occurred. The plan gives a checklist of maintaining some
action plans at the disaster site and ways of recovering business functions at a different
location. (Business Continuity Planning)
1.2 International Security Standards and Regulations
The business entities today are also facing a pressure from the regulatory bodies and the
government legislations to remove the vulnerabilities of threat as primary responsibilities. A
large number of standards as well as the compliances have dramatically changed the way
organisations perceive information security. This has led to adoption of information security in a
more serious manner by the organisations. The security standards like ISO 27001, ISO 9001,
BASEL, PCI DSS, and ISO 20000 (ISO) are implemented by the entities as per their business
requirements. Globalization has completely transformed the way business works today, the
borders are shrinking and a large amount of transactions are happening in the world. Hence
compliance with these international standards provides you the credibility in the business world.
ISO (International organisation for standardization) is a global body which publishes down the
international standards.
 ISO 9001: It stipulates the primary requirements that business organisations must adapt
for a Quality Management System (QMS) and its ability deliver high quality products and
services which increases customer satisfaction.
 ISO 27001: It is also known as Information Security Management System (ISMS). It
intends to bring a methodical approach towards information security practices. It expects
the management to assess the information security related threats and design an
extensive suite of information control.
 BASEL: This international standard is issued by the Basel Committee on Banking
Supervision. It specifies the banking regulations that help bankers in knowing how much
capital they need to be keeping aside to protect against the financial risks. This standard

can protect the bank in the volatile economic situations like the collapse of major banks
on Wall Street. (BASEL)
 PCI DSS: Payment Card Industry Security Standards provides the additional security to
the cardholders by controlling the credit card frauds. It further confirms that the
merchants have the minimum security installed when they transmit the cardholder‟s
data.
ISO 27001 PCI DSS
BASEL ISO 9001
International
Standards
Figure 2: International Standards

RESEARCH METHODOLOGY

2. Research Methodology
Figure 3: Research Methodology
Research Objective
To understand the information security
practices followed within the
organisations and understand the key
drivers in spending. Also to study the
awareness of risk consultants .
Research Design :
Secondary research from the sources on the
internet like global information security
reports, papers along with the questionnaire
based primary research
Sampling/Data Gathering :
The research is based on convenience sampling
technique with 30 samples representing the
organizations from various sectors in Dubai.
Data Analysis:
Data gathered was analysed with the help of
statistical tools such as SPSS, Statpro and
microsoft excel.
Conclusion and Report:
Based on our analysis and findings we have listed
down our conclusions and have also given
recommendations to the various organizations
implementing information security.

2.1 Problem Definition
Information security industry in Dubai is at a very nascent stage as compared to the global level.
The constantly changing technological advancements and the increasing business interactions
with the other parties are posing a threat to the organisations. The factors such as regulatory
compliance, security standards and client requirements have made it imperative for the
organisations to have a stringent information security system. In Dubai there is still a lack of
awareness pertaining to information security.
2.2 Research Objectives
Following are the objectives of the research:
 To study the information security practices within organizations
 To understand the key drivers and trends in information security spending in this
geography
 To study the awareness of risk consultants and security services providers
Research on these three objectives would give valuable insights into the information security
landscape of Dubai.
2.3 Benefits of Research
It‟s not easy to be an information security manager. To be a successful CISO you should be a
brilliant tactician, flawless executioner, and a good politician. Our research aims to help
corporate level decision making pertaining to certain key decision points on information security.
The research can help organizations compare their practices with that of the industry and gain a
better insight into the information security industry in this region. The research would give an
understanding about the key security processes and practices being followed in the industry, the
trends related to budgeting and spending on information security and how various factors
impact the spending and investment decisions. After a rigorous study the research would give
recommendations on areas of improvement which can be very useful for the overall industry. All
these factors along with the lack of information pertaining to information security in this region
prompted us to carry out a research in this area.

2.4 Research Design
We carried out both the secondary and primary research for this project.
Figure 4: Research Design
2.4.1 Secondary Research
The collection of data internal to an organisation or some third party
research material published on the internet or other resources is known as
secondary research. We referred to the data databases like Zawya, MEED
and data monitor for studying about the Information Security industry in
Dubai. While doing our secondary research we came across Global
Information Security Survey (GISS) conducted by PricewaterhouseCoopers (PWC) and its
results further inspired us to study the scenario of information security industry in this
landscape. We also did secondary research by referring to the various websites and joining
various forums about information security.
Research Design
Primary
Research
Secondary
Research

Literature Review
The Global Market
In today‟s world of globalization, change is the only constant. This statement holds its worth in
the world of Information Security to a great extent. Information Security is greatly influenced by
the current trends, and the latest happenings in the market. With advent of new technologies,
arrive new risk avenues and hence the need for implementation of Information Security.
Organizations that successfully align themselves with the changing trends are more likely to
succeed than those resist the change.
Outsourcing - A Trend
Outsourcing as an option has emerged in the recent years. Numerous firms have employed
offshore security experts to implement various Information Security practices in their
organizations.
One of the major reasons for this trend is the lack of expertise in the field of Information
Security. With the ever increasing demand for security implementers, companies find it difficult
to acquire the desired workforce for in-house
implementation of security projects. In addition, as
the new trends emerge in Information Security, so
does the need for implementers to keep themselves
updated. Keeping up-to-date with the latest trends
proves to be cumbersome for the existing workforce.
The need for the workforce with latest skill sets and
new practices are contribute to outsourcing of
Security projects.
This increased trend in outsourcing, however, leads to a debate of compromise in overall quality
of the projects. Some argue that outsourcing leads to lack of responsibility among the solution
implementers. This has to be addressed by forming clear contract agreements, and by
meticulously defining the responsibilities as well as boundaries of the outsourced team. The
accountability of the teams has to be laid for while drafting the contract.

Indian companies, for example, sign a Non-Disclosure agreement or a Confidentiality
agreement before they sign a contract with service providers. A research conducted by Deloitte
in 2010, lists the various practices ensured by Indian companies when entering a third party
contract. The research also depicts an increasing trend towards these practices. (Delloite)
Figure 5: Practices performed
Continuity Management
The last decade has been an exponential rise in the awareness and compliance of Information
Security practices among the organizations. Much of this can be accounted to increasing risk to
business due to terrorist attacks and fluctuating climatic conditions. Post 9-11 there emerged a
sudden urge toward Business Continuity and Disaster Recovery Implementations. In recent
years, many modern information systems have evolved to become the core of businesses. They
are no longer considered as support systems or cost avenues, instead as revenue centres.
Hence, the security and continued access to the Information Systems and to critical data is of
the topmost priority.
Addressing the issue of Business Continuity, organizations have been investing drastically in
Disaster Recovery Projects. Duplicate data centres, fail over servers, multiple work locations,
shared responsibilities have emerged as the key practices. Some organizations conduct regular

DR test, as frequently as every six months, to make sure that they are adequately equipped for
any disaster that may arise.
External Threats
Studies demonstrate that the organization associate a great deal of risk to the external factors
like hackers and software viruses. A research conducted by KPMG concludes that companies
amount a greater risk to external factors than any other, when it comes to data security (KPMG)
Figure 6: Drivers for Data Security
The Extent of damage that these external factors can cause to an organization is huge. Hackers
can not only leak sensitive information and disrupt the functioning of an organization, but also
cause serious threat to the reputation and brand image of the organization. Also malicious
internet elements like viruses and worms can bring critical functions to standstill. Hence, there is
an increased awareness among companies towards these malicious attacks.
Increased focus on Training and Development
Human resources are the prime factor in combating the evils of threats. Organization throughout
the world, hence focus on the quality of people that they trust with their security. As we
discussed earlier, the ever changing world of Information Security requires individual to keep
themselves up-to date with the latest trends and current happenings. Companies, therefore, lay
extra emphases on the training of their security staff. A survey conducted by Deloitte in India in
2010 (Delloite) addresses this issue. As a part of their research, they surveyed various companies

and accumulated data on the
competencies of the security
implementing team. The data of
Indian companies was
compared with global firms.
Globally, around 41% of the
organizations were extremely
confident of the competencies
that they possessed. However,
companies throughout the globe
identify the need for training and
development. 24% believed that
addition training and development was required.
Also, the employees implementing Information Security projects have easy access to
critical data. So it becomes essential while recruitment that the ethical standards of the
individual are checked. Not only intentional, an employee unknowingly may also pose
threats to the organizations critical information. Hence organizations take to practices
like USB disabling, personal laptop antivirus restrictions etc.
Mobile Computing – The new kid on the block
With the increase in the mobility of today‟s workforce, companies face a greater challenge in
managing the flow of information in and out of organizations. Employees not only prefer to “work
from home”, but also the increasing use of
laptops, tablets and multimedia enabled
Smartphone‟s, gives employees access to critical
information almost anywhere.
Cloud Computing has emerged as the latest trend
in the field of technology and software
applications. With the economic downturn, the IT
departments face diminishing budgets and low
cost avenues. As a result, an expansion in the
Figure 7: Training & Development

services offered by cloud computing has made it a major trend these days.
Needless to say, it brings with itself a whole new suite of risk areas and attack streams.
Economic Denial of Service is one such Cloud attack.
A study conducted by Ernst & Young in 2010 (Borderless Security – Ernst & Young‟s 2010 Global Information Security
Survey), identifies the degree of awareness among the security implementers for the various risk
avenues of cloud computing. Although there is an increased awareness in areas like Data
leakage risks, a lot remains to be addressed.
Figure 8: Technological Risks
2.4.2 Primary Research
Primary research was conducted to collect the original data for our research. This research
helps in gathering the information which is nonexistent. We have used
quantitative and qualitative technique for our primary research.
Respondents were interviewed with the help of a questionnaire. A well
structured questionnaire was prepared for this process. The questionnaire
was created using funnel technique wherein we first asked the
demographic questions followed by the behaviour questions like drivers for
information security spending, factors responsible for choosing risk
consulting vendors and factors affecting choice of a security product.

We interviewed the top management officials such as CIOs, CISO, IT Director, IT security
heads who are responsible for Information security practises in an organization. We also
interviewed the Risk management consultants of various firms. We also conducted 5 expert
interviews for qualitative analysis.
The data gathered from the questionnaire was then hard coded in a coding sheet which was
further used for analysis.
2.5 Sampling
It is the process of selecting the target respondents who would be the subset of the entire
population. These target respondents will be representative of the entire population for our
research.
2.5.1 Operational Definition
The following criteria were used for identifying our target respondents.
Figure 9: Operational Definition
The purpose for choosing respondents having operations in Dubai is that we are studying the
information security in this region. Also our target respondents would be the personnel operating
in this domain. We are conducting this research which will aid in corporate decision making so
we are targeting the middle or top level management who makes the decision for an
organisation.
Respondents should be companies which implement information
security practises and measures.
Respondents should have operations in Dubai.
Respondents should be middle or top level management involved in
information security decision making.

2.5.2 Sampling Technique
Sampling is the technique for selecting the target respondents who can best represent our
population. The sampling techniques can be further divided into two methods: Probabilistic and
Non Probabilistic sampling. In our research we have used Non Probabilistic Sampling
technique.
2.5.3 Convenience Sampling
Convenience sampling is a non probabilistic sampling which involves interviewing respondents
who were readily available and convenient to meet. We contacted our alumni‟s working at good
corporate positions, professionals on linked in and also the searched on the internet for some
references. We have conducted some face to face interviews and some voice conference calls
as well.
2.6 Data Collection
Data of 30 samples were collected by conducting field research and interviewing the target
respondents. We contacted approximately 150 respondents through various avenues such as
Alumni‟s, EMBA (Executive MBA program batch) and LinkedIn. We visited organisations in
Dubai Internet City (DIC) and did cold calling in order to get respondents. We sent emails to the
alumni and the EMBA people and followed up continuously with them till we got a successful
respondent. Follow up and reminders were necessary as we were contacting middle and senior
level executives who had very busy schedules and very little time. The restricted work hours in
the month of Ramadan posed a big challenge for us. We created an online questionnaire and
conducted face to face expert interviews. Face to face interviews helped us in
gauging the practical perspective of information security industry in this region.
2.7 Data Analysis
The data collected through our interviews was hard coded in a coding sheet as
per the standards. We have performed frequency analysis and in depth analysis using cross
tabulations, regression analysis and quadrant analysis using SPSS tool.

2.8 Research Limitations
o There is a reluctance to share information regarding information security
practises in organizations because such information is considered confidential.
Therefore we could not ask certain type of questions which we would have
ideally wanted to and had to frame our questions in a less specific way.
o Because of lack of time on the behalf of respondent the qualitative answers were
not fully answered in some cases
o Time constraints due to the month of Ramadan.
o Stratified quota sampling could not be done as it would have been the ideal
scenario.

ANALYSIS & FINDINGS

3. Findings
The data gathered during the field research highlight some facts and insights about the current
scenario of Information Security Industry in Dubai. We categorised our respondents in 3 broad
categories – Security Provider, Security Implementer and Consultants. These respondents are
spread across various industries domain which further helped us in studying the trend across
these industries.
Demographics
We interviewed a total of 30 respondents during the data gathering stage of our research. 53%
of our respondents are security implementers, 23% are security providers and 10% are the
consultants.
The purpose was to study the different business requirements and perspectives of these
different categories. The research was spread across various industries which helped us
capturing the trends and the needs and requirements across these industries. Our majority of
the respondents are from BFSI domain followed by IT, Telecom and the government sector.
10%
23%
53%
13%
Categorisation of Respondents
Consultancy
Solution Provider
Security Implementer
Other

The above pie chart shows the split of respondents on the basis of their industries. It is evident
from this chart that maximum of our respondents (39.3%) are from the BFSI sector and followed
by the IT, Telecom and Government sectors with equal distribution among themselves.
The target respondents of our research are middle or top level management executives such as
CIOs, CISOs, and IT Security Heads. These executives are aware of the information security
practices within their organisations.
Bankingand
Finance,39.3
%
Telecom, 10.7
%Hospitality,3.
6%
Retail, 3.6%
Government,
10.7%
IT, 10.7%
Logistics,7.1
%
Other, 14.3%
3%
10%
20%
27%
7%
17%
17% CIO
Consultant
Sales Manager
IT Security Head
CISO
IT Manager
Others

Practices
Finding #1
In most organizations Information Security heads report to the CIO,
and not the CEO
Our research shows the organization structure of the Information Security division in a
company. What stands out in the research is that the Head of the Information Security
department invariably reports to the Information Technology Officer. This indicates that
Information Security is primarily seen as an IT initiative and IT centric function.
Only 10% of the organisations have a Chief Information Security Officer (CISO). Almost 58% of
the firms have the Security Officers reporting to CIO or other IT management.
A considerable number also report to the middle management of IT managers (26%), respective
Business managers (10%) or Audit Managers
(6%).
We found out that majority of the organizations
(66%) have dedicated staff employed in the
Information security division. But the structure of
the Information Security Division within the
organization may vary.
16%
26%
32%
10%
10% 6%
Organizational Reporting
Top management
IT Manager
CIO
BusinessManagers
CISO
Audit Manager
“Information Security is always
seen as an IT initiative. However,
it doesn’t just restrict to IT. It is a
business initiative. And IT is one
component of business initiative”
- Kamal Setty, IT Security Head, R&P

Some organizations have an Information Security Officer, representative from every
department. He is responsible for the Information Security of his division. This committee of
Information Security officers report to the management directly.
Additionally, 68% of the organizations believe that the Information security department has been
adequately staffed. Only 14% of the respondents expressed that the current Information
Security department was understaffed.
Finding #2:
Security standards that enjoy highest degree of compliance are:
 ISO 270001
 ISO 9001
After studying the compliance of Dubai market to the Global standards and practices, we found
that the global standards of ISO270001 and ISO 9001 are the most compliant among the
industry. UAE region has also seen formulation of new security standards such as AECERT.
AECERT is the security breach response team, which also ensures the adherence to the
security practices.
The compliance, however, varies across different industries. BASEL compliance is found the
most in Banking and Finance domain (55%). Banking and Finance Industry also enjoys a
considerable higher compliance of BS25999 (45%), but low ITSM compliance (1%), as
compared to the industry average.
ISO27001 BS 25999 BASEL PCI DSS ITSM (ISO
20000)
ISO 9001
68%
26%
16%
26% 26%
42%

Finding #3
Management Commitment and Openness on Information Security
practices are the Top Requirements of the Industry
The biggest challenge that the Information Security Departments face today are not threats due
to incompetencies or lack of skilled workforce, but commitment of the decision makers to
address the issues of Information Security. The Top Management should stop viewing Security
as a Cost centre, instead, data security and information management should be considered as
one of the core practices. The reserach shows that only 50% of the respondents were satisfied
with the commitment of their top management.
While discussing the information security implementations in the industry, people often become
become defensive and secretive. Our studies show that experts call for openness and honesty
among the security implementers while discussing the security breach occurances. The fair
discussion would help the organization to resolve the short comings, but also develop set of
localized best practices.

Finding # 4: Employees (current and former) are the top reasons for
security breaches in the organizations.
The organisations in this geography are quite prone to the security breaches as reported by
44% of our respondents. The breaches that have occurred in the last 1 year are in the range of
1-5 (40% of the respondents have fortified this fact).
The unawareness of these security breaches is also quite significantly high.Out of total 28% of
our respondents don‟t know the number of security related events happening around them.
This shows that still there is a high degree of unawareness among the top management about
these security related events.
The findings are quite shocking , as per our research the top reason for the security breaches
are the employees. It is an often misconcieved fact that hackers are usually responsible for
breaking into the security walls of an organisation and damaging/misusing the data. We have
found out than an organisation is most vulnerable to the internal security threats.
 Employees: 39% of our respondents feels that the top reason for the security
breaches are the employees of an organisation.Out of which 1/4th
of the
respondents feels that current employee are the reasons of these breaches
 Hackers: The second important reason for the breaches in this region are the
hackers(18%).
28%
40%
4% 28%
0 1 to 5 5 to 10 Don’t know
Security Breaches in past 12 months

We have also found out the quite a significant number of respondents( 21%) don‟t even know
what the most likely source of these breaches are –(Current employees, Former employees
,Hacker etc). This shows that organisations have to go a long way in creating the awareness
about these events and the reasons for them.
Out of 40% of our respondents who says that 1-5 breaches have occurred in the last 12 months
50% belives that current employees are the reason for these breaches.
Business impact of the breaches
After getting the above results we further tried to find out the business imapct of these breaches
on a organisation. According to our respondents the key impact of the security breaches is on
the brand image of the organisation.35% of our respondents say that the most important impact
of is brand imaged compromised followed by the financial losses( most likely on banking
industry).
25%
14%
18%
21%
14%
0 0.05 0.1 0.15 0.2 0.25 0.3
Current Employee
Former Employee
Hacker
Dont know
Other
Reasons for the breaches

We further conclude our findings of security breaches by saying that “Out of 40% respondents
who says that 1-5 security breaches have occurred in this region , 40% says that the business
impact of these breaches is the brand image being compromised of an organisation.
Upon further comparing our findings about this geography with the global information security
survey we have come up with some interesting facts. We have found that in Dubai 35% of our
respondents believe that the most important business impact of these breaches is the damage
to the brand image of an entity as compared to only 14% at the global level. The results are
aligned in terms of financial losses. Therefore finacial losses are considered to be the common
business impact of the security breaches.
Brand Image Compromise Financial Losses
Dubai Global Dubai Global
19%
8%
35%
27%
12%
Business impact of the breaches
35%
14%
19% 20%
Key Observation:
The key reasons for
information security
breaches are internal to an
organisation i.e. Current &
Former employees are
responsible for these
breaches

“We are in the same industry;
we are fighting the same
people. We should not be
embarrassed to share
experiences.”
Finding # 5
The Industry today faces a dearth of knowledge sharing
We found that many of the respondents were hesitant in sharing information on various aspects
of Information Security. Many chose „Prefer not to Disclose‟ as the response to some questions.
This goes on to show the lack of willingness to share information when it comes to Information
Security.
Through our expert interviews, we progressively found that Security heads and the CISOs were
beginning to open up to the idea of knowledge sharing on threats and breaches. They believed
that if organizations honestly discuss the incidents that they have experienced in the recent
past, the extent of losses incurred, and the measures
that they post the incident; such information would not
only help the industry, but us be better equipped for
any future malicious attacks.
How many
breaches have
occurredin the
last 12 months
What was the
Impact of security
breaches
What were the
reasons for
security breaches
How would you
describe the
Staffing Structure
Adequecy
28%
36%
27%
18%
Prefer Not To Disclose

Key drivers and trends in Information Security Spending
Finding #1
Business continuity and Disaster recovery planning emerges as the
most important driver influencing information security spending
The 3 top drivers of information security spending are:
1. Business continuity & Disaster recovery plan (reported by 83.3% of respondents)
2. Adherence to Industry standards (72%)
3. Threat of Security Breaches from external sources (70.8%)
Implementing a business continuity (BCP) and disaster recovery
(DR) plan has the strongest influence on spending decisions
taken by organizations in Dubai. BCP/DR refers to a company‟s
ability to recover from disasters, unexpected/disruptive events
and continue operations. Disaster recovery is a subset of
business continuity as DR focuses on IT systems and business
continuity caters to all aspects of business functioning.
70.8
33.3
62.5 64.0 66.7 68.0 72.0
40.0
83.3
Percentage of respondents who identify the following factors as the
most important drivers of information security spending in their
organization
Key Observation: BCP and
DR planning – is a top
driver of information
security spending on a
regional as well as global
level

Occurrences of natural disasters in the middle-east region, such as a cyclone called Gonu
(2007, Oman) compel organisations to invest in BCP/DR solutions that protect important
customer/business data and ensure undisrupted functioning of business. According to
The United Nations, one of the biggest threats to middle-east is the changes in sea level.
Therefore, the top rank given to this factor showcases the importance that companies in Dubai
associate with this.
„Adherence to Industry standards‟ getting the second spot
showcases that companies put a lot of importance in bringing
their information security practises at the level of competitors and
the industry overall. In fact it has got more percentage as
compared to „regulatory compliance‟. This shows that
organizations feel that spending on implementing compliance
standards set by regulators is a given rule, but over and above
that they also need to be at par with the competitors and overall
industry.
What is surprising is that „Economic conditions‟ has got the
lowest percentage of respondents. It is surprising because the
world has recently seen the greatest economic downturn on a
global level. And the economic and global market situation
currently is also not strong all at with the S&P downgrade of the
US debt rating and the continuous fear and lack of confidence in
the Euro zone.
Finding #2:
High awareness and effectiveness of Disaster recovery plans
Our research shows that 88% of organizations implement DR planning and that 90.5% of the
organizations do DR recovery testing at least once a year.
According to the global
information security survey
2011 by PwC, CIO & CSO
magazine, Business
Continuity and disaster
recovery planning also
features in the top 3
factors influencing
spending on a global scale
as well. This shows that
this factor has a great
influence on CIOs and
CISOs when they plan on
budgeting and when
actual spending
decisions are taken

This shows that organizations are aware about the importance of disaster recovery and practise
frequent testing to ensure that their DR plan is effective so that critical applications are restored
in a timely manner following a disaster occurrence. This finding further fortifies our previous
finding that Business continuity and disaster recovery planning is the topmost driver of
information security spending.
Finding# 3
Budgeting: A balance between Admonition and Optimism
Financial caution exists in the in industry as executives keep a tight lid on the information
security spending. There 20% respondents who said that their year-on-year spending is
increasing. This is a sign of optimism.
Yes
88%
No
12%
Organizations implementing DR
plan (yes/no)
47.6%
42.9%
4.8%
0%
4.8%
Every 6 months
Once a year
Once every 2 years
Once every 5 years
Not implemented
Percentagebreak up of organizationsbased on
frequencyof DR testing
0% 10% 20% 30% 40% 50% 60% 70%
Increasingas a percentage of total
expenditure
Decreasingas a percentage of total
expenditure
Relativelyconstant
Organizational spending on Information security
initiatives

Majority of the respondents reported that their budget for information security (as a percentage
of total budget) is between 6-15%.
"No one ever became famous for preventing a security attach, and few CFOs get promoted for
authorising spending that gives no immediate benefits”
Awareness about the importance of information security has a key role to play in this
geography.
Perception of the Banking and finance sector
Cross tabulation analysis of the respondents from the Banking and finance sector was done
against the factors which influence spending. The column on the right (in table below) shows the
percentage of respondents from the banking and finance sector who rated each of these factors
as most important.
As compared to the other sectors, more than 40% of the respondents from banking and finance
sector rated security breaches from internal sources, protection of brand image and regulatory
compliance and the most influential strategic drivers of their security spending.
Factors influencing spending
Security breaches from internal
sources 46.20%
Protection of brand image 44.40%
Regulatory Compliance 41.70%
Auditing regulations 37.50%
3.3%
16.7%
36.7%
23.3%
3.3%
3.3%
10.0%
3.3%
Less than 1%
1 to 5 %
6 to 10%
11 to 15%
16 to 20%
Greater than 20%
Not sure
Prefer not to disclose
Percentage of overall budget allocated for
information security

Security breaches from external
sources 35.70%
Industry standards 28.60%
Business continuity plan 28.60%
Insurance requirements 25%
Economic conditions 20%
The IT professionals working in a bank, by the nature of their jobs, know where the bank's
vulnerabilities lie, and if they are disgruntled or unsatisfied with the bank then they can seek to
take vengeance. Therefore security breaches from internal sources can lead to huge losses.
This is why banks rate this factor highly.
Why protection of brand image is so important for banks?
The second factor that impacts the banks greatly is the high profile of security attacks. Once a
banks security image gets compromised it can lead to a cascading effect of further
consequences. The banking system is based on TRUST and people see banks s a safe haven
to save their money. However, once the security of a bank is compromised and the brand image
is tarnished, worried clients (most of whom who had not gone to a local branch since a long
time), would be queuing up outside the bank early morning to withdraw their savings. The press,
newspapers and TV would aggravate the situation more. And once this happens the entire
banking system goes down like a house of cards.
Moreover, Hackers, cyber terrorists etc are also seek attention and fame. Once they hack a
famous bank they want to show off to their „achievement‟ to the world. Thereby degrading the
banks brand image further. This shows why banks rate “protection of brand image” highly on
their radar of strategic decision making for spending.
“Major business for information security consulting services comes from banking and finance
sector in Dubai”- Mohit Saraswat, KPMG Dubai (Information security consultancy)
Global Environment
50 percent of respondents from financial services enterprises in India cited compliance as the
primary driver for adopting IT security (According to the Symantec Security Check – Indian
Financial Services Industry 2011 report)

This goes in sync with our finding that regulatory compliance is one of the top drivers of banking
industry.
Finding # 4
Companies having high spending capacity have high requirements
from information security products
Companies were categorised into three classes (Low, Mid and high budget) based on the
budget allocated on information security as a percentage of the overall budget.
Cross tabulation analysis of the 3 budget classes was done with the attributes that companies
look for in an information security product/solution. These attributes are performance of the
product, availability, ease of use and detailed audit logs. These attributes were rated by the
companies on a scale on importance1
(1 to 5).
Percentage of overall budget
allocated for information
security Performance Availability Ease of use
Detailed
audit logs
Low Budget (less than 5%) 20% 7.70% 11.10% 15.40%
Mid Budget (6-10%) 26.70% 23.10% 22.20% 30.80%
High Budget (greater than
11%) 26.7% 38.5% 44.4% 38.5%
It can be seen from the table that the companies under the high budget segment have a higher
level of expectation from security products/solutions. Moreover, companies in the low spending
capacity segment had a comparatively lower level of expectation.
Categorising the Organizations
We categorised the respondents into two types based on the responses given when they were
asked they felt about the information security practices in their organization.
Those who percieve their Information security management system and practices were –
1
The percentages show the respondents who answered ‘most important’. For example: 20% of the respondents
who rated most important to performance belonged to the low budget segment

Figure 10: Organisation Category
Overall the practitioners gave higher importance to most of the factors as compared to the
firefighters. This shows that the practitioners are more cognizant and appreciative of these
factors as compared to firefighters.
Amongst the two categories , the security breaches from internal sources is the major reason
driving spending decisions for the confident practitioners whereas it has a low influence the
firefighters.
Interestingly, threat from external breaches drives the firefighters more towards spending as
compared to practitioners.
Factors influencing spending on information
security2
The confident
practitioners
The reactive
fire-fighters
Security breaches from internal sources 71.40% 33.30%
Regulatory compliance 57.10% 50.00%
Protection of brand image 57.10% 16.70%
Security breaches from external sources 57% 50%
Auditing regulations 42.90% 16.70%
Industry standards 28.60% 16.70%
Economic conditions 14.30% 50.00%
Insurance requirements 14.30% 16.70%
2
The percentages show the respondents who answered ‘extremely important’

Both the groups prefer to keep security expenditures constant
Overall the spending on information security initiatives has remained constant for both the
categories. One reason is that the groups do not see the value of results by spending more.
Another reason could be that they are comfortable with their current strategy and would spend
more on what matters most.
The firefighters are more likely to clamp down on information security
expenditures and to defer security projects/initiatives
The percentage of practitioners for whom the spending is increasing is comparatively more than
the fire-fighters. This shows that there is more willingness to on spend information security for
the category of companies which already have effective practices in place. Possible reason is
that since they have high awareness and a better understanding of the importance of
information security so they are more effective, active and serious in terms of implementing their
initiatives/ projects without deferring them. The benefits that they get from implementing
information security could also be a reason for their increasing spending and lower deferral.
Spending Trend
The confident
practitioners
The fire-fighters
Increasing as a percentage of
total expenditure 28.60% 16.70%
Decreasing as a percentage of
total expenditure 14.30% 16.70%
Relatively constant 57.10% 66.70%
Has your company deferred
information security projects?
The confident
practitioners
The fire-fighters
Yes 14.30% 33.33%
No 71.40% 50.00%
Not sure 14.30% 16.70%
Comparison with global scenario
Nearly half (46%) the respondents (companies) deferred their security initiatives according to
the PWC Global information security survey (GISSi3
2011). This shows that the companies in
3
(PricewaterhouseCoopers)

this geography are more active and serious about implementing their security initiatives and not
deferring them.
Brand Awareness
Finding # 1
Awareness of big global players is high, but when it comes to
working…
We asked our respondents on the major consultants and security implementers that are present
in the Dubai market, both local and global.
We asked them of the players that they were aware of, and of the players that they have worked
with.
In awareness, the big global players like Deloitte, Infosys and Wipro emerged as the leaders,
something which was expected. But the revelation came when we analysed the „worked with‟
players. Local players such as Paramount and eHosting Datafort emerged as the leaders. This
points us towards the fact that somehow the industry perceives the local players as a safer
option when implanting Information Security, rather than the global giants.
Aware Of Worked with

PEST Analysis
This analysis was done to study the external factors affecting Dubai‟s Information Security
industry.
Political Forces: The Political conditions in Dubai have remained relatively stable. The UAE
government is taking initiatives to improve the security posture of this region by setting up a
strict regulatory environment and formulation of bodies such as AECERT.
Figure 11: PEST Analysis

Technological Forces: Technology is growing at an accelerating speed and its adoption rate is
also quite high amongst the organisation. Higher the technology higher is the risk of
vulnerabilities of threats. Through new technologies like mobile computing, Web 2.0, Cloud
computing the information is flowing across the walls of an organisation. Hence necessary
actions should be taken to protect IS by implementing latest security solutions.
Economic Forces: As the Economic uncertainty continues the security capability is declining.
According to the organisations in Dubai economic conditions are less important factor affecting
their spending on information security. Hence Information Security either takes a backseat or
goes inside a protected list in economic downturns.
Social Forces: Client requirement has become one of the strategic reasons for implementing
information security. Some of the organisations are forced to implement security solutions as
other giant players are doing it.

Qualitative Analysis
Perception about Information Security
Figure 12: Information Security Perception
Security Postures of Organisations
Perception
Needs
improvement
Integral Part
IS is a
business
intiative
rather than IT
initiative
Security
related
accident
needs to be
controlled
Budget
Constraints
Awareness
Implementation
Training & Development
Management commitment
Linking Security to other domains than just IT

Represented below are the key findings from in‐depth interviews with the industry experts.
What is your view on the Information Security
Landscape in Dubai?
It is quite under practised and there not much focus on
info security. It is on bottom of a company‟s agenda
and there is an extremely reactive approach. It is an
extended arm of IT functions and not independent
function. There is not much representation on board
level and has conservative budgeting and more IT
focussed.
Mr. Emad Maisari, Director Information Security,
Jumeirah Group
Mr. Emad Maisari, Director Information Security, Jumeriah
Group
What are the major challenges that you see in information
security today?
Awareness is the first major challenge. The approach is
second. The drive for implementation & adoption of
information security policies should come from the top
management and not just from the IT head or the security
head. The general culture of the people is also very critical
along with adoption to technology.
Mr. Rajeev Dutt, Director, Interlace MENA

Q: What are the new key trends that you see in information security in this
Dubai?
All the areas of technology aspect have some tools to address the security
issues of that technology. Traditionally more emphasis was laid on the
technology aspect of information security. Now we see a switch in trend
where risk aspects drive the information security based on the risk appetitive
and business requirement drive decisions.
Kamal Setty Iyappan, Information Security head, Retirement Pensions and
Benefits Fund
What do you see is the major cause for security
incidents and breaches?
80% of the security incidents happening across
the world originate from within the organization.
This is because internal controls are not well
implemented within the organizations such as
segregation of duty is not there. So, most of the
breached happen from within.
Mr. Mohit Saraswat, Senior Consultant, KPMG
What are the drivers of your spending and budgeting
on information security?
In the banking sector it is the fear to the damage of
reputation that drives banks in investing and
implementing information security.
Mr. Harshit Jain, Emirates NBD bank

RECOMMENDATIONS

Recommendations
Idea 1: Increase Awareness among the employees
Face to face training sessions should be the prime weapon of awareness building. Non
interactive awareness mechanisms such as internet articles, emails, posters and publications
should be used to reinforce the important messages.
Idea 2: Check on the awareness created
Conducting awareness sessions is not sufficient enough. After every awareness session, take
the feedback from trainees about the topics covered and lessons learnt. The feedbacks help
meet two objectives. First is to gauge the effectiveness of the training sessions. Second is to
demonstrate the seriousness of the organizations towards Information Security.

Idea 3: Information Security should not be an IT-centric department.
The lack of independence of Information Security department poses a major concern to the
Information Security Industry today. When other top managers like CEO and CFOs should also
be responsible and accountable for the Information Security practices of the organization.
Information Security should not be seen as cost centre of the IT department. It should be seen
as more aligned to the business centre, rather than IT
Idea 4: Getting certified should not be the final goal but a stepping stone to better
information security management
Companies should take inputs and follow standards such as ISO 27001 to establish their
security practices. However, there is a need to focus on proactive mechanisms such as threat
modelling and bringing innovation in the security initiative.
ISO 27001 certificate provides assurance that the security management system is in place, but
says little about the total state of information security within the organization. And as per the
experts interviewed in the industry, the certifications are easy to get. Therefore getting a
certification should not be the final frontier but just a stepping stone to better information
systems management.
Idea 5: Commitment of the top management
Top management‟s seriousness about the adoption of Information Security practices, makes a
big difference. This can be achieved by increasing awareness among the top executives, of
what Information Security brings to the table. It is time to “turn on the lights” and illustrate the
financial loses and brand image loses that happen due to lack of Information Security.
The latest case of Sony is a clear example of how a breach into the data security of a system,
can not only cause huge financial burden, but the repercussion can be felt in the Goodwill of the
company.
Idea 6: Engage in Discussion Forums
Experts from the industry believe that the demon of Information Security can be combated only
through collaboration and collective thinking. More open discussions, where experts and
security implementers discuss not only the measures they have implemented, but also the
reason for implementing a certain security measure. Every security practice that is implemented
is an effect of a certain cause, or a breach. It is hence, vital, to discuss the cause, as well as the
effect.

Idea 7: Shift from reactive firefighter to proactive front-runners
Companies should follow the approach of having an effective information strategy in place and
proactively executing the plans rather than reaching to situations, breaches and threats in a
reactive manner. “Pre-emption is better than cure should be the mantra”
Idea 8: Dubai government should set up a body such as ADSIC
ADSIC stands for Abu Dhabi systems and information centre. It is an organization set up by the
Abu Dhabi government to enable modernisation of government services through Information
Technology.
Some important tasks performed by ADSIC
 Developed the Abu Dhabi Information Security Policy and Standards (Risk Management
Overview, Risk Assessment, Information Security Planning etc)
 Published Emirate‟s first Information Security Policy, which established uniform
information security requirements, roles, and responsibilities across the Abu Dhabi
Government
 Launched the Information Security Programme and awareness campaign
Having such body would go a long way in bringing up the overall quality of information security
in the Dubai industry.
Idea 9: Handling new areas of risk such as Web 2.0, cloud computing and mobile
devices
Latest upcoming technologies such as social networking and mobile computing are increasing
becoming an important part of the business. With implementation of these technologies emerge
new risks and companies should therefore be aware and proactive about strategizing and
implementing plans and should continuously evolve and improve.
Idea10: Tightening the regulations
The Dubai central bank should issue stricter information security regulations for banks. For
example: In India, RBI has mandated two factor authentication at banks for all delivery
channels. Such measures should be proactively taken by the central bank.

Opportunity for solution providers and consultants
Information security solution providers or vendors: if they are targeting the high budget segment
then they should offer premium products which are high quality and performance on all these
parameters. Consequently they can charge a higher price too (more margin) as they target
client has a higher spending capacity.
Similarly, while targeting the low budget segment the solution provider/vendors can offer
products which have lower cost and may not be as high performing as the products offer to the
high budget segment. But at the same time the products should be sufficient on all parameters
and robust enough to do a good job.
It can be inferred that since the practitioners have effective information management systems so
they are aware of the danger of breaches from internal sources such as current employees. On
the contrary, the firefighters may not be aware of this and hence have given less importance to
this factor.
The consultants and service providers while targeting the firefighters segment can first
showcase them the threat from internal breaches such as those from malicious / disgruntled
employees and corporate espionage. The can make them aware of internal data breach
methods such as podslurping (Usher) and bluesnarping.
Strategies:-
 Subsequently, the consultants can suggest strategies such as:
 Develop strict policies for restricted USB usage on a user specific basis
 Keep track of breaches and breach attempts through audit trails
Products & Solutions:-
Software‟s which provide more granularities in terms of setting policies by the IT administrator
and detect breaches can be recommended. For example: allowing only “read only” access for
certain devices.

ANNEXURE

Bibliography
BASEL. Basel Comittee on Banking Supervision. September 2011 <http://www.bis.org/bcbs/>.
BCP. Business Continuity Planners Association. September 2011 <http://www.bcpa.org/>.
“Borderless Security – Ernst & Young’s 2010 Global Information Security Survey.” 2010.
September 2011
<http://www.ey.com/Publication/vwLUAssets/Global_information_security_survey_2010_advi
sory/$FILE/GISS%20report_final.pdf>.
Business Continuity Planning. September 2011 <http://disasterrecovery.org/>.
Delloite. “Delloite_2010_Global_Security_Survey_India_Report.” 2010.
ISO. International Standarization Organization. September 2011 <http://www.iso.org>.
KPMG. “KPMG_DSCI_Banking_Survey2010.” 2010.
<http://www.dsci.in/sites/default/files/DSCI%20-
%20KPMG%20Banking%20Survey%20Report%20-%20Final.pdf>.
Perrin, Chad. The CIA Triad. September 2011 <http://www.techrepublic.com/blog/security/the-
cia-triad/488>.
PricewaterhouseCoopers. “Global information security survey.” 2011.
Usher, Abe. How to: Simple Podslurping. September 2011
<http://en.wikipedia.org/wiki/Pod_slurping>.

Questionnaire – Information Security
 Good morning/ Good Afternoon/ Good Evening. We are Global MBA students at the SP
Jain Center of Management. We are conducting a survey to understand the Information
security landscape in Dubai. Would you be willing to answer some questions for us?
 This research is for academic purpose
Section A – Screener Questions
==================================================================================
Q1) Does your company provide/implement Information security
 Yes (1)  No (2)
Q2) Does your company have operations in Dubai?
 Yes (1)  No (2)
Section B – Demographic Questions
==================================================================================
Q3) Which industry does your company belong to
 Banking & Finance (1)  Telecom (2)  Hospitality (3)
 Retail (4)  Healthcare (5)  Airline Industry (6)
 Government (7)  Military (8)
 Others (9) (Please mention _________________ )
Q4) You are a
 Consultancy (1)  Solution Provider (2)  Security Implementer (3)
 Others (4) (Please mention _________________ )
Q5) What is your designation
 CIO (1)  Consultant (2)  Sales Manager (3)
 IT Security Head (3)  Other (4) (Please mention _________________ )

Section C –Behaviour
==================================================================================
Q6) Which of the following best describes the Information Security structure of your organization
 Dedicated staff within the organization whose primary job function is information security (1)
 Staff within the organization with a secondary job function of information security (2)
 Outside experts through an outsourcing agreement (3)
 Dedicated teams within the organization and outside the organization through outsourcing agreements
(4)
Q7) How would you describe your information security staffing?
 Understaffed (1)  Staffed at about the right level (2)
 Overstaffed (3)  Prefer not to disclose (4)
Q8) To whom does the Security Head report in your organization?
 IT Manager (1)  Audit Manager (2)
 Organization Top Management (3)  Respective Business Manager (4)
 CEO (5)  CIO(6)
 CISO (7)  Others (8) (Please Specify _______________ )
Q9) On a scale of 1 to 5, rank the overall importance of Information Security perceived by your firm today
(1-Least important, 5-Most important)
1 2 3 4 5
Q10) On a scale of 1 to 5, rank each criteria that influences spending on security initiatives? (1-Least
important, 5-Most important)
Security breaches from external sources 1 2 3 4 5 (1)
Economic Conditions 1 2 3 4 5 (2)
Auditing regulations 1 2 3 4 5 (3)
Regulatory Compliance 1 2 3 4 5 (4)
Protection of brand or institutional image 1 2 3 4 5 (5)
Security breaches from internal sources 1 2 3 4 5 (6)
Industry standards 1 2 3 4 5 (7)
Insurance requirements 1 2 3 4 5 (8)
Business Continuity Process/DR Process 1 2 3 4 5 (9)

Q11) Approximately what percent of your organization's overall IT budget is allocated for information
security?
 Less than 1% (1)  1 to 5 % (2)  6 to 10% (3)
 11 to 15% (4)  16 to 20% (5) Greater than 20% (6)  Not sure (7)
 Prefer not to disclose (8)
Q12) Which statement most appropriately describes your organizational spending on information security
initiatives in the last financial year?
 Increasing as a percentage of total expenditure (1)
 Decreasing as a percentage of total expenditure (2)
 Relatively constant (3)
Q13) During the last financial year, has your company deferred any information security projects?
 Yes (1)  No (2)  Not Sure (3)
Q14) Is your company compliant with any of the following standards? (Please feel free to mark multiple
options)
 Information Security Management System (ISO27001) (1)  BS 25999 (2)
 BASEL (3)  PCI DSS (4)
 ITSM (ISO 20000) (5)  Quality Management System (ISO 9001) (6)
 Others (7) (Please Specify _______________ )
Q15) Does your organization implement a Disaster Recovery Plan?
 Yes (1)  No (2)  Not Sure (3)
Q16) If the answer to the above question is Yes, What is the frequency of Disaster Recovery Testing in
your organization?
 Every 6 months (1)  Once a year (2)  Once every two years (3)
 Once every 5 years (4)  Not implemented (5)

Q17) Does your organization segregate/differentiate the documents, based on confidentiality level?
 Yes (1)  No (2)  Not Sure (3)
Q18) Does your office have an authenticated access (card access)?
 Yes (1)  No (2)
Q19) Are you allowed to work from home?
 Yes (1)  No (2)
Q 20) What authentication techniques are used when you connect from home? (Please feel free to mark
multiple options)
 Password Authentication (1)  Authentication Key (2)
 Secure-ID (3)  Other (4) (Please Specify _______________________ )
Q21) When choosing a security product or technology, on a scale of 1 to 5 rank each of the following
attributes in order of importance?
Performance 1 2 3 4 5 (1)
High availability 1 2 3 4 5 (2)
Integration with existing networks and hosts 1 2 3 4 5 (3)
Ease of use 1 2 3 4 5 (4)
Multilayered access control 1 2 3 4 5 (5)
Detailed audit logs 1 2 3 4 5 (6)
Q22) On a scale of 1 to 5, how satisfied are you with the following attributes towards Information Security
in Dubai Industry? (1-Least important, 5-Most important)
Management Commitment 1 2 3 4 5 6 7 8 9 10 (1)
Openness/Discussion Forums 1 2 3 4 5 6 7 8 9 10 (2)
Budget Allocation 1 2 3 4 5 6 7 8 9 10 (3)
Training & Development 1 2 3 4 5 6 7 8 9 10 (4)
Staff Competencies 1 2 3 4 5 6 7 8 9 10 (5)
Global Standards 1 2 3 4 5 6 7 8 9 10 (6)
Q23) On a scale of 1 to 10, what is the overall satisfaction of Information Security perceived by your firm
today (1-Least important, 5-Most important)

1 2 3 4 5 6 7 8 9 10
Section D – Brand Awareness of Information Security Solution providers
==================================================================================
Q24) On a scale of 1 to 5, rank each criteria that influences the selection of an Information security and
risk consulting services vendor? (1-Least important, 5-Most important)
Complete suite of Information security and risk consulting services 1 2 3 4 5 (1)
Revenues from risk consulting and information security services 1 2 3 4 5 (2)
Size of investment in their service offerings 1 2 3 4 5 (3)
Size of client bases 1 2 3 4 5 (4)
Host of completed consulting, advisory and assessment engagements 1 2 3 4 5 (5)
Number of dedicated consulting, advisory and assessment consultants 1 2 3 4 5 (6)
Q25) Which of the following companies come to your mind when thinking of Information Security solution
providers and consultants?
Consultant First Mention Other Mention Aided Mention
BlackSafe 1 1 1
Deloitte 2 2 2
Ducont 3 3 3
eHosting Datafort 4 4 4
Ernst & Young 5 5 5
HP 6 6 6
IBM 7 7 7
Infosys 8 8 8
KPMG 9 9 9
Nanjgel Solutions 10 10 10
NXme 11 11 11
Paramount 12 12 12
Protiviti 13 13 13
PWC 14 14 14
Safenet 15 15 15
Wipro 16 16 16
Others
Q26) Which, among the following companies, have you worked with for Information Security?
Consultant First Mention Other Mention Aided Mention
BlackSafe 1 1 1
Deloitte 2 2 2
Ducont 3 3 3

eHosting Datafort 4 4 4
Ernst & Young 5 5 5
HP 6 6 6
IBM 7 7 7
Infosys 8 8 8
KPMG 9 9 9
Nanjgel Solutions 10 10 10
NXme 11 11 11
Paramount 12 12 12
Protiviti 13 13 13
PWC 14 14 14
Safenet 15 15 15
Wipro 16 16 16
Others
Q27) How many security breaches have occurred in your company in the past 12 months
 0 (1)  1-5 (2)  5-10 (3)  >10 (4)
 Dont know (5)
Q28) What was the major cause of the data breaches that occurred in the last 12 months
 Current Employee (1)  Former Employee (2)  Hacker (3)
 Customers (4)  Partners and Suppliers (5)  Dont know (6)
Q29) What according to you was the business impact of the data breaches
 Financial Losses (1)  Theft of Intellectual Property (2)
 Brand Image Compromised (3)  Dont know (4)
Q30) What do you feel about the Information Security and Risk Management practices in your
organization?
___________________________________________________________________________
___________________________________________________________________________
Q31) What according to you, could improve the security posture of your company?
Some measures like Penetration Testing, Technology Implementation, Employing Security Staff, Improving Security Awareness
___________________________________________________________________________

ARP_InformationSecurityLandscape_Report (1)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ARP_InformationSecurityLandscape_Report (1)

Similar to ARP_InformationSecurityLandscape_Report (1) (20)

ARP_InformationSecurityLandscape_Report (1)