CNME Editor Mark Forker spoke to Michael Heering, VP of Marketing for EMEA & APAC, at SANS Institute during GISEC 2024. Heering outlined the growth SANS Institute has enjoyed across the Middle East as part of their mission to bridge the skills gap that currently exists across the cybersecurity ecosystem in the region. 
SANS Institute was formed in 1989, as a think tank for thought leadership within the security domain.
Their mission statement remains the same now as it did back in 1989, and that is to empower and equip cybersecurity professionals with the practical skills, knowledge and expertise they need to make our world a safer place.
SANS Institute strives to achieve this through their high quality training, certifications, scholarship academies, degree programs, cyber ranges, and resources to meet the needs of every cyber professional.
The challenges that currently exist in the cybersecurity landscape have been well documented – and the ramifications for a company hit by an attack can be devastating, both from a financial and brand perspective.
During GISEC 2024, the world’s leading security vendors were demonstrating the solutions and services they are providing to help businesses fight back against cybercrime.
However, we know that one of the biggest challenges in the cybersecurity industry is the skills gap.
SANS Institute has enjoyed phenomenal growth across the Middle East over the last number of years, and they too were onsite at GISEC showcasing the courses and products they have that can empower security professionals with the tools they need to better protect themselves against constantly evolving threat actors.
At GISEC, CNME Editor Mark Forker caught up with Michael Heering to learn more about SANS Institute.
He said their large presence at this year’s edition of GISEC was actually indicative of the growth they have enjoyed in the region.
“We’ve been participating at GISEC for the last 6-7 years, and we’ve grown a lot across the region during that time. Our growth is reflected in our participation at GISEC, as we’ve gone from having a very small corner booth to what we have here today. We’re also trying to position our instructors more, and we’ve been working closely with DWTC and the cybersecurity council to get more of our SANS Institute instructors in the region to help build the knowledge and share the expertise that we need to really improve the cybersecurity landscape,” said Heering.
At this year’s GISEC, Heering explained how it was the first time they had brought their SANS CISO network event to the Middle East region.
“What is new for us this year is our SANS CISO network session that we are hosting, and that is really tailored and geared towards bringing that cybersecurity community across the UAE together. Essentially, we are showcasing that we provide core training, and we want to show that we really are a training partner fundamentally. We want to have conversations at the highest level, and demonstrate how we can partner with organisations in terms of assessing skills and examining the risks and gaps that they have in order to determine the role we can play in helping to close those gaps,” said Heering.
In terms of really tackling that skills gaps, security analysts have said that it is critical that the next generation are exposed to the industry during their formative years.
SANS Institute has been praised for its role in attempting to encourage young people to pursue a career in cybersecurity.
“We have very advanced training in the area of penetration testing and forensics, but, last year, we developed a top table exercise for executive leaders which simulates situations that CISOs will encounter in real life like a data breach, and that is a program that we are starting to expand on, and we really want to bring it to the region to bridge the gaps that exist. However, I think if we are really serious about addressing the skills shortage then it has to start with getting young people within the age bracket of 15-18 to actively want to learn about cybersecurity. We have a new course called Cybersecurity Foundations, whilst we also have CTFs. In 2015, we partnered with the UAE government on a program called Cyber Quest, that was ultimately designed to enthuse young people to get into cybersecurity and consider a career in that industry. This is the path we have to take to really meet the requirements and demands that we can foresee emerging within this space,” said Heering.
It has been said for years that CISOs have been unable to get a seat at the top table at an executive boardroom level, but Heering believes that due to regulations being implemented across the United States, Europe and the Middle East, that is now changing.
“What we have heard for a long time is that CISOs don’t have that seat at the top table, but I do think that this is starting to change. I think a key driver for that is the change in legislation that we’re seeing on a global level, especially in the United States with the rulings we’ve seen with the SEC, and also more on a federal level. In Europe, we have seen the introduction of the NIS2 directive, so there’s been a sea change across the board. In KSA, they are also looking at new cybersecurity regulations, and that enables CISOs to showcase to the board that they are now being held more accountable, so it’s imperative that they give their CISO the ability to create that environment that gives their organisation a stronger cybersecurity posture,” said Heering.
Generative AI can provide security leaders with response strategies based on successful tactics used in past incidents, which can help speed up incident response workflows.
But again, it comes back to skills, knowledge and expertise, and ultimately being able to harness the capabilities of AI.
Once again SANS Institute is leading the charge in this regard, and has launched a course entitled AI Security Essentials for Business Leaders.
Heering went into more detail about the course, and the SANS approach to AI learning.
“The AI Security Essentials for Business Leaders course has come about very quickly, and that was primarily born out of a necessity to learn more about how you deal with AI within the cybersecurity domain. In that course, we are attempting to determine what are some of the best practices in our industry when dealing with AI, how do you train your team and your entire organisation on which applications to use, and the importance of being mindful when it comes to how attackers might use AI for their motives? In addition to that course, we are also introducing new modules that cover AI and the different threats and developments it brings with it throughout our entire curriculum. The AI Security Essentials program is primarily for security leaders, as it gives them a high-level overview in terms of how to deal with AI. The other AI modules are incorporated into our other training programs and that provides other practitioners with the knowledge on how to deal with AI, so are trying to cover all levels across the board,” said Heering.
Heering conceded that there are valid concerns with Gen AI when it comes to data privacy, but stressed that people must be allowed to experiment with the technology as long as they adhere to the guidelines and regulations that have been built around it.
“I think when a new technology arises there are always valid concerns that come with it. The key is to learn about it and determine the best way businesses can incorporate it into their existing systems and applications, but they need to do that by using proper guidelines and best practices. You need to allow for experimentation, and not rush to forbid people from using the technology. If you do that then you create the same problem as shadow IT, where people do it, but they don’t let you know they are doing it. You want people to be transparent about it, and try it out, but again it is critical that when they are doing that, they are operating within the guidelines provided,” said Heering.
Heering concluded a great conversation by declaring that it was the responsibility of SANS Institute and the security industry as a whole to work together to make training and awareness a more common thing.
“There are so many opportunities now for cybersecurity leaders and practitioners to improve and make cybersecurity awareness, and in our case training more common for organisations. The mindset needs to shift, and that’s something we have to continue to strive for and we will,” said Heering.
