Middle East urged to prioritise prevention as cyber workforce gap hits 300,000

As cyber attacks accelerate and organisations expand their digital footprints, security leaders are being urged to prioritise prevention and zero-trust architectures over expectations that AI will close the region’s growing skills gap

The Middle East’s cyber security workforce shortage is deepening at a time when organisations are accelerating cloud adoption, deploying applications powered by artificial intelligence (AI) and expanding digital services. According to Mastercard’s latest Cyber pulse report, the MENA region faces a shortfall of more than 300,000 cyber security professionals, while 43% of organisations report being understaffed.

For Danny Jenkins, former ethical hacker and co-founder and chief executive of ThreatLocker, the issue is not a lack of awareness around cyber risk, but a shortage of capacity within already stretched security teams. “Most organisations understand the risks they face, but they simply don’t have enough skilled people to investigate every alert,” he said.

“We regularly see security teams responsible for thousands of endpoints with only a handful of staff. That forces them into a reactive mode where they’re constantly responding to incidents instead of reducing risk.”

The result, he said, is increasing alert fatigue, while many security tools and controls remain underutilised or poorly optimised. In fast-growing digital economies such as the UAE, the challenge is becoming more acute as organisations adopt new technologies faster than they can recruit and train cyber professionals.

AI is creating more work for security teams

While artificial intelligence is frequently positioned as a solution to talent shortages, Jenkins argues that the technology is actually raising demand for cyber security expertise. “AI is not reducing the need for cyber security professionals. It’s increasing it,” he said.

According to Jenkins, AI is lowering the barriers to entry for cyber criminals by enabling them to generate sophisticated phishing campaigns, malicious websites, malware and reconnaissance activities with far less technical expertise.

“Activities that once required skilled attackers can now be carried out by a much larger pool of threat actors,” he said. At the same time, organisations are creating new attack surfaces as they deploy AI models, agents and AI-enabled business processes.

“Every new AI tool, AI integration and AI-powered business process introduces a new attack surface. The AI itself needs to be secured, and the entire environment needs to be secured from agentic AI misbehaving.”

Photo of Danny Jenkins, former ethical hacker and co-founder and CEO of ThreatLocker

“Every new AI tool, AI integration and AI-powered business process introduces a new attack surface. The AI itself needs to be secured, and the entire environment needs to be secured from agentic AI misbehaving”

Danny Jenkins, former ethical hacker and co-founder and CEO of ThreatLocker

Despite advances in automation, he believes human expertise remains essential because AI still lacks the contextual understanding required for security decision-making.

“AI still cannot determine intent,” he added. “A program backing up files to the cloud may be a legitimate business application, or it may be data exfiltration. The activity looks similar, but the intent behind it is completely different. Understanding that context still requires human judgement.”

As enterprises increasingly invest in AI-enabled security products, Jenkins believes many organisations risk overestimating the value of AI-powered detection tools.

“I think there’s a false narrative emerging that you need AI-powered threat detection to defend against AI-powered attacks. Detection has value, but by the time a detection alert is generated, the attack has already begun. The goal should be to prevent malicious activity from happening in the first place, not simply detect it faster,” Jenkins said.

He advocates for security architectures built around denial by default, least privilege access and just-in-time permissions. “Those principles have been battle-tested for years and can significantly reduce the impact of both AI-driven attacks and traditional cyber attacks,” he said.

Attackers are moving faster

Jenkins believes the biggest shift security leaders need to prepare for over the next 12 months is AI-assisted vulnerability discovery and exploit development.

“The concern is no longer just AI-generated phishing emails or malware,” he said. “It’s how quickly AI can identify vulnerabilities and help turn them into usable exploits.”

He added that advances in AI models capable of identifying weaknesses in software are forcing defenders to act faster. “If AI can help attackers find vulnerabilities faster, defenders need skilled cyber security professionals who can find and fix those weaknesses first,” he said.

“Whether an attack is created by AI or by a human, it still has to execute code, elevate privileges, move laterally or access data,” he said. “AI may change how attacks are created, but it doesn’t change the fact that organisations must stop unauthorised activity from executing on their systems.”

Digital ambitions driving cyber hiring

The UAE’s push to become a global digital economy is also contributing to demand for security talent across multiple sectors.

“I don’t think the biggest driver is any one sector. It’s the UAE’s ambition to become a global leader in digital services,” Jenkins said.

As organisations migrate more infrastructure to cloud environments, demand is increasing across government, financial services, healthcare, telecommunications, energy and critical infrastructure.

Jenkins said many organisations are struggling to recruit cloud security engineers, security operations centre analysts, incident responders and operational technology specialists. Rather than relying solely on hiring, however, he believes organisations should redesign security operations to reduce workloads.

“There simply aren’t enough qualified cyber security professionals available,” he explained. “The first move I’d recommend is implementing zero-trust controls based on denial by default. If unapproved software can’t execute, you’ve immediately eliminated a huge percentage of potential attacks.”

His second recommendation is to enforce least privilege and just-in-time access, while the third is to work with experienced implementation partners to accelerate deployments. “If you do those three things, every cyber security professional on your team becomes more effective because they’re spending less time responding to preventable incidents and more time focused on genuine threats.”

Read more about cyber security

Read more on Hackers and cybercrime prevention