And What I Learned from My First Assignment in the Region
In 2015–2016, I had my first client in the security sector: a North American company specializing in airport security and cybersecurity. Their goal was simple—get access to government-level opportunities in the UAE and Saudi Arabia. What made this project unique was how short and efficient it turned out to be, thanks to the network and local market knowledge I had already built over the years.
Step One: UAE – Knowing Who to Talk To
The company asked me to help them reach a senior government stakeholder in the UAE who could become their stakeholder and further advise on available business opportunities. Within two to three weeks—through a few trusted contacts—I was able to identify the right person. I initiated communication over WhatsApp and email, introduced my client, and soon had everyone corresponding directly.
We then spent over a month trying to schedule a face-to-face meeting between the client and the decision-maker. Due to busy schedules on both sides, coordination was difficult. But because of the sector’s sensitivity, a face-to-face meeting was essential to move things forward.
Eventually, a preliminary phone call was arranged to align expectations before committing to a formal meeting. I wasn’t part of the call, but afterward the client informed me that they would not proceed further with the meeting. No deal was made, but a connection was built—and a clear signal received about what it takes to succeed in the UAE security sector.
Step Two: Saudi Arabia – Regulatory Realities
I then shifted focus to Saudi Arabia. After speaking with a few contacts, I quickly discovered that my client’s proposal would not be accepted by any government agency due to specific legislative restrictions. Without disclosing confidential details, I can say that even back in 2015, the cybersecurity sector in both countries was highly regulated, opaque, and difficult for newcomers to navigate.
Ten years later, not much has changed—except that the system has become more transparent, more clearly structured, and more openly regulated.
What’s Required Today: Saudi Arabia
Today, in Saudi Arabia, cybersecurity firms must:
- Register with the designated authority (such as the National Cybersecurity Authority – NCA)
- Establish a local presence, in most cases
- Have 100% local ownership for the most sensitive projects
- Demonstrate a strong track record, prior relevant projects, and proper classification to qualify
What’s Required Today: UAE
The UAE follows a similar approach. Government contracts in cybersecurity and critical infrastructure are subject to strict eligibility criteria, including:
- Local licensing and sometimes majority local ownership
- Approvals from relevant ministries and security bodies
- Due diligence on the company’s previous experience in similar sectors
The Strategic Path for Foreign Firms
Despite these restrictions, foreign cybersecurity firms can still access the market—but usually through sub-contracting partnerships with licensed local entities. This is often the most viable and compliant route, especially for companies just starting to explore the region.
This is also the first piece of advice we give to any foreign cybersecurity company reaching out to us for assistance on the GCC markets – build alliances, identify reputable local partners, and be prepared to transfer know-how in a compliant, strategic manner.
Looking Ahead
With the rise of AI, the expansion of data centers, and new personal data protection regulations, demand for cybersecurity services in the GCC is growing rapidly. But the road to success requires:
- Deep knowledge of local laws and norms
- Strategic communication with stakeholders
- A well-structured local presence
- And above all, timing each move correctly
My 2015–2016 assignment didn’t end with a signed contract—but it laid the groundwork for everything I’ve learned (and advised) in this complex, sensitive sector ever since.
