Egypt’s cyber system: lofty ambitions, but capabilities yet to be built
The focal point is EG CERT, the national incident response team. Providers are still small, unintegrated companies. iSec stands out as one of the few players with regional ambitions, capable of offering both offensive (red team) and defensive services.
by 24Ore NextMed
Egypt has a clear objective: to become a ‘robust, resilient and secure’ country in the digital sphere. This is set out in the National Cybersecurity Strategy 2023–2027, which aims to protect critical infrastructure, foster the growth of a local industry and create skilled jobs. However, there is still a gap between ambition and reality: the industrial landscape is fragmented, training provision is out of step with the market, and the skills gap remains far too wide.
The regulatory framework rests on two pillars: the Cybercrime Act (2018) and the Personal Data Protection Act (2020). However, a comprehensive cybersecurity law that would ensure the consistent application of standards is still being drafted and is not yet in place. On the operational front, the focus is on EG CERT, the national incident response team: a point of reference for critical infrastructure and the public administration, but with a scope that struggles to cover small and medium-sized enterprises, the backbone of the Egyptian economy.
Operators
Most providers are based in Cairo, often with fewer than 50 employees. iSec stands out as one of the few players with regional ambitions, capable of offering both offensive services (red team, penetration testing) and defensive services (SOC, security operations centre, and incident response). Alongside iSec, companies such as Keys Cyber, Absega and WASS cover specific niches: from risk management to 24/7 monitoring, right through to cloud security. The overall picture, however, is that of a fragmented market, with limited capacity to scale up in response to major incidents without the support of international vendors. This dependence can, in times of crisis, slow down the response and increase costs.
As far as education is concerned, there is a wide range of courses on offer, but they are often too theoretical. The major public universities – Cairo University, Ain Shams, Alexandria, Mansoura and Menoufia – incorporate security modules into their computer science and engineering courses, but there are few dedicated full-degree programmes. Exceptions include structured programmes such as that at the Université Française d’Égypte (cybersecurity & communications engineering) or the Arab Open University, which focus on specialised curricula and international exchanges. The Ministry of Communications has launched e-learning initiatives, and certification schemes (including the EC-Council, amongst others) operate in the country. Yet companies continue to highlight the need to train new recruits in-house for 12 to 18 months before they are fully operational.
The mismatch
The crux of the matter is the mismatch between what is taught and what is needed in the field. Companies are looking for skills that can be put to immediate use: management of SOC and SIEM (security information and event management), threat hunting, incident response and malware analysis; on the offensive side, advanced red teaming and exploit development capabilities; in the cloud, secure multi-cloud architectures, container security and DevSecOps (integrating cybersecurity into the software development lifecycle). There is also growing demand for professionals capable of coordinating the various roles involved in detection and automated response. Added to these are essential soft skills: risk communication, critical thinking, and project and stakeholder management. It is in this area that many graduates lack operational skills.

