Intelligent CISO Issue 91 | Page 25

Senior security and IT leaders unpack how governments and enterprises across the Middle East can evolve from compliance-first security to resilience by design, balancing regulation, budgets, culture and technology to withstand escalating nation-state activity and sophisticated cyberattacks.
As Joergen Floes, VP, Distinguished Engineer – Kyndryl, put it, the most sobering recent lesson came from Ukraine in 2017. “The purpose of those people who did this attack was not to earn money. It was to destroy.”
Floes was involved in major recovery efforts after NotPetya: “They didn’t have any keys to unlock your encrypted systems because they didn’t care.”
That point reframed the discussion – prevention remains essential, but the ability to recover quickly is existential. In the speaker’s words: if you cannot recover, the company is ‘dead’.
The resilience stack: people, process, technology
Resilience requires layered investment across the stack.
At the top, boards must own the risk and fund it appropriately. Several attendees advocated for regulatory pressure that targets directors personally, so that budgets flow to the capabilities that actually matter. That mirrors emerging European regimes that force critical entities not only to improve security, but to prove they can recover core services within defined tolerances.
At the operational layer, leaders urged a pivot from purely reactive SOC metrics to proactive, threat-informed exercises. Ali AlKhamis, CISO of Raya Financing, a Saudi Arabian CISO with two decades’ experience, argued for integrating Cyber Threat Intelligence into daily operations and testing against the top five active threat actors targeting the sector and region. He stressed rigorous focus on mean time to detect (MTTD) and mean time to recover (MTTR), backed by realistic tabletop and red-team / blue-team scenarios tied to adversary TTPs.
At the data layer, the group converged on a hard truth: backup is your last line of cyberdefence. Tape is unfashionable, but air-gapped and immutable copies can be the difference between business recovery and business obituary.
Leaders repeatedly referenced the 3-2-1 rule (three copies, on two different media, one of them offsite) and went further: include isolated, non-routable copies and test restore paths often. As one speaker noted, too many organisations answer ‘yes’ to ‘do you have backups?’ but go silent when asked ‘when did you last test a full restore?’.
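The backup discipline the leaders describe above (3-2-1, plus an isolated non-routable copy, plus a full restore that is actually exercised) is easy to state and rarely verified. As an added example that is not code from the roundtable or from any speaker's organisation, the Python below scores an inventory of backup copies against that policy and then performs a trial restore of a sample archive into a scratch directory, checking every restored file against a SHA-256 manifest kept apart from the archive. The copy inventory, the sample files, the 90-day restore-test window and the function names are all constructed for illustration.

```python
"""Backup posture check and trial restore.

Added illustration of the 3-2-1 rule plus an isolated copy, an immutable
copy and a regularly exercised restore path. Not code from the roundtable
or any speaker's organisation; inventory, sample files and policy numbers
are constructed.
"""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
import time
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    medium: str      # "disk", "tape", "object-storage", ...
    offsite: bool    # held at another site or region
    immutable: bool  # WORM tape, object lock or an equivalent retention lock
    offline: bool    # not reachable from the production network (air-gapped / non-routable)


def check_backup_posture(copies: list[BackupCopy], last_full_restore_test: float,
                         max_test_age_days: int = 90, now: float | None = None) -> dict[str, str]:
    """Return {check: reason} for every failed check; empty dict means the posture passes."""
    now = time.time() if now is None else now
    failures: dict[str, str] = {}
    if len(copies) < 3:
        failures["copies"] = f"{len(copies)} copies, need at least 3"
    media = {c.medium for c in copies}
    if len(media) < 2:
        failures["media"] = "all copies on a single medium"
    if not any(c.offsite for c in copies):
        failures["offsite"] = "no copy held offsite"
    if not any(c.offline for c in copies):
        failures["offline"] = "no isolated copy: an intruder on the production network can reach every copy"
    if not any(c.immutable for c in copies):
        failures["immutable"] = "no immutable copy: backup credentials alone suffice to delete or encrypt them"
    age_days = (now - last_full_restore_test) / 86400
    if age_days > max_test_age_days:
        failures["restore_test"] = f"last full restore test {age_days:.0f} days ago, limit {max_test_age_days}"
    return failures


def make_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Build an in-memory gzip tar of {relative path: content} plus a SHA-256 manifest."""
    buf = io.BytesIO()
    manifest: dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def trial_restore(archive: bytes, manifest: dict[str, str]) -> dict[str, str]:
    """Restore into a scratch directory and verify against the manifest.
    Returns {path: problem}; empty means the restore path really works."""
    problems: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                dest = os.path.realpath(os.path.join(root, member.name))
                # Reject entries that would land outside the scratch root (absolute
                # names or '..' components in a tampered archive) and anything
                # the manifest does not vouch for.
                if not dest.startswith(root + os.sep):
                    problems[member.name] = "path escapes restore directory"
                    continue
                if not member.isfile() or member.name not in manifest:
                    problems[member.name] = "not a regular file listed in the manifest"
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
        for path, expected in manifest.items():
            restored = os.path.join(root, path)
            if not os.path.isfile(restored):
                problems[path] = "missing after restore"
                continue
            with open(restored, "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
            if actual != expected:
                problems[path] = f"checksum mismatch: expected {expected[:12]}, got {actual[:12]}"
    return problems


# Constructed sample data: a tiny application tree and a three-copy inventory.
SAMPLE_FILES = {
    "etc/app/config.yml": b"db: ledger\nlisten: 127.0.0.1:8443\n",
    "var/lib/app/ledger.db": bytes(range(256)) * 4,
    "var/lib/app/keys/signing.pub": b"example-public-key-material\n",
}
SAMPLE_COPIES = [
    BackupCopy("primary-snapshot", "disk", offsite=False, immutable=False, offline=False),
    BackupCopy("cloud-objectlock", "object-storage", offsite=True, immutable=True, offline=False),
    BackupCopy("vault-tape", "tape", offsite=True, immutable=True, offline=True),
]

if __name__ == "__main__":
    now = time.time()
    print("posture:", check_backup_posture(SAMPLE_COPIES, now - 30 * 86400, now=now) or "OK")
    archive, manifest = make_backup(SAMPLE_FILES)
    print("trial restore:", trial_restore(archive, manifest) or "OK")
    tampered = {**SAMPLE_FILES, "var/lib/app/ledger.db": b"\x00" * 16}
    print("tampered restore:", trial_restore(make_backup(tampered)[0], manifest))
```

The two halves answer the two questions the speaker contrasted: the posture check answers "do you have backups?" with more than a yes, and the trial restore answers "when did you last test a full restore?" by actually doing one. In production the manifest must live somewhere the backup credentials cannot alter, otherwise an attacker who rewrites the archive can rewrite the hashes to match.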
Critical infrastructure is different by design
Participants emphasised that critical infrastructure is a different discipline to enterprise IT.
Legacy Operational Technology (OT) dating back decades was not built with security in mind. Patching is constrained by safety, availability and vendor certification. Cloud-native telemetry may be impossible on air-gapped networks. Downtime windows are rare and change must be surgical.
The prescription is defence-in-depth around the crown jewels. If a 1980s-era controller runs an irreplaceable process, you wrap it with robust
Multiple leaders warned against equating regulatory compliance with actual protection.
WWW.INTELLIGENTCISO.COM 25