Cyber Resilience: A Board-Level Priority in the Gulf Region
Cyber resilience has emerged as an essential focus for organizations across the Gulf Cooperation Council (GCC). Amidst heightened regional tensions, rapidly evolving cyber threats, and the swift adoption of artificial intelligence (AI), organizations are rethinking their enterprise risk strategies. Yahya Kassab, the senior director and general manager for Gulf and Saudi Arabia at Commvault, emphasizes that recent geopolitical developments have acted as a wake-up call, prompting businesses to fortify their recovery capabilities and safeguard critical data assets.
Shifting the Focus from Compliance to Cyber Resilience
Historically, many organizations viewed backup and data protection primarily through the lens of compliance. However, as Kassab points out, cyber resilience demands a transformative approach involving different processes, technologies, and recovery strategies. Traditional disaster recovery methods prioritize recovery point objectives (RPOs) and recovery time objectives (RTOs), yet the stakes change dramatically in a cyber incident.
“When facing a cyber attack, the fundamental question shifts to how swiftly one can restore a clean copy of the data,” Kassab states. He explains that if the production environment falls victim to a breach, the disaster recovery environment could be compromised as well. Without robust cyber-resilient capabilities, restoring operations becomes an exceptionally arduous task.
Awareness: The Achilles’ Heel of Cyber Resilience
Despite substantial investments in cybersecurity technologies throughout the GCC, Kassab identifies a critical lack of awareness as one of the region’s most significant challenges. Many organizations mistakenly equate disaster recovery with cyber resilience, leading to precarious gaps in their preparedness.
“Some organizations believe that having a disaster recovery plan equals protection from cyber threats,” he adds. In reality, effective cyber resilience necessitates additional controls and specialized recovery capabilities. Recent high-profile incidents have compelled many IT and security leaders to reassess their vulnerability to ransomware attacks and other disruptive cyber activities. Kassab notes a marked uptick in inquiries from organizations seeking guidance on cyber recovery planning and resilience assessments.
The Double-Edged Sword of AI
The rapid integration of AI technologies into both government and enterprise sectors introduces new complexities to cybersecurity and data protection strategies. Kassab cites the UAE government’s ambition for agentic AI as illustrative of the significant transformation underway. “While AI is crucial for digital transformation, it also brings complexity,” he cautions. Organizations now face the challenge of managing larger volumes of data, new AI-driven identities, and entirely novel operational frameworks.
Commvault approaches AI from three distinctive angles: simplifying operations and threat detection, enhancing visibility and governance of enterprise data, and protecting AI models themselves. The protection of these AI assets is gaining paramount importance, as organizations make significant investments in AI models and their training data, which are vital as any other critical business resource.
As the deployment of agentic AI continues to rise, ensuring the security, governance, and recoverability of AI systems is set to become a top priority for Chief Information Officers (CIOs) throughout the region.
The Rise of Hybrid Cloud as the Default Model
With ongoing digital transformation initiatives and increased investments from hyperscale providers, cloud adoption in Saudi Arabia and the UAE is accelerating at a rapid pace. Kassab suggests the debate has morphed; it’s no longer simply about choosing between cloud and on-premise infrastructure. “Today, the question is not cloud or non-cloud,” he asserts, noting that hybrid cloud models are becoming increasingly prevalent.
Organizations are now evaluating cloud adoption on a granular, workload-by-workload basis. Sensitive applications and data often remain on-premise, while other workloads transition to public cloud environments. “The decision is workload-dependent,” Kassab states. As complexities multiply, there is also a rising demand for unified data protection and cyber resilience platforms capable of securing workloads across diverse environments.
National Transformation Agendas and Cyber Resilience
Gulf governments are vigorously pursuing ambitious digital transformation programs, compelling technology suppliers to adapt their strategies in alignment with local regulatory and sovereignty demands. Kassab mentions that Commvault is closely collaborating with governments across the region to ensure compliance with national cybersecurity frameworks and data residency requirements.
Beyond mere compliance, Commvault is committed to developing local skills and enhancing cybersecurity capacity. The establishment of an Innovation Excellence Centre in Abu Dhabi will focus on research, development, and training for the next generation of cybersecurity professionals. “The goal is to bolster local cyber resilience capabilities,” explains Kassab.
For CIOs in the GCC, the takeaway is clear: cyber resilience is no longer confined to the IT department but has evolved into a crucial business continuity issue. As organizations quicken their cloud strategies, embrace the potential of AI, and navigate a more volatile threat landscape, the ability to swiftly recover trusted data has become just as vital as defending against attacks in the first place.
As the trends continue to unfold, organizations must prepare for a dual approach—developing robust disaster recovery plans while simultaneously investing in cyber recovery solutions. The capacity to recover clean, actionable data and continue operations is arguably one of the highest indicators of an organization’s overall resilience today.