Cybersecurity Is No Longer Just About Prevention. It's About Recovery
The most consequential cybersecurity investments may no longer be those that strengthen the perimeter, but those that reduce the cost of failure.
Key Takeaways
- The threat has moved inside organizations. The strategic shift is toward faster recovery after a breach.
- The organizations closing the gap fastest are those that built their response architecture before the breach.
- Meeting regulatory requirements tells you what you must have in place, not how fast you can contain, communicate, and recover.
In 2024, a group of Chinese hackers known as Salt Typhoon infiltrated at least nine US telecom firms and numerous companies worldwide in an extensive cyber-espionage operation. They not only stole call metadata but also gained access to court-authorized wiretapping systems. US intelligence reports indicate that this infiltration had been ongoing for a couple of years before it was detected.
The breach serves as a reminder that cybersecurity is entering a new era. The question is no longer whether attackers can penetrate complex systems, but whether organizations are prepared for what happens when they do.
Cybersecurity concerns date back to the 1980s, but it was not until the 2000s that organizations began treating it as a critical business issue. Over the past decade, most organizations ramped up their defenses with firewalls, compliance frameworks, endpoint protection, and security operations centers. The idea was that a strong perimeter would keep the organization safe.
Over time, cybersecurity became focused on prevention. Today, every part of that infrastructure still exists, but it is no longer enough.
AI has reduced costs and increased attack speeds, with current geopolitical tensions intensifying the pressure. Organizations can no longer evade these threats; they must improve their preparedness. The key question is: how can organizations adapt to endure this harsh reality and recover swiftly before the damage worsens?
Evolving Cybersecurity Pressures on Regional Firms
In the backdrop of the US and Israel-Iran conflict, the UAE and the wider Gulf have been hit with intensified cyberattacks targeting financial services, government platforms, ports, and utilities, temporarily disrupting business activity. The UAE continually faces threats, with numbers rising fourfold from approximately 200,000 to nearly 800,000 since the conflict began on February 28, according to the UAE Cyber Security Council.
Even before the conflict, the UAE was facing significant digital threats. Microsoft data revealed it ranked 9th globally and 2nd in the Middle East and Africa for cyber incidents in the first half of 2025. In June 2025, the ransomware group Gunra claimed to have stolen sensitive data from the American Hospital Dubai (AHD), affecting as many as 450 million patient records.
Randolph Barr, Chief Information Security Officer at Cequence Security, says a lot has changed in the threat landscape in the past 12–18 months. “The stuff that used to take a real adversary weeks of work: recon, picking tools, and finding the right vulnerabilities, is now fast-moving,” he says. Previous technology shifts, he adds, gave security teams time to catch their breath, because an attacker still had to grind through real manual work: hand-picking tools, finding the right vulnerability, writing or adapting exploit code. AI hasn’t.
“The threats themselves aren’t new. What’s new is how little time we have to deal with them.”
AI is being used to automate, accelerate, and enhance malicious activities, allowing attackers to operate at machine speed and scale by generating hyper‑realistic phishing emails, creating deepfakes, scanning for vulnerabilities, and developing adaptive malware.
In the Gulf, cyberattacks are now more targeted and persistent. “Adversaries are increasingly taking advantage of how regional digital environments operate, including routing dependencies, shared infrastructure, and visibility gaps across complex networks—particularly across critical infrastructure, financial services, telecoms, and government‑linked organizations,” says Gaurav Mohan, SVP Sales, APAC, India & Middle East, Netscout.
Government-linked platforms and critical sectors like financial services, utilities, ports, and legal systems have been hit hardest. Several government bodies, such as the Dubai Land Department, Dubai Courts, and the Roads and Transport Authority, have reported incidents. There have been attempts to breach the Sharjah Electricity, Water and Gas Authority and the Ministry of Climate Change and Environment.
Most breaches have resulted in temporary disruptions rather than permanent damage, but concerns about risk to core databases and business continuity systems persist.
When organizations can determine which systems are affected, how the attacker moved, and whether containment has been successful within minutes rather than days, they significantly reduce dwell time and limit operational and reputational impact.
— Gaurav Mohan, SVP Sales, APAC, India & Middle East, Netscout
Uzair Gadit, CEO of Secure.com, points to three structural shifts that have made attackers more effective:
1. Collapse of Dwell-time Advantage
Vulnerabilities are now weaponized within days of disclosure rather than weeks or months. The patching cadence most organizations operate at — monthly for routine updates, quarterly for major changes — is now structurally behind the attacker.
2. Third-party Blast Radius
The dominant breach pattern of 2024–25 is no longer “company gets attacked directly.” It’s a “shared SaaS provider or vendor gets compromised, and dozens of downstream customers find out months later.” The breach surface has migrated outside the perimeter most security teams are still defending, into the supplier ecosystem, the API integrations, and the SaaS platforms they depend on but don’t control.
3. Regulatory Acceleration
Three years ago, many major jurisdictions gave organizations 30 to 60 days to disclose a breach after discovery. That breach-disclosure window has compressed dramatically and now runs on 24-, 72-, or 96-hour clocks. In such a short timeframe, organizations often lack clarity on how far attackers reached, what data was touched, whether they’re still inside, or how they entered. As if the window weren’t short enough, missing it carries a hefty price.
Research Context
- Salt Typhoon Breach (2024-25): Chinese state-linked hackers infiltrated at least nine US telecom firms and numerous global companies, stealing call metadata and breaching court-authorized wiretap systems. The intrusion reportedly went undetected for roughly two years.
- World Economic Forum, Global Cybersecurity Outlook 2026: Roughly 85% of organizations in the Middle East and North Africa say they trust national capabilities to manage cyberattacks on critical infrastructure, versus 37% globally— the highest regional confidence level worldwide.
- Microsoft Threat Data (H1 2025): The UAE ranked 9th globally and 2nd across the Middle East and Africa for volume of cyber incidents.
What’s Holding Firms Back From Responding Faster
Knowing a breach is coming and being ready for it are two different things. Is investing in threat intelligence feeds, vulnerability assessments, and compliance audits enough? The gap may not be technological, but organizational. There may not be a one-size-fits-all approach. Our experts point to a set of constraints slowing response times: budget, talent, tools, and a lack of executive mandate.
For Barr, it’s “all four, to be candid.” However, he acknowledges that leadership support has improved substantially. “I’m not really fighting for the budget anymore. The harder tension is that the same leadership team is also pushing us to move faster on AI, and unless you’re in a regulated environment with a clean answer to point to, any pushback from security gets read as a speed bump on innovation.”
Gadit offers a different view, saying it’s “none of the four—though all four are real. The single biggest constraint is the integration layer between them, which most organizations have underinvested in because no individual category owns it.” For him, the real issue is the lack of connection between these parts.
He calls for a layer that turns these four into coordinated outcomes. “Tooling produces signals; talent triages them; budget funds both; executive mandate sets the priority,” he says, urging organizations to invest explicitly in the connective layer.
Responding fast and being wrong is arguably worse than a slower but accurate response, says Mohan. For him, the biggest constraint on swift, accurate responses is often fragmented visibility across security and network environments.

“Most organizations have invested heavily in security tools, but many of those tools operate independently and provide only partial views of activity. During any kind of incident, teams often spend precious time correlating alerts, investigating inconsistent data, and trying to establish a shared understanding of what actually happened and what is happening now in real-time.” This, combined with attackers using multiple techniques—lateral movement, credential misuse, reconnaissance, and legitimate admin tools—that can look harmless in isolation, may result in teams seeing individual alerts without understanding the broader attack path or business impact.
“This creates both a technical and operational challenge. Delays in investigations affect not only containment but also executive decision-making during high-pressure situations. While budget and skills shortages are real concerns, even highly capable teams are constrained if the underlying data is incomplete, fragmented, or unreliable,” he adds.
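The fragmented-visibility problem Mohan describes can be made concrete: each tool sees one step, and only an entity-level correlation across tools shows the attack path. The following is an added illustration written for this article, not code from Netscout or from any product mentioned; the alerts, tool names (edr, idp, ndr), host names and technique labels are all constructed.

```python
"""Correlate alerts from independent tools into one attack path per entity.

Added, constructed example: the alerts below are invented for illustration.
Each tool only sees a slice of the activity, so no single alert is decisive;
a chain of distinct stages against the same host/user in a short window is.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools:
# an EDR agent, an identity provider (idp) and a network sensor (ndr).
SAMPLE_ALERTS = [
    {"ts": "2025-06-01T09:02:00", "tool": "idp", "host": "ws-17", "user": "j.doe",
     "technique": "credential_misuse", "detail": "login from new country"},
    {"ts": "2025-06-01T09:05:00", "tool": "edr", "host": "ws-17", "user": "j.doe",
     "technique": "admin_tool", "detail": "remote-admin tool launched"},
    {"ts": "2025-06-01T09:06:30", "tool": "ndr", "host": "ws-17", "user": "j.doe",
     "technique": "reconnaissance", "detail": "SMB scan of 40 hosts"},
    {"ts": "2025-06-01T09:09:00", "tool": "ndr", "host": "ws-17", "user": "j.doe",
     "technique": "lateral_movement", "detail": "SMB session to fs-01"},
    # A lone admin-tool launch elsewhere: harmless in isolation, stays that way.
    {"ts": "2025-06-01T14:00:00", "tool": "edr", "host": "ws-22", "user": "a.lee",
     "technique": "admin_tool", "detail": "remote-admin tool launched"},
]

# Intrusion stages in the order an analyst would expect to see them.
STAGES = ["credential_misuse", "reconnaissance", "admin_tool", "lateral_movement"]
WINDOW = timedelta(minutes=30)   # how close together the steps must be
MIN_STAGES = 3                   # distinct techniques needed to call it a path


def build_attack_paths(alerts, window=WINDOW, min_stages=MIN_STAGES):
    """Group alerts by (host, user), order them in time, and return one
    attack path per entity whose alerts span at least `min_stages`
    distinct techniques inside `window`."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[(a["host"], a["user"])].append(
            {**a, "ts": datetime.fromisoformat(a["ts"])})

    paths = []
    for (host, user), events in by_entity.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            chain = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            stages = {e["technique"] for e in chain}
            if len(stages) >= min_stages:
                paths.append({
                    "host": host,
                    "user": user,
                    "start": first["ts"].isoformat(),
                    "stages": [s for s in STAGES if s in stages],
                    "tools": sorted({e["tool"] for e in chain}),
                    "steps": [f'{e["ts"]:%H:%M} {e["tool"]}: {e["detail"]}'
                              for e in chain],
                })
                break  # one consolidated path per entity is what the analyst needs
    return paths


if __name__ == "__main__":
    for p in build_attack_paths(SAMPLE_ALERTS):
        print(f"{p['host']}/{p['user']} from {p['start']}: {' -> '.join(p['stages'])}")
        for step in p["steps"]:
            print("   ", step)
```

Run on the constructed alerts, the code reports a single path for ws-17/j.doe spanning all four stages and all three tools, while the isolated admin-tool alert on ws-22 never becomes a path. The window and stage threshold are the tunable parts: too wide and unrelated noise joins a chain, too narrow and a slow-moving intruder is split back into disconnected alerts.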
The Response Architecture Leaders Need to Build
What does a fast response look like in practice? Hussam Sidani, VP – Middle East & North Africa at OPSWAT, argues that speed by itself cannot be the answer. “What determines whether an organization can act in time is whether the alert carries enough telemetry to support a confident decision in a live production environment.”
Developing a layered detection pipeline—consisting of threat reputation checks, dynamic behavioral analysis, threat scoring, IOC extraction, and threat hunting—that generates high-confidence verdicts rather than high-volume alerts is the key.
“Each layer gives the next the context to be decisive. An internal efficacy analysis (Q2 2025) showed that reputation alone captures 48.7% of threats. Include sandboxing, and you reach 99.3%. Now, add in the full pipeline with ML similarity search, and you reach 99.97%,” he says.
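To show what “each layer gives the next the context to be decisive” means in code, here is an added example of a layered pipeline that emits one verdict per artifact, with its evidence and extracted IOCs, instead of one alert per stage. It is constructed for this article and is not OPSWAT’s product or the source of the efficacy figures quoted above; the reputation feed, behaviour weights, similarity scores and sample artifacts are all invented.

```python
"""Layered detection pipeline: reputation -> behaviour -> similarity ->
threat scoring -> IOC extraction, producing a verdict rather than alerts.

Added, constructed example. Feed contents, weights, scores and artifacts are
made up; the structure is what matters.
"""
from dataclasses import dataclass, field

# Constructed reputation feed: artifact hash -> known verdict.
REPUTATION = {"hash-known-bad": "malicious", "hash-known-good": "benign"}

# Constructed weights for behaviours a sandbox might observe.
BEHAVIOR_WEIGHTS = {
    "disables_av": 0.5,
    "writes_run_key": 0.3,
    "beacons_to_new_domain": 0.4,
    "reads_browser_credentials": 0.4,
    "opens_document": 0.0,
}

# Constructed sandbox output per artifact: hash, observed behaviours,
# network contacts, and a made-up similarity score to known families.
SAMPLES = {
    "invoice.exe": {"hash": "hash-unknown-1",
                    "behaviors": ["writes_run_key", "beacons_to_new_domain",
                                  "reads_browser_credentials"],
                    "network": ["203.0.113.7:443", "updates.example.invalid"],
                    "similarity": 0.91},
    "report.docx": {"hash": "hash-unknown-2", "behaviors": ["opens_document"],
                    "network": [], "similarity": 0.04},
    "macro.xlsm": {"hash": "hash-unknown-3", "behaviors": ["writes_run_key"],
                   "network": [], "similarity": 0.20},
    "tool.exe": {"hash": "hash-known-bad", "behaviors": [],
                 "network": ["198.51.100.9:8080"], "similarity": 0.0},
}


@dataclass
class Verdict:
    name: str
    label: str = "unknown"      # malicious | benign | hunt
    confidence: float = 0.0
    escalate: bool = False      # only high-confidence malicious verdicts page an analyst
    evidence: list = field(default_factory=list)
    iocs: list = field(default_factory=list)


def stage_reputation(v, sample):
    """Cheap first layer: a known hash is decisive on its own."""
    known = REPUTATION.get(sample["hash"])
    if known is None:
        v.evidence.append("reputation: hash unknown")
        return False
    v.label, v.confidence = known, 0.99
    v.evidence.append(f"reputation: hash is known {known}")
    return True


def stage_behavior(v, sample):
    """Dynamic analysis: weighted sum of observed behaviours, capped at 1.0."""
    score = min(1.0, sum(BEHAVIOR_WEIGHTS.get(b, 0.0) for b in sample["behaviors"]))
    v.evidence.append(f"behavior score {score:.2f} from {sample['behaviors']}")
    return score


def stage_similarity(v, sample):
    """ML similarity search against known families (score is constructed)."""
    v.evidence.append(f"similarity to known families {sample['similarity']:.2f}")
    return sample["similarity"]


def stage_iocs(v, sample):
    """IOC extraction: network contacts a hunt team can pivot on."""
    v.iocs = sorted(set(sample["network"]))


def run_pipeline(name, sample, escalate_at=0.85):
    v = Verdict(name)
    if not stage_reputation(v, sample):
        behavior = stage_behavior(v, sample)
        similarity = stage_similarity(v, sample)
        # Threat scoring: behaviour carries most of the weight; similarity
        # mainly sharpens confidence once behaviour already looks bad.
        score = 0.7 * behavior + 0.3 * similarity
        if score >= 0.6:
            v.label, v.confidence = "malicious", round(score, 2)
        elif score <= 0.2:
            v.label, v.confidence = "benign", round(1 - score, 2)
        else:
            # Ambiguous: hand to threat hunting with the evidence gathered so far.
            v.label, v.confidence = "hunt", round(score, 2)
    stage_iocs(v, sample)
    v.escalate = v.label == "malicious" and v.confidence >= escalate_at
    return v


def triage(samples):
    """Run every artifact through the pipeline; returns name -> Verdict."""
    return {name: run_pipeline(name, sample) for name, sample in samples.items()}


def escalated(results):
    """Artifacts that reach the analyst as high-confidence verdicts."""
    return sorted(name for name, v in results.items() if v.escalate)


if __name__ == "__main__":
    for v in triage(SAMPLES).values():
        print(f"{v.name}: {v.label} ({v.confidence}) escalate={v.escalate}")
        for line in v.evidence:
            print("   ", line)
        if v.iocs:
            print("    iocs:", ", ".join(v.iocs))
```

The analyst receives two escalations (the known-bad hash and the artifact whose behaviour and similarity both point the same way), one benign verdict that needs no attention, and one ambiguous sample routed to threat hunting together with the evidence each layer recorded. The early return in the reputation stage is the point of layering: a decisive answer stops the more expensive stages from running, while an undecided one passes its context downstream.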
So, what should leaders do differently to eject harmful actors more quickly and more securely?

The most dangerous assumption in security, Sidani says, is believing that last year’s detection rules still work against today’s tactics, techniques, and procedures (TTPs).
The Future of Regional Cyber Strategy
The organizations that will define the next decade of regional business—in financial services, energy, telecommunications, and government services—will not be those that successfully kept attackers out. They will be those who built the internal architecture to survive, contain, and recover when attackers get in. The strategic advantage in the current threat environment does not lie in the best-defended perimeter; it lies in the fastest recovery. And speed alone cannot execute this strategy. It needs to be backed by an intricately designed framework.
Cybersecurity goes beyond organizational plans, with countries actively adopting a proactive stance. According to the World Economic Forum’s Global Cybersecurity Outlook 2026 report, approximately 85% of organizations in the Middle East and North Africa trust their national capabilities to handle cyber incidents targeting critical infrastructure, the highest percentage globally, compared to 37% worldwide.
In the end, the lesson extends far beyond telecommunications. Salt Typhoon demonstrated that even some of the world’s most sophisticated organizations can remain compromised for years without realizing it. In an environment where determined attackers may eventually find a way in, resilience is increasingly defined not by the ability to prevent every breach, but by the ability to detect, contain, and recover quickly from one.
What Leaders Should Do Differently

| Role | What to do differently |
| --- | --- |
| C-suite | Reframe cybersecurity as a recovery-capability question, not a prevention-budget one. Designate accountable owners across detection, response, visibility, and cross-team alignment—and define what “contained within 24 hours” means for your organization before a breach forces the answer. |
| Functional leaders | Audit your security stack against integration depth, not breadth of coverage. If analysts are correlating fragmented alerts rather than acting on high-confidence verdicts, invest in the connective layer between tooling, talent, and decision-making before adding more point solutions. |
| Boards and governance | Require response-readiness assessments for every cybersecurity investment proposal. Scrutinize third-party and SaaS vendor exposure as closely as internal controls, and approve scaling budgets only for initiatives that can demonstrably reduce dwell time and meet your jurisdiction’s disclosure window. |
