In my previous columns for The Financial, I explored Oman’s bold tax reforms and how governance is evolving in family businesses and SMEs across the GCC (Gulf Cooperation Council). This article continues that journey, but through a more personal lens.
I write not as a cybersecurity expert, but as a finance and governance professional who is still learning the ropes of cybersecurity. And the more I learn, the clearer it becomes that cybersecurity is no longer just the IT (Information Technology) team’s job. It is a core business issue.
Today, cybersecurity risks are not just technical problems; they are risks to trust, reputation, and business survival.
Across the world, cyber threats are growing more complex. Countries are using cyberattacks as part of their political strategies. These threats don’t involve bombs or bullets but silent, hidden attacks on data systems.
Artificial intelligence (AI) has changed the game. Cybercriminals and even state-sponsored hackers are using AI to learn faster, scan systems for weaknesses, and launch targeted attacks. These threats aren’t just about stealing passwords anymore; they are about long-term infiltration, often without anyone knowing.
In today’s world, where AI is reshaping how we work and communicate, businesses are more exposed than ever. The more digital we become, the more vulnerable we are. Boards and business leaders must step up, not just the IT department.
If leaders don’t take cybersecurity governance seriously, they risk more than a data breach. They risk their credibility, investor confidence, and the future of their business.
A Timeline of Cyber Governance: From Technical Fix to Boardroom Priority
- Pre-2013:
Cybersecurity was rarely discussed at the board level. It was seen as an IT task, focused on firewalls, antivirus software, and system patches. Boardrooms were more concerned with compliance checklists and financial reporting.
- 2013–2021: A Wake-Up Call
This period saw several major cyberattacks that changed how businesses viewed cybersecurity. These events showed that a breach could disrupt operations, damage reputation, and wipe out shareholder value.
- Target (2013): Hackers accessed 40M+ customer records via a third-party vendor. Boards were sued, setting a legal precedent.
- Sony Pictures (2014): Confidential data and emails were leaked, creating internal chaos.
- WannaCry (2017): Ransomware shut down hospitals and public services in 150+ countries.
- SolarWinds (2020): Thousands of firms and government entities were compromised through a software update.
These incidents proved that cybersecurity isn’t just an IT issue; it’s a strategic business risk.
- 2022–Present: Governance Gets Serious
Governments and regulators began holding boards directly responsible:
- In the United States of America (USA), the Securities and Exchange Commission (SEC) now mandates public disclosure of cyber incidents and board-level oversight reporting.
- The European Union’s (EU) NIS2 (Network and Information Systems Directive 2) expanded board accountability and legal responsibility for cyber failures.
- Countries like Singapore, Australia, Japan, and the United Kingdom (UK) strengthened their cyber governance regulations, requiring risk planning and executive awareness.
This global shift makes one thing clear: Cyber governance is now a non-negotiable responsibility for every leadership team.
The Middle East Responds: Progress, Frameworks, and Leadership Gaps
In the GCC, national digital ambitions have made cybersecurity a boardroom priority, but at different levels of maturity across countries.
- United Arab Emirates (UAE)
The UAE has one of the most structured approaches in the region:
- The National Cybersecurity Council sets sector-specific rules for telecom, healthcare, and finance.
- Entities must follow standards like SOC 2 (System and Organization Controls 2), ISO 27001 (the international standard for information security management), and NIST (National Institute of Standards and Technology) frameworks.
- Quarterly risk reports are expected by regulators like the CBUAE (Central Bank of UAE) and TRA (Telecommunications and Digital Government Regulatory Authority).
- Companies in DIFC (Dubai International Financial Centre) and ADGM (Abu Dhabi Global Market) must appoint a Chief Information Security Officer (CISO) and conduct regular penetration testing.
- Saudi Arabia
Saudi Arabia has institutionalised board involvement:
- The SAMA (Saudi Central Bank, formerly the Saudi Arabian Monetary Authority) Cybersecurity Framework requires:
- Cyber risk reviews at the board level every quarter.
- Formal cyber governance policies.
- Independent CISOs who report directly to leadership.
- The National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls (ECC) Framework adds:
- Third-party access controls
- Remediation tracking and maturity assessments
- Other GCC Countries (Qatar, Bahrain, Kuwait, Oman)
These countries are moving in the right direction, but face challenges with enforcement and Small and Medium Enterprise (SME) readiness.
- Qatar has a national strategy, but board-level mandates are still maturing.
- The Central Bank of Bahrain focuses on open banking resilience, but smaller companies are underprepared.
- Kuwait has formed a cybersecurity centre but lacks industry-specific rules.
- Oman’s OCERT (Oman Computer Emergency Readiness Team) provides guidance, but private sector compliance is still evolving.
The frameworks exist, but true effectiveness requires leadership to go beyond minimum requirements. Boards must treat cybersecurity as a business priority, not just a compliance checkbox.
India’s Cyber Journey: A Personal Reflection
As someone born in India, I follow the country’s digital evolution with both pride and urgency. India is tackling cybersecurity on two fronts: public awareness and institutional reforms.
- Since May 2025, a Telecom Regulatory Authority of India (TRAI) amendment has mandated that every commercial SMS (Short Message Service) carry a traceable identity. This improves transparency and prevents phishing.
- The Securities and Exchange Board of India (SEBI) Cybersecurity Framework for financial institutions requires:
- 24/7 Security Operations Centres (SOCs)
- Board-approved cyber policies and biannual audits
- Breach reports within 6 hours of detection
- Mandatory cyber drills and dedicated CISOs
These steps show intent, but like in the GCC, India’s challenge lies in ensuring board-level engagement across all sectors, not just financial services.
Southeast Asia and the Rest of the World: Diverse Models, Shared Risks
- Southeast Asia: Fast Progress, Focused Scope
- Singapore is a regional leader, with the Monetary Authority of Singapore (MAS) enforcing strong board engagement, vendor risk audits, and incident simulation drills.
- Malaysia, Indonesia, and Thailand are developing national frameworks, primarily focused on banks and telecom providers.
While policies are improving, consistent board education and SME participation remain challenges.
- China: State-Led but Opaque
China treats cybersecurity as a matter of national security:
- The 2017 Cybersecurity Law and 2021 Data Security Law require strong internal controls and data classification.
- Oversight is high, but breach transparency and public accountability are limited.
- Africa: Gaining Ground
- Countries like South Africa (Protection of Personal Information Act, POPIA) and Nigeria (National Cybersecurity Policy and Strategy, NCPS) have data protection laws, but skill shortages and budget constraints limit enforcement.
- The African Union’s Convention on cybersecurity remains under-ratified.
- South America: Strong Laws, Mixed Adoption
- Brazil’s LGPD (Lei Geral de Proteção de Dados, the General Data Protection Law) is similar to Europe’s General Data Protection Regulation (GDPR) and has increased board awareness of data governance.
- Mexico and Chile are enforcing stricter breach disclosure rules in financial sectors.
In all regions, the story is similar: Frameworks exist or are emerging, but success depends on how involved business leadership becomes.
From Awareness to Action: What Boards Must Now Do
With $10.5 trillion in projected global cyber losses and over $2.75 billion lost in India alone in 2024, cyber governance has become a board-level imperative.
Here’s how leadership teams can respond:
- Boards Must:
- Make cybersecurity a standing agenda item.
- Review risk dashboards and KPIs quarterly.
- Appoint a qualified CISO with independent reporting access.
- Participate in simulation and recovery drills.
- CEOs Must:
- Promote a culture of early breach reporting without fear.
- Sponsor staff awareness training and playbook drills.
- Oversee clear, tested incident response plans.
- CFOs Must:
- Link cybersecurity budgets to business risk and ROI.
- Audit vendor payments and validate cyber hygiene.
- Quantify cyber exposure in financial disclosures.
- Function Heads Must:
- Embed cyber hygiene in daily operations.
- Lead team-level phishing simulations and audits.
- Be accountable for reporting anomalies.
Final Reflection: Cyber Governance Begins with Curiosity
I didn’t start my career thinking I’d need to understand cybersecurity. Like many leaders, I focused on numbers and compliance.
That changed at Emitac when a phishing scam hit us, not because IT failed, but because cyber governance wasn’t on our radar.
That incident woke me up. Since then, I’ve made it a point to learn more. I’m still learning.
I now understand: You don’t need to know how to code. You just need to care.
Cybersecurity isn’t about tools; it’s about trust. When your data is breached, you lose more than information. You lose your reputation. And you might lose your business.
Whether through IMA webinars, LinkedIn discussions, YouTube explainers, or even ChatGPT, there are ways to stay informed and to lead.
Cyber governance doesn’t begin with IT. It begins with leadership. And leadership begins with awareness.
If this piece has one message, it’s this:
Don’t wait for a breach to act. Governance begins with awareness. And cyber governance starts with leadership.
