Issuu

Building Trust, Reducing Risk.

Unlocking value, reducing risk and building resilience across your business. We help organisations like yours navigate today’s complex cyber risk landscape with confidence.

Our services are designed to assess, strengthen, execute and optimise your risk management capabilities so you can focus on what matters most – growing your business securely.

Scan the QR Code to learn more.

As we head to our 19th edition of Cyber News Global, we will be attending BlackHat 2025 in Riyadh Saudi Arabia for the first time. Cyber Resilience, Ai, Global cyber threats are just a small amount of the many topics that will be discussed over the 3-day event. With this focus comes great opportunity to collaborate where capability is required, BlackHat will huge opportunities for the thousands of companies attending and will also present amazing capabilities to the tens of thousands of visitors looking to expand their knowledge and access to expertise.

The UK Pavilion will be front and centre for the very first time at BlackHat in Hall 2 showcasing the best of the best from the UK, come along to Hall 2 and say hello.

Global experts will come together to share knowledge, capability, and experiences to help shape the future of Cyber Security and the advancements of Ai and Quantum.

Cyber News Global will be there to capture every opportunity that will be presented, we will meet the experts, hear their views, and share their ideas, this is the start of something truly extraordinary, we have the entire Saudi Cyber eco system to thank for such events as BlackHat, truly a world leading event.

With the advancements in Ai and its use being embraced so widely, it’s no surprise that Ai Governance has become a critical process to ensure that everyone understands their responsibility when utilising Ai to expand their capability.

Quantum computing plans to revolutionise industry like never before, with that in mind CNG has yet another excellent Quantum focused article explain the challenges now facing every sector.

So dear readers, don’t loose sleep, know that there is an army of cyber and Ai warriors out there looking at the future.

OT Security - Not Just IT with a Hard Hat On - By Tim Harwood, CEO at Siker Cyber

F1 Cyber Escape Room - By Vanessa Porter, Osp Cyber Academy

The Art of Cyber Attack Prevention- Dr. Ruth Wandhöfer’s A Year of Power Women Leading the Cyber Frontier

Editorial Design

Advertising Events & Partnerships lucy@lucyharveyprcomms.co.uk

marketing@cybernewsglobal.com

media@cybernewsglobal.com

claire@consilioevents.co.uk

CONTRIBUTORS

Disclaimer:

While the GDPR also specifies ‘special category data’, the PDPL’s list is arguably broader in scope, particularly in areas relating to security and public order.

2. Legal Bases for Processing: Consent vs Multi-Basis Flexibility

One of the most significant operational differences between the PDPL and GDPR is how they approach the lawfulness of processing.GDPR: A Flexible Six-Basis Model (for non-special category data) The GDPR lists six equal legal bases for processing personal data:Consent

1. Contract

2. Legal obligation

3. Vital interests

4. Public task

5. Legitimate interest

For most private-sector organisations, legitimate interest is a critical mechanism for justifying processing without requiring consent. This makes GDPR relatively flexible for commercial activities, provided the controller can demonstrate that its interests do not override individuals’ rights. PDPL: Consent as the Default

Under the PDPL, consent is the primary legal basis for processing. Exceptions exist, including:

1.If processing is necessary to fulfil an agreement

2.If required by law

3.If a public entity processes data for security or judicial needs

4.If vital interests are at stake

5.If the controller has a legitimate interest that does not involve sensitive data

On the surface, this appears similar to the GDPR. However, the PDPL’s legitimate interest basis is significantly narrower, especially because it cannot be used for processing sensitive data, it requires that the legitimate interest does not prejudice the rights of the data subject, and it may be further restricted by the implementing regulations.

Organisations operating under the PDPL should therefore anticipate a heavier dependence on consent, particularly for marketing and customer analytics.

3. Data Subject Rights: Similar Names, Different Reach

Both the PDPL and GDPR grant a suite of rights to individuals, including:

• Right of access

• Right to correction and update

• Right to erasure (with limits)

• Right to data portability

• Right to be informed about processing activities

Yet, the GDPR provides a significantly broader and more enforceable set of rights. Rights missing or limited under PDPL include:

• Right to object to processing

• Right to restrict processing

• Rights related to automated decision-making and profiling

• A fully-fledged right to be forgotten

Saudi Arabia’s PDPL does allow individuals to request destruction of data when it is no longer needed, but this is narrower than GDPR Article 17.

The PDPL’s right of access is also more qualified and can be restricted in several scenarios, including national security, public interest, and where access would compromise other individuals’ privacy. This reflects the PDPL’s balance between individual rights and broader state interests, a theme that is consistent throughout the law.

4. Governance and Accountability: Alignment with Some Distinct Differences

Both laws place a strong emphasis on accountability, requiring:

• Data protection policies

• Records of processing

• Security measures

• Personal data breach notification

• Vendor (including processor) oversight

• Organisational and technical controls

• Privacy impact assessments for high-risk processing

The PDPL mandates many of these activities, and the 2023 amendments strengthened the requirement for impact assessments, aligning it with the GDPR’s DPIA requirement.

However, a crucial difference emerges in the authority that regulates data protection.

5. Regulatory Oversight: Stronger State Control Under PDPL

Under the GDPR, each EU country has an independent supervisory authority. These regulators must act independently of government influence, aligning with the EU’s constitutional principles.

By contrast, the PDPL is overseen by a “Competent Authority”, initially the Saudi Data and Artificial Intelligence Authority (SDAIA). The governance structure empowers the authority to:

• Conduct audits

• Request records

• Mandate corrective measures

• Maintain a national database of controllers

• License auditing bodies

• Oversee cross-border transfers

This oversight model reflects the centralised governance priorities of Saudi Arabia, where data protection is closely tied to national cybersecurity and digital transformation strategies.

Organisations operating in Saudi Arabia should expect more direct authority-led oversight compared to Europe.

Saudi Arabia’s PDPL vs the EU’s GDPR: A Comparative Analysis of Two Global Privacy Regimes

6. Cross-Border Data Transfers: A Key Divergence

Cross-border data transfers are one of the most challenging compliance topics globally.

GDPR Approach

Transfers are allowed under:

• European Commission adequacy decisions

• Standard Contractual Clauses (SCCs)

• Binding Corporate Rules (BCRs)

• Derogations for specific scenarios

The GDPR is primarily concerned with ensuring equivalent protection for individuals’ data in the receiving jurisdiction.

PDPL Approach

The PDPL also requires an adequate level of protection, but introduces additional conditions:

•Transfers must not prejudice national security or Saudi vital interests.

•The Competent Authority decides which countries have adequate protection.

•Transfers must meet specific lawful purposes, such as contract fulfilment or serving Saudi Arabia’s interests.

•Emergency exceptions apply only where necessary to protect life or vital interests.

This framework makes PDPL transfers more state-centric than GDPR transfers, which are rights-centric. For organisations, this means data localisation concerns have reduced with the 2023 amendments, but cross-border transfers still require careful regulatory alignment and due diligence.

Saudi Arabia’s transfer regime is designed to ensure control over national data flows, reflecting broader geopolitical and economic considerations.

7. Public Sector Exemptions: A Major Structural Difference

Under the GDPR, public bodies may rely on specific legal bases for processing, but they are not broadly exempt from the regulation.

Under the PDPL, however, public entities receive significantly more flexibility, particularly in:

• Processing without consent

• Access restrictions

• Disclosure control

• Sharing data for security or judicial needs

• Exemptions from certain prohibitions

For example, the PDPL permits public entities to process data without consent if required for national security, public interest, or legal matters.

This distinction reflects Saudi Arabia’s prioritisation of state security, public order, and governmental efficiency, which is consistent with its broader digital governance framework.

8. Security Obligations: Shared Principles, Contextual Differences

Both laws require controllers and processors to implement:

• Organisational measures

• Technical controls

• Incident response

• Access controls

• Encryption practices where appropriate

• Risk-based security governance

The PDPL mandates that breaches be reported to the Competent Authority and to the affected individual, if their rights or interests may be harmed.

This closely mirrors GDPR’s Articles 33 and 34. However, timelines and specific thresholds will be further clarified through implementing regulations and guidance

9. Penal Consequences: Administrative vs Criminal Enforcement

One of the clearest differentiators between the GDPR and PDPL lies in penalties.

GDPR Penalties

•Administrative fines up to €20 million or 4% of global turnover.

•No criminal penalties within the regulation itself. However, EU Member State Data Protection Acts do implement criminal penalties.

•Member States may introduce criminal sanctions separately (but limited in scope).

PDPL Penalties

•Criminal penalties for the unlawful disclosure of sensitive data, including up to 2 years imprisonment and fines up to 3,000,000 SAR.

•Administrative penalties up to 5,000,000 SAR, which may be doubled for repeat offences.

•Public sector employees may face disciplinary action.

This introduces a significantly more punitive environment for certain violations, particularly around sensitive data misuse. While GDPR penalties are often financially larger, PDPL penalties carry personal criminal liability, representing a different risk profile for executives and practitioners.

10. The Reality for Organisations: Operational Impact

Organisations operating in the EU and Saudi Arabia face both opportunities and challenges.

Where PDPL compliance aligns well with GDPR compliance:

•Data inventories and records of processing

•Security frameworks

•Vendor and processor due diligence

•Privacy notices and transparency mechanisms

•Data subject request handling

•Breach management

•DPIA-like risk assessments

GDPR-compliant organisations have a strong starting point.

Where PDPL may require additional controls or adjustments:

•Consent dependency for common processing activities

•Cross-border transfer restrictions

•Documentation of legitimate interest assessments

•Additional public sector requirements

•Specific rules for processing credit data or health data

•Potential appointment of Saudi-based data protection officers (once regulations clarify the criteria)

Organisations should also note that PDPL compliance is closely tied to national digital policy and may evolve quicker than GDPR, whose legal framework is well established.

11. Strategic Implications for Cybersecurity Leaders

For CISOs, DPOs, and compliance leaders, understanding these two laws is not merely an academic exercise, it’s a strategic imperative.

Cybersecurity program alignment

Both PDPL and GDPR require risk-based security, yet PDPL emphasises state interests, meaning organisations may need to:

•Align with national cybersecurity standards.

•Ensure localisation or controlled transfer for critical datasets.

•Prepare for more direct regulator engagement.

Technology procurement and cloud strategy

Cross-border restrictions may influence:

•Cloud vendor selection.

•Data residency planning.

•Encryption and key management architectures.

Consumer trust and market expectations

Saudi Arabia is emerging as a major digital market, and PDPL compliance will become a competitive differentiator, just as GDPR compliance has in Europe.

Global interoperability

As data protection and privacy laws proliferate globally, organisations must think beyond bilateral compliance. PDPL and GDPR interoperability strategies will be essential for streamlining governance, reducing operational cost, and minimising regulatory risk.

12. Conclusion: Privacy Convergence with Distinct National Identity

The Saudi Arabia PDPL and the EU GDPR share many structural similarities. Both laws enshrine individual rights, impose obligations on controllers and processors, require transparency, and mandate strong security. They reflect a global consensus that privacy is a fundamental component of modern digital society.

Yet the differences between the PDPL and GDPR are equally important.

The PDPL is more state-centric, with broader exemptions for public entities, emphasises consent over other legal bases, has stricter conditions for cross-border transfers, includes criminal penalties, and tailors its rules to Saudi Arabia’s national security and economic ambitions.

The GDPR is more individual-centric, with expansive data subject rights, flexible legal bases, multiple established transfer mechanisms, and independent supervisory authorities.For organisations, the message is clear: compliance with one does not guarantee compliance with the other. But GDPR compliance offers a strong foundation, one that can be extended, adapted, and strengthened to meet PDPL standards.

As global data flows expand and digital economies evolve, understanding and navigating the interplay between regional privacy laws is becoming a core competency for cybersecurity and compliance teams alike.

The PDPL / GDPR comparison is just one case study in this broader trend, but it is a critically important one for organisations operating across Europe, the GCC region, or in the global digital marketplace.

CYBER FZ - LLZ RAKEN, United Arab Emirates

OSP

Siker Believe learn

Siker is a leading cyber security firm specialising in training, consulting, and professional services for industries where security is missioncritical. Since 2013, we have been committed to equipping professionals with the knowledge and skills needed to perform their roles securely, ensuring the protection of Critical National Infrastructure (CNI), Oil & Gas, Nuclear, Government, Water, and Transportation sectors against evolving cyber threats.

Awareness & Training Workforce Development

Empowering engineers, OT professionals, and safety teams with industryleading cyber security knowledge

Our experienced staff will conduct a full Learning Needs Analysis (LNA) or Training Needs Analysis (TNA) Based on the findings we will deliver a suite of training courses to suit all your needs

Consulting & Compliance

Identifying vulnerabilities, ensuring compliance, assessing against risk frameworks and strengthening security posture

WHY SIKER?

OT & IT Security Integration

Bridging the gap between IT and Operational Technology for comprehensive protection

ining – Practical cyber security education tailored for engineers and safety professionals

c Expertise – Deep understanding of CNI, Oil & Gas, and OT environments

https://sikercyber com

https://www linkedin com/company/siker-cyber @sikercyber

https://www facebook com/SikerCyber

https://www youtube com/@SikerCyber2013

OT Cyber Security - Not Just IT Security with a hard hat on!

By Tim Harwood, CEO at Siker Cyber

Many years ago I was asked by a very senior executive in a large oil and gas company whether they should really be bothering with cyber as a risk because it ‘just gets in the way of getting oil out of the ground’. I managed to persuade them that there was indeed a substantial risk and I explained it in terms of safety, which of course, they understood.Fast forward to last year (2024) and I had a similar conversation with another energy executive but this time they said ‘I understand we have a cyber risk but the subject is now so large, where do we begin?’ I thought for a while and said ‘Start with these three things:

•Assets (both inventory and configuration)

•Staff awareness and training (who needs what and why it is important to the business)

•A position of incident response (because the bad guys are not going to wait for you to be ready before they attack you)

The executive thought for a while and said ‘hmm sounds like a normal risk type discussion’. The reality is that it is exactly that – we should be talking about this as a form of business risk and not in terms of security. Robert Lee (the CEO of Dragos) once said ‘we should always remember that security isn’t the mission in OT, safe and reliable operations is’ and he is right. Therefore we should always be approaching this as a form of assessing the risk to the process/organisation which is a constantly moving target. We need to be assessing the cyber risk to the process/system in line with appropriate standards such as ISA/IEC 62443-3-2 as well as the Cyber Process Hazard Analysis (PHA) under IEC61511.

In addition, if we are talking about a new project, cyber assessments should always be part of both FAT and SAT as this helps to establish a baseline to refer to when assessing anomalies.

In order to carry out these activities efficiently and effectively, the OT Cyber consultants need to be capable of speaking the language of business. Any findings that emerge from the analysis have be offered and discussed in terms that the business understands including the risk to the organisation.

This can only be done if all sides speak the same language. When discussing areas such as Incident Response you will not progress very far if all the sides involved have a differing view of what an incident is! Therefore, one of the very first activities is to build a common understanding of terminology and acronyms.

If all sides use the same acronym but it means different things to each team, everyone nods when the discussion occurs but they will be thinking about it in very different ways. A good example is the acronym TTL. In IT terms it is used for ‘Time to Live’ in terms of networks, in OT terms it is used for ‘Transistor/Transistor Logic’ and in Physical Security terms it is used for ‘Threats to Life’. Each meaning is correct for the audience but if only the acronym is used things can get very confused!

As with any form of risk, it is all about understanding what you together with how it can be harmed/broken and what the impact of that event is.

However, in OT it is viewed in a slightly different way than IT. The controls used to measure risk in IT may be considered an actual risk in OT. An example of this is illustrated below:

ISO 27001/2 11.2.9 Clear desk and clear screen includes locking the screen when leaving the workstation. However, in OT locking the screen can cause or create unsafe conditions so ISA/IEC 62443-2-1 User 1.18 may actually exclude OT Operator screen lock to avoid slowing down safety response times.

With this in mind, a measure of risk is considered in terms of reducing the risk to a level which can be considered ‘As Low As Reasonably Practicable (ALARP)’ which will allow a certain amount of risk acceptance in order to continue the safe and reliable operation of the process.

Therefore, there will be a differing set of risk analysis methodologies depending on the process and these may include:

• HAZOP (Hazardous Operations)

• PHA (Process Hazard Analysis)

• LOPA (Layers of Protection Analysis)

• QRA (Quantitative Risk Analysis)

Which of these to use may be dictated (or strongly recommended) by the Regulator. The two main risk assessments to start with as described above are:

• ISA/IEC 62443-3-2 can either be high-level or detailed and is used to establish the security level for zoning and communication channels between the zones and produce a structured plan to mitigate risks to an acceptable or tolerable level

• IEC 61511 8.2.4 and 11.2.12 which assesses the risk of a cyber event on the system SIS (Safety Instrumented System)

While all of this sounds very time-consuming and complicated (and potentially very damaging if done incorrectly!) this activity is one that should not be ignored as the worst case scenario in an OT Incident can be very destructive and expensive. A steady approach is needed as well as a true understanding of what ‘Good’ looks like. There is an old English saying that states ‘ do not let the pursuit of perfect get in the way of achieving good’ and this applies to risk assessments in OT.

The last part is, as always, communicate to everyone who needs to know and ensure that they actually understand what you are informing them about. You do not want them misunderstanding what you are saying.

‘The single biggest problem in communication, is the illusion it has occurred’

George Bernard Shaw, British author

CYBER ESCAPE ROOM

When Cyber Security Experts Forget Everything They Know

By Vanessa Porter, OSP Cyber Academy

An escape room designed for security professionals reveals an uncomfortable truth: under pressure, expertise disappears.

The door closes. The clock starts counting down. Twenty minutes to save everything.

Welcome to a cyber security escape room unlike any training session you have attended before. This is not a lecture hall. This is not a simulation on a computer screen. This is a physical room where experienced security professionals must work together to solve a crisis before time runs out.

I have watched hundreds of cyber security professionals enter this room with confidence.

Twenty minutes later, they leave shaken, laughing, and asking themselves one question: “How did I not see that coming?”

The scenario places participants inside a Formula One racing team. A cyber attack has locked them out of their systems.

They have no access to their data. The race starts in twenty minutes. To restore their systems, they must find a six-digit code hidden somewhere in the room. If they fail, they lose the race and cannot exit the building. The pressure is immediate and real.

This escape room was originally designed to teach data protection and cyber security awareness to people who are not interested in security topics.

The experience makes learning fun and memorable. But something unexpected happened when we started running sessions for security professionals themselves. These are people who should know better. Chief Information Security Officers. Security operations teams. Incident response specialists.

They made every mistake they teach others to avoid. What I have learned after running this experience dozens of times is this: knowledge disappears when stress arrives.

The Challenge

The task seems straightforward. Work as a team. Search the room. Find the clues. Solve the puzzles. Enter the code. Save the data. Win the race.

Find the clues. Solve the puzzles. Enter the code. Save the data. Win the race. Exit the building.

Every participant who enters the room is a security professional. Many of them are Chief Information Security Officers. Others work in security operations centers. Some lead incident response teams. These are not beginners. These are people who train others on security protocols, who design defense strategies, who know exactly what to do when systems are compromised.

Yet within minutes of entering the room, everything they know seems to vanish.

What We Observe

The first thing that happens is that rational thought leaves the room. I have watched someone walk in circles holding a book clearly labeled “Passwords” while desperately asking their teammates, “Where are the passwords?” The answer was in their hands. They could not see it.

Communication breaks down immediately. Team members stop talking to each other.

the group. The team structure disappears.

One team, a group of cyber security specialists whose job is to prevent attacks, decided to become what they called “the brute force guys.“ They pulled locks apart. They tried to break open safes. They entered random number combinations hoping to get lucky. When I asked them about it afterwards, they laughed. They said, “We know the most sophisticated tactics are not always the most appropriate.“

They were right, but they missed something important. While they were busy breaking things, they ignored the simpler solutions right in front of them. They also ignored me.This happens with almost every group. I walk around the room. I offer hints. I point to objects they have

The Power of Distraction

The most interesting part of this exercise is how easy it becomes to distract people. I use a technique that every security professional warns against: social engineering.

I approach someone who is close to solving a puzzle. I hand them a random object. I wink at them. They immediately stop what they are doing. They examine the object closely. They turn it over in their hands. They look for hidden meanings. They have completely forgotten what they were working on sixty seconds ago.

Their focus becomes so narrow that they cannot process new information. They are trapped inside their own stress

This should not work on security professionals. They teach others about social engineering attacks. They know that attackers use distraction and misdirection. They have sat through countless training sessions on this exact topic.

Yet it works every single time.

The Security Violations

The irony becomes clear during the debrief. These security experts, who spend their days preventing breaches, make every mistake they would criticize in others.

Cyber Escape Rooms - When Cyber Security Experts Forget Everything They Know (Contd:)

They share passwords openly. When they find a piece of paper with login credentials, they read it aloud to the entire room. They leave sensitive information scattered around instead of securing it. They trust strangers (me) without verification. They click on things without checking if they are safe. They bypass security protocols because they are “in a hurry.“

One participant said afterwards, rushing to meet a deadline. “I just realized I do some of these things at work when I am rushing to meet a deadline.“

The Moment of Recognition

When the exercise ends, participants are energized. They have had fun. They are laughing about their mistakes. The room is full of noise and excitement.

Then comes the reflection session. This is when the energy changes.

I ask them to think about what they did. How did they behave? What choices did they make? How did they work as a team?

The room becomes quiet. You can see the realization moving across faces.“I was completely distracted by something that did not matter.“

“We thought we worked well as a team, but we fell apart immediately.“

“I ignored information because I was convinced I already knew the answer.“

“The pressure took over. I stopped thinking clearly.“

The most powerful moment is when someone says, “This is what happens during a real incident, is it not? We stop thinking clearly. We make mistakes. We miss obvious signs.“ Yes. Exactly.

Why Traditional Training Fails

Most cyber security training follows a pattern. An expert presents information.Participants take notes.

Everyone nods their heads. Someone asks a few questions. The session ends. People return to their desks.

Two weeks later, nobody remembers what was taught.

This approach fails because it does not create the conditions that exist during real security incidents.

Training rooms are calm. There is no pressure. There is time to think. The brain remains in learning mode, not survival mode.

When a real attack happens, everything is different.The pressure is immediate. The stakes are real. Time is running out. This is when training should matter most. This is exactly when it fails.

The escape room works because it creates the same conditions.

The brain releases specific chemicals during stressful, engaging experiences. These chemicals help information stick.

When you feel the pressure, when you make mistakes, when you see the consequences, your brain remembers.

More importantly, you remember how you behaved. You cannot forget the feeling of walking in circles with the answer in your hand. You cannot forget how easily you were distracted.

You cannot forget how pressure made you ignore your training.

The Reality Check

Most teams complete the challenge. I provide encouragement. I offer hints. I guide them toward the solution. They escape with seconds remaining. They celebrate.Then I remind them: during a real cyber attack, I will not be there to help. And while this exercise has time pressure, real attacks are more intense. The consequences are more severe. The attackers are not offering hints.

If experienced security professionals struggle in a controlled environment with support available, what happens during a real incident? This question stays with people long after they leave the room.

The Path Forward

Security awareness training needs to change.

Contact for Escape Room Enquiries: training@ospcyberacademy.com

We cannot keep teaching people in comfortable environments and expecting them to remember during crisis situations.

We need to create experiences that show people how they actually behave under pressure. The escape room is one approach. There are others. What matters is creating situations where people feel the pressure, make the mistakes, and learn from the experience while the stakes are still low.

For conference organizers and security leaders looking for training that creates lasting impact, the question is simple: do you want people to learn about security, or do you want them to learn how they behave when security matters most?

The escape room teaches both.

SCAN ME

techUK is the trade association which brings together people, companies and organisations to realise the positive outcomes of what digital technology can achieve.

Cyber security and resilience underpins the technologies we depend on every day, driving and enabling the growth of the global digital economy. Our Cyber Resilience Programme creates a channel for industry to engage with commercial and government partners, promoting the adoption of cyber technologies and services across key sectors in the UK and internationally.

We provide our members with access to strategic insights to empower them to anticipate challenges and seize emerging opportunities, as well as a platform to help shape a positive regulatory and policy environment with government stakeholders. techUK also collaborates with wider initiatives to strengthen and grow the UK cyber sector, ensuring the ecosystem continues to thrive and deliver long-term value.

The Art of Cyber Attack Prevention

By Dr. Ruth Wandhöfer

Blackwired: A New Kind of Cyber Intelligence Company

The heritage of Blackwired goes back over a decade. Its founder, Jeremy Samide, who worked with U.S. intelligence, began building an intelligence apparatus designed to replicate the tradecraft of military-grade analysts. His goal was to create algorithms that think and act like experienced threat hunters. After more than 10 years of continuous refinement, the result was a machine with unmatched visibility into adversarial behaviour.

In 2022, this capability transitioned into the commercial sector with the formation of Blackwired. Today, the company is positioned as a cyber innovation leader. While specialising in threat intelligence, Blackwired is not confined to it. The company’s philosophy centres on precision, context, and proactive defence—qualities that are often missing in the broader cybersecurity market.

About Dr. Ruth Wandhöfer

Dr. Ruth Wandhöfer spent more than 23 years in financial services—an industry where cybersecurity resilience is fundamental. Much of her career was at Citigroup within global transaction banking. She is an experienced Non-Executive Director and previously chaired the Cyber Security Payments Group of the European Payments Council, working closely with Europol and industry leaders. When introduced to Blackwired during a career transition, she recognised a company doing something fundamentally different.

Ruth is also a Visiting Professor at Bayes Business School (formerly CASS) and advises central banks on projects such as Central Bank Digital Currencies, where cyber resilience is a paramount requirement.

The Problem with Cybersecurity

Cyber losses now run into the trillions annually, despite more than $200 billion invested every year in cybersecurity solutions. According to Ruth, the world has entered what can only be described as a “machine cyber war”—a new era driven by the widespread availability of AI to fraudsters, criminal syndicates and nationstate actors.

Traditional cyber defence remains dominated by detect-and-respond approaches. Organisations often discover threats only after they have already caused damage. The downstream effects can be enormous: a single compromised company can trigger supply chain disruption, impact financial markets, and even shave percentage points off national GDP – Jaguar Land Rover being a case in point.

High-profile cases in the UK and abroad illustrate that this is no longer a matter of isolated ransomware hits or opportunistic phishing. It is systemic probing of national defences, and this demands a paradigm shift to ‘Predict, Prevent and Defeat’.

What Makes Blackwired Different

Where most cyber intelligence models operate after an attack has begun, Blackwired focuses on understanding adversaries before they execute. This s grounded in the Aim–Ready–Fire (ARFi) methodology that mirrors how cyber actors plan, prepare and deploy their campaigns.

Traditional intelligence sharing—often based on open-source data—is inherently right-ofbang. It is reactive. It tells the industry what has already happened.

What Is Direct Threat Intelligence?

Blackwired instead concentrates on adversarial behaviour:

•Who is preparing an attack

•Where they are operating

•How their infrastructure is evolving

•Which organisation or sector they are targeting

•How quickly their campaign is moving from readiness to execution

By identifying attacks in their build and preparation phases, Blackwired enables organisations to block threats at the moment of formation—not after.

Head of European Markets at Blackwired

Dr. Ruth Wandhöfer

The company feeds this verified, evidencebased Direct Threat Intelligence into an organisation’s security stack via API-based orchestration, preventing cyber weapons from reaching their targets. This level of proactive defence is now essential, especially for major corporations whose ability to operate is increasingly threatened by hostile cyber activity.

ThirdWatch: A Breakthrough in Proactive Defence

ThirdWatch, Blackwired’s intelligence platform, visualises the entire adversary ecosystem in 3D - showing how different campaigns interconnect and how quickly they approach execution, including identification of zero detection malware and ransomware.

Key Differentiators

1. A vast and continuously updated cyber weapons data lake ThirdWatch includes millions of malicious artefacts collected from the surface web, deep web and dark web. Because attackers often reuse or adapt existing malware families, this historic dataset enables rapid pattern recognition and variant identification.

2. AI trained on true intelligence tradecraft The platform’s models learn adversarial behaviour—not only signatures or IOCs—allowing them to map campaigns, predict progression and understand intent.

3. Zero-day identification and deep darkweb collection Blackwired specialises in identifying malicious assets and infrastructure before they are deployed, often long before they appear in commercial threat feeds.

4. Zero-touch, external visibility The platform never requires access behind a customer’s firewall. It observes the adversary space externally, then uses an API to orchestrate intelligence into endpoints with speed and precision.

5. No false positives All intelligence is evidence-based and verified. This eliminates the costly human verification burden that overwhelms many SOC teams.

These elements combine to create Direct Threat Intelligence—intelligence derived not from compromised systems, but from observing adversaries themselves in real time.

ThirdWatch

ThirdWatch is the only cyber securityplatform capable of producing Direct Threat Intelligence (DTI), i.e. cyber threat insights and analysis specific to an organization at global, regional, country and organizational levels.

The Platform’s Third Party Risk Intelligence Module enables organisations to score third party and supply chain risk, based on priority and operational importance, whereas the enhanced Attack Surface Management Module (eASM) maps the direct, external threats facing an organisation to its known vulnerabilities, delivering rapid prioritisation.

Using graph technology, ThirdWatch visualises the entire adversary ecosystem in 3D—showing how different campaigns interconnect and how quickly they approach execution.

What’s Next for 2026?

Looking ahead, Ruth emphasises that 2026 will be a challenging year. Anticipated developments include:

•Greater nation-state and organised crime led cyber-attacks of critical national infrastructure

•Continued growth of ransomware and extortion models

•Escalation in deepfake-driven fraud

•Rising dependency risks in third-party and cloud ecosystems

•The emergence of “shadow AI” inside organisations

•Increased targeting of crypto, DeFi and stablecoin markets

•The growing urgency of quantum-resilient encryption

Yet Ruth also stresses that the defensive use of AI—when deployed at the right architectural level—offers a route to resilience. Understanding where attackers sit across the OSI model, and spotting malicious behaviour long before execution, will define the organisations that remain secure in the years ahead

INNOVATING

GRC:

GOVERNANCE . RISK . COMPLIANCE SERVICE & CAPABILITY ASSESSMENTS

TRANSFORM YOUR BUSINESS WITH GRC WORKSHOPS

ISMS & PIMS, RELEVANT FRAMEWORKS & BEST PRACTICES

RISK MANAGEMENT APPROACH SETTING UP GOVERNANCE WITHIN YOUR ORGANISATION

COMPLIANCE EFFORTS

BLACKHAT Hall 2 UK Pavilion

Irene Coyle OSP Cyber Academy

CONNECT, COLLABORATE AND GROW IN NORTH EAST ENGLAND

What makes North East England the ideal destination for cyber, data & AI businesses?

Backed by a strong mix of industry, academic and technical cyber security, data & AI capability, North East England is leading innovation and growth in the sector.

The region’s world-leading skills, assets and facilities provide a unique environment for prestartups, startups and trading businesses.

With the UK Government’s recent designation of the North East as an AI Growth Zone , the region is leading the AI revolution. The rapid expansion of the AI sector will require significant support from the cyber security sector, and North East England is poised to seize the opportunity.

Home to more than 100 businesses delivering cyber services and a region-wide ecosystem supporting sector growth, cyber security companies based in North East England benefit from a collaborative network and an established infrastructure, making it the ideal location to develop the technologies of the future.

Newcastle upon Tyne

CyberNorth

The region’s dedicated cyber security cluster is spearheading the growth of North East England’s cyber security ecosystem.

What support is available?

North East AI Growth Zone

Designated by UK Government as the first AI Growth Zone, North East England is at the heart of the UK’s AI future.

CyberNorth

The region’s dedicated cyber security cluster is spearheading the growth of North East England’s cyber security ecosystem.

An established ecosystem

Market-leading companies including Sage, Accenture, Waterstons, Aspire Technology Solutions and Arctic Wolf are all based in the North East.

World-class research and talent

Newcastle, Northumbria, Durham and Sunderland universities are global leaders in computing, data science and cyber research.

Invest North East England

The first point of contact for companies looking to locate and invest in the region.

The team connects businesses to the region’s network of specialist organisations and individuals and provides the information, support and advice essential for businesses looking to locate in North East England.

A pipeline of future talent

Thousands of students graduate in the region each year with computer science, cyber and IT-related qualifications.

How CyberNorth supports cyber security, tech and AI businesses.

Bringing together business, academia and the public sector across cyber, AI and data, we create the conditions for innovation to thrive, talent to grow and collaboration to deliver real impact.

Ecosystem

We’re the glue that holds the region’s cyber community together, connecting people, projects and purpose to deliver lasting change.

CONNECT, COLLABORATE AND GROW IN NORTH EAST ENGLAND (CONTD:)

Innovation

We help ideas take off. From startups to established organisations, we connect innovators with the support and partnerships they need to scale and lead.

Skills

We open doors and develop talent, creating pathways for people and businesses to grow today and tomorrow.

TRADE MISSION BUSINESS

Hicomply is the compliance automation platform built for fastgrowing businesses that want to crush audits, unlock revenue and stay ahead of risk, without the stress.

Whether you’re working towards ISO 27001, SOC 2, ISO 42001, GDPR or juggling multiple frameworks, Hicomply automates the heavy lifting and keeps you compliant over time.

Real-time risk dashboards. Autoassigned tasks. Instant evidence. One platform. Zero drama.

Adam Dixon - Senior Vice President of Sales

E: adam.dixon@hicomply.com

M: +44 (0)7903 789710

W: www.hicomply.com

We turn collaboration into action.

TRADE MISSION BUSINESS

Punk Security help companies build secure software through expert consultancy, online and in-person training events, penetration testing and embedded resourcing.

Simon Gurney - Managing Director

E: simon.gurney@punksecurity. co.uk

M: +44 (0)7419 832573

W: www.punksecurity.co.uk

Their consultants are all experienced developers, with the security expertise required to integrate security throughout the software development process.

The company has found a real sense of belonging in the North East, which is amazingly supportive of the growing cyber industry. Cyber North, and more recently the North East Combined Authority, have been the key drivers behind this community.

Trade Mission Business

Barbara Spooner MBEE:

E: barbara.s@ds-cic.com

M: +44 (0)7419 832573

W: www.ds-cic.com

The Digital Safety mission is to empower people and communities to live, work and play with safety and confidence in a digital world.

All Digital Safety services are designed to adapt to the evolving needs oforganisations and communities, integrating technical expertise with practical, people-focused strategies. We provide clients with the knowledge to build robust cyber resilience, develop their teams’ capabilities, and keep pace with a rapidly changing world. Each project is tailored to the client realworld risk, providing guidance and support at every stage.

We help organisations achieve Cyber Essentials (CE) and CE Plus certification, identify and resolve website vulnerabilities, and perform penetration testing in both IT and OT environments.

Mark Addis

E: mark.a@ds-cic.com

M: +44 (0)7419 832573

W: www.ds-cic.com

Our other services ensure GDPR compliance, provide CISO-level strategic advice and develop security processes tailored to clients’ operations. We also have a team of experts who deliver training, based on real world scenarios, in Digital Safety, Cryptocurrency, OSINT, and all levels of Leadership.

Dr Ameer Al-Nemrat

E: cyber@ds-cic.com

M: +44 (0)7976 90295

W: www.ds-cic.com

CONNECT. COLLABORATE. GROW. Contact: hello@cybernorth.biz www.cybernorth.biz

Your Trusted Global Partner in Data Protection & Privacy Compliance

Data protection is no longer just a European issue — it’s a global business imperative. Across the Middle East, organisations are adapting to new data protection laws such as the UAE PDPL, KSA PDPL, and DIFC DP Law 2020. At XpertDPO, we help you navigate these evolving regulations with clarity, confidence, and integrity.

As experienced Data Protection Officers (DPOs) and GDPR specialists, our team brings international expertise and local understanding to ensure your organisation meets compliance requirements — efficiently and ethically.

Our Services

Outsourced and Fractional DPO Services

Gain access to senior data protection expertise without the cost of a full-time hire. We act as your independent DPO, advising on compliance, monitoring obligations, and liaising with regulators across Europe and the Middle East.

Training and Awareness

Build your organisation’s data protection culture through bespoke workshops, leadership briefings, and employee awareness sessions.

Specialist Data Protection Support

Enhance compliance function with expert support in:

- DPIAs – Data Protection Impact Assessments

- DSARs – Data Subject Access Requests

- Regulatory & Audit Response

- Due Diligence for M&A

- GDPR & PDPL Alignment

Industry Expertise

Trusted by clients in finance, healthcare, education, and technology, including organisations managing clinical trials and cross-border data transfers.

Why Organisations Choose XpertDPO

• Global Expertise, Local Insight — Deep understanding of both EU and GCC data protection frameworks.

• Ethical & Transparent — No fear-based selling, just honest, practical advice.

• Pragmatic & Results-Focused — Compliance that supports your business, not hinders it.

• Trusted & Independent — A proven European partner now supporting clients across the Middle East.

Protecting Your Data. Strengthening Your Trust.

At XpertDPO, we combine legal precision with business practicality — helping you manage risk, demonstrate compliance, and earn the trust of your customers and regulators.

We don’t just help you meet regulations — we help you build confidence through compliance. XpertDPO — Ethical. Pragmatic. Trusted.

DRONES ARE USING YESTERDAY’S LOCKS ON TOMORROW’S THREATS: THE QUANTUM ENCRYPTION EMERGENCY

In an era where unmanned aerial vehicles (UAVs), or drones, are becoming increasingly integral to industries ranging from logistics and agriculture to defence and surveillance, a new cybersecurity threat is emerging. The advent of quantum computing is rapidly approaching a reality that could render our current encryption standards obsolete. This article explores the imminent dangers of quantum computing to drone security, the critical need for a cryptography readiness assessment, and the urgency with which organizations must act.

The Unseen Threat: Quantum Computing vs. Drone Encryption

The security of modern drones relies heavily on classical cryptographic algorithms to protect communication channels, control systems, and data. These encryption methods, such as RSA and Elliptic Curve Cryptography (ECC), have been sufficient to ward off conventional cyberattacks. However, quantum computers are poised to shatter this foundation.

Quantum computers operate on quantum mechanics principles, solving certain complex problems exponentially faster than classical supercomputers. Shor’s algorithm, a quantum algorithm, will be able to break widely used encryption protocols in hours or minutes once a sufficiently powerful quantum computer is built.

For drone operations, the implications are profound. A quantum-capable adversary could potentially:

• Intercept and decrypt sensitive data transmitted from drones, including real-time video feeds, surveillance imagery, and proprietary information.

• Hijack drone controls, leading to unauthorized flight paths, mission sabotage, or even the weaponization of commercial drones.

• Spoof communication signals, tricking drones into communicating with malicious ground stations and compromising entire fleets.

• Examples of Potential Quantum Attacks on Drones

To better understand the real-world implications, consider these potential attack scenarios:

• Man-in-the-Middle (MitM) Attacks: A quantum adversary could intercept the communication link between a drone and its operator. By breaking the encryption in real-time, they could inject malicious commands, such as altering the drone‘s flight path to cause a collision or divert it to a new location for capture.

• Data Theft and Espionage: A military surveillance drone transmitting encrypted video of a sensitive location could have its data intercepted and decrypted by a quantum computer. This would expose classified information to an enemy, compromising national security.

• Fleet-wide Disruption: In a drone delivery network, a quantum attacker could break the encryption used to manage the fleet. They could then issue commands to ground all drones, reroute them to incorrect destinations, or cause them to drop their payloads, leading to massive logistical chaos and financial loss.

Once the adversary gains access to a cryptographically relevant quantum computer, they use it to break the encryption on the stored communications, revealing the drone’s control protocols, flight patterns, and vulnerabilities. With this knowledge—and the ability to forge signed firmware— they can now both spoof operator commands and install custom malicious firmware on a similar drone in the fleet.

Shor’s algorithm, a quantum algorithm, will be able to break widely used encryption protocols in hours or minutes once a sufficiently powerful quantum computer is built.

A Case Study in Quantum Vulnerability: The

Takeover of a Critical Infrastructure Drone

Imagine a scenario where a specialized drone is conducting a routine inspection of a national power grid. The drone uses industry-standard RSA encryption to secure its command-and-control communications— encryption that is considered safe today. However, a sophisticated adversary has been recording all the drone‘s encrypted communications for months as part of a “harvest now, decrypt later” strategy.

This threat extends beyond communication links. Drones run on embedded firmware, which may contain latent vulnerabilities. While manufacturers cryptographically sign and encrypt firmware updates to ensure authenticity and prevent tampering, this trust model is still based on classical cryptography. Under a “sign today, forge tomorrow (STFT)” quantum threat model, an attacker who stores these signed firmware packages today may later use a cryptographically relevant quantum computer to forge valid signatures. This would allow them to push a malicious firmware update—one that appears legitimate—to a drone via its normal over-the-air update channel or through a compromised ground-control computer.

The consequences are catastrophic. The attacker could crash the drone into a critical substation, causing a widespread power outage affecting millions of people and costing billions in economic damage. They could also use the drone’s own sensors to gather intelligence on the grid’s weaknesses for future attacks. What was once science fiction is now a tangible risk for any organization that fails to transition both communications and firmware-signing workflows to quantum-safe cryptography.

Gauging Your Defences: The Cryptography Readiness Assessment

Given the quantum threat’s gravity, organizations must conduct a cryptographic readiness assessment to understand their vulnerability to quantum attacks and develop a secure transition strategy. This assessment comprehensively evaluates current cryptographic systems and organizational ability to adapt to quantum-resistant standards.

A crypto readiness assessment typically involves the following key steps:

DRONES ARE USING YESTERDAY’S LOCKS ON TOMORROW’S

THREATS: THE QUANTUM ENCRYPTION EMERGENCY (CONTD:)

1.Cryptographic Inventory: The first step is to create a complete inventory of all cryptographic algorithms, protocols, and keys used across your drone fleet and supporting infrastructure. This includes communication links, data storage, and command-and-control systems.

2.Vulnerability Analysis: Once you have a complete inventory, you can analyze which of your cryptographic assets are vulnerable to quantum attacks. This will help you prioritize which systems need to be upgraded first.

3.Agility Assessment: This step evaluates your organization’s ability to transition to new cryptographic standards. It assesses the flexibility of your systems, the expertise of your personnel, and the resources available for a large-scale cryptographic migration.

4. Migration Roadmap: Based on the findings of the previous steps, you can develop a detailed roadmap for migrating to post-quantum cryptography (PQC). This roadmap should include a timeline, budget, and a prioritized list of systems to be upgraded.

The Urgency: Why You Must Act Now

The quantum threat is not a distant problem. According to the 2024 Quantum Threat Timeline Report from the Global Risk Institute, a credible quantum threat could emerge between 2028 and 2035. This may seem like a comfortable timeframe, but the reality is that the danger is already here. Adversaries are likely already engaging in “harvest now, decrypt later” attacks, where they collect encrypted data today with the intention of decrypting it once a powerful quantum computer is available. For organizations with sensitive data that needs to remain secure for many years, this is an immediate and critical threat.

The transition to PQC is complex and time-consuming, involving updates to hardware, software, and protocols organizationwide. Waiting until the last minute will be more expensive and disruptive while leaving organizations vulnerable. Starting now ensures a smooth transition to a quantumresistant future.

Securing the Future of Drone Technology

The drone revolution is just beginning, and its potential to transform our world is immense. However, to fully realize this potential, we must address the security challenges that lie ahead. The quantum threat is one of the most significant challenges we face, but it is not insurmountable.

By taking a proactive approach to cybersecurity, conducting a thorough crypto readiness assessment, and beginning the transition to postquantum cryptography, we can ensure that our drone fleets remain secure and that the future of drone technology is a safe and prosperous one.

References

Global Risk Institute. (2024, December 6). Quantum Threat Timeline Report 2024. Retrieved from https://globalriskinstitute.org/ publication/2024-quantum-threattimeline-report/

Navigating the Complex Landscape of AI Governance: Implementation

Challenges and Regulatory Fragmentation -

The rapid proliferation of artificial intelligence across organizational functions has created an unprecedented governance challenge for enterprises worldwide. While AI promises transformative benefits ranging from operational efficiency to enhanced decision-making capabilities, the absence of mature governance frameworks and the emergence of fragmented regulatory requirements pose significant risks to organizations attempting to harness these technologies responsibly.

The complexity of AI governance extends beyond traditional IT governance models, requiring organizations to navigate technical, ethical, legal, and operational dimensions simultaneously while contending with an evolving and often contradictory regulatory landscape.

The Multifaceted Nature of AI Governance Challenges

Organizations implementing AI governance face a fundamental challenge in defining the scope and boundaries of their governance frameworks. Unlike traditional IT systems where inputs, processes, and outputs are deterministic and predictable, AI systems exhibit probabilistic behaviors that can evolve through continuous learning.

VIJAY VELAYUTHAM Principal Information Security Officer Cyber Security Unit

This characteristic makes it exceptionally difficult to establish fixed governance parameters. Organizations struggle to implement controls that can adapt to the dynamic nature of AI while maintaining sufficient rigor to ensure accountability and compliance.The technical complexity of modern AI systems presents another significant barrier to effective governance.

Machine learning models, particularly deep learning architectures, operate as “black boxes” where decision-making processes remain opaque even to their developers.

This lack of explainability creates substantial challenges for governance teams attempting to implement oversight mechanisms, conduct risk assessments, or demonstrate compliance with regulatory requirements that demand transparency in automated decision-making processes.

Organizations find themselves caught between the competitive advantages offered by sophisticated AI models and the governance requirements for interpretability and auditability.

Data governance has quickly emerged as a particularly acute challenge within AI governance frameworks. AI systems require vast amounts of data for training and operation, yet organizations often lack comprehensive visibility into their data landscapes. Issues surrounding data quality, lineage, bias, and privacy become amplified when data feeds into AI systems that make consequential decisions.

The challenge intensifies when organizations must reconcile data governance requirements across different jurisdictions, each with distinct perspectives on data sovereignty, privacy rights, and permissible uses of personal information in AI applications.

The skills gap represents another critical implementation challenge. Effective AI governance requires a rare combination of technical expertise, regulatory knowledge, ethical reasoning, and business acumen. Most organizations lack sufficient personnel who understand both the technical intricacies of AI systems and the broader governance implications. This shortage extends beyond the governance function itself; board members and senior executives often lack the necessary understanding to provide meaningful oversight of AI initiatives, creating governance vulnerabilities at the highest organizational levels.

Organizational and Cultural Barriers

Beyond technical challenges, organizations face substantial cultural and structural barriers to implementing effective AI governance.The pace of AI innovation often conflicts with traditional governance processes designed for stability and control. Development teams operating under agile methodologies and rapid deployment cycles frequently view governance requirements as impediments to innovation. This tension between innovation velocity and governance rigor creates friction that can undermine both objectives if not carefully managed.

The distributed nature of AI adoption within organizations complicates governance efforts.

Unlike centralized IT systems, AI capabilities increasingly embed within business functions through low-code platforms, automated tools, and shadow AI initiatives. This democratization of AI, while beneficial for innovation, creates governance blind spots where AI applications operate outside established oversight mechanisms. Organizations struggle to maintain visibility and control over AI systems that proliferate organically across departments without central coordination.

Risk assessment for AI systems presents unique challenges that traditional risk management frameworks inadequately address. AI risks span multiple dimensions including algorithmic bias, model drift, adversarial attacks, privacy violations, and reputational damage from AI failures.

These risks often manifest in unexpected ways and can cascade through interconnected systems. Organizations find their existing risk assessment methodologies insufficient for capturing the full spectrum of AI-related risks, particularly those emerging from the interaction between AI systems and complex operational environments.

Navigating the Complex Landscape of AI Governance: Implementation Challenges and Regulatory Fragmentation -

By VIJAY VELAYUTHAM Principal Information Security Officer Cyber Security Unit

The Regulatory Maze: Navigating Multiple and Overlapping Requirements

The regulatory landscape for AI governance presents organizations with a complex web of requirements that vary significantly across jurisdictions and sectors. The European Union’s AI Act establishes comprehensive requirements for high-risk AI applications, while the United States adopts a more sectoral approach with different agencies imposing distinct requirements. Meanwhile, countries in Asia-Pacific and the Middle East are developing their own regulatory frameworks, each reflecting unique cultural values and governance philosophies. Organizations operating globally must navigate this patchwork of regulations, often finding themselves subject to conflicting or incompatible requirements.

The overlap between AI-specific regulations and existing compliance frameworks creates additional complexity. Organizations must reconcile AI governance requirements with established regulations such as GDPR for data protection, sectoral regulations for financial services or healthcare, and broader cybersecurity frameworks. These overlapping requirements often address similar concerns from different perspectives, creating redundancies and contradictions that complicate compliance efforts. For instance, transparency requirements under AI regulations may conflict with intellectual property protections or competitive considerations that organizations must balance.The temporal dimension of regulatory compliance adds another layer of complexity. Regulations evolve at different rates across jurisdictions, with some regions rapidly updating requirements while others maintain static frameworks.

Organizations must build governance structures flexible enough to accommodate regulatory changes while maintaining operational stability. This challenge intensifies when organizations deploy AI systems trained on historical data that must comply with regulations enacted after system development began.

Regulatory uncertainty represents a particularly acute challenge for organizations attempting to implement forward-looking AI governance. Many jurisdictions remain in early stages of AI regulation development, leaving organizations to anticipate future requirements without clear guidance. This uncertainty complicates investment decisions, system design choices, and governance framework development. Organizations must balance the risk of over-engineering governance structures against the potential consequences of regulatory non-compliance as requirements crystallize.

Practical Implementation Challenges

The translation of governance principles into operational practice presents numerous practical challenges. Organizations struggle to implement meaningful accountability mechanisms for AI decisions, particularly when multiple stakeholders contribute to system development and deployment. Establishing clear lines of responsibility becomes complex when data scientists, engineers, business analysts, and external vendors all influence AI system behavior. The challenge intensifies for AI systems that learn and adapt post-deployment, raising questions about ongoing accountability for system evolution.

Monitoring and auditing AI systems require sophisticated technical capabilities that many organizations lack. Traditional audit approaches prove inadequate for examining AI systems that process millions of decisions with complex, non-linear logic.

Organizations must develop new audit methodologies, tools, and skills while ensuring audit functions maintain independence from development teams. The dynamic nature of AI systems necessitates continuous monitoring rather than periodic reviews, demanding resources and expertise that strain organizational capabilities.

Recommendations for Organizations

Despite these challenges, organizations can take concrete steps to build effective AI governance frameworks. Establishing a dedicated AI governance function with crossfunctional representation ensures comprehensive oversight while maintaining agility. This function should report to senior leadership and have authority to influence AI development and deployment decisions across the organization.

Regular training programs can address skills gaps, while partnerships with academic institutions and consultancies can provide specialized expertise.

Organizations should adopt riskbased approaches that prioritize governance efforts on high-impact AI applications while allowing experimentation with lower-risk systems. Implementing technical solutions such as model registries, automated bias detection, and explainability tools can provide the infrastructure necessary for effective governance.

Most importantly, organizations must foster cultures that view governance not as an impediment but as an enabler of sustainable AI innovation.

Conclusion

The challenges of implementing AI governance reflect the transformative nature of AI technology itself. Organizations must navigate technical complexity, organizational barriers, and regulatory fragmentation while maintaining competitive positioning in rapidly evolving markets.

As organizations accelerate their AI adoption initiatives, AI governance has emerged as arguably the most pressing challenge they face—more critical than technical implementation, talent acquisition, or even funding considerations. Without robust governance frameworks, organizations risk regulatory violations, ethical failures, and loss of stakeholder trust that can derail entire AI transformation efforts. Success requires recognizing that AI governance cannot be achieved through traditional approaches but demands new frameworks, capabilities, and mindsets. As regulatory requirements continue to evolve and AI capabilities expand, organizations that invest in robust, adaptive governance frameworks will be best positioned to realize AI’s benefits while managing its risks. The path forward requires sustained commitment, continuous learning, and recognition that effective AI governance is not a destination but an ongoing journey of adaptation and improvement. Indeed, the ability to implement effective AI governance may well determine which organizations successfully harness AI’s transformative potential and which fall victim to its risks.

WiCSME 2025: A Year of Power, Presence, and

Women Leading the Cyber Frontier

2025 marked a turning point for women in cybersecurity across the Middle East. It was a year where WiCSME — Women in CyberSecurity Middle East — expanded its presence across borders, amplified women’s voices in global forums, and drove national-level cyber transformation programs across the GCC and beyond.

From the UN Head Quarters in New York to GFCE’s Annual Summit in Geneva, and across the national cyber ecosystems of Kuwait, UAE, Egypt, Qatar, Bahrain, Saudi Arabia, Oman, and Jordan — WiCSME women were at the heart of the region’s most impactful cybersecurity milestones. This is the story of WiCSME’s most influential year yet.

GLOBAL PRESENCE & RECOGNITION

Women of the Middle East on the World Stage

At the United Nations

In a historic moment, Dr. Reem Faraj AlShammari represented WiCSME (the 1st UN’s accredited Women in Cyber non-profit entity) as WiCSME Chair and delivered WiCSME’s statement at United Nation’s Open-Ended Working Group (OEWG) on security of and in the use of Information and Communications Technologies 2021-2025 in its11th Substantive Session July, 2025— representing +3000 Women across 22 Arab nations and reinforcing the region’s leadership in global cyber diplomacy.

At GFCE Geneva

At the Global Forum on Cyber Expertise (GFCE) Annual Summit, Irene Corpuz, WICSME Head of Communications and Governance represented WiCSME in conversations on million cybersecurity roles worldwide.

WiCSME was highlighted as a blue print and a practical model for regional capacity building.

World’s Top 20 CyberSecurity Woman of the World – WiCSME in the Global Top 20

2025 became the year WiCSME secured its strongest global recognition yet, with Eight WiCSME Women (out of 20) had been named among the World top 20 Women in CyberSecurity. Thus receiving one of the world’s highest honors for cybersecurity leadership, and with Dr. Reem Faraj AlShammari delivering the Award’s Keynote speech. Included in the Top 20 were Priyanka Chatterjee, WiCSME’s Head of Operations, and Afra AlMansoori — UAE; Basma Ahmadush , Founding Partner at WiCSME and Prof. Fatemah Alharbi and— Saudi Arabia; Abeer Khedr, Founding Partner at WiCSMEand Heba Farahat — Egypt, Dr. Khoula Al Harthy — Oman, and Dr. Reem AlShammari- Kuwait.

Feature Article • CNG Magazine, Blackhat Middle East and Africa 2025 Edition

The Middle East became one of the strongest regional blocks represented in this Global Top 20.

SheInspires UK — Manchester Honors WiCSME

WiCSME’s impact reached Manchester, UK, where three leading members were recognized:

•Dr. Reem AlShammari — Person With a Mission

•Heba Farahat — Global Digital Woman of Impact

•Irene Corpuz – Woman of \ Courage Alongside WiCSME Member Nuha Amin as a Judge in the Award’s Esteemed Judging Panel.Another moment of global celebration for WiCSME at the global stage. Where literally when She Rise, All of WiCSME Rise along her side.

CyberShe Regional Program — A Landmark Collaboration with EC-Council

In 2025, WiCSME strengthened its partnership with ECCouncil to elevate CyberShe into a fully structured regional program. Kuwait eBacked by a unified curriculum and globally recognized certifications, the initiative now carries a bold, transformative mission: to certify 1,500 women in cybersecurity over the next three years across six countries — Kuwait, UAE, Saudi Arabia, Oman, Qatar, Bahrain and Jordan.

With Dr. Reem AlShammari’s leadership as the Director of CyberSHE Regional Program alongside supervision of Priyanka Chatterjee (WiCSME Head of Operations), this regional program stands as one of the Middle East’s most ambitious women-in-cyber capacitybuilding efforts, blending ECCouncil’s technical rigor with WiCSME’s community-driven mentorship and support.

It is a powerful blueprint for developing a skilled, diverse, and future-ready cybersecurity workforce across the Arab world.

KUWAIT: A CYBER POWERHOUSE ON THE RISE

Kuwait emerged as one of the region’s biggest cybersecurity success stories.

WiCSME 2025: A Year of Power, Presence, and Women Leading the Cyber Frontier(Contd:)

CyberSHE Kuwait — A Nationally Aligned Program

Now positioned as a national program aligned with Kuwait Vision 2035, CyberSHE Kuwait delivered hands-on labs, training bootcamps, leadership coaching, job readiness and mentorship. Kicking off the first cohort in May 2025 with Dr. Fatemah AlSuwaidi as Kuwait’s CyberSHE Lead and supported by Dr. Reem AlShammari (Director of CyberSHE Regional Program). The initiative became the blueprint for CyberShe expansion across the Middle East.

1st Kuwait Black Hat MEA Chapter Meetup

In partnership with Black Hat MEA, Kuwait hosted its firstever official Kuwait’s Meetup under leadership of Dr. Reem AlShammari as Board Director of Black Hat MEA Kuwait Chapter, and with the supervision of Dr. Fatema Al Suwaidi - creating a powerful bridge between global cyber expertise and local female talent.

UNITED ARAB EMIRATES: Innovation, Talent & Technical Excellence

The UAE continued to be a regional engine for cyber capability building. CyberShe UAE — A Strategic Collaboration with the University of Dubai as the Program’s Academic Strategic Partner is the second leg of the program’s roll-out.

OSINT Masterclass

One of the most impactful technical sessions of the year, the OSINT Masterclass, was led by Heide Young, WiCSME’s Head of Strategy, providing women with critical investigation and intelligence-gathering skills.

Purple Team Workshop

The UAE Affiliate led by Irene Corpuz, with support of Dr. Reem AlShamamri (WiCSME Chairperson) also coordinated a hands-on Purple Team Workshop delivered by Bryson Bort, driven entirely by volunteer leadership Naveen Fatma and Oghale Akpobome.

THE FUTURE BELONGS TO WOMEN WHO BUILD IT

2025 was more than a collection of achievements. It was a declaration. A declaration that women in the Middle East are leading, innovating, speaking, training, mentoring, transforming nations, and reshaping the cybersecurity landscape WiCSME has become more than a community — it is a regional movement, a global force, a Strategical amplifier of empowerment and a story still being written. And the women of WiCSME aren’t just keeping pace with the future. They are building it. They are stronger, together.

The workshop strengthened women’s operational capabilities in both offense and defense — a rare opportunity of a face-to-face training delivered alongside the GISEC. It was kindly sponsored by the DCI Part through the support of Dr. Bushra Al Blooshi, Director of Cybersecurity Governance Risk Management Department at Dubai Electronic Security Center.

QATAR: A Rising Voice in Regional Cybersecurity

Qatar amplified its role in regional cybersecurity through active WiCSME representation and community-building supported by Engr. Dana Yousif Al-Abdulla (Director of National Cyber Governance and Assurance Affairs, Qatar’s National CyberSecurity Agency), including, conference representation, national dialogue contributions, and a dedicated visibility presence at major National cybersecurity events with WiCSME members supervising the booth under leadership of WiCSME Qatar’s Affiliate Lead Dr. Noura Fetais and supervision of Salma Mulla.

BAHRAIN: Leadership in Industrial Cybersecurity

Bahrain continued to strengthen women’s representation in OT/ ICS security.Fatema Fardan represented WiCSME at ICS Bahrain, contributing to national conversations on securing industrial systems and critical infrastructure.

SAUDI ARABIA: Expanding Influence

Saudi Arabia maintained strong participation in cyber events with Norah Aldeghaim particiapting in the prestigious OPSWAT conference in Riyadh, reinforcing WiCSME’s role as a key contributor to the Middle East’s cybersecurity evolution.

EGYPT:

A Landmark Honor

A proud moment for WiCSME and Egypt came when Heba Farahat was honored by Egypt’s First Lady, Mrs. Entsar El-Sisi, as one of the country’s most influential women during International Women’s Day

OMAN: Laying the Groundwork for 2026

Oman is preparing for greater integration as WiCSME continues active discussions with national authorities and cyber academies to bring CyberShe and other empowerment programs into the country.

JORDAN: Growing the Network

Jordan laid the foundation for future collaboration through community engagement with women-in-tech and cybersecurity groups. Their recent Panel titled: “Voices of Impact: CyberSecurity Relationships- From AI to Governance” that was coordinated by Jordan Affiliate Lead Nada Khater where she hosted Jordan females leaders where they had shared their valuable insights and showcased their enriching expertise.

Don’t Duck with your Cybersecurity.

The world’s first zero-touch, non-invasive technology to visualize the threat.