Beyond Shadow AI, the Discovery Gap in GCC’s Machine Learning Strategy – Intelligent CIO Middle East

As the GCC undergoes a massive transition to an AI-driven digital economy, a disconnect is emerging as organizations rush to deploy machine learning, fundamentally unaware of the threats that already exist within their networks. In this article, Rob Lee, Chief AI Officer and Director of Research at the SANS Institute, discusses the SANS 2025 GCC Cybersecurity Threat Landscape Report and explores the double-edged sword of AI: how to defend against AI-powered adversaries while managing internal “shadow AI” risks created by engaged employees.

For more information, see the 2025 GCC Cybersecurity Threat Landscape CXO Priorities Report (in collaboration with SANS Institute).

What was the main goal of the SANS 2025 GCC Cybersecurity Threat Landscape Report?

Rob Lee, Chief AI Officer and Research Director, SANS Institute

Fundamentally, it is important to obtain a high-fidelity snapshot of regional organizational behavior. As with any rigorous threat landscape research, our objective is to decipher how companies are interpreting disparate data points and identify which metrics are truly critical to executive decision-making. “Cybersecurity” is a term that is used almost as often as a marketing term, but it is actually an ever-evolving field.

Understanding these changes allows organizations to conduct robust peer analysis. This forces leaders to ask difficult questions: Are our vulnerabilities inherent or systemic? Is our strategic perspective aligned with the broader market, or are we missing important vectors entirely? This form of comparative analysis is essential. This provides the empirical evidence organizations need to re-evaluate and, if necessary, realign their comprehensive security strategies in line with industry trends.

Approximately one-third of respondents were unaware of the number of attacks they had experienced. What does this visibility gap tell us about the state of detection capabilities in the region, and why is this more important than the attack itself?

When you scrutinize these numbers, especially the one-third of organizations reporting a lack of visibility, you think the reality is much more sobering. There is an inherent reluctance in our industry to acknowledge “digital blindness.” The basic axioms remain. You can’t defend against what you can’t see. But we are now entering a paradigm where we only recognize what is already known, and we are dangerously exposed to the novel.

The proliferation of AI-powered attacks has transformed the battlefield. The speed and sophistication of these attacks have increased significantly, threatening to widen the existing “visibility gap” into a chasm. Most regional networks suffer from a chronic lack of telemetry. They simply cannot distinguish important signals from background noise.

This is a challenge similar to airport security. When managing large volumes of flows, security teams naturally focus on known, documented threats. But as we often see, something unknown or very sophisticated can slip through the cracks.

The other side of this coin is perhaps more concerning. It’s an organization that believes it knows the exact number of attacks, but operates on a false sense of security. We need to ask what “accurate” really means: are we benchmarking ourselves against similarly misinformed peers, or are we chasing a definitive metric that is completely elusive at this point? In this evolving landscape, the pursuit of true visibility is no longer an IT goal, but a strategic necessity.

About a quarter of respondents rated cyber risk as “very low,” and an equal number in the same region rated cyber risk as “high.” What is causing the differences? Which groups should we be more concerned about?

The wide variation in risk perception across the GCC countries is very worrying. This polarization reflects the vast differences in cybersecurity maturity among organizations responding to the same environmental threats.

The “very low” risk cohort is particularly notable. While this group may include some mature programs that have successfully mitigated damage, it may also include organizations that simply cannot recognize the attacks they are facing. Given the documented 32% visibility gap, it is almost certain that the majority of these respondents fall into the latter category, equating a lack of data with a lack of risk.

Conversely, a “high risk” group could represent organizations with good telemetry that are witnessing a real amount of threats reaching their perimeter, or perhaps organizations that have recently been stymied by a breach.

The most surprising thing here is the complete lack of convergence. The even distribution of these four risk categories suggests that there is no shared baseline for assessing cyber risk within the region. Without a common language on risk and a unified approach to visibility, the GCC remains a landscape of heterogeneous silos, with resilience across the region on an uphill climb.

Just over 25% allocate less than a quarter of their security budget to detection and response. Given that ransomware is a major and growing threat, how are the remaining costs being absorbed?

At the heart of the problem is the deployment of prevention technologies that fail to mitigate the most important risks. We are witnessing a dynamic where organizations “throw money at the problem” but do not scrutinize the diminishing residual profits. Standard business decisions are being applied incorrectly. Many companies continue to pour capital into stagnant areas, reluctant to double their investment for just a 2% increase in effectiveness.

Budgets are typically absorbed by traditional perimeter defenses, compliance-driven endpoint protection, and network hardware that is deployed but not properly tuned. I see identity projects stalled for years. However, modern adversaries’ business models are built almost entirely on post-initial access activity.

If an organization allocates 75% of its resources to preventing initial access and only 25% to detecting lateral movement, privilege escalation, and data breach staging, it has optimized to the wrong threat model. The entities that most effectively combat ransomware are not necessarily those with the largest budgets, but those that are rebalancing towards detection and response. They have moved past the fallacy of total prevention and accepted the reality that breaches are about when, not if.

As AI/ML proliferates as a top emerging security challenge, organizations in key sectors need training providers to develop new content. Is your security team looking to defend against AI, deploy AI, or both at the same time?

While the cybersecurity industry often fixates on nation-state actors, we are currently overlooking a more pressing risk: shadow AI. Employees uploading sensitive corporate financial information to unauthorized tools like ChatGPT is often more likely to result in a data breach than a ransomware attack. Security teams struggle to manage the responsibilities of untrained employees who operate outside of traditional governance.

We are effectively fighting on three fronts: monitoring AI-powered attacks, deploying defensive AI, and protecting internal AI systems. These require completely different skill sets. Adversaries such as China leverage AI to move through networks in seconds instead of days, but our defensive responses are still hampered by a lack of depth. The 22% of organizations seeking AI/ML training are the only ones to be honest about their limitations. Frankly, this number is dangerously low.

To close this gap, security leaders must look beyond traditional silos. AI transformation budgets often include untapped risk and governance funds. By setting aside 5% to 10% of these broader AI budgets, security teams can significantly increase their headcount of trained specialists. In markets where automation tools are not yet mature, the only viable “stopgap” remains the highly trained human element.

While cloud security specialists and penetration testers are in equal demand, security architects are less in demand. Given that architecture is a top training priority, why aren’t organizations hiring accordingly?

A bias toward the short term is a recurring theme in cybersecurity recruitment. Cloud specialists and penetration testers solve tangible problems with tangible deliverables. Recruiters know exactly how to evaluate their performance. In contrast, security architects are the strategic foundation of an organization. They design systems to stay ahead of emergencies, but their impact is very difficult to quantify because their success is often “invisible” by the absence of a crisis.

There are obvious contradictions in the GCC situation. While security architecture is a top training priority, with 19% of organizations looking to upskill existing staff, hiring practices tell a different story. When a role is vacant, management often defaults to a tactical hire because the fire is burning. Additionally, good architects are rare and expensive. It is much easier to hire a penetration tester at market rates than to pay the premium required by an architect.

The long-term result is a cycle of technical debt. Without architectural oversight, organizations continue to build weak infrastructure, only to hire more tactical staff to solve completely predictable problems. Until we value architects the same way we value firefighters, we will remain stuck in a loop of reaction.

System vulnerabilities and patching are top concerns for ICS/OT. How do organizations address this challenge in environments where patches often cannot be applied without shutting down the production environment?

Global events such as the strategic disablement of power grids demonstrate that attackers are targeting OT networks with near-perfect guarantee of success. These systems represent one of the most difficult dilemmas in cybersecurity. We frequently manage SCADA environments built on outdated foundations like Windows XP, which are now effectively “hard-coded” into the infrastructure.

These systems were never designed for modern times and are “unpatchable”, but they are also irreplaceable. To go beyond this, organizations must adopt a three-pronged defensive posture:

  1. Compensating controls: Implement strict network segmentation and strict access protocols to isolate legacy nodes.
  2. Risk-based prioritization: Identify critical assets that require tailored protection when traditional patching is not possible.
  3. Enhanced monitoring: Develop the telemetry needed to detect “problems” as they occur, rather than after a dynamic failure.

This challenge is further exacerbated by niche talent markets. Critical utility companies often lack the capital to acquire rare professionals trained in both legacy OT and modern security. In this environment, constant vigilance is not just a goal. That is the only alternative to total system failure.

In regions with documented national threat activity, nearly one-third of organizations check for local threats at most quarterly. What realistic exposure window does this create?

The report highlights surprising oversights. Many organizations still only monitor nation-state activities on a quarterly basis. I think some respondents may have misunderstood the question, but the implications of such a window of visibility are dire. In an age where AI is shrinking attack timelines from months to days and soon minutes, a three-month gap in monitoring demands continuity.

The GCC has become a prime target for sophisticated nation-state actors focused on long-term espionage and pre-planning for future conflicts. These enemies are patient. They don’t “turn over tables” like typical robbers. Instead, they operate silently and wait for a specific trigger. If you only check your perimeter every 90 days, an attacker could get in, install a persistent threat, and disappear before the next audit is scheduled.

This is where AI becomes a necessity for defense. While human monitoring can be monotonous as you walk around, AI provides the continuous high-frequency telemetry needed to capture these subtle movements. 35% of organizations that perform daily or weekly checks are facing rising costs, but only they have a fighting chance. To achieve true resilience, organizations must move beyond routine audits and adopt AI-powered proactive threat hunting as an ongoing operational standard.


