Skip to content
MA

Hi, I'mMohammed AlYahya

Cybersecurity Leadership

A Signature Approach

FALAQ

A KSA inspection-aware method for building and operating cybersecurity governance in NCA, SAMA, and CST-regulated organizations.

الفلق · the break of day

The Premise

Cybersecurity programs in Saudi organizations fail in predictable ways. They buy platforms before they understand their own assets. They write aspirational policy nobody can measure. They try to enforce every control at once. They produce KRIs that look serious but never drive a decision. They build twin copies of the same work in compliance, audit, and IT, none of them quite agreeing. And they treat resilience as a document, not a tested capability.

FALAQ is how I avoid those failures. Five gates, in order, each producing an artifact the next depends on — wrapped in an operating loop so the program does not just stand up, it survives an inspection cycle and improves between them.

What FALAQ Is — and Isn’t

FALAQ does not replace NIST CSF, ISO 27001, COBIT, or the Three Lines Model. It translates them into what actually decides a Saudi program’s fate: passing an NCA assessment or a SAMA examination, on the regulator’s calendar, with evidence that holds. It is a methodology for building a program and keeping it running — not a SOC runbook or a BCM playbook, but not silent on them either. Incident response, resilience, and third-party risk are carried as live tracks, not parked in someone else’s remit.

The Five Gates

The gates are non-skippable — you cannot anchor what you have not framed, or quantify what you have not anchored — but execution iterates as new assets, suppliers, incidents, and regulatory findings arrive. Mandatory gates, iterative execution.

F

Framing & Foundation

Mandate and risk appetite first; then inventory what must be governed.

F0 — Framing: regulatory scope and applicability, board mandate, risk appetite and tolerance, the critical services the business actually runs on, and the decision rights that govern them. You cannot classify an asset, or compute a residual risk, before you know what you are accountable for and how much risk the board will accept.

F1 — Foundation: an asset, data, and service inventory — owner, sensitivity tier, criticality, refresh cadence, evidence owner, and source-of-truth system. Foundation work is unglamorous. Skip it and every downstream control is fiction.

Artifact: a documented mandate + risk-appetite statement, and a maintained asset/data/service inventory tied to critical business services.
A

Anchor

Short, enforceable policy with every clause tied to a control — in Arabic where the work happens.

Policy is the contract that lets every other control hold. It must be short enough to be read, operationally enforceable (no aspirational language nobody can measure), and traceable — every clause maps to a specific NCA control, SAMA expectation, ISO requirement, or PDPL article, and onward to its procedure, owner, and evidence. KSA programs fail when English policy exists but the Arabic operating procedure does not.

Artifact: a policy-to-procedure chain with clause-level traceability (obligation → clause → control → owner → evidence), including PDPL breach-notification and data-transfer obligations.
L

Layering

Controls deployed in dependency sequence, staged to the inspection calendar.

A common failure mode is trying to enforce all controls at once. Classification precedes handling rules; handling rules precede exception processes; detection without response is theater. Layer controls in the order the dependencies require, and stage the rollout against the audit timeline so adoption can be measured before it becomes a non-conformity. Incident response, BCM/DR, SOC monitoring, and third-party/cloud controls are sequenced here — not as an afterthought.

Artifact: a sequenced controls roadmap with explicit dependencies, including IR, BCM, and third-party/cloud control clusters mapped to the inspection calendar.
A

Alignment

Three Lines of Defence and board reporting unified at the data layer.

If audit, compliance, and IT each maintain their own version of the same risk, you have three problems, not three perspectives. Alignment unifies the underlying data model so one risk record produces views fit for the assessor, the treatment owner, and the board — without re-keying or reconciliation — with unique IDs linking asset, data set, service, control, obligation, risk, evidence, exception, supplier, and incident.

Artifact: a single source of truth for risk records under a defined data dictionary, with audience-specific views.
Q

Quantification

Risk scored against appetite — a number that changes a decision.

Most KRIs reported to boards are vanity metrics, large numbers detached from any decision. Quantification means scoring residual risk against the appetite set in Framing, with Key Risk Indicators (what changed) and Key Performance Indicators (whether controls work) in the same workflow — so every record resolves to a decision: accept, remediate, transfer, defer-with-expiry, or escalate. This is disciplined risk scoring; full probabilistic quantification comes later, once the data supports it, and is never a day-one promise.

Artifact: a risk register where every record carries KRI, KPI, residual-risk score, and an appetite-based decision.

The Operating Loop

A program that is built once and never operated becomes its own anti-pattern in a regulatory environment that shifts every year. The five gates are wrapped in a loop — Plan → Operate → Test → Evidence → Improve — that re-enters on regulatory change, audit findings, incidents, and M&A.

  • Operated, not just installed. Incident response, BCM/resilience, SOC monitoring, third-party/cloud, and privacy breach handling run as continuous tracks through every gate, tested and exercised on the cadence SAMA and NCA ECC-2 expect. A control deployed once and filed is not a capability.
  • Improvement is built in. The Quantification gate feeds a backlog that re-triggers Framing and Foundation, so the program earns its maturity level rather than asserting one.

Maturity & Scoring

The score that matters is the regulator’s, not mine. FALAQ’s job is to move you up the scale the assessor actually uses — a FALAQ transformation level is a narrative overlay, never a substitute.

LayerWhat it isAuthority
Score of recordSAMA CSF maturity (0–5; Level 3+ expected) · NCA compliance % from the national assessment toolThe regulator
FALAQ overlayReactive → Defined → Aligned → Quantified → Adaptive — a transformation story mapped to the score of record (e.g. “NCA 78%, SAMA avg 2.8, FALAQ Level 2.6 → 3”)Internal narrative

KSA Regulatory Applicability

Saudi Arabia is not one stack. The first deliverable of any engagement is deciding which obligations actually apply — before a single control is written.

If you are…Primary obligationLikely add-ons
A regulated bank / fintechSAMA CSF (+ BCM, CRFR)NCA ECC, PDPL, CCC (cloud)
Government / public sectorNCA ECC-2:2024DCC (data), CCC, PDPL, NDMO
Critical national infrastructureNCA CSCC (+ ECC)CCC, DCC, sector rules
Cloud / telecom / hostingNCA CCC-2:2024, CSTdata localization, ECC
Anyone processing personal dataPDPL + Implementing Regs (SDAIA)transfer rules, NDMO data mgmt
An Aramco supplierSACS-002ECC, third-party assurance

How It Maps to the Canon

FALAQ is not a new taxonomy — it is the canon, sequenced to the KSA inspection calendar and operationalized in Arabic. Stated plainly, because hidden relabeling reads as ignorance and declared translation reads as fluency:

FALAQ gateMaps to
Framing & FoundationNIST CSF 2.0 Govern + Identify (ID.AM) · ISO 27001 Cl. 4–6 (context, scope, risk)
AnchorISO 27001 policy + Statement of Applicability · COBIT management objectives
LayeringISO 27001 risk-treatment plan · NIST Protect / Detect / Respond / Recover
AlignmentIIA Three Lines Model · COBIT single integrated framework
QuantificationKRI / KPI / residual-risk scoring against board-set appetite

The original contribution is not the components — it is the order (govern before inventory), the sequencing to the inspection calendar, and the Arabic operating layer.

KSA-Specific Principles

  • The regulator is the authority. International best practice (NIST, ISO) is necessary but not sufficient. NCA, SAMA, CST, and SDAIA define the rules of the game; everything else informs.
  • Sequence with the inspection calendar, not the project plan. NCA inspections and SAMA examinations do not move. The rollout must.
  • Arabic operational documents alongside English policy. Staff procedures are read more often in Arabic; policy templates that ignore this fail at adoption.
  • PDPL is newer than NCA. Staff data-handling habits formed under pre-PDPL norms persist. Awareness must account for the gap.
  • Hierarchy is an asset. A named executive sponsor, a steering cadence, and clear sign-off chains accelerate adoption when used deliberately, not as a bottleneck.

Anti-Patterns

Buy the platform, fix the program
Tools amplify a working program; they do not create one.
Aspirational policy
“We strive to” cannot be audited.
Big-bang rollout
Adoption fails when staff face too many new rules at once.
Board theater
KRIs that do not change decisions waste board attention.
Unlocalized framework adoption
Importing ISO/NIST without NCA/SAMA tailoring and Arabic procedure produces gaps.
Replace before re-engineer
Tool migrations consume years; in-place workflow design ships in months.
Audit-sprint governance
A program that only moves before an inspection is a program that has none.
Tool as source of truth before data governance
A GRC platform populated with ungoverned data industrializes the mess.

Where to Start

Most organizations I work with arrive at the regulator’s Level 1–2 with the budget and the will to reach Level 3 operating discipline. A realistic target is 18–24 months for in-scope domains — subject to executive mandate, data quality, tooling maturity, supplier complexity, and remediation budget. The order matters. Frame first. Anchor second. Anything else done before those two collapses under audit.

See FALAQ applied — three real KSA programs, problem to outcome →

Operating depth — PDPL records-of-processing and breach playbooks, exception/waiver governance, the evidence-pack standard, and metric-quality rules — sits beneath each gate and is available on request.

Working on a KSA GRC program?

If your organization is preparing for an NCA assessment, a SAMA examination, or a PDPL rollout, I’m open to senior security leadership roles: CISO, Director, or Head of Security.

Discuss a Role