
Hi, I'm Mohammed AlYahya

Cybersecurity Leadership

Case Studies

Three deeper stories from the resume. Each one started with a real problem, ended with a measurable outcome, and left a lesson worth keeping. Names and identifying details are withheld where required.

01

Building the Asset Management Baseline

General Authority for Statistics · 2021–2022
Foundation · NCA ECC · Asset Management
Context

The organization was preparing for its first compliant assessment against the National Cybersecurity Authority’s ECC framework. On paper there was a security function, training programs, and tooling. On the ground, the most fundamental control was missing: nobody could tell me, with confidence, what we owned, who owned it, or how critical it was.

Challenge

You cannot defend, classify, or assess risk against assets you cannot enumerate. Every other control in the ECC framework — access management, vulnerability handling, incident response, supplier risk — assumes an asset inventory exists. We had spreadsheets in different formats across IT, legal, and procurement, no agreed definition of an “asset,” and no system of record. The first compliant assessment was less than twelve months away.

Approach

Rather than negotiate a perfect inventory standard with five departments, I built one. I designed the organization’s first end-to-end asset management tracker from scratch, with three principles I refused to compromise on: every asset has an unambiguous owner; every asset has a sensitivity tier defined by the data it processes, not by hardware cost; and every asset has a refresh cadence so the inventory could not silently rot.

I conducted interviews, pulled data from procurement, network discovery, and Active Directory, and reconciled what they disagreed on by forcing decisions in the room rather than guessing. The tracker started simple. It stayed simple on purpose.
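As an added illustration of the three principles above (this is example code written for this page, not the tracker the case study describes or anything from the organization), the Python below models one inventory record per asset, enforces the three invariants (a named owner, a sensitivity tier derived from the data processed rather than cost, and a refresh cadence that flags rotting records), and reconciles the procurement, network discovery and Active Directory views by surfacing disagreements for a human decision instead of guessing. Tier names, cadence values, field names and every sample asset and source are constructed assumptions.

```python
"""Minimal asset inventory baseline with reconciliation (illustrative example).
All tier names, cadences and sample data are constructed, not real records."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed mapping: tier follows the most sensitive data class processed.
DATA_CLASS_TO_TIER = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}
# Assumed refresh cadence in days per tier: more sensitive, verified more often.
REFRESH_DAYS_BY_TIER = {1: 365, 2: 180, 3: 90, 4: 30}


@dataclass
class Asset:
    asset_id: str
    name: str
    owner: Optional[str]          # named person or role; None is a violation
    data_classes: list[str]       # data the asset processes
    last_verified: date           # when the owner last confirmed the record

    @property
    def tier(self) -> int:
        """Sensitivity tier = most sensitive data class processed, never cost."""
        if not self.data_classes:
            raise ValueError(f"{self.asset_id}: no data classification")
        return max(DATA_CLASS_TO_TIER[c] for c in self.data_classes)

    def is_stale(self, today: date) -> bool:
        """True when the record has outlived its tier's refresh cadence."""
        return (today - self.last_verified).days > REFRESH_DAYS_BY_TIER[self.tier]


def validate(asset: Asset, today: date) -> list[str]:
    """Return every invariant the record violates (empty list = compliant)."""
    problems = []
    if not asset.owner:
        problems.append("no owner")
    if not asset.data_classes:
        problems.append("no data classification")
    elif asset.is_stale(today):
        problems.append(f"stale: last verified {asset.last_verified.isoformat()}, tier {asset.tier}")
    return problems


def reconcile(sources: dict[str, dict[str, dict[str, str]]]) -> dict:
    """Compare per-source views (source -> asset_id -> field -> value).
    Nothing is auto-resolved: field disagreements and assets missing from
    some sources are returned so the owners decide in the room."""
    all_ids = set()
    for view in sources.values():
        all_ids.update(view)
    conflicts, partial = {}, {}
    for asset_id in sorted(all_ids):
        seen_in = sorted(name for name, view in sources.items() if asset_id in view)
        if len(seen_in) < len(sources):
            partial[asset_id] = seen_in
        fields = set()
        for name in seen_in:
            fields.update(sources[name][asset_id])
        for f in sorted(fields):
            values = {name: sources[name][asset_id][f]
                      for name in seen_in if f in sources[name][asset_id]}
            if len(set(values.values())) > 1:
                conflicts.setdefault(asset_id, {})[f] = values
    return {"conflicts": conflicts, "partial": partial}


# Constructed sample data for a stand-alone run.
TODAY = date(2022, 3, 1)
SAMPLE_ASSETS = [
    Asset("SRV-001", "HR payroll server", "Head of HR", ["confidential", "internal"], date(2022, 1, 15)),
    Asset("SRV-002", "Public website", None, ["public"], date(2021, 6, 1)),
    Asset("SRV-003", "Statistics data warehouse", "Chief Statistician", ["secret"], date(2021, 12, 1)),
]
SAMPLE_SOURCES = {
    "procurement": {"SRV-001": {"owner": "Head of HR"}, "SRV-002": {"owner": "Marketing"}},
    "discovery": {"SRV-001": {"owner": "Head of HR"}, "SRV-003": {"owner": "Chief Statistician"}},
    "active_directory": {"SRV-001": {"owner": "Head of HR"}, "SRV-002": {"owner": "IT Ops"}},
}


def inventory_report(assets=SAMPLE_ASSETS, today=TODAY) -> dict[str, list[str]]:
    """asset_id -> list of violations; the list a control owner would work from."""
    return {a.asset_id: validate(a, today) for a in assets}


if __name__ == "__main__":
    for asset_id, problems in inventory_report().items():
        print(asset_id, problems or "OK")
    print(reconcile(SAMPLE_SOURCES))
```

The point of `reconcile` returning conflicts rather than picking a winner is the same one the case study makes: the tracker is there to force an explicit ownership decision, not to encode a guess that later becomes the source of truth.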

Outcome
  • Became the source of truth that 25+ NCA-mapped controls referenced.
  • Directly enabled the organization’s first compliant ECC assessment.
  • Gave every subsequent risk assessment, vulnerability program, and audit cycle a stable foundation — auditors stopped asking “are you sure this is everything?”
What I Learned

In compliance-heavy environments, teams jump to implementing the headline controls (DLP, SIEM, IAM) without fixing the foundation underneath. An imperfect asset inventory you actually maintain is worth ten perfect ones you do not. Build the boring thing first; everything else gets cheaper.

02

Authoring a Data Policy from Zero to 100% Adoption

Confidential Government Entity · 2023–2024
Governance · NCA · SAMA · ISO 27001 · PDPL
Context

I joined as Data Security Specialist with a simple mandate and a complex reality: bring the organization into full alignment with the NCA framework, SAMA expectations, and ISO 27001 — within six months. The audit score at intake was 62%, with twelve critical non-conformities and no organization-wide data policy.

Challenge

Authoring a policy on its own is not hard. Getting it adopted is. In any organization, the gap between “policy approved by the board” and “every staff member actually compliant” is where most compliance programs fail. I had six months, a critical audit window, and twelve non-conformities that were each an entry point for regulatory penalties.

Approach

I wrote the organization’s first organization-wide data policy from a blank page, anchored on three deliberate design decisions:

  • Short and operationally enforceable. No aspirational language nobody could measure.
  • Every clause traceable to a control. Each line tied to a specific NCA control, SAMA expectation, and ISO requirement, so adoption tracked compliance directly.
  • Sequenced rollout, not big-bang. Classification first (because everything else depends on it), then handling rules, then exception process — staged against the audit timeline.

I ran the executive workshops, designed the staff awareness program, and built the compliance tracking myself — so I could see week-by-week where adoption was lagging and intervene before the audit window closed.

Outcome
  • 100% staff compliance with the data policy within six months.
  • Audit score lifted from 62% to 94%; all 12 critical non-conformities eliminated.
  • Deployed DLP and File Integrity Monitoring across 1,200+ endpoints, reducing insider-threat exposure by an estimated 60%.
  • The policy became the governance baseline that the subsequent NCA, SAMA, and ISO 27001 work all built on.
What I Learned

Policy is not paperwork; it is the contract that lets every other security control hold. A policy that is too long to read is a policy that will be ignored. Spend the discipline up-front to keep it short, enforceable, and tied to controls — and adoption follows.

03

Re-engineering Enterprise Risk Workflow at a SAMA-Regulated Bank

Confidential Bank · 2024–Present
Optimization · SAMA ITGF · 3LoD · Board Reporting
Context

I lead enterprise-wide risk assessments across IT and cybersecurity at a SAMA-regulated bank, aligning 200+ controls with the SAMA IT Governance Framework. The bank had a mature risk function: established Jira-based workflows, a long history of regulatory examinations, and three Lines of Defence active in parallel. The challenge was not to build something from scratch — it was to make something mature run measurably better.

Challenge

Mature operations have hidden costs. Risk assessment cycles were taking too long. Documentation lived across audit, compliance, and IT in slightly different versions. Risk treatment decisions used Key Risk Indicators but rarely tied them back to Key Performance Indicators or residual-risk scoring. From a board perspective the data was correct but the picture was fragmented. From an operations perspective the same risk was being reviewed three times in three forums.

Approach

I re-engineered the Jira-based risk workflow rather than replacing it — which would have forced a years-long migration and likely failed. Inside the existing toolchain, I embedded KRIs, KPIs, and residual risk scoring directly into the risk record, so a single workflow produced data fit for three audiences: the assessor, the treatment owner, and the board.

I then unified risk treatment documentation across audit, compliance, and IT into a single source of truth, eliminating the divergence that was wasting cycle time and creating reconciliation work. To close the loop with the threat side, I integrated threat modelling and asset sensitivity data into the risk register so control-mapping accuracy improved without adding new tooling.

Outcome
  • Risk assessment cycle time reduced by 40%.
  • Critical audit findings reduced by 35% across 200+ controls.
  • Board-level risk posture reports moved from a periodic exercise to a near-real-time view — contributing to a clean regulatory examination.
  • Three Lines of Defence reporting became consistent for the first time.
What I Learned

Mature organizations rarely need new tools. They need the existing ones to produce trustworthy, decision-ready data. Re-engineering inside the existing toolchain — with clear design principles — beats migration projects every time.

Have a similar problem?

I’m open to senior security leadership roles — CISO, Director, Head of Security — particularly in SAMA, NCA, and CST-regulated organizations.
