Context
The organization was preparing for its first compliant assessment against the National Cybersecurity Authority’s ECC framework. On paper there was a security function, training programs, and tooling. On the ground, the most fundamental control was missing: nobody could tell me, with confidence, what we owned, who owned it, or how critical it was.
Challenge
You cannot defend, classify, or assess risk against assets you cannot enumerate. Every other control in the ECC framework (access management, vulnerability handling, incident response, supplier risk) assumes an asset inventory exists. We had spreadsheets in different formats across IT, legal, and procurement, no agreed definition of an “asset,” and no system of record. The first compliant assessment was less than twelve months away.
Approach
Rather than negotiate a perfect inventory standard with five departments, I built one. I designed the organization’s first end-to-end asset management tracker from scratch, with three principles I refused to compromise on: every asset has one owner, a sensitivity tier driven by data not hardware cost, and a refresh cadence on a calendar.
I conducted interviews, pulled data from procurement, network discovery, and Active Directory, and reconciled what they disagreed on by forcing decisions in the room rather than guessing. The tracker started simple. It stayed simple on purpose.
My role: I designed the asset schema and ran the cross-functional reconciliation; IT, procurement, and the network team supplied the source data.
Outcome
- Became the system of record that 25+ NCA-mapped controls drew their evidence from.
- Stood up the inventory the organization’s first compliant ECC assessment was built on — the prerequisite every other control depended on.
- Gave every later risk assessment, vulnerability program, and audit cycle a stable base. Auditors stopped asking “are you sure this is everything?”
What I Learned
In compliance-heavy environments, teams jump to implementing the headline controls (DLP, SIEM, IAM) without fixing the foundation underneath. Inventories you actually maintain beat perfect ones that no one updates. Build the boring thing first; everything else gets cheaper.
Context
I joined as Data Security Specialist with a simple mandate and a complex reality: bring the organization into alignment with the NCA ECC framework, PDPL, and ISO 27001 within six months. Compliance against the control set sat at 62% on intake, with twelve critical non-conformities and no organization-wide data policy.
Challenge
Authoring a policy on its own is not hard. Getting it adopted is. In any organization, the gap between “policy approved by the board” and “every staff member actually following it” is where most compliance programs fail. I had six months, a fixed audit window, and twelve non-conformities that were each an entry point for a regulatory finding.
Approach
I wrote the organization’s first organization-wide data policy from a blank page, anchored on three deliberate design decisions:
- Short and operationally enforceable. No aspirational language nobody could measure.
- Every clause traceable to a control. Each line tied to a specific NCA control, PDPL article, and ISO requirement, so adoption tracked compliance directly.
- Sequenced rollout, not big-bang. Classification first (because everything else depends on it), then handling rules, then exception process, staged against the audit timeline.
I ran the executive workshops, designed the staff awareness program, and built the compliance tracking myself, so I could see week by week where adoption was lagging and close the gaps before the audit window shut.
My role: I authored the policy and mapped every clause to its NCA, PDPL, and ISO control; the SOC and endpoint teams ran the DLP and FIM rollout.
Outcome
- All 12 critical non-conformities closed and verified at re-audit.
- Compliance against the NCA ECC control set rose from 62% to 94% over six months (self-assessed against the national control set).
- Policy rolled out to every staff member, with adoption tracked weekly so lagging areas were fixed before the audit, not after.
- Deployed DLP and File Integrity Monitoring across 1,200+ endpoints — the organization’s first real view of where data was actually leaving.
- The policy became the governance baseline the later NCA, ISO 27001, and PDPL work all built on.
What I Learned
Policy is the contract that holds the rest of the control stack up. If it’s too long to read, it doesn’t get followed. Keep it short, tied to controls, and adoption tracks compliance.
Context
I lead enterprise-wide risk assessments across IT and cybersecurity at a SAMA-regulated bank, aligning 200+ controls with SAMA’s Cyber Security Framework (and the IT-governance controls with SAMA ITGF). The bank had a mature risk function: established Jira-based workflows, a long history of regulatory examinations, and three Lines of Defence active in parallel. The challenge wasn’t building from scratch. It was getting something mature to produce sharper data without breaking what already worked.
Challenge
Mature operations have hidden costs. Risk assessment cycles were taking too long. Documentation lived across audit, compliance, and IT in slightly different versions. Risk treatment decisions used Key Risk Indicators but rarely tied them back to Key Performance Indicators or residual-risk scoring. From a board perspective the data was correct but the picture was fragmented. From an operations perspective the same risk was being reviewed three times in three forums.
Approach
I re-engineered the Jira-based risk workflow rather than replacing it, which would have forced a years-long migration and likely failed. Inside the existing toolchain, I embedded KRIs, KPIs, and residual risk scoring directly into the risk record, so a single workflow produced data fit for three audiences: the assessor, the treatment owner, and the board.
I then unified risk treatment documentation across audit, compliance, and IT into a single source of truth, eliminating the divergence that was wasting cycle time and creating reconciliation work. To close the loop with the threat side, I integrated threat modelling and asset sensitivity data into the risk register so control-mapping accuracy improved without adding new tooling.
My role: I re-engineered the workflow, embedded the KRI/KPI/residual scoring, and unified the documentation; the wider risk function drove adoption across the three lines.
Outcome
- Cut risk-assessment cycle time by roughly 40% — from weeks to days — by automating the workflow.
- Critical audit findings fell about 35% year over year across the 200+ control set, as the workflow surfaced and tracked them to closure.
- Board risk reporting moved from a periodic exercise to a near-live view — reporting that fed the bank’s regulatory examination.
- Three Lines of Defence reporting became consistent for the first time.
What I Learned
Mature shops rarely need new tools. They need the ones they have to produce data the board can act on. Re-engineering inside what’s already running usually beats migration projects.
Have a similar problem?
I’m open to CISO, Director, and Head of Security roles in SAMA-, NCA-, or CST-regulated organizations.
Discuss a Role