A five-phase approach to building cybersecurity governance programs in NCA, SAMA, and CST-regulated organizations.
الفلق — the break of day
Cybersecurity programs in Saudi organizations fail in predictable ways. They buy platforms before they understand their own assets. They write aspirational policy nobody can measure. They try to enforce every control at once. They produce KRIs that look serious but never drive decisions. They build parallel copies of the same risk work in compliance, audit, and IT, none of them quite agreeing.
FALAQ is the approach I use to avoid those failures. Five phases, in order, each producing an artifact the next phase depends on. The order is not optional. You cannot quantify what you have not anchored. You cannot anchor what you have not inventoried.
Foundation: asset and data inventory before everything else.
Every NCA, SAMA, and ISO 27001 control assumes you can answer three questions about every asset: who owns it, what data does it process, and how critical is it to operations? If you cannot, every downstream control is fiction. Foundation work is unglamorous. Skip it and the rest collapses.
Anchor: short, enforceable policy with every clause tied to a control.
Policy is the contract that lets every other control hold. It must be short enough to be read, operationally enforceable — no aspirational language nobody can measure — and traceable, so every clause maps to a specific NCA control, SAMA expectation, ISO requirement, or PDPL article. Policy without traceability is paperwork; with it, policy is the spine of the program.
Layer: controls deployed in sequence, not big-bang.
A common failure mode is trying to enforce all controls at once. Classification must precede handling rules. Handling rules must precede exception processes. Detection without response is theater. Layer controls in the order the dependencies require, and stage the rollout against the audit timeline so adoption can be measured before it becomes a non-conformity.
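Dependency-ordered rollout is a topological sort over the control catalogue. The following is an added example, not tooling from the original page: it takes a constructed catalogue whose dependencies mirror the ones named above (classification before handling rules before exceptions; detection before response), computes an order in which every prerequisite lands first, refuses catalogues with circular dependencies, and flags controls whose rollout would finish after the audit date. Control identifiers, names and durations are hypothetical.

```python
"""Sequence a control rollout by dependency (added example, not the page's own tooling)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Control:
    ident: str                        # hypothetical internal control identifier
    name: str
    depends_on: list = field(default_factory=list)
    weeks: int = 4                    # constructed rollout duration in weeks


# Constructed catalogue reflecting the dependencies described in the text.
CATALOGUE = [
    Control("C-01", "Data classification scheme", [], 6),
    Control("C-02", "Data handling rules", ["C-01"], 4),
    Control("C-03", "Exception process", ["C-02"], 3),
    Control("C-04", "Security monitoring and detection", [], 8),
    Control("C-05", "Incident response procedure", ["C-04"], 4),
    Control("C-06", "DLP enforcement", ["C-02", "C-04"], 6),
]


def rollout_order(controls):
    """Kahn's algorithm: return control identifiers in an order where every
    dependency precedes its dependents; raise ValueError on a cycle."""
    by_id = {c.ident: c for c in controls}
    indegree = {c.ident: 0 for c in controls}
    dependents = defaultdict(list)
    for c in controls:
        for dep in c.depends_on:
            if dep not in by_id:
                raise KeyError(f"{c.ident} depends on unknown control {dep}")
            indegree[c.ident] += 1
            dependents[dep].append(c.ident)
    ready = deque(sorted(i for i, d in indegree.items() if d == 0))
    order = []
    while ready:
        cur = ready.popleft()
        order.append(cur)
        for nxt in sorted(dependents[cur]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(controls):
        stuck = sorted(i for i, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def schedule(controls, audit_week):
    """Assign each control a start and finish week (earliest start is when its
    last dependency finishes) and flag any control finishing after the audit."""
    by_id = {c.ident: c for c in controls}
    finish = {}
    plan = []
    for ident in rollout_order(controls):
        c = by_id[ident]
        start = max((finish[d] for d in c.depends_on), default=0)
        finish[ident] = start + c.weeks
        plan.append((ident, start, finish[ident], finish[ident] > audit_week))
    return plan


if __name__ == "__main__":
    for ident, start, end, late in schedule(CATALOGUE, audit_week=14):
        print(f"{ident}: weeks {start}-{end}{'  LATE FOR AUDIT' if late else ''}")
```

A control that the schedule marks late is the one to either start earlier (if its dependencies allow) or formally scope out of the assessment, rather than discover as a non-conformity.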
Align: Three Lines of Defence and board reporting unified at the data layer.
If audit, compliance, and IT each maintain their own version of the same risk, you have three problems, not three perspectives. Alignment is the discipline of unifying the underlying data model so the same risk record produces views fit for the assessor, the treatment owner, and the board — without re-keying or reconciliation.
Quantify: KRIs, KPIs, and residual risk in a single workflow.
Most KRIs reported to boards are vanity metrics — large numbers detached from any decision. Quantification means embedding Key Risk Indicators (what changed), Key Performance Indicators (whether controls are working), and residual risk scoring (how much exposure remains) into the same workflow. A board paper that does not change a decision was not worth writing.
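The two points above, one risk record feeding every audience and KRI, KPI and residual risk living in one workflow, come down to a data model. The following is an added example, not the page's own tooling: a single risk record holds inherent likelihood and impact plus the controls mapped to it, each control carries its measured efficacy (the KPI) and framework reference, residual risk is derived from those KPIs, and the KRI is the change in residual since the previous period. The assessor, treatment-owner and board views are all projections of that one record, with nothing re-keyed. The framework references, thresholds and the independent-layers formula for combining control efficacy are assumptions for illustration.

```python
"""One risk record, three views (added example, not the page's own tooling)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ControlKPI:
    ref: str          # hypothetical framework clause reference the control maps to
    name: str
    efficacy: float   # KPI: measured effectiveness, 0.0 to 1.0 (e.g. share of hosts patched in SLA)
    target: float     # agreed target efficacy
    evidence: str     # evidence status the assessor sees


@dataclass
class RiskRecord:
    risk_id: str
    title: str
    owner: str
    likelihood: int                  # inherent likelihood, 1 to 5
    impact: int                      # inherent impact, 1 to 5
    controls: list = field(default_factory=list)
    previous_residual: Optional[float] = None   # last period's residual (KRI baseline)
    appetite: float = 8.0            # board-approved residual threshold (constructed)

    def inherent(self):
        return self.likelihood * self.impact

    def combined_efficacy(self):
        # Simplifying assumption: controls act as independent layers, so the
        # exposure that gets through is the product of what each control lets through.
        leak = 1.0
        for c in self.controls:
            leak *= 1.0 - max(0.0, min(1.0, c.efficacy))
        return 1.0 - leak

    def residual(self):
        """How much exposure remains after the controls, on the inherent scale."""
        return round(self.inherent() * (1.0 - self.combined_efficacy()), 2)

    def kri(self):
        """What changed: movement in residual risk since the last reporting period."""
        if self.previous_residual is None:
            return None
        return round(self.residual() - self.previous_residual, 2)


def assessor_view(r):
    """Clause references and evidence status, for the NCA/SAMA/ISO assessor."""
    return {"risk_id": r.risk_id,
            "controls": [(c.ref, c.name, c.evidence) for c in r.controls]}


def owner_view(r):
    """Controls below target efficacy, for the treatment owner to act on."""
    gaps = [(c.ref, c.efficacy, c.target) for c in r.controls if c.efficacy < c.target]
    return {"risk_id": r.risk_id, "owner": r.owner,
            "residual": r.residual(), "below_target": gaps}


def board_view(r):
    """Residual against appetite plus the KRI trend; decision_required is the
    one field a board paper exists to produce."""
    res = r.residual()
    return {"risk_id": r.risk_id, "inherent": r.inherent(), "residual": res,
            "kri_delta": r.kri(), "within_appetite": res <= r.appetite,
            "decision_required": res > r.appetite}


# Constructed sample record: two controls, both under target, residual worsening.
SAMPLE = RiskRecord(
    "R-007", "Unpatched internet-facing services", "Head of Infrastructure",
    likelihood=4, impact=5,
    controls=[
        ControlKPI("FW-REF-12", "Patch management SLA", efficacy=0.70, target=0.95, evidence="sampled"),
        ControlKPI("FW-REF-31", "External attack-surface scanning", efficacy=0.50, target=0.90, evidence="missing"),
    ],
    previous_residual=2.0,
    appetite=2.5,
)

if __name__ == "__main__":
    for view in (assessor_view, owner_view, board_view):
        print(view.__name__, view(SAMPLE))
```

The discipline the example enforces is that nobody edits a view: the assessor's evidence gap, the owner's efficacy gap and the board's breach of appetite are the same record seen three ways, so they cannot drift apart between cycles.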
| Level | Name | Indicator |
|---|---|---|
| 1 | Reactive | Compliance work driven by audit findings; no maintained inventory. |
| 2 | Defined | Asset inventory and policies exist, but drift between cycles. |
| 3 | Aligned | Controls mapped to specific NCA/SAMA/ISO clauses; sequenced rollout. |
| 4 | Quantified | KRIs + KPIs + residual risk in single workflow; board reporting reliable. |
| 5 | Adaptive | Threat-informed risk decisions; control efficacy continuously measured. |
Most organizations I work with arrive at Level 1 or Level 2 with the budget and the will to reach Level 3 in twelve months. The order matters. Foundation first. Anchor second. Anything else done before those two collapses under audit.
If your organization is preparing for an NCA assessment, a SAMA examination, or a PDPL rollout, I’m open to senior security leadership roles — CISO, Director, Head of Security.