The National Cybersecurity Authority (NCA) of Saudi Arabia released the second edition of its Essential Cybersecurity Controls (ECC-2) as a mandatory baseline for all government entities and critical national infrastructure operators. For the first time, several controls have been extended to private sector organisations that handle sensitive national data — making this a critical read for any KSA enterprise.

What Changed from ECC-1 to ECC-2

The second edition is not a minor update — it represents a fundamental restructuring of how Saudi organisations are expected to manage cybersecurity risk. The most significant changes fall into five areas:

• Asset Management: Organisations must now maintain a continuously updated inventory of all digital assets, classified by criticality. Shadow IT is explicitly addressed — unknown assets are considered non-compliant.
• Identity and Access Management: Privileged access must be governed by a formal PAM programme. MFA is mandatory for all remote access and all admin interfaces without exception.
• Third-Party Risk: Every technology vendor or managed service provider must now undergo a formal cybersecurity assessment before onboarding, with annual reviews thereafter.
• Incident Response: Response plans must be tested at least annually through tabletop exercises. Evidence of testing must be retained for auditors.
• Cloud Security: Workloads hosted outside the Kingdom require explicit NCA approval and must meet data residency requirements defined under PDPL.

The 5 Controls Most Organisations Are Failing

Based on Zyberon's assessment work across KSA mid-market enterprises, the following controls represent the most common gaps — and the highest audit risk:

1. Cyber Asset Register (Control 1.1): Most organisations have partial asset inventories. ECC-2 requires completeness with classification. If you can't list every device, application, and data store — you're not compliant.
2. Privileged Access Management (Control 3.3): Shared admin accounts, undocumented service accounts, and no session recording are the three most common failures we encounter.
3. Security Awareness Training (Control 5.1): Annual one-hour sessions no longer satisfy the requirement. ECC-2 expects role-based, quarterly programmes with tracked completion and phishing simulation results.
4. Vulnerability Management (Control 6.2): Organisations must now demonstrate a formal patch cadence. Critical vulnerabilities must be remediated within 15 days of disclosure.
5. Supplier Risk Assessment (Control 7.1): This is the most commonly overlooked. Every SaaS tool, every cloud service, every contractor with system access needs a documented security assessment.

Your 90-Day ECC-2 Readiness Plan

If you're starting from scratch or have received an audit notice, here's the prioritised sequence Zyberon recommends:

• Days 1–30: Conduct a gap assessment against all 114 ECC-2 controls. Classify gaps as Critical, High, or Medium. Build a remediation register.
• Days 31–60: Address all Critical gaps — typically PAM, MFA enforcement, and incident response plan documentation. Stand up or engage a SOC for continuous monitoring.
• Days 61–90: Address High gaps, conduct a tabletop exercise, document all evidence, and prepare your audit pack.

If you'd like to understand your current ECC-2 posture before your next audit cycle, our team offers a complimentary 30-minute consultation to give you an honest picture of where you stand.

Traditional network security operated on a castle-and-moat model — the assumption being that everything inside the perimeter was trusted. In a world where employees work remotely, data lives in multiple clouds, and attackers routinely compromise credentials, that model is not just outdated — it is actively dangerous.

Zero Trust replaces the perimeter with identity. Every request — whether from an employee laptop in Riyadh or a cloud workload in a data centre — is treated as potentially hostile until explicitly verified.

The Three Pillars of Zero Trust

• Verify Explicitly: Every access request is authenticated and authorised using all available signals — identity, device health, location, and behavioural patterns. MFA is the minimum; adaptive authentication is the goal.
• Use Least Privilege Access: Users and systems receive only the minimum permissions necessary for their specific task — and only for the duration of that task. Persistent privileged access is eliminated.
• Assume Breach: Design systems on the assumption that attackers are already inside. This means encrypting everything, segmenting networks microscopically, and maintaining full audit logs of all activity.

Zero Trust and KSA Regulatory Alignment

Implementing Zero Trust principles directly addresses requirements across all three major KSA cybersecurity frameworks:

• NCA ECC-2: Zero Trust satisfies controls in IAM (3.x), network security (4.x), and data protection (8.x) simultaneously — making it the most efficient path to ECC-2 maturity.
• SAMA CSF: The Framework's "Protect" domain maps directly to Zero Trust's least-privilege and microsegmentation principles.
• PDPL: Zero Trust's data classification and access controls are the technical foundation of PDPL's purpose-limitation and data minimisation requirements.

Starting Your Zero Trust Journey

The most common mistake organisations make with Zero Trust is trying to implement everything at once. Zyberon recommends a phased approach that delivers measurable security improvements at each stage:

1. Phase 1 — Identity: Enforce MFA everywhere. Deploy a PAM solution for privileged accounts. Eliminate shared credentials. Timeline: 30–60 days.
2. Phase 2 — Devices: Implement endpoint detection and response. Enforce device health checks before granting access. Deploy MDM for mobile devices. Timeline: 60–90 days.
3. Phase 3 — Network: Implement microsegmentation. Deploy east-west traffic inspection. Replace flat network architecture with identity-aware access. Timeline: 90–180 days.
4. Phase 4 — Applications: Move to application-layer access controls. Implement CASB for SaaS visibility. Deploy API security gateways. Timeline: 180–365 days.

Saudi Arabia stands at the frontlines of the world's digital revolution. With over SAR 80 billion committed to digital infrastructure under Vision 2030, the Kingdom is transforming every sector — government services, financial systems, healthcare, education, and logistics — at a pace that is unprecedented in the region.

This transformation creates enormous opportunity. It also creates an exponentially expanding attack surface — and threat actors have noticed.

The Threat Landscape Has Changed

In 2024, Saudi Arabia was the second most targeted country in the Middle East for ransomware attacks. State-sponsored threat actors, cybercriminal groups, and hacktivists all actively target KSA organisations — attracted by the concentration of high-value assets, critical infrastructure, and sensitive government data.

• Ransomware attacks against Saudi organisations increased by 34% year-on-year in 2024
• The average cost of a data breach in the Kingdom reached SAR 32 million — up 11% from the prior year
• Phishing remains the primary initial access vector, accounting for 67% of confirmed breaches
• Supply chain attacks targeting Saudi organisations' technology vendors grew by 280% between 2022 and 2024

PDPL: The Compliance Reality

The Personal Data Protection Law came into full enforcement in 2023, with SDAIA actively investigating complaints and issuing fines. The regulatory landscape has shifted permanently. Every organisation that processes the personal data of Saudi residents — regardless of where they are headquartered — is subject to PDPL.

The three most common PDPL violations Zyberon encounters during assessments are:

• Missing lawful basis documentation: Organisations collecting personal data without documented consent, legitimate interest, or contractual necessity.
• Inadequate data retention policies: Personal data held indefinitely with no defined retention schedule or deletion process.
• Undisclosed third-party sharing: Personal data transferred to vendors, analytics platforms, or overseas processors without data subject awareness or contractual safeguards.

Building a Cybersecurity Programme for Vision 2030

Organisations that treat cybersecurity as a compliance cost will struggle. Those that treat it as a strategic enabler — protecting the digital assets that drive Vision 2030 ambitions — will build durable competitive advantage. The framework for doing this successfully has three components: governance, technology, and people.

For years, Security Information and Event Management (SIEM) was the exclusive domain of large enterprises with seven-figure security budgets. Commercial platforms from Splunk, Microsoft Sentinel, and IBM QRadar delivered powerful capabilities — but at a price that put them out of reach for most mid-market organisations.

The open-source revolution changed that equation. Today, a well-architected open-source SOC stack can deliver 80–90% of the detection capability of commercial platforms at a fraction of the cost. But "open-source" is not the same as "free" — and the trade-offs are real.

The Open-Source Stack Zyberon Deploys

Zyberon's SOCaaS offering is built on a curated open-source stack that we have hardened, tuned, and integrated specifically for the KSA threat landscape and regulatory requirements:

• Wazuh: The core SIEM/XDR engine. Handles log collection, correlation, file integrity monitoring, vulnerability detection, and compliance reporting. NCA ECC-2 and SAMA CSF dashboards are pre-built.
• OpenSearch: The search and analytics layer. Stores and indexes all security events, providing sub-second query performance across billions of log records.
• Suricata: Network-based intrusion detection and prevention. Analyses all east-west and north-south traffic for known attack patterns and anomalies.
• Shuffle: The SOAR (Security Orchestration, Automation, and Response) layer. Automates repetitive analyst tasks, reducing mean time to respond from hours to minutes.

Honest Trade-Off Analysis

Open-source is not the right choice for every organisation. Here's where commercial platforms genuinely outperform:

• Threat intelligence integration: Commercial platforms have native integrations with major threat intelligence feeds. Open-source requires manual configuration — though this is a one-time setup cost.
• Vendor support SLAs: When something breaks at 2am, a commercial vendor's support desk is available. Open-source relies on community forums and internal expertise.
• Out-of-the-box compliance reporting: Commercial platforms have pre-built compliance dashboards for dozens of frameworks. Wazuh has NCA ECC-2 and PCI-DSS; others require custom development.

For most mid-market KSA organisations — those with 50–2,000 employees, operating under NCA ECC-2 or SAMA CSF, without a dedicated 5-person security team — the open-source stack delivers superior value. The total cost of ownership is typically 60–75% lower than equivalent commercial platforms over a three-year horizon.

The Chief Information Security Officer role has become one of the most important — and most expensive — positions in any enterprise. In the Kingdom, a qualified CISO commands between SAR 480,000 and SAR 840,000 per year in total compensation. For organisations with fewer than 1,000 employees, that cost is rarely justifiable as a full-time hire.

The virtual CISO (vCISO) model solves this problem. For a monthly retainer that typically represents 15–25% of a full-time CISO salary, organisations receive senior security leadership on demand — available for board reporting, regulatory engagement, vendor negotiations, and strategic decision-making.

What a vCISO Actually Delivers

• Security Strategy and Roadmap: A 12-month security improvement plan aligned to your business objectives, risk appetite, budget, and applicable KSA regulatory requirements.
• Board and Audit Committee Reporting: Quarterly risk reports written for non-technical audiences — giving your board the governance oversight that NCA ECC-2 and SAMA CSF require.
• Regulatory Engagement: Representation in NCA audits, SAMA examinations, and SDAIA interactions. A vCISO who knows the auditors' language can dramatically reduce audit friction.
• Vendor Governance: Security evaluation of all technology vendors, review of third-party assessments, and negotiation of security requirements in contracts.
• Incident Oversight: When a serious incident occurs, the vCISO becomes the command authority — coordinating the technical response, managing communications, and guiding the forensic investigation.

Is a vCISO Right for Your Organisation?

The vCISO model is the right choice if your organisation meets at least three of the following criteria:

• Fewer than 500 employees but subject to NCA ECC-2, SAMA CSF, or PDPL enforcement
• No dedicated security leadership at director level or above
• Upcoming regulatory audit or compliance certification within 12 months
• Recent security incident that exposed governance gaps
• Board or investor asking for formal cybersecurity oversight and reporting

Ransomware is the most operationally disruptive threat facing Saudi enterprises today. The average downtime following a ransomware attack is 21 days. The average total cost — including ransom payments, recovery costs, lost revenue, and regulatory penalties — exceeds SAR 28 million for mid-market organisations.

The difference between a 4-day recovery and a 4-week recovery almost always comes down to what happens in the first four hours after detection. Here is the exact playbook Zyberon's incident response team executes.

Hour 1: Confirm and Contain

The first hour is about stopping the spread, not understanding the attack. Ransomware encrypts files as fast as network bandwidth allows — every minute of delay means more data encrypted and more systems compromised.

1. Declare an incident: Notify your CISO or vCISO, IT leadership, and legal counsel immediately. Do not wait for confirmation — act on suspicion.
2. Isolate affected systems: Disconnect all suspected systems from the network immediately. Pull network cables, disable Wi-Fi, block at the switch level. Do NOT shut down systems — running memory may contain decryption keys.
3. Identify patient zero: Review your EDR or SIEM logs to identify the initial infection vector and the first affected system. This determines the scope of your investigation.
4. Preserve evidence: Take memory dumps of affected systems before any remediation. This evidence is critical for forensic investigation and insurance claims.

Hours 2–3: Assess and Activate

• Scope the damage: Identify all affected systems, encrypted file shares, and compromised credentials. Build a prioritised recovery list based on business criticality.
• Notify stakeholders: Brief the board, notify cyber insurance, and assess NCA notification obligations. Under NCA guidelines, material incidents affecting critical systems must be reported within 72 hours.
• Engage external IR support: If you don't have 24/7 SOC coverage, engage an external IR team immediately. The sooner forensic specialists are on the case, the better your recovery options.
• Evaluate backup integrity: Check whether backups are intact and unencrypted. Many ransomware operators specifically target backup systems — this assessment determines your recovery strategy.

Hour 4: Decide and Recover

By hour four, you should have enough information to make two critical decisions: whether to pay the ransom (rarely advisable — and in some cases illegal), and whether to recover from backups or rebuild from scratch. Both paths require a formal recovery plan with defined RTOs and RPOs for each critical system.

Before It Happens: The Three Controls That Matter Most

• Immutable backups: Backups stored in a location that cannot be modified or deleted by systems on your main network. This is the single most important ransomware resilience control.
• EDR on every endpoint: Behavioural-based endpoint detection that can identify ransomware activity before encryption begins — often providing a 15–30 minute window for containment.
• Tested incident response plan: An IR plan that has never been exercised is a document, not a capability. Tabletop exercises reveal the gaps before attackers do.