For a clear sense of where cyber priorities are heading in the GCC, you have to look at the people in control of the budgets – and what keeps them awake at night.
New research from PwC shows that boards and business leaders in the Middle East are taking a more focused stance on cyber. Nearly a quarter plan to raise cyber budgets by 11%+ in 2025, and 63% say their boards are highly effective on regulatory responsibilities – well above the global average.
This governance shift is driving spend into strategy, rather than just cybersecurity tooling.
According to PwC’s Middle East findings, business leaders in the region say their top investment priority is improving risk posture against a strategic plan, then data protection, and modernising tech/cyber infrastructure.
On the technology leader side (CISOs and CIOs), the emphasis skews even harder towards protection: 40% rank data protection as their top investment area (compared with 28% globally) and 31% are prioritising GenAI/ML.
Taken together, that’s a vote for practical controls that reduce blast radius (from DLP and encryption to strong IAM, secrets management, and better data lifecycle hygiene) and for building guardrails around fast-moving AI adoption.
Threat-wise, the concerns here are specific and immediate. Hack-and-leak operations top the list (47%, vs 38% globally), alongside third-party breaches (36%), BEC/account takeovers (36% vs 24% globally), and cloud-related threats (35% vs 42% globally).
And preparedness is mixed – some organisations are least prepared for cloud threats, while others are least prepared for third-party breaches.
With this in mind, we expect procurement requirements, continuous monitoring, and SBOM/SCRM capabilities to see budget tailwinds.
But we have to remember there’s a human layer too. When we interviewed past Black Hat MEA speaker Suresh Sankaran Srinivasan (Group Head of Cyber Defence at Axiata), he said:
“I wish everyone realised that cybersecurity is more of an attitude than a technical skill or control.”
That perspective is important in the context of the changes we’re seeing in the region. Spend is rising, but if it isn’t coupled with a mindset shift (from compliance box-ticking to resilient culture), the ROI will be thin.
Regulation is having a real impact on budget decisions too. Saudi Arabia and the UAE continue to tighten data localisation and sectoral rules – leading to local data centres and cloud controls to meet compliance requirements.
Boards feel the heat, and CISOs get the mandate (and, increasingly, the budget) to operationalise compliance without slowing down innovation.
When we interviewed Isabelle Meyer (Co-Founder and Co-CEO at ZENDATA Cybersecurity), we asked why events like Black Hat MEA are valuable to her. She said:
“The community! It makes us grow, gather, and create.”
That shared expertise is what helps boards and CISOs spend smarter – learning from peers, avoiding shiny-tool syndrome, and investing where it counts.
So here are our three key takeaways for Middle East cyber leaders right now:
If you want to position yourself at the heart of regional and global cybersecurity knowledge, there’s still time to register for Black Hat MEA 2025.
Join the newsletter to receive the latest updates in your inbox.
Planning your cybersecurity budget for 2026? We pull together forecasts from Gartner, IDC and the WEF to show where spend is shifting – from tooling to AI governance, supply chain trust, and layered controls
Read More
In 2025, cybersecurity funding is flowing to startups that prove real market need, build diverse resilient teams, and show defensible tech. Here’s how founders can win investor confidence in a tougher climate.
Read More
Global cybersecurity funding is cooling, but still resilient. Investors in 2025 are backing late-stage, proven platforms in AI-driven defence, identity, CTEM and security validation – and turning away from hype.
Read More