Yahya Kassab, Senior Director and GM for KSA & Gulf at Commvault, explains how AI is reshaping cyber risk across the Middle East and highlights the need for unified resilience through Cloud Unity, ResOps, and government partnerships.
How is the rapid adoption of AI across the Middle East transforming the region’s cyber risk landscape as threat actors increasingly weaponise AI to automate and scale attacks?
AI is definitely contributing to a wider threat landscape for a few reasons. The first is agentic AI, which has introduced a whole new layer of identities to manage, and these are AI identities rather than human ones. The second is the sheer volume of data AI generates, which adds its own complexity. Together, those two things make life harder for CISOs and their security teams.
Having said that, at Commvault, we are using AI to fight bad AI. We implement AI to detect threats early and warn customers, and we integrate with many security vendors in the market so we can draw on their insights and share intelligence across the different technologies. We also use AI to understand where data sits, which feeds directly into compliance and governance, telling us where the data is, who is accessing it, and who holds permission to access it.
So the problem is bigger, but it remains manageable when the right technology, processes, and awareness are in place.
With the UAE facing nearly 800,000 cyberattack attempts daily, how should organisations rethink their resilience strategy to secure AI-powered digital ecosystems rather than just traditional infrastructure?
The first thing is that people need to distinguish between the classic business continuity approach and the cyber recovery approach, as they are not the same. The second is that they have to accept that they will be hacked one day. It is not a matter of if, only of when, and they have to accept that all of their security measures might fail at that moment.
Once you accept that, you plan for the worst-case scenario, and that planning runs across several dimensions. Technology plays a big part, but you also have to redefine your processes and train your people. Those three dimensions have to work together, and that is what we call Resilience Operations (ResOps). It is a term Commvault introduced and the industry is now adopting, built on the idea that testing is not a one-time exercise but an ongoing process, so you always know what to do when a compromise occurs.
As enterprises deploy generative AI and autonomous systems, how is Commvault helping organisations modernise identity, access, and privilege controls to prevent AI agents from becoming new high-value attack surfaces?
Identity is a big topic and one we have been talking about for some time. Studies today show that 57% of cyberattacks start with compromised identity, so if you do not plan your identity protection well, you have a real problem.
The way we approach this goes beyond identity protection on its own. We link identity protection to recovery and security through our recently launched platform, Commvault Cloud Unity. It is a single platform that integrates all three and shares insights among them, so we always know who is accessing the data, where it is, and how it is being used.
We also recently acquired a company called Satori, one of the latest additions to our portfolio, and that solution plays a significant role in the approach we are now offering the market.
What frameworks should Middle East organisations adopt to ensure AI systems remain trustworthy, from data integrity and model governance to continuous verification and auditability?
Governments across the region are actively working on these frameworks, on local laws and on sovereignty, so there is a great deal happening on the government side. Our job as a technology provider is to align with those local laws and regulations. To be honest, each country has its own approach. They are not uniform, and they are not standardised, so what we do is work to understand each set of rules and adapt to it.
A good example is that our platform is certified by DESC, the Dubai Electronic Security Centre, which is the regulation in Dubai that allows government entities to use a SaaS platform. We were the first to achieve that, and we are doing the same across other countries in the region.
How is Commvault enabling cyber resilience that protects not only infrastructure but also the data, identities, and AI workflows that underpin mission-critical operations across the region?
To build on what I mentioned earlier, we bring together identity, resiliency, cyber recovery, and security through Commvault Cloud Unity, which integrates them and surfaces insight across all of them. But cyber resiliency goes beyond data alone. Bringing the data back is one thing. The second thing is bringing the operations and the applications back, and that is where we have introduced technologies in the cloud, such as Cloud Rewind, which lets us rewind the environment to the moment just before the attack or compromise. And then there is ResOps, which I described earlier, an approach rather than a technology, linking people, process, and technology, modernising them and keeping the testing ongoing. Those are the three dimensions we work across.
What role should national strategies and regulatory frameworks across the Middle East play in ensuring safe, sovereign, and compliant AI adoption at scale, and how is Commvault supporting this shift?
We had the pleasure today of hearing about this from His Excellency Dr. Mohamed Al Kuwaiti, who serves as the Head of Cyber Security for the United Arab Emirates Government, during our SHIFT event in Dubai, and I think he set this out clearly. It starts with partnership, a clear framework between public, private, and people, so that everyone carries responsibility. Security and defence are not the job of any single party; they are the responsibility of all. That is the first dimension. The second is awareness, because so many of the issues we face today come down to it. People often do not grasp the scale of the threat, its impact, or how easy hacking has become with AI tools, so awareness matters enormously.
The last dimension Dr. Al Kuwaiti raised is the human role. The UAE is planning to build local capacity to develop cyber resilience and security professionals, and we are glad to partner with the government on exactly that. It was part of our announcement at SHIFT Dubai, the launch of the Commvault Innovation Centre of Excellence with the Cyber Security Council in Abu Dhabi, which will serve as a centre for innovation, development, education, and awareness.
As AI accelerates both innovation and risk, how should boards and executive teams recalibrate their resilience strategy to ensure business continuity in an era of autonomous threats, and where does Commvault fit into that conversation?
At board level, the first step is that the risk and security teams, or both, should be represented on the board itself. We need to redefine the governance process around the decisions we take. For example, if an organisation is considering adopting AI, deploying generative AI, or moving to the cloud, there has to be a process that governs that decision and works through it step by step, assessing the risk before the decision is made. This is not really an argument about cloud versus on-premise. Both work, and both can be very risky or very safe depending on how you implement them. That is why having governance and risk expertise on the board is so important, in my view, so that every decision the board makes must pass through that process before it is implemented.











