The Cyber Resilience Compass 2025

Page 12 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf

CASE STUDY 4
Dubai Electronic Security Center (DESC) – Securing critical information infrastructure: Dubai’s cyber resilience approach

Critical information infrastructure (CII) is essential to the functioning of societies, supporting daily life and powering key sectors such as energy, healthcare, finance, telecommunications and transportation. As the systems become increasingly digital, ensuring their cybersecurity is vital to protecting public safety and economic stability. The Dubai Electronic Security Center (DESC), as the cybersecurity regulator in Dubai, plays a significant role in securing the emirate’s CII through a structured, risk-based approach reinforced by regulatory frameworks.

To build the Dubai Cyber Resilience Plan, DESC identified critical sectors, ensuring the protection of critical services and assets that are the backbone of the city’s operations. In collaboration with the designated sector leads, DESC conducted rigorous risk assessments, mapping interdependencies that connect the various sectors to prevent cascading failures that could negatively affect the city’s economy and the well-being of its citizens. The Dubai Cyber Resilience Plan includes cybersecurity guidelines and measures for sector leads to implement, such as asset classification, disaster recovery, business continuity planning and incident response plans. The approach to fortifying Dubai’s digital infrastructure integrates regulatory oversight and strategic cybersecurity initiatives, positioning the city as a global leader in cyber resilience.

3.3 People and culture

People and culture encompass an organization’s strategies and practices for building and retaining a workforce, as well as empowering employees and equipping them with the necessary cyber skills and awareness.

This involves:
– Growing and retaining talent
– Implementing training and awareness programmes to build employee ownership and engagement
– Building a culture of psychological safety
– Establishing a common language across the organization

Examples of front-line practices that organizations are applying:
– Chief information officers (CIOs), CISOs and human resources (HR) develop robust strategies for talent acquisition, training and retention to build cyber talent capacity in the organization. Organizations first understand the skills they require, then develop targeted recruitment and retention initiatives based on these needs. Approaches include partnerships with universities, cybersecurity boot camps or continuous learning and mentorship programmes.
– Cybersecurity and learning and development teams collaborate to implement cybersecurity training and awareness programmes tailored to different roles to build ownership and engagement and to prevent incidents. Local leadership educates employees on their responsibilities and how their actions affect the organization’s cyber resilience. Training programmes are regularly updated to align with evolving threats and business needs.
– CISOs and local leadership cultivate a culture of psychological safety to increase the reporting of incidents and mistakes, to encourage transparency and accountability and ultimately to lead to quicker identification and resolution of issues. CISOs promote open lines of communication and regular feedback loops, paired with organization-wide policies of positive reinforcement for proactive incident reporting, to strengthen trust and to ensure that employees report potential issues.
– CISOs establish a simplified cyber and risk taxonomy to reduce departmental divisions, enhance mutual understanding and integrate cybersecurity into business processes. This unified taxonomy is incorporated into training sessions, risk management frameworks and communication channels to promote communication and collaboration at all levels and in all departments of the organization.

The Cyber Resilience Compass: Journeys Towards Resilience