The 2025 Voice of the CISO Report from Proofpoint provides a global window into how chief information security officers are experiencing today’s shifting threat environment. This year’s survey covered 1,600 CISOs across 16 countries, including 100 participants from the UAE. Their responses reveal how cybersecurity leaders in the UAE view risk, where they have confidence, and where gaps still exist. Taken together, the findings offer a valuable look at how UAE organizations are preparing for an increasingly complex security landscape.
Rising Concern Over Cyberattack Risk
One of the most striking findings from the UAE is how many CISOs believe a serious attack is on the horizon. According to the survey, 69% of UAE CISOs think their organizations are likely to face a material cyberattack within the next 12 months. This number sits slightly below the global average of 76%, but it still means that more than two out of three CISOs in the country expect disruption.
This perception matters. It reflects a baseline expectation that cyber incidents are inevitable, not hypothetical. For organizations in the UAE, it suggests that the conversation has shifted from if a breach will happen to when. Yet the fact that the UAE figure is lower than in markets like Germany, Brazil, or India may also signal a level of confidence in local security controls, regulation, and investment. Nevertheless, the threat is very real, and CISOs are bracing themselves.
Fewer Data Losses, but Greater Consequences
The UAE diverges from global patterns when it comes to data loss. Worldwide, two-thirds of CISOs reported losing sensitive information in the past year. In the UAE, 77% said the same.
On the surface, this looks like progress, however, the story changes when looking at the impact of these breaches. While incidents may be less frequent, when they do occur, they hit harder. The operational downtime, legal exposure, and remediation efforts required to recover in the UAE appear to be more expensive than in most other markets.
This imbalance is a critical insight for business leaders. It suggests that resilience planning in the UAE cannot rely only on preventing incidents. Organizations also need to invest in response capabilities, crisis management, and post-incident cost mitigation.
Email Fraud as the Leading Threat
When asked which threats worry them most, UAE CISOs pointed to email fraud. This aligns the country with the U.S., UK, and Italy, where business email compromise is considered the most dangerous attack vector.
Unlike ransomware or malware, which rely on technical vulnerabilities, business email compromise depends on exploiting trust, impersonation, and human error. For UAE companies, this means their defenses must be as much about educating employees and strengthening processes as about deploying technical safeguards.
This finding is consistent with the UAE’s regional threat profile. As a global business hub with high volumes of international financial transactions, the country is an attractive target for attackers seeking to manipulate executives, finance teams, and suppliers. It also reinforces the need for stronger email security, advanced phishing detection, and continuous awareness training.
Human Risk Remains the Greatest Vulnerability
The Proofpoint report makes clear that people are at the heart of most cybersecurity challenges. Globally, 66% of CISOs said human error is their greatest vulnerability. The UAE is included in this global pattern, with 57% of CISOs in the country also citing people as their greatest risk.
Whether it is a careless insider sending data to the wrong party, a compromised employee account, or a malicious insider abusing their access, human behavior continues to be the most difficult variable to secure. The UAE’s emphasis on email fraud only strengthens this conclusion. Technical defenses can stop many automated attacks, but no firewall can prevent an employee from clicking on a convincing phishing link. Despite awareness campaigns, insider risk management programs are not consistently resourced. For UAE enterprises, this represents a significant gap.
The Dual Edge of Generative AI
No 2025 cybersecurity report would be complete without examining the role of artificial intelligence, and the UAE’s responses illustrate the tension between opportunity and risk. According to the survey, 54% of UAE CISOs believe that generative AI poses a security risk to their organizations. This is slightly below the global average of 60%, reflecting heightened awareness in the region.
Public AI platforms can expose sensitive information, employees may share data outside protected environments, and attackers can use AI to scale phishing campaigns or craft more convincing social engineering lures. In short, AI lowers the barrier for both mistakes and attacks.
At the same time, CISOs in the UAE are pragmatic. Few advocate for banning AI outright. Instead, they recognize the need to govern its use through policies, monitoring, and secure adoption strategies. Many see AI as a tool that, if properly controlled, could actually strengthen defenses against human error and advanced threats. The challenge for UAE organizations will be balancing efficiency with security, taking advantage of new technologies while minimizing exposure risks.
Cybersecurity in the Boardroom
One of the more encouraging global findings in the report is the level of boardroom alignment. The report shows that around 64% of CISOs globally feel their boards see eye to eye with them on cybersecurity, indicating that executives are increasingly treating it as a strategic business issue rather than a purely technical one.
This alignment is significant because it affects how resources are allocated. Boards that understand the risks are more likely to support investments in people, processes, and technology. They are also more likely to weigh the reputational, financial, and operational consequences of a cyberattack in strategic decision-making. For CISOs in the UAE, this stronger global trend could provide a much-needed foundation for addressing the pressures of their role and advocating for necessary security measures.
Pressure on the Role of the CISO
Despite stronger board alignment, the role of the CISO in the UAE is still marked by heavy expectations. 62 percent of UAE CISOs report feeling that the demands placed on them are excessive. While this is slightly below the global figure of 66 percent, it still underscores the stress of being responsible for protecting organizations against increasingly complex threats.
The report also shows that 67 percent of CISOs globally feel personally accountable when cybersecurity incidents occur. For many security leaders, this creates a high-stakes environment where burnout is a growing concern.
For UAE organizations, this points to a broader leadership challenge. It is not enough to hire a CISO and expect them to carry the entire burden. The role needs to be supported with adequate budgets, staff, liability protections, and mental health considerations. Without these, the sustainability of cybersecurity leadership in the UAE is at risk.
Can your organisation handle the next cyberattack?
The Proofpoint 2025 Voice of the CISO Report shows that cybersecurity in the UAE stands at a turning point. CISOs widely expect cyberattacks, and while incidents may be fewer, their financial and operational damage is far greater. Human risk, especially email fraud and phishing, remains the weakest link, now complicated by generative AI threats. Encouragingly, stronger boardroom involvement is giving CISOs the backing to push for better budgets, policies, and security controls. For UAE enterprises, partnering with a reliable cybersecurity service provider in UAE is essential to translate executive support into robust resilience measures that cover prevention, swift incident response, effective recovery, and long-term sustainability of cybersecurity leadership in a rising threat environment.
