Field Guide · Issue 10 · NIST CSF 2.0

A cybersecurity programme is built, not bought.

The NIST CSF 2.0 cybersecurity strategy that Dubai and UAE teams actually ship — phased, measured, budgeted. Built from hundreds of consulting engagements across Dubai, Abu Dhabi and the wider GCC.

6 functions · 3 phases · 90 days · 12-month horizon

Blueprint · NIST CSF 2.0 programme plan · 90-day starter view

A firewall here. An EDR there.
A SIEM trial nobody closed.

I've seen too many companies throw money at cybersecurity without a plan. Six months later they've spent the budget on tools they never finished deploying - and still can't answer basic questions.

Are we actually more secure than last year? What should we invest in next? Where would an adversary reach first? Without a roadmap, the answers are vibes.

This page is the NIST CSF 2.0 implementation we run with clients — structured, prioritised, measurable. Tuned with practical timelines and budget bands from real cybersecurity consulting engagements across Dubai, Abu Dhabi, and KSA.

"Cybersecurity isn't a product you buy. It's a programme you run."

- Programme lead · Artiflex

Typical wasted spend · un-roadmapped 12-month window


Shelfware, half-deployed tools, overlapping licences. The first deliverable of a roadmap is recovering this.

roadmap.blueprint · draft v1

Phase 01 · Days 1–30  |  Phase 02 · Days 31–60  |  Phase 03 · Days 61–90

Metric   Value   Change
MTTD     4.2h    −62%
MTTR     18m     −71%
Patch    94%     +41pt
# values drawn from a composite of six recent regional deployments · individual results vary by maturity starting point

NIST CSF 2.0 Implementation

Six functions. One coherent cycle.

The NIST Cybersecurity Framework 2.0 — the backbone of our NIST CSF 2.0 implementation work across the UAE — organises every control, tool, and process into coherent functions. Pick any security investment, it lands in one of these boxes.

Updated Jan 2024 · NIST CSF 2.0

NIST released version 2.0 of the Cybersecurity Framework in February 2024, adding a new Govern function alongside the original five. Govern sits above the cycle: risk appetite, roles, policy, and supply-chain oversight — the things leadership owns.

F-00

Govern

New in CSF 2.0. Leadership ownership — risk appetite, roles, policy, and supply-chain oversight.

  • Cyber risk strategy
  • Roles & RACI
  • Policy suite
  • Third-party oversight

F-01

Identify

Know your assets, data, users, and risks. You can't protect what you don't know about.

  • Asset inventory
  • Data classification
  • Risk register
  • Business-impact analysis

F-02

Protect

Deploy preventive controls - firewalls, endpoint security, identity, and encryption.

  • MFA & SSO
  • Endpoint protection
  • Data encryption
  • Access reviews

F-03

Detect

Implement monitoring and detection - SIEM, EDR alerts, anomaly and behaviour signals.

  • SIEM / log pipeline
  • EDR telemetry
  • Anomaly rules
  • Threat-intel feeds

F-04

Respond

Have incident-response plans and teams ready. Practise them - tabletops, live drills.

  • IR runbooks
  • On-call rota
  • Tabletop cadence
  • Comms playbooks

F-05

Recover

Business continuity, disaster recovery, backup verification, lessons-learned reviews.

  • Immutable backups
  • Restore drills
  • BCP / DR plan
  • Post-incident review

Compliance Roadmap

NESA, SAMA, ISO 27001, SOC 2 — how your UAE roadmap maps to each

A cybersecurity strategy Dubai auditors sign off on isn't a second project — it's the same 30-60-90 phases, reframed against each regulator's control language. Here is how the phases line up.

NESA

NESA IAS · UAE

NESA compliance roadmap work for UAE federal entities and critical infrastructure.

  • Phase 1 — asset inventory, risk register, access control basics (NESA T1–T4).
  • Phase 2 — DLP, logging, incident management (NESA T5–T7).
  • Phase 3 — continuous monitoring, testing, supplier oversight (NESA T8–T9).

SAMA

SAMA CSF · KSA

SAMA cybersecurity framework implementation for Saudi BFSI and payments clients.

  • Phase 1 — governance, third-party risk, identity (SAMA 3.1–3.3).
  • Phase 2 — cryptography, endpoint, data protection (SAMA 3.3.4–3.3.8).
  • Phase 3 — threat management, incident response, resilience (SAMA 3.3.13–3.3.15).

ISO

ISO 27001:2022

ISO 27001 implementation UAE — Annex A controls aligned to the 30-60-90 plan.

  • Phase 1 — A.5 organisational, A.6 people, A.8 asset controls.
  • Phase 2 — A.8 technological (crypto, logging, DLP), A.7 physical.
  • Phase 3 — ISMS metrics, internal audit, management review → certification audit.

SOC2

SOC 2 Type II

SOC 2 readiness UAE for tech startups scaling into MEA, US, and enterprise buyers.

  • Phase 1 — Security TSC: access, change mgmt, risk. Evidence collection starts day one.
  • Phase 2 — Availability + Confidentiality TSC: DLP, backups, encryption at rest.
  • Phase 3 — audit window (3 to 12 months) with continuous evidence from SIEM.

The same 30-60-90 plan, the same NIST CSF 2.0 functions — different evidence package depending on which regulator or customer is asking. We deliver this as a unified programme, not four parallel projects.

30 · 60 · 90 Day Plan

From a blank page to a programme - in ninety days

For organisations starting fresh or resetting. Three phases, thirty days each, measurable exits. The milestone plan we've used across dozens of engagements.

PHASE 01 · Days 1–30

Foundation & Quick Wins

Visibility first, then plug the obvious holes.

Establish a single source of truth for assets and risk, deploy MFA everywhere that matters, and ship an incident-response one-pager by the end of week four.

  • D-03

    Risk assessment kickoff · crown-jewel data identified

  • D-08

    MFA rolled out to email, VPN, admin consoles

  • D-14

    Endpoint protection audit - 100% coverage verified

  • D-21

    Firewall rule review · any-any rules removed

  • D-26

    DMARC · DKIM · SPF active on every sending domain

  • D-30

    Incident-response plan v1 signed off by leadership

Phase exit: all milestones closed, evidence packaged, phase review held with sponsor.
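The D-26 milestone (SPF, DKIM and DMARC active on every sending domain) is easiest to evidence with a check that reads the actual DNS TXT records rather than a checkbox in a tracker. The script below is an added example and is not the page's or Artiflex's own tooling. It runs against a constructed in-memory zone (ZONE) instead of live DNS; the domain names, the DKIM selectors s1 and s2 and the truncated public key are invented, and treating the last two labels as the organisational domain for DMARC fallback is a simplification that ignores the public-suffix list.

```python
import re

# Constructed DNS TXT data standing in for live lookups (no network needed).
# Domains, selectors and the DKIM key are invented; the key is a truncated placeholder.
ZONE = {
    "example.com": ["v=spf1 include:_spf.example.net mx -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC...PLACEHOLDER"],
    "newsletter.example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.newsletter.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "shop.example.com": [],  # sends mail but has no SPF record and no DMARC record of its own
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr(?=[:/]|$)|exists:|redirect=)", re.I)


def txt(name):
    """Stand-in for a TXT lookup; replace with a real resolver call in production."""
    return ZONE.get(name.lower(), [])


def _tags(record):
    """Parse 'k=v; k=v' tag lists as used by DMARC and DKIM records."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)


def check_spf(domain):
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:  # zero records means no SPF; two or more makes SPF permerror
        return {"status": "missing" if not recs else "multiple", "lookups": 0}
    terms = recs[0].split()
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    qualifier = {"-all": "hardfail", "~all": "softfail"}.get(terms[-1].lower(), "permissive")
    return {"status": qualifier, "lookups": lookups}


def check_dmarc(domain):
    for r in txt("_dmarc." + domain):
        if r.upper().startswith("V=DMARC1"):
            t = _tags(r)
            return {"policy": t.get("p", "none").lower(), "source": domain, "reporting": "rua" in t}
    # No record on the subdomain: DMARC falls back to the organisational domain,
    # whose sp= tag (if present) governs subdomains, else its p= tag.
    org = ".".join(domain.split(".")[-2:])  # simplification: no public-suffix list
    if org != domain:
        for r in txt("_dmarc." + org):
            if r.upper().startswith("V=DMARC1"):
                t = _tags(r)
                return {"policy": t.get("sp", t.get("p", "none")).lower(), "source": org, "reporting": "rua" in t}
    return {"policy": "missing", "source": None, "reporting": False}


def check_dkim(domain, selectors):
    """DKIM keys cannot be enumerated; the selectors in use must be known in advance."""
    for sel in selectors:
        for r in txt(f"{sel}._domainkey.{domain}"):
            if _tags(r).get("p"):  # an empty p= means the key was revoked
                return {"published": True, "selector": sel}
    return {"published": False, "selector": None}


def assess(domain, selectors=("s1", "s2")):
    spf, dmarc, dkim = check_spf(domain), check_dmarc(domain), check_dkim(domain, selectors)
    # "Ready" here means: SPF present with a fail qualifier and within the lookup limit,
    # DMARC actually enforcing (p=none only monitors), and a DKIM key published.
    ready = (spf["status"] in ("hardfail", "softfail") and spf["lookups"] <= 10
             and dmarc["policy"] in ("reject", "quarantine") and dkim["published"])
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "dkim": dkim, "ready": ready}


def report(domains, selectors=("s1", "s2")):
    return {d: assess(d, selectors) for d in domains}


if __name__ == "__main__":
    for d, result in report(["example.com", "newsletter.example.com", "shop.example.com"]).items():
        print(d, "READY" if result["ready"] else "GAP", result["spf"], result["dmarc"], result["dkim"])
```

To run this against real domains, replace txt() with a resolver call such as dnspython's dns.resolver.resolve(name, "TXT") and feed it the list of domains that actually send mail, including marketing and transactional subdomains, since those are the ones most often left at p=none.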

Budget Planning

How much should we spend - really?

The '10–15% of IT budget' rule is an answer without a question. Here's what our clients actually commit, sized against what they get for it. Vendor-neutral ranges drawn from 2024–2026 engagements.

Company size      Employees        Annual spend       Relative band   What it buys
SMB               50 – 200         USD 50K – 150K     22%             EDR · firewall · email security · basic SIEM · annual pen test
Mid-Market        200 – 1,000      USD 150K – 500K    45%             Above + MDR service · DLP · SASE · quarterly pen tests
Enterprise        1,000 – 5,000    USD 500K – 2M      72%             Full stack + dedicated / managed SOC · SOAR · red teaming
Large Enterprise  5,000+           USD 2M+            100%            Above + custom integrations · threat intel · 24/7 internal SOC

Cybersecurity strategy workshop · 90-minute · on-site or remote

Let's build your UAE cybersecurity roadmap together

Our UAE cybersecurity consulting team brings IT, leadership, and compliance into one room. By the end of the 90-minute workshop you'll have priorities, phased timelines, and a defensible budget — not a slide deck, a working document.

Virtual CISO services UAE

No CISO yet? We run the programme for you.

For organisations without a dedicated CISO, we provide fractional vCISO services — strategic oversight, roadmap execution, vendor management, and board reporting. One experienced leader, a fraction of the cost of a full-time hire, with the team behind them.

Maturity Model

Know where you are - before you plan where you're going

A five-level scale we use to benchmark every new engagement. Most organisations sit at Level 2 or 3. The realistic goal is one level per year - sustained, not heroic.

Level 03 · Defined

Formal plan, EDR, email security, DLP. Baseline monitoring.

Regular assessments in place.

Next move

Advance to Level 04 - Managed

Our roadmap targets one level per year. Anything faster is usually a stress test, not a programme.


Making the Business Case

Security ROI - translated for the board

Leadership doesn't buy 'theoretical threat reduction'. They buy quantified outcomes. Four framings that move security from cost centre to revenue lever.

Cost avoidance

USD 4.88M

average breach cost · IBM 2024

Multiply by your probability of breach - IBM reports 1 in 3 companies experience one over a 24-month window.

Insurance savings

20 – 40%

lower cyber-insurance premiums

Insurers reward mature programmes. MFA, EDR, immutable backups, and tested IR plans are the highest-leverage discounts.

Revenue enablement

SOC 2 · ISO 27001

unlock enterprise-tier customers

Certifications move you onto shortlists you cannot reach without them - especially in BFSI, healthcare, and government supply chains.

Compliance savings

10×

proactive cost vs. reactive fines

Paying to pass an audit always costs less than paying after a regulator arrives. Especially under UAE PDPL and NESA IAS.

Knowledge Base

Frequently Asked Questions

The NIST Cybersecurity Framework is a voluntary, outcomes-based set of practices published by the US National Institute of Standards and Technology. The current version, NIST CSF 2.0 (released February 2024), organises cybersecurity activity into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern was added in 2.0 and covers leadership ownership — risk appetite, roles, policy, and supply-chain oversight. The framework is widely adopted in the UAE because it maps cleanly onto NESA IAS, ISO 27001, and SAMA CSF, which means one control inventory can satisfy multiple regulators.

No — but you need a framework. NIST CSF 2.0 is the most widely adopted in the UAE because it's outcome-based rather than prescriptive, and its six-function model (Govern, Identify, Protect, Detect, Respond, Recover) maps cleanly onto NESA IAS, ISO 27001:2022, CIS Controls, and SAMA CSF. Pick one, map your controls against it, report progress in its language. Swapping frameworks every year is how programmes lose momentum.

For most organisations of 50–2,000 employees, yes — provided leadership backs the quick wins in Phase 1. The tooling is rarely the bottleneck; approvals, change-window access, and executive sponsorship are. We've delivered this timeline for Dubai SMBs with one IT lead and for mid-market firms with a small security team. Larger or heavily regulated estates — banks under SAMA, federal entities under NESA — usually need a 90-120-180 adaptation.

The rough industry rule is 10–15% of the IT budget for a mature programme, but that's a starting point, not an answer. A better framing: what would a breach cost your business — in downtime, fines, and customer churn — multiplied by your realistic probability (IBM's 2024 report puts average breach cost at USD 4.88M and breach likelihood at roughly 1 in 3 over 24 months)? Most of our UAE mid-market clients land at USD 150K–500K annually for a Level 3–4 programme; enterprises commit USD 500K–2M. NESA- and SAMA-regulated estates run higher because mandatory controls (24x7 monitoring, pen testing, logging retention) shift the floor.

See the budget matrix above — it reflects actual engagements, not vendor list prices. Beyond the tooling spend, budget 15–25% for people: a security lead or vCISO, analyst time, and awareness training. Compliance programmes (NESA, SAMA, ISO 27001, SOC 2) add a one-off 10–20% in the audit year. What we push back on: eight-figure tool stacks without the operating team to run them. That's shelfware waiting to happen.

We use a five-level maturity model — Ad Hoc, Developing, Defined, Managed, Optimised — scored against NIST CSF 2.0 function-by-function. An assessor rates each function on a 1–5 scale using evidence: policies, tool coverage, metrics, test results. Output is a radar chart (where you are per function) and a composite score (where you are overall). Most UAE mid-market clients start at Level 2 and target Level 3–4. Realistic pace is one level per year. Anything faster is usually a stress test, not a programme.

Four measures earn their keep: mean-time-to-detect (MTTD), mean-time-to-respond (MTTR), patch-compliance rate across criticals, and a quarterly posture score against your chosen framework (NIST CSF 2.0, NESA IAS, ISO 27001). Report these to leadership every quarter. Anything else — number of alerts, tickets closed, dollars spent — is activity, not outcome.
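The maturity scoring and the four programme metrics described in the two answers above (and shown on the dashboard near the top of the page) are simple enough to compute from the incident tracker and the vulnerability register, which is what makes them defensible in front of a board. The script below is an added example, not the page's or Artiflex's own scoring tool. All incident timestamps, findings and function scores are constructed sample data; the 14-day critical-patch SLA, the choice of "detection to containment" as the MTTR window, and the rule that a maturity level counts only once fully reached are assumptions you would replace with your own policy.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample data for this example (not engagement data). ISO 8601 timestamps.
INCIDENTS = [
    # occurred, detected, contained
    ("2025-03-01T02:00", "2025-03-01T06:30", "2025-03-01T06:45"),
    ("2025-03-04T10:00", "2025-03-04T13:00", "2025-03-04T13:20"),
    ("2025-03-10T22:00", "2025-03-11T03:00", "2025-03-11T03:25"),
]
FINDINGS = [
    # id, severity, published, patched (None = still open)
    ("c1", "critical", "2025-02-01", "2025-02-05"),
    ("c2", "critical", "2025-02-01", "2025-02-10"),
    ("c3", "critical", "2025-02-10", "2025-02-12"),
    ("c4", "critical", "2025-02-15", None),          # overdue and still open
    ("c5", "critical", "2025-03-10", None),          # open but not yet due
    ("c6", "critical", "2025-01-20", "2025-02-10"),  # patched, but late
    ("h1", "high", "2025-02-01", None),              # not a critical: excluded
]
# Per-function 1-5 scores from an assessment (constructed).
MATURITY = {"Govern": 2, "Identify": 3, "Protect": 3, "Detect": 2, "Respond": 2, "Recover": 3}
LEVELS = {1: "Ad Hoc", 2: "Developing", 3: "Defined", 4: "Managed", 5: "Optimised"}
PATCH_SLA_DAYS = 14  # assumed SLA for criticals; set to your own policy


def _dt(s):
    return datetime.fromisoformat(s)


def mttd_hours(incidents=INCIDENTS):
    """Mean time from occurrence to detection, in hours."""
    return mean((_dt(d) - _dt(o)).total_seconds() / 3600 for o, d, _ in incidents)


def mttr_minutes(incidents=INCIDENTS):
    """Mean time from detection to containment, in minutes (the MTTR window assumed here)."""
    return mean((_dt(c) - _dt(d)).total_seconds() / 60 for _, d, c in incidents)


def patch_compliance(findings=FINDINGS, as_of="2025-03-15", sla_days=PATCH_SLA_DAYS):
    """Share of criticals whose SLA has come due (or that are closed) that were patched in time."""
    cutoff = _dt(as_of)
    due = compliant = 0
    for _, severity, published, patched in findings:
        if severity != "critical":
            continue
        deadline = _dt(published) + timedelta(days=sla_days)
        if patched is None and deadline > cutoff:
            continue  # open but not yet overdue: counted neither way
        due += 1
        if patched is not None and _dt(patched) <= deadline:
            compliant += 1
    return compliant / due if due else None


def posture(scores=MATURITY):
    """Composite maturity: mean of per-function scores; a level counts only when fully reached."""
    composite = mean(scores.values())
    level = int(composite)
    weakest = min(scores, key=scores.get)  # lowest-scoring function is the next move
    return {"composite": round(composite, 2), "level": level,
            "label": LEVELS[level], "next_move": weakest}


def quarterly_report():
    """The four numbers the page says to put in front of leadership each quarter."""
    return {
        "mttd_hours": round(mttd_hours(), 2),
        "mttr_minutes": round(mttr_minutes(), 1),
        "patch_compliance": round(patch_compliance(), 2),
        "posture": posture(),
    }


if __name__ == "__main__":
    for k, v in quarterly_report().items():
        print(f"{k}: {v}")
```

Two design points worth keeping when you adapt this: findings that are open but not yet past their SLA are excluded from the denominator, so a freshly published critical does not drag the rate down before anyone could act on it; and the composite maturity level is truncated rather than rounded, so a 2.5 reports as Level 2, which keeps the "one level per year" target honest.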

Cybersecurity ROI is the quantified value of the security programme relative to its cost, framed in four buckets: cost avoidance (breach cost × probability), insurance savings (MFA, EDR, immutable backups typically cut cyber-insurance premiums 20–40%), revenue enablement (ISO 27001 and SOC 2 unlock enterprise shortlists and BFSI supply-chain contracts), and compliance savings (proactive audit readiness is roughly 10x cheaper than reactive fines under UAE PDPL or NESA IAS). Boards don't buy theoretical risk reduction — they buy quantified outcomes. The ROI section above breaks this out with real numbers.

Perfect — that's the norm rather than the exception. We run a posture assessment against NIST CSF 2.0 (and your framework of record — NESA, SAMA, ISO 27001, or SOC 2), map you onto the maturity ladder, and build a 12-month roadmap starting from your current level rather than starting at zero. Most mature engagements begin with a gap analysis, not a rebuild.

Yes — and it's often the right setup. The roadmap becomes the shared plan your MSSP executes against, rather than an ad-hoc service relationship. We've taken over planning for UAE clients who keep their incumbent SOC, and we've partnered with in-house teams who needed a programme layer above their day-to-day operations. Our UAE virtual CISO engagement model is designed to complement, not replace, operational security teams.

Three things, quarterly: where you are on the maturity ladder, the four programme metrics (MTTD, MTTR, patch compliance, posture score), and a rolling 12-month spend plan with milestones. Everything else is supporting evidence. We give every client a board-ready one-pager template as part of the Phase 3 hand-off — the same format most UAE boards now expect alongside NESA and PDPL reporting.

Stop buying tools. Start building a programme.

Our cybersecurity strategy workshop — a 90-minute session with Artiflex IT's UAE cybersecurity consulting team — frames your NIST CSF 2.0 roadmap: priorities, timelines, budget, NESA/SAMA alignment. No slides. No pitch. A working document your leadership can sign.