Case Studies

Real-world results demonstrating measurable impact in GRC and cybersecurity awareness

Cyber Awareness Program for UAE Fintech

Background

Growing fintech company in Dubai with 200+ employees handling sensitive financial data

Challenge

Low security awareness across workforce, increasing phishing incidents (12/month), and pressure from regulators to demonstrate security culture

Approach

Comprehensive 6-month awareness program including bilingual training modules, monthly campaigns, executive briefings, phishing simulations, and metrics dashboard

Deliverables:

  • A full suite of bilingual training modules (video + slides)
  • A library of awareness posters and infographics
  • Monthly phishing simulations
  • Quarterly executive briefings
  • Real-time metrics dashboard

Results & Metrics

Impact

82% improvement in security posture, regulatory compliance achieved, and enhanced employee confidence

ISO 27001 Readiness for E-commerce Company

Background

Saudi-based e-commerce platform with 500+ employees handling millions of customer records

Challenge

Needed ISO 27001 certification for business expansion, significant gaps in documentation and controls, and no formal ISMS structure

Approach

9-month ISO 27001 implementation including gap analysis, documentation development, control implementation, internal audits, and audit preparation

Deliverables:

  • Comprehensive gap analysis report
  • A complete set of ISO-aligned policies and procedures (bilingual)
  • Statement of Applicability (SOA)
  • Control implementation guidance
  • Internal audit support
  • Certification audit preparation

Implementation Timeline

  • Month 1-2: Gap Analysis
  • Month 3-5: Documentation
  • Month 6-7: Implementation
  • Month 8: Internal Audit
  • Month 9: Certification

Before

Control Compliance: 35%
Documentation: 0%

After

Control Compliance: 95%
Documentation: 100%

Impact

ISO 27001 certified in 9 months, 95% control compliance achieved, enhanced customer trust, and competitive advantage gained

PII Governance Improvement for High-Profile Clients

Background

Luxury hospitality provider serving ultra-high-net-worth individuals (UHNWI) globally, handling sensitive personal information for VIP clients

Challenge

Fragmented data handling processes across departments, lack of comprehensive PII classification and protection policies, growing regulatory requirements (GDPR, PDPL), and risk of reputational damage from data mishandling

Approach

Comprehensive PII data mapping exercise, development of tiered data classification framework, creation of specialized policies for VIP/UHNWI data handling, implementation of role-based access controls, and targeted training for staff

Deliverables:

  • PII Data Inventory & Mapping Report
  • VIP Data Handling Policy & Procedures
  • Data Classification Framework (5 levels)
  • Privacy Impact Assessment Template
  • Staff Training Program (3 modules)
  • Data Subject Rights Management Process

Before

Data Inconsistencies: 23
Policy Framework: 0%
Training Completion: 0%

After

Data Inconsistencies: 1
Policy Framework: 100%
Training Completion: 100%

Impact

Enhanced client trust and satisfaction, full regulatory compliance (GDPR, PDPL), 78% reduction in risk exposure, improved operational efficiency in data handling, and a competitive advantage created through privacy excellence

Risk Assessment & Executive Briefing for Saudi Bank

Background

Regional bank in Saudi Arabia with 50+ branches undergoing digital transformation initiative, facing regulatory pressure from SAMA (Saudi Central Bank)

Challenge

Legacy systems with security vulnerabilities, rapid digital banking expansion increasing attack surface, limited risk visibility at board and executive level, need to align with SAMA cybersecurity framework, and growing threat landscape (ransomware, APTs, insider threats)

Approach

Conducted enterprise-wide risk assessment (300+ assets), stakeholder interviews across all business units, technical vulnerability assessment coordination, threat landscape analysis specific to Saudi banking sector, risk quantification using industry-standard methodologies, and executive workshop with board-level presentation

Deliverables:

  • Comprehensive Risk Assessment Report (120 pages)
  • Executive Risk Summary (10 pages)
  • Risk Register (85 identified risks)
  • Risk Heatmap & Prioritization Matrix
  • Board-Level Cybersecurity Briefing Deck
  • 12-Month Risk Treatment Roadmap
  • SAMA Alignment Gap Analysis

Before

Risk Register: 0
Executive Visibility: 20%
Critical Vulnerabilities: 42

After

Risk Register: 85
Executive Visibility: 100%
Critical Vulnerabilities: 5

Impact

Full alignment with SAMA cybersecurity framework, board-level cybersecurity awareness increased, risk-based budget allocation of SAR 15M approved, enhanced regulatory standing with SAMA, and prevented potential losses estimated at SAR 50M+

This case study is a representative composite designed to demonstrate methodology, not a direct client engagement.