Cohesity’s Johnny Karam, Mark Molyneux on raising cyber resilience among UAE employees

The UAE workforce is showing strong signs of cybersecurity readiness, outpacing their EMEA peers in areas such as threat awareness and trust in their organisations’ ability to recover from attacks. That’s according to new research from Cohesity, a global leader in AI-powered data security and resilience.

The survey, conducted in partnership with OnePoll, captured responses from 500 full-time UAE employees, revealing that 86 percent believe they can identify a cyber threat, and nearly 90 percent trust their employer’s cyber resilience.

But the study also sheds light on lingering behavioural gaps, with some employees admitting they might delay reporting due to fear of blame or confusion about protocols. Cohesity leaders say this is the next frontier—empowering teams to not just recognise risks but confidently act on them without hesitation. With the UAE’s national cybersecurity ambitions accelerating, businesses now need to focus on turning awareness into action.

Gulf Business sat down with Johnny Karam, MD and  VP, International Emerging Markets, and Mark Molyneux, EMEA CTO at Cohesity, to unpack the findings and discuss what real cyber resilience looks like for organisations in the UAE and across the region.

Your latest research shows that while 86 per cent of UAE employees believe they can identify a cyber threat, deeper knowledge still seems lacking. What does this confidence gap reveal about current training methods, and how should organisations close it?

Johnny Karam: The fact that 86 percent of UAE employees feel confident in identifying cyber threats is a strong reflection of the country’s focus on digital awareness. This high level of awareness reflects the UAE Cybersecurity Council’s long-term investment in public education, including programs for students, women in tech, and the broader community, part of a strategy stretching from 2020 to 2030.

However, our study shows that this confidence does not always translate into deeper understanding or preparedness. Many employees may recognise the signs of a potential attack but feel uncertain about what to do next. This gap reveals that current training approaches are still too focused on awareness rather than action.

To close this gap, organisations need to evolve their training methods. It is no longer enough to explain what phishing or ransomware is in theory. What works best is practical, scenario-based training that prepares employees to respond under pressure. When individuals know exactly what steps to take and feel confident doing so, they become active contributors to the organisation’s defence. It is about building the confidence to act, not just the ability to identify.

One of the more striking insights is that fear of blame and confusion delays incident reporting. What steps can companies take to foster a culture of psychological safety and quick escalation in cybersecurity?

Johnny Karam: This is one of the most human yet critical findings from our research. In the UAE, 46 percent of employees who hesitated to report a threat said it was because they feared blame or were unsure whether their concern would be taken seriously. That hesitation can be costly. In cybersecurity, delays can make the difference between containment and escalation. It’s like spotting a fire in your office — no one hesitates to raise the alarm. That’s the level of instinctive response we need when it comes to cybersecurity threats.

Organisations need to address this by creating a culture of psychological safety, where reporting is always encouraged and never penalised, and this is where leadership plays a vital role in reinforcing that message. Employees must feel supported, and clear reporting channels should be made visible and simple to follow. Even if an alert turns out to be a false alarm, flagging it is always the right move.

Encouraging early reporting and removing the stigma around it helps create a stronger, faster-responding organisation. It’s also about cultural maturity. Just as the UAE focused early on education, the next phase is building psychological safety into company cultures, where “see it, say it, sort it” becomes second nature.

Ransomware continues to evolve, yet your data shows that nearly one in four employees does not fully understand it. How can organisations move from theoretical awareness to scenario-based, hands-on preparedness?

Mark Molyneux: Ransomware is no longer a rare or abstract threat. It is one of the most pressing challenges facing organisations today. The fact that 86% of employees in the UAE understand what ransomware is and how it spreads shows that awareness is extremely is extremely high, which is largely due to the UAE Cyber Security Council’s approach to increasing security awareness across the Emirates.

But to reach the step of cyber-resilience, we need to move beyond surface-level awareness. Scenario-based training, such as simulated attacks and role-playing exercises, is far more effective in preparing employees to respond confidently and quickly.

In addition, organisations can benefit from expert-led incident simulations or even partnerships with external response teams, like our Cohesity Cyber Event Response Team (CERT), to build muscle memory in high-pressure scenarios.

When people are familiar with the pressure of a real-time incident, they are more likely to take the right action. Awareness is important, but preparedness is what ultimately determines whether an organisation can contain an incident or fall victim to it.

What are some examples of human-centric cybersecurity training that have worked particularly well in the UAE or broader Middle East region?

Johnny Karam: In this region, the most effective training approaches are those that account for cultural context and local realities. We have seen companies run phishing simulations, real-time cyber escape rooms, and role-specific drills that make the training highly engaging and memorable. These methods encourage active participation and help employees internalise what to do in the face of a threat.

The strongest results come when training is localised, conducted in Arabic where relevant, aligned with regional threat trends, and inclusive of leadership participation.

When executives lead by example, it reinforces the idea that cybersecurity is everyone’s responsibility. We are seeing a clear shift across sectors like banking and healthcare, where security awareness is being embedded not just as a requirement, but as a core part of organisational culture.

Cybercriminals are constantly evolving — how does Cohesity stay ahead of the curve?

Johnny Karam: Cybersecurity is an arms race, and staying ahead takes relentless innovation. At Cohesity, we invest double the R&D of our closest competitor. That allows us to anticipate threats like AI-generated phishing and craft real-time responses, from behaviour-based access controls to early threat detection. But it’s not just about tech — we work with a network of cybersecurity partners and an expert advisory board to stay on top of tomorrow’s risks, today.

How do these findings align with the UAE Cybersecurity Council’s broader goals, and how is Cohesity engaging with regulators or national stakeholders to support these priorities?

Johnny Karam: The UAE Cybersecurity Council has taken decisive steps to strengthen national cyber resilience. The emphasis on public-private collaboration and secure digital transformation aligns closely with what we are seeing in the field. Our findings reflect this momentum, for example, 67 percent of UAE employees say they would report suspicious activity directly to cybersecurity teams, which is a strong indicator of engagement and awareness.

We work closely with government entities and industry stakeholders, participating in briefings, knowledge-sharing sessions, and collaborative initiatives to build operational readiness. Our AI-powered platform is aligned with the UAE’s focus on proactive defence and digital trust. True resilience depends on both technology and people, and we are committed to supporting both dimensions.

 With hybrid work environments and increasing digital transformation across sectors, how is Cohesity helping clients in the region build not just secure infrastructure but a more cyber-aware workforce?

Mark Molyneux: The shift to hybrid work has broadened the attack surface for organisations, making it even more critical to adopt an integrated approach to security. At Cohesity, we not only help our clients protect data across all environments, from on-premise systems to the cloud and edge, but we also work with them to build awareness and confidence within their teams.

Our research shows that 89 percent of UAE employees trust their organisation’s ability to recover from attacks, and 66 percent have received cybersecurity training in the past year. These are positive indicators. However, we aim to go further by supporting secure decision-making across every level of the organisation.

This includes simplifying processes, integrating automation where possible, and ensuring that employees have both the tools and the understanding needed to respond quickly.

Cyber resilience is not a department; it is a culture, and we help our clients embed it across their workforce.

Tell us about Cohesity’s offerings.

Mark Molyneux: Cohesity is a global leader in data security and resilience, trusted by more than 13,600 organisations worldwide, including over 85 of the Fortune 100.

Following our integration with Veritas’ enterprise data protection business, we now offer one of the most comprehensive platforms available, capable of protecting, managing, and recovering data whether it is stored on-premise, in the cloud, or at the edge.

What makes us different is how we combine advanced threat detection and rapid recovery with simplicity and ease of use.

Our AI-powered solutions help organisations identify threats early, isolate incidents, and recover quickly, all while reducing complexity. In today’s environment, where cyberattacks are becoming more frequent and more sophisticated, speed and reliability are essential.

But we also recognise that technology alone is not enough. That is why we work closely with our customers to build security awareness, support their teams, and align with their long-term resilience goals. Cybersecurity is ultimately about protecting people, operations, and trust, and Cohesity is here to help organisations do exactly that.