Cyber resilience has become the ultimate measure of business survival in a digital-first world. For the UAE—driving ambitious transformation and innovation—the stakes are even higher, with every advance bringing fresh exposure to cyber risks.
Fady Richmany, Corporate Vice President – Emerging Markets (CEE, CIS & META) at Commvault, stands as one of the region’s most influential voices shaping this dialogue. Since joining Commvault in 2021, he has overseen diverse high-growth markets, bringing with him more than 30 years of IT leadership experience.
Fady’s career spans critical roles with global technology giants, including a 16-year tenure at Dell/EMC where he spearheaded business growth across emerging markets and led the Data Protection Solutions Business Unit for the TEEAM region (Turkey, Eastern Europe, Africa, and the Middle East). With this wealth of experience, Richmany offers unique insights into the evolving cybersecurity landscape, highlighting the impact of multi-cloud adoption, the double-edged power of AI, and why resilience must evolve from business continuity to “continuous business.”
In this exclusive conversation with Sandhya D’Mello, Editor, Security Advisor Middle East, Richmany shares why resilience is no longer a defensive posture but the defining capability for enterprises navigating multi-cloud complexity, AI’s double-edged impact, and an unpredictable cyber threat horizon.
Interview Excerpts:
The UAE has committed to becoming a digital-first nation. With this approach, cybersecurity responsibility naturally rises. What does this mean for the sector, and what trends have you observed?
We are living in a digitally connected economy. The shared economy, cloud, and multi-cloud models have transformed the way we work and live. Before the cloud era, things were simpler; you had your data on your own machines, in your server room, in your data centre. Today, everything is distributed across clouds and platforms, and while that gives us incredible flexibility, productivity, and efficiency, it also comes with a cost. Every organisation now lives under the threat of a cyberattack. CXOs carry an enormous burden because a single breach can jeopardise an entire business. In the past, the CFO was seen as the key decision-maker because financial risk was at the centre. Today, that responsibility has shifted to the Chief Information Officer, the Chief Security Officer, and the Chief Trust Officer. It is now more than an IT or Security teams’ issue, it has become a board-level priority.
“The UAE is a great example of how strong leadership can shape the future. I have lived here for 33 years, and I am proud to call it home.”
The country’s digital-first vision and drive toward innovation are setting global benchmarks. But as digital transformation accelerates, cybercrime also rises. This is the reality of a connected world; you cannot completely avoid attacks, but you can be ready for them. That readiness is what defines true resilience.
At Commvault, we have been part of this journey for nearly three decades. Our roots go back to Bell Labs in New Jersey, and we have always been an engineering-led company. But the past two years have been a golden era for us. We made a deliberate shift from traditional data protection to cyber resilience, bridging the gap between data security and recovery. We call this the move from business continuity to continuous business. It is about always being ready, always protected, and always able to recover. For me, it comes down to three fundamentals: be ready, be prepared, and be proactive. That is the foundation of resilience in the digital age.
How has the evolution of cloud and AI changed the cyber landscape?
AI and cloud have completely reshaped the cyber landscape. They have brought enormous benefits, but they have also made the environment far more complex and dangerous. AI is a powerful tool. It works very well for those using it for good, but equally well for those with bad intentions. The people behind attacks are often one step ahead, and that is what makes the situation so serious. I always say that cyber resilience starts where cybersecurity stops, because many organisations are still focused on prevention rather than recovery.
Over the years, businesses have poured huge budgets into cybersecurity, building high walls and adding layer after layer of protection. Yet breaches continue to happen. The question today is not whether an organisation will be attacked but how ready it is when that moment comes. AI-driven attacks are faster, more sophisticated, and harder to detect. That is why you now need AI to fight AI. It is no longer optional to have AI embedded in your platform.
At Commvault, we built Arlie, our autonomous resilience technology, to help organisations recover faster and smarter. It helps identify the cleanest version of data and assesses security posture so recovery can happen at speed. According to IBM’s Global Study 2024, the average downtime after a ransomware attack is 24 days, with losses of millions of dollars. The financial, operational, and reputational impact is huge. That is why we moved beyond the old concept of business continuity toward what we call continuous business, where readiness and resilience never stop.
Skill shortages in cybersecurity are a pressing concern. How do you see AI influencing this challenge?
It is a massive issue, and AI is making the challenge both more complicated and more promising. On one side, AI enables more advanced attacks that are faster and harder to detect. On the other side, it can be used to close the gap created by limited human resources. We always say that AI should assist people, not replace them, and that is where its real value lies.
AI can automate many of the time-consuming tasks that overwhelm security teams. It can guide analysts to focus on what matters most, while systems like Arlie help organisations make faster, more accurate decisions during a crisis.
In this environment, resilience becomes a continuous state. The old frameworks of recovery and downtime do not apply anymore. What matters is being always ready, always protected, and always capable of recovering quickly. That is the mindset needed to stay ahead in today’s cyber landscape.
Is predicting real-time attacks a myth or a possibility?
You cannot predict attacks in real time. What you can do is detect an early ransomware attack. One of our offers is Threatwise as a Service. That came from an acquisition we did three years ago which we integrated into our platform.
To help customers detect an early attack we use what is called advanced deception. You create a simulated environment that looks like yours. If you have 5,000 virtual machines, 100 routers, scanners and cameras, you create a subset of those as fake assets. They have IP addresses, they behave like real assets, they mimic your environment. If an attacker hits those simulated assets, that is a trim wire, an alert that you are under attack.
Once you get that alert you decide the next move. Do you run forensics, cut them out, or leave them to see where they are trying to go? This approach is the best practical option today. To detect truly in real-time, you would have to be lucky enough for the attacker to touch those simulated assets first, and that is what advanced deception helps you achieve.
What does it mean to be cyber resilient?
It all goes back to the idea of being ready, being prepared, and being proactive. That is what cyber resilience is about. You must be ready to protect your crown jewels, which is your data. You need to build what we call a digital vault, or what some call a cyber-vault. It is the same idea as putting your jewellery in a bank vault. Your golden copy of data goes there. I call it a golden copy because it is unique, protected, and constantly checked for any malware or manipulation. It is kept almost offline, scanned regularly, and verified for data integrity.
In technology terms, we call this an air-gapped copy stored on immutable storage, which means once data is written, it cannot be changed. We also apply what we call indelible copies, where even administrators cannot delete data without authorisation. That is how you truly protect your data. You must also protect your Active Directory, which are the keys to the kingdom. Many organisations neglect this and end up exposed. With advanced recovery capabilities such as forest-level recovery, you help to make sure it stays safe and recoverable.
Another important element is cleanroom recovery. When you are under attack, your production, backup, and disaster recovery sites are often compromised. A cleanroom creates an isolated recovery environment so you can test and restore safely without contamination. We took this further with what we call the four Rs: risk, readiness, recovery, and rebuild. Through our acquisition of Appranix, we can now help customers rebuild their entire application stack in potentially less than an hour, a process that used to take weeks. This is supported by our Cloud Rewind capability and extended protection for AWS environments through Clumio.
“We also recently expanded into AI security with our acquisition of Satori Cyber. This is what true cyber resilience means – protection, recovery, and the ability to rebuild stronger and faster.”
Is ransomware still the most significant threat?
Ransomware is still a major concern, but I would say it has become more of a business term than a technical one. It means someone attacks you, locks your systems, and demands payment to release them. But cyberattacks take many forms. They can come through phishing, malware, social engineering, or even simple human error. So, when we talk about cyber resilience, it is not just about ransomware. You can have a breach without a ransom demand, or you might face a completely different kind of disruption.
Can you explain the concept of a “Minimum Viable Company” (MVC) in resilience planning?
The concept of a Minimum Viable Company, or MVC, is something we use to help customers stay operational even when things go wrong. I like to explain it simply. When we work with an organisation, we help them identify what is truly essential for the business to run. This goes beyond what we used to call mission-critical workloads. We look at the core systems, the key data, the people, and the processes that must stay active no matter what happens. That becomes their MVC. It’s the minimum state in which the company can continue to operate and serve customers during an outage or attack.
Think of it like an airline. As long as the engines are running, the plane can keep flying. It is fine if the Wi-Fi stops working, the entertainment system shuts down, or the food service is interrupted. Those are inconveniences, but the flight continues safely. The same principle applies in business. During a cyberattack or system failure, not everything has to run perfectly. What matters is that the essential parts of the business stay functional.
Implementing MVC starts with assessing the environment to identify those essential workloads and dependencies. Then comes prioritisation, deciding what can temporarily go offline without stopping operations. The next step is protection, applying the right security and recovery strategies around those critical components. Finally, recovery planning can help ensure that when something goes wrong, those vital systems come back online quickly. MVC is not just a technical idea. It is a resilience mindset that helps organisations maintain continuity, protect customer trust, and recover faster when disruptions happen.
Beyond the use of specific tools to combat ransomware, how important is overall awareness in building cyber resilience? And how is Commvault helping to raise awareness among organisations of all sizes, not just large enterprises?
Cyber resilience has changed everything for us. It has been embraced by customers and partners alike. This is because we are creating awareness. We have turned it into a real, interactive experience through a series of workshops. One of the most popular is Minutes to Meltdown. It is a tabletop exercise designed for C-level executives. Five people take on roles as CEO, CIO, CISO, CTO, and Chief Legal Officer, and they play through a real-life scenario based on a hypothetical airline cyberattack. The exercise walks them through every stage, from the first phishing email that lets the attackers in, to the full-scale attack months later. It is immersive, almost like a movie, and it always leaves participants thinking differently about their readiness. Everyone walks out knowing exactly what they need to fix the next day.
We also have the Cyber Recovery Range program, which takes awareness even further. It includes live and consultancy-driven assessments for both customers and non-customers. For those who are not yet with Commvault, we offer a complimentary analysis to show what is protected, what is exposed, and where their risks lie. For existing customers, we go deeper to measure readiness, resilience, and recovery speed. These initiatives have helped organisations of all sizes understand their true cyber posture and close the gaps before it is too late. This focus on awareness has been a major driver of our growth and credibility. A strong story backed by strong results. That is what defines Commvault today.
Can AI help organisations increase protection against cyber threats?
We already said it: you need AI to fight AI. Can it make you one hundred percent secure? No, nothing can. But AI is now essential to strengthen protection and resilience. You still need traditional cybersecurity tools such as firewalls, scanners, and intrusion detectors. Those are your first line of defence. They build the walls and highways that keep threats out. But you must also prepare for the day someone jumps over that wall. The question is, are you ready for that moment?
You still need to monitor, protect, and invest in strong defences, but you also need to plan for what happens after an incident. That is where cyber resilience comes in. A truly resilient company does not just rely on keeping attackers out. It knows how to recover quickly and continue operating even when a breach happens.
“What helps me sleep at night is not that I have cybersecurity, but that I have cyber resilience. That mindset shift is critical.”
In the multi-cloud era, where everything is interconnected, protection is only one part of the story. Resilience is what helps ensure that your business can withstand and recover from any attack, no matter how sophisticated it becomes.
Finally, what three short tips would you give organisations to strengthen cyber resilience?
Remember; be ready, be prepared, and be proactive. These are the three pillars of cyber resilience. Let me unfold them from a technology point of view. To be ready means to protect your crown jewels, which is your data. Build a digital vault with air-gapped, immutable, and indelible copies. Create an illusion by deploying decoys that help detect early attacks. And always protect your keys to the kingdom – your Active Directory.
Then, be prepared. Do not wait until it is too late. Test and drill your recovery plans regularly in a cleanroom environment. Measure your mean time to clean recovery and challenge your own resilience. Embrace multi-cloud strategies with air-gapped copies. If they had not diversified their environment and maintained secondary air-gapped copies, recovery would have been much harder. And finally, make compliance a priority. At Commvault, we are natively built on Azure and hold comprehensive certifications, including FedRAMP High, Government RAMP, HIPAA, ISO 27001, GDPR, and DORA.
Finally, be proactive. Move from business continuity to continuous business. Security, rebalancing, and recovery must be constant. Use Cloud Rewind to rebuild application stacks quickly, protect billions of objects efficiently, and define your Minimum Viable Company so you can potentially recover in days instead of weeks. Being proactive is about taking control before something goes wrong.
So, for organisations my advice is to be ready, be prepared, and be proactive. That is how you stay truly resilient.