Kiteworks has released the findings of its fourth annual Data Security and Compliance Risk Survey Report, uncovering a significant gap in data governance among Middle East organisations. While regional businesses lead globally in requiring supplier security certifications (60 per cent), the report warns that many lack visibility into whether those standards adequately protect private data flows — creating what experts describe as a “compliance theater effect” that looks strong on paper but weak in execution.
The survey, which gathered insights from 461 global organisations, highlights how Middle East companies have developed mature certification frameworks without corresponding capabilities to monitor third-party data exchanges. This lack of visibility creates cascading risks, including higher breach rates, slower detection times, and increased litigation costs.
“Requiring certifications demonstrates process maturity, but without visibility into actual data flows, it’s like having a state-of-the-art security system with no cameras,” said Dario Perfettibile, VP and GM, European operations, Kiteworks. “Our research shows that measurement drives protection – organisations must know precisely where their private data travels and who handles it.”
Strong standards, weak visibility
The report notes several imbalances in Middle East data governance practices:
- Process excellence: 60 per cent of organisations require supplier certifications, the highest globally.
- Visibility gaps: Despite this, most struggle with basic third-party data tracking.
- Technical controls: Only 31 per cent have systems in place to validate governance policies.
- AI governance: While 24 per cent enforce strict AI blocking (also the highest globally), most lack the visibility needed to ensure such policies protect sensitive content.
The hidden cost of blind spots
Globally, the findings show the consequences of insufficient third-party visibility:
- Organisations managing 1,001–5,000 third parties face the highest breach risk.
- 46 per cent of organisations without third-party visibility cannot determine their breach frequency.
- Companies with precise tracking detect breaches up to four times faster.
- Clear visibility reduces litigation costs by over 80 per cent.
“The data tells a compelling story: Visibility isn’t optional – it’s the foundation of effective governance,” added Perfettibile. “Middle East organisations have built the right processes; now they need the technology to make those processes meaningful.”
Moving from compliance theater to true governance
The report emphasises that certification frameworks and contractual safeguards offer limited protection without monitoring and measurement. To move from compliance theater to true governance, organisations must be able to answer critical questions such as:
- How many third parties handle our private data?
- Where does sensitive information travel?
- Which controls are effective in practice?
- Can breaches be detected and responded to in real time?
A call to action
According to Kiteworks, Middle East organisations must urgently address visibility gaps while leveraging their strong certification processes. Key actions include:
- Unified tracking of private data exchanges
- Real-time monitoring of third-party data flows
- Technical validation of compliance standards
- Risk assessment metrics for mitigation
“Middle East organisations stand at a critical juncture,” concluded Perfettibile. “They can either continue with compliance theater – looking good on paper while risks multiply – or they can build true governance by adding visibility to their already strong processes. The choice will determine whether they lead or lag in the global data security landscape.”
The full Data Security and Compliance Risk: 2025 Annual Survey Report is available at Kiteworks.

