In an interview with Sanjay Mohapatra, Editor, Enterprise IT World MEA, Utkarsh Sinha, CISO of Kalaam Telecom Group, opens up on compliance-led security transformation, supply chain resilience, and the path to cybersecurity-as-a-service across Bahrain, Kuwait, and Saudi Arabia.
Briefly tell us about Kalaam Telecom Group—its footprint and current focus areas.
Kalaam Telecom Group began operations in Bahrain and then expanded its footprint by acquiring Sajal in Kuwait and starting operations in Saudi Arabia. We’re primarily an ISP, but we’ve broadened our offerings to include cloud services, voice, and bulk SMS solutions. Beyond these three countries, we provide global connectivity via MPLS to enterprise customers and other ISPs, with around 50 points of presence.
When I joined the organization about a year ago, I found that the cybersecurity team had suffered from a lack of continuity and resources. My immediate priority was to understand the existing landscape, set clear priorities, and build a capable team—which we’re currently in the process of hiring. Strategically, our major focus is compliance, especially with the rigorous standards in Saudi Arabia. But rather than treat compliance as a local challenge, we’re using it as a catalyst to uplift our security posture across Bahrain, Kuwait, and beyond.
This year, our technology roadmap is centered on a defense-in-depth approach—rolling out privileged access management, zero trust network enforcement, and endpoint detection and response (EDR) solutions. From mid-year onwards, we also plan to roll out cybersecurity-as-a-service for external customers, turning internal resilience into a revenue-generating capability.
“We’re using Saudi Arabia’s tough compliance environment as an opportunity to uplift security maturity across all our operations—not just to meet regulations, but to lead with resilience.” – Utkarsh Sinha, CISO, Kalaam Telecom Group
How are you leveraging AI and machine learning for threat detection and response? How do you balance automation with human oversight?
We’re currently transitioning to a new SIEM platform with integrated machine learning—specifically IBM QRadar with its ML engine. While AI offers significant promise, it’s not infallible. You may achieve 98–99% accuracy, but you’ll never reach 100%, so human validation remains essential. AI is still evolving, and without proper human oversight, it can misdirect or even misinterpret threats due to limitations in training data or model behavior.
That said, automation is crucial in areas like DevSecOps—especially for patch management. Many organizations struggle with timely patching that doesn’t disrupt operations. Automation helps not just with patch deployment but also with automated testing. If your testing involves web applications, automation should ensure forms render properly and business-critical processes remain intact. Coupled with human review, this reduces risk, speeds up deployment, and ensures minimal disruption.
What services are you offering in the Saudi Arabian market?
Saudi Arabia has a strict compliance regime. As a telecom and cloud service provider, we adhere to multiple frameworks—namely the Communications, Space & Technology Commission (CST)’s R21 cyber security framework, the National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls (ECC), and the Cloud Cybersecurity Controls (CCC) for cloud services. While SAMA is more applicable to the banking sector, we assist clients in that space with compliance requirements as well. We’re also preparing to become STC (Saudi Telecom Company) privacy compliant to align with upcoming privacy regulations.
Who are your primary customers across Bahrain, Kuwait, and Saudi Arabia?
In Kuwait, we serve a large number of banking clients. We offer services like managed firewall, managed DDoS protection, web application firewalls, data center hosting, and managed security services. In Saudi Arabia, we are relatively new but are gaining traction among mid-sized enterprises and other ISPs. Cloud services are a key area of focus in this market.
As both a telecom operator and cybersecurity service provider, how are you mitigating the risk of supply chain attacks?
We take supply chain risk very seriously. For smaller vendors, we conduct risk assessments and require adherence to standards like GDPR and NCA. For major partners—such as Fortinet, which we rely on for many of our security solutions—we evaluate their historical commitment to cybersecurity and ongoing improvement efforts.
Internally, we maintain a strong vetting process, including background checks for all hires. We also evaluate third-party suppliers for cyber hygiene and demand demonstrable maturity before onboarding. The goal is to ensure neither we nor our partners become weak links in our customers’ security chain.
What does Kalaam Telecom’s incident response strategy look like? Are you prepared for major breaches like ransomware or DDoS attacks?
Yes, absolutely. We maintain incident response playbooks for different scenarios, with ransomware being a key focus. Our prevention strategy hinges on daily backups, hardened infrastructure, and EDR tools. If an attack does occur, we don’t negotiate with hackers—we rely on clean backups to recover. We might experience some data loss, but downtime is minimal.
Beyond technology, our greatest defense is awareness. Phishing remains a top entry vector, and employee education is critical. We conduct frequent awareness campaigns and phishing simulations. Additionally, we deploy MFA (multi-factor authentication) to add a second layer of security—even if credentials are compromised.
“Cybersecurity isn’t just about defense anymore—it’s about trust. And trust, especially in telecom, is something you have to earn every day.”
How are you extending cybersecurity awareness and best practices to your third-party suppliers?
We’ve instituted a three-pronged strategy for third-party engagement. First, supplier assessments—every third party must demonstrate their own cybersecurity training and awareness programs, or be willing to implement them. Second, we enforce a “zero trust” model across our network. All third-party access is provisioned via remote VPN with MFA and channeled through our privileged access management (PAM) system, which records sessions and strictly controls permissions.
We’ve also segmented our network to isolate resources. Even if a third party’s endpoint is compromised, our use of PAM and network segmentation ensures the malware won’t spread laterally into our infrastructure.
Do you share your audit outcomes or cybersecurity scores with your customers?
No, we don’t publicly share audit results. We comply with all regulatory requirements and undergo regular audits from bodies like CST. The outcomes of these audits are internal, unless there’s a legal requirement to disclose. It’s important to understand that every organization—regardless of size—deals with vulnerabilities. Even tech giants like Microsoft spend months working on vulnerabilities before patching publicly. The goal is to maintain a consistent, proactive approach and demonstrate the right intent to reduce risk.
Are you prepared to deal with zero-day attacks? What early warning systems or threat intelligence do you rely on?
Zero-day attacks are inherently challenging, but proactive threat intelligence helps. We monitor chatter on the dark web, using feeds from partners like Group-IB to detect early indicators. If there’s talk of targeting our brand or systems, we immediately begin deeper network investigations.
We monitor for anomalies in outbound traffic or unusual behavior that may indicate a breach. Even in a zero-day scenario, you’re likely to see signs—if you’re watching carefully. That’s where real-time intelligence and behavioral analysis are invaluable.
Final Thoughts…
Kalaam Telecom’s cybersecurity journey under Utkarsh Sinha is a model of proactive transformation. By embedding compliance into broader strategy, leaning into automation without losing human oversight, and treating awareness as a critical control, the group is not just managing threats—it’s turning cybersecurity into a business enabler.