Strategic boardroom discussions moot robust, integrated cybersecurity policies

  • Experts at CEO Forum of 10th Annual Cyber Security Summit answer whether boards are prepared to respond to cyber attacks

By Hiyal Biyagamage 


The escalating scale and sophistication of cyber threats make it imperative for businesses to ask themselves a pressing question: Is the boardroom prepared to respond to a cyberattack? This was the central theme of the 10th Annual Cyber Security Summit’s CEO Forum, organised by Daily FT and CICRA Holdings, held at the Oak Room of the Cinnamon Grand in Colombo. Under the spotlight were issues that transcend technical jargon, pushing cybersecurity firmly into the realm of strategic business decisions.

With an impressive panel of experts comprising Cyber Security Evangelist and EC-Council Master Trainer Belly Rachdianto, Visa Head of Risk Services Vipin Suraliya, Sijesh Sreedhar of Google Cloud Security, Nishantha Hettiarachchi from Sysco LABS, and CICRA Holdings Group CEO Boshan Dayaratne, the event offered a panoramic view of challenges and actionable insights to empower corporate leadership.



The changing landscape of cybersecurity

“Cybersecurity has undergone a tectonic shift. It’s no longer an IT issue,” remarked panellist Belly Rachdianto. “It’s a critical business risk. Boards need to understand that a cyber breach is not a question of if but when.”

Rachdianto’s statement framed the discussion as panellists delved into the evolving nature of cyber threats. Today’s cybercriminals leverage artificial intelligence (AI), machine learning (ML), and social engineering to exploit vulnerabilities. The conversation was not confined to malicious hackers; it extended to State-sponsored actors and insider threats, each with unique complexities.

The forum’s live demonstration of a QR-code-based cyberattack riveted attendees. What seemed like an innocuous action—scanning a QR code—quickly spiralled into a mock breach, underscoring how even the smallest vulnerabilities can have devastating consequences.

“Such attacks highlight the importance of vigilance and cybersecurity awareness at every level of an organisation, starting from the boardroom,” said Nishantha Hettiarachchi. “Cybersecurity is everyone’s job.”



From prevention to preparedness

A paradigm shift is underway in how organisations approach cybersecurity. Sijesh Sreedhar emphasised this, stating, “The traditional approach of building higher walls is outdated. Modern cyber resilience demands a dynamic posture: preventing attacks where possible, detecting intrusions early, and responding swiftly.”

This resonated with Vipin Suraliya’s perspective. “You need to prepare your organisation like you would for a fire drill. Every department, from IT to HR, must know their role in responding to an incident. It’s about limiting damage and resuming operations quickly,” he explained.

The discussion also underscored the importance of crisis simulations. According to Boshan Dayaratne, “Simulation exercises provide boards with a hands-on understanding of what a cyber breach entails. When the real thing happens, there’s no room for trial and error.”



Cybersecurity as a strategic imperative

One of the forum’s most compelling arguments was the elevation of cybersecurity from a compliance requirement to a core business strategy. Rachdianto’s insights highlighted a key challenge: “Many boards treat cybersecurity as a sunk cost, focusing on the expense rather than the value. What’s the cost of losing customer trust? What’s the cost of downtime? The numbers are staggering.”

The 2023 Cost of a Data Breach Report by IBM, referenced during the forum, revealed that the average global cost of a data breach is $ 4.45 million. Panellists noted that while Sri Lankan firms might not see breaches of this scale, the proportional impact could be equally devastating due to constrained resources and limited digital infrastructure.



Bridging the skills gap

A recurring theme was the skills gap in cybersecurity—both globally and locally. Sri Lanka faces an acute shortage of trained cybersecurity professionals, a challenge compounded by the rapid digitisation accelerated by the COVID-19 pandemic.

“We need to rethink talent development,” Hettiarachchi emphasised. “It’s not just about hiring specialists. Organisations must train existing employees to recognise phishing attempts, manage secure passwords, and report suspicious activity.”

Suraliya proposed a multi-pronged approach: partnerships with universities to create specialised curricula, government incentives for cybersecurity training programs, and increased collaboration between the private sector and academia.

“Think of it as an ecosystem,” Suraliya said. “The responsibility for closing the skills gap doesn’t rest on one entity. It’s a collective effort.”



AI and automation: Boon or bane?

The integration of AI into cybersecurity sparked a spirited debate. On the one hand, AI-driven tools are enhancing threat detection, analysing vast amounts of data to identify anomalies that could indicate breaches. On the other hand, attackers are using the same technology to automate and scale their operations.

“AI is a double-edged sword,” noted Sreedhar. “While it can amplify our defences, it also creates an arms race. Boards need to ensure their cybersecurity investments include AI capabilities to stay ahead of adversaries.”

Dayaratne added a layer of caution, emphasising the ethical implications. “Boards must also think about the data they’re protecting and the tools they’re using. Misuse of AI can lead to unintended consequences, including privacy violations.”



Case studies: Lessons from the trenches

The panellists shared real-world incidents to drive home the importance of preparedness. One case involved a retail chain that suffered a ransomware attack, crippling its point-of-sale systems during peak shopping season. The company’s board, which had invested in incident response training, activated its crisis management plan within hours, mitigating losses and restoring operations in record time.

“The lessons here are twofold,” Hettiarachchi explained. “First, early investment in preparedness pays off. Second, communication is critical. When an incident occurs, transparency with stakeholders—including customers—can help maintain trust.”

Another example involved a financial institution targeted by phishing emails that mimicked internal communication. The attack succeeded due to a lack of multi-factor authentication (MFA) and employee awareness. Post-incident, the company introduced MFA and launched a cybersecurity awareness campaign.

“Simple measures like MFA can make a huge difference,” Rachdianto pointed out. “Boards should push for these basic, cost-effective steps as part of their oversight responsibilities.”



Cybersecurity and ESG

Interestingly, the discussion extended into the realm of environmental, social, and governance (ESG) metrics. As Rachdianto explained, “Cybersecurity is increasingly viewed as part of governance in ESG frameworks. Investors are looking at how companies manage cyber risks as a proxy for overall governance quality.”

Sreedhar concurred, adding, “A board that prioritises cybersecurity demonstrates a commitment to resilience, transparency, and accountability. These are qualities that resonate with both investors and customers.”



Key takeaways for boards

The forum concluded with actionable insights tailored to board members: boards must treat cybersecurity as a strategic priority, not a technical issue. The panellists also advised regular simulations, which offer invaluable practice for real-world incidents and help boards understand the practical challenges of crisis management.

“Organisations should educate employees, including senior leadership, on the fundamentals of cybersecurity. While AI can bolster defences, boards must evaluate its ethical implications and potential risks,” the panellists concluded.

As the curtains came down on the forum, its resounding message was clear: Cybersecurity is not a cost centre but a business enabler. Boards that embrace this paradigm will be better equipped to navigate the digital age with resilience and confidence. As Dayaratne aptly concluded, “In today’s interconnected world, cybersecurity is no longer optional. It’s a necessity—and an opportunity.”

Strategic partners of the CEO Forum and the 10th Annual Cyber Security Summit were Visa and Belkasoft; the Platinum Partners were Huawei and Google Cloud; the Gold Partner was Sysco LABS; and the Silver Partners were Millennium IT ESP, NCinga, and Just In Time Group. People’s Bank was the Banking Partner and LankaPay was the Official Payment Network Partner, whilst the Platform Provider was HashX. Electronic media partners were Sirasa TV, TV1 and NewsFirst, while the Podcast Partner was TechTalk360 and the Brand Communications Partner was MullenLowe Sri Lanka.

– Pix by Upul Abayasekara and Ruwan Walpola