CFOtech Asia - Technology news for CFOs & financial decision-makers

Exclusive: Why cyber leaders must think like business leaders in APAC

Yesterday

Cybersecurity leaders can no longer afford to speak only in technical terms.

That was the key message from Jayant Dave, Chief Information Security Officer (CISO) for Asia Pacific and Japan at Check Point, during a recent interview.

He says the job now demands a blend of "technical acumen and business insight."

"If a critical application or infrastructure is down for an hour, what is the dollar value of that loss?" he said. "You must connect technical risk to business loss. That's how the business understands it."

Dave believes aligning cyber risk with broader enterprise risk frameworks is one of the biggest challenges facing CISOs today. The key to overcoming this, he says, is developing a "shared common language" between cybersecurity and enterprise risk teams.

"In my banking experience, cybersecurity is the first line of defence," he explained.

"Then you have operational risk, internal audit, and even regulators. All these must be aligned when designing your cybersecurity risk appetite."

This team-of-teams approach goes beyond the technical. It involves legal, compliance, and crisis management teams working closely with defenders. "When the bad day happens, it's not just defenders. Legal teams are better equipped to respond to stakeholder obligations that cyber professionals may not be aware of," he added.

Boards and senior leaders are also more involved than ever. According to Dave, today's boards, particularly in heavily regulated industries like banking and healthcare, are now "custodians of risk appetites".

"They understand cyber risk now. They expect clear roles and responsibilities and they review risk appetite statements quarterly," he said. "If you're out of the appetite, that means you need to invest. You need to act. You need to report."

In Dave's view, true cyber resilience involves more than just prevention. "Yes, prevent if you can. But you also need to anticipate threats, enhance controls, and be able to respond and recover fast," he said.

Check Point's recent AI Security Report highlights the double-edged nature of AI in this context. While it enables defenders to act quickly, it also allows attackers to move faster and cheaper than ever before.

"If generating malware used to take days, it now takes minutes. AI has made phishing, DDoS, and social engineering attacks far more effective," he said. "But defenders have the same tools. It's about using them smartly."

He described AI as "a weapon of destruction" but also a powerful defensive tool - if used responsibly. "When electricity was invented, we stopped saying we were using it. Everything became electrical. The same is happening with AI," he added.

For companies operating in the Asia Pacific region, Dave warned against assuming regulatory uniformity. "Some people assume APAC is one country, one regulator. It's not. I dealt with 17 markets in my last role - each with different rules," he said.

He stressed the need for businesses to understand local data residency laws, especially when outsourcing. "Countries like China, India, and Indonesia have strict laws that don't allow sensitive data to be moved out. If your cloud provider isn't in-country, you'll face tough regulatory oversight."

Supply chain risk is another growing concern, exacerbated by geopolitical tensions and the recent memory of COVID-19. "It's not just about buying a cool tool," he said. "You need strategic partners embedded in the region who can provide support long-term. Some suppliers with great services vanished during the pandemic. That's a real risk."

On talent shortages, Dave said he doesn't believe AI will cost jobs in cybersecurity. In fact, he expects the opposite. "We need more people. Skills in AI and quantum are in demand. Upskilling is essential," he said. "My advice? Train continuously. In some banks, you must complete certain credits each year to stay current."

Internships and real-world experience are part of that continuous learning journey, even if Dave himself didn't follow that path. "Every year, I've upskilled," he said. "In a modern security operations centre, you now have separate teams for threats, fraud and insider threats—all AI-powered. Analysts must train to keep up."

Frameworks like the Cyber Risk Institute (CRI) are vital tools for aligning technical and business risk, Dave explained.

"CRI consolidates policies like ISO, NIST and emerging tech standards. It helps you develop cybersecurity risk appetite statements in a language the business understands," he said.

He pointed out that in countries like Australia and Singapore, governance structures now mandate board approval of such statements. "Once approved by the board, there's no turning back. Regulators want evidence that senior leaders are involved."

Crisis preparedness is a major theme too. Dave advocates for including board members in cyber exercises. "If a critical third-party provider is compromised, who decides to disconnect them? Business leaders do," he said. "So they must be involved in those scenarios."

According to Dave, the role of the CISO has transformed and must continue to evolve.

"CISOs must think like business leaders now," he concluded. "If they don't understand the business dynamics, it can be a total disaster."