
CISOs must translate cyber threats into business risk
To manage risk effectively and secure board-level buy-in, CISOs must stop talking about technology and start speaking the language of business, according to a senior Check Point executive
Bridging the gap between cyber security and enterprise risk management programmes is a key priority for risk professionals, according to Jayant Dave, Check Point’s chief information security officer (CISO) in the Asia-Pacific region.
He noted that two decades ago, cyber security focused on perimeter defences such as firewalls and intrusion detection systems, with signature-based antivirus on endpoints. At the time, cyber strategies were considered part of technology risk management.
“In 2025, cyber security has become much more about business risk rather than being a tech risk. Aligning your cyber security risk appetite statements with business risk is pretty much the challenge at this point of time for many CISOs,” Dave said. “How do you connect the dots of cyber security risk in terms of financial risk, reputational, operational and strategy risks?”
To do so, he said, cyber leaders must understand the businesses they are defending. “As a CISO, you need to start speaking the business language. That’s where the board-level conversations are going in Australia.”
At the same time, regulations such as the Australian Prudential Regulation Authority’s (APRA) Prudential Standard CPS 234 demand board-level oversight and governance. This means technology leaders need to understand the business, and business leaders need to understand the technical aspects.
Frameworks such as the US National Institute of Standards and Technology’s Cybersecurity Framework (CSF) 2.0 and the Cyber Risk Institute’s CRI Profile 2.1 help cyber leaders align their risk appetite with the broader business landscape, Dave suggested.
“It also helps you in building a relationship with the regulators because, like APRA, the Hong Kong Monetary Authority [HKMA] has started recognising CRI as one of the frameworks for their assessments,” he said. “So, if you are in compliance with the CRI Profile, you are also aligning with your regulatory frameworks.”
Part of the process is to ensure that external providers’ risk appetite statements are reviewed and approved by the board, and that they are acceptable to regulators. Security investments – such as implementing a zero-trust architecture or adopting secure access service edge (SASE) – will be driven by a board decision that the organisation’s overall risk appetite has been exceeded.
But in less-regulated industries, there may be a lack of board awareness, which means investment “may not be prioritised from a cyber perspective”, Dave noted.
An important consideration is that security controls should not impact the end-user experience, Dave warned, otherwise users will look for ways to bypass them. “As a cyber leader, sometimes you have to be innovative in doing certain things in a safe and sound manner without impacting the user experience,” he said. “That’s where alignment comes into play.”
Another challenge arises when an enterprise is organised into multiple business units, such as a bank that incorporates market services, securities and wealth management. Dave suggested that a chief risk officer (CRO) should be embedded in each unit to serve as a trusted adviser on risk matters, helping to align technology and business risk from the start.
The creation of fusion centres can also bridge the gap between business and information security. A fusion centre brings together “the good defenders who understand the nuts and bolts of cyber” with their peers who know about business fraud, operational risk, and legal and compliance issues.
The technical team quantifies the risk from a technical perspective while the business team looks at the issues from a business perspective, and so “the common risk taxonomy gets aligned”. Fusion centre meetings can be held daily, weekly or monthly, and their activities should include cyber exercises.
However, those exercises should be designed to look at business risks. For example, the raw technical volume of a distributed denial-of-service (DDoS) attack, in bandwidth or requests per second, matters less than its business impact: does it affect critical infrastructure? What is the potential business loss? How many customers are affected? This knowledge enables the technical team to understand where defences are most needed and helps business teams understand the nature and consequences of possible attacks.
“It’s not going to be a one-time exercise; it’s going to be a continuous journey” to ensure that everyone understands their role in a crisis, said Dave.
While prevention comes first, cyber resilience is about being able to respond and recover quickly when a crisis occurs. A cyber intelligence centre, such as Check Point’s ThreatCloud, helps organisations anticipate likely attacks so they can take appropriate steps.
But technical measures are not always enough. Dave gave the example of recent incidents where, despite robust defences, personally identifiable information was stolen through social engineering attacks that manipulated employees. When that happens, it is about having comprehensive incident response plans, putting them into action quickly, and learning from the incident to reduce the chance of it happening again.
Dave said AI can help defenders respond more quickly, but it is still necessary to have the right skills available. Ultimately, CISOs and business stakeholders – not an AI – are held accountable to regulators and shareholders.
While Australia has a high level of cyber security maturity, that maturity is not evenly spread. Governments and regulated industries are well aware of the issues, but even when small and medium-sized businesses are aware, they may not have the budget to address them.
For example, Dave is aware of some healthcare businesses that are still running Windows XP. “At the macro level, yes, people are aware,” he said. “But when you look closer at specific sectors, there are definitely areas for improvement.”
Attackers are less likely to target a heavily defended bank and will instead turn their attention to sectors with weak links. “You will find ample opportunities where there are poor cyber hygiene practices,” he said.
Dave cautioned against building AI systems on top of weak foundations, such as unpatched computing environments. An underlying technology stack that’s vulnerable presents a major opportunity for bad actors, he said.
He advised organisations to implement critical controls through basic “secure baseline practices”, without spending a lot on new technology. Fundamentals such as secure coding and securely building operating environments should be achievable for any organisation, even one with a tight budget.
Finally, for organisations that cannot run their own security operations centre, he recommended: “Look for a strategic partner to do that for you.”