What I Shared at the PIKOM's Future of Cybersecurity Summit 2025 (And Why It Matters)
Hello Folks,
Last week, I had the chance to be part of a panel session at the Future of Cybersecurity Summit 2025, organised by PIKOM. This marks my third year in a row speaking at this event — always a good crowd and solid conversations. The panel I was on was titled “Finding the Right Cybersecurity Solution That Fits Your Business”, and I was joined by a fellow CISO from a local bank and a lawyer who covered the PDPA angles. The session was moderated by the CEO of one of our leading local cybersecurity players. In this post, I’ve decided to share the transcript (well, a polished and structured version) of what I spoke during the panel. I obviously can’t remember every single word I said, but what you’ll read below captures all the key points I shared — 100%.
Moderator: With so many cybersecurity tools and vendors in the market, what should businesses prioritize when selecting a solution that truly fits their needs?
Me: Whether you’re a 20-person startup or a listed enterprise, one thing’s for sure — the cybersecurity market is full of noise. There’s a tool for everything, and every vendor claims to be ‘the only platform you’ll ever need’.
My advice? Start with clarity. Understand what you’re protecting, why it matters to your business, and what would happen if it’s compromised. This applies whether you’re protecting customer PII or your manufacturing line.
I always tell businesses to avoid tool sprawl. Don’t end up managing 10 dashboards that don’t talk to each other. Reduce complexity and unify wherever practical. That alone can save time, reduce errors, and help you respond faster.
I’ve written a model I call the 5-4-3-2-1 approach — it helps organizations, regardless of size, think about prioritizing risks, layering controls, and aligning investments. Because honestly, you don’t need ‘more tools’, you need the right tools working together.
Moderator: How do you strike a balance between strong security and operational efficiency — especially for organizations juggling growth, compliance, and user experience?
Me: Security that blocks business is not security — it’s friction.
Whether you're an SME or a global firm, your controls must align with how the business operates. Security has to be part of the operations (heck, security is the business, we shouldn’t even call it a “business enabler” anymore because by saying it we are literally isolating it from the business itself), not fight against them. This is where design matters — user-friendly, scalable solutions with automation built-in.
I always encourage organizations to invest in automation early — patching, backups, incident detection, even reporting. It saves time, reduces errors, and frees up your people to focus on decision-making rather than routine tasks.
And culturally, security teams need to work hand-in-hand with product and operations. A strong access control policy that slows down a DevOps team is going to be bypassed. That’s where conversations matter — compromise, not confrontation.
Moderator: What role does risk profiling, industry, or business maturity play in determining the right cybersecurity approach?
Me: A bank and an e-commerce platform shouldn’t have the same risk approach — even if both handle data. Industry, regulatory obligations, customer expectations, and business model all play a huge role.
That’s why profiling is critical. What are your most valuable assets? Where are you most exposed? Are you a high-value target or part of someone else’s risk chain?
With regulations like Malaysia’s Cyber Security Act 2024, you might not be directly covered — especially if you’re not in NCII sectors. But you may still inherit those expectations through your customers or vendors.
Enterprises need structured risk assessments. SMEs may start with something simpler — even a spreadsheet listing their assets and key risks. Either way, the goal is to match your security level to your actual exposure, not based on fear or FOMO.
Moderator: How can a company ensure its cybersecurity investment remains relevant as the threat landscape and business evolve?
Me: The cyber threat landscape is like a treadmill — it keeps moving whether you’re ready or not.
The key here is adaptability. You need security capabilities that can evolve with your business. This means flexible tools, modular architecture, and — again — a reduction of tech debt and legacy dependencies.
I’ve seen organizations spend millions on tools that don’t scale or integrate. So as your business grows or shifts to the cloud or adopts AI, your security stack needs to grow with you.
Set a cadence — quarterly or half-yearly — to review your stack: what’s still working, what’s underperforming, and what’s adding unnecessary cost or risk.
And remember, staying relevant is not just about tools. It’s about skills, processes, and mindset. Train your people. Run simulations. Review your playbooks. Make security part of your business rhythm.
Moderator: How do you measure the effectiveness of a cybersecurity solution once it’s in place?
Me: Here’s the truth: a solution’s value isn’t in its technical spec sheet — it’s in the outcomes it delivers.
Ask yourself:
Is this solution reducing incidents or noise?
Are we responding faster to threats?
Is it helping us meet compliance with less stress?
Is it saving our team’s time or making life harder?
Whether it’s endpoint protection or cloud security tools, you need clear KPIs tied to your actual risk posture. Not vanity metrics. Not just how many alerts — but how many relevant alerts were acted on.
And don’t forget the business angle. Can this tool help us demonstrate due diligence to regulators or customers? With frameworks like the Cyber Security Act now in play, businesses — especially those serving NCII or regulated industries — need to be able to show they're in control. That’s effectiveness too.
Ultimately, effectiveness is about confidence. Are you sleeping better at night knowing your controls are working? That’s what you want.
That’s all from me for this round. Hope you found my takeaways from the panel useful — whether you’re running a startup or managing security in a big enterprise, the challenges are more similar than we think, but… there is no one-size-fits-all solution. As always, feel free to hit reply if you’ve got thoughts, questions, or just want to share your own experience. Until the next one — stay safe, stay sharp.
Cheers,
Sivanathan
P.S. My recently published book titled “Leadership in the Age of AI: A Handbook of Daily Cybersecurity Leadership Nuggets” is available for purchase:
Paperback (Amazon): https://www.amazon.com/Leadership-Age-AI-Cybersecurity-Transform/dp/B0DZ2PGP7Q
E-book (Gumroad): https://sivanathans.gumroad.com/l/cybersecurityleadership