Cyber Risk Comes of Age: How Digital Trust is Reshaping Corporate Leadership 

For years, cybersecurity was largely viewed as the responsibility of the IT department, a technical discipline measured by firewalls, antivirus software and compliance checklists.

That era is over.

As businesses embrace cloud computing, artificial intelligence, open APIs and digital ecosystems, cyber risk has quietly evolved into one of the most significant enterprise risks facing organisations today. Increasingly, Boards are discovering that cybersecurity is no longer about protecting servers it is about protecting customer trust, business continuity and corporate reputation.

Financial institutions perhaps understand this transformation better than most. They operate at the intersection of technology, regulation and trust, where every digital innovation also expands the attack surface.

In this exclusive conversation with Puru Shah from Risk Awareness team, Pranay Modi, Chief Information Security Officer, MAS Financial Services, shares his perspectives on why cybersecurity has become a Board-level responsibility, how organisations should balance innovation with resilience and why tomorrow’s CISO must think far beyond technology.

Cybersecurity has evolved from being an IT function to becoming a Board-level priority. As a CISO in the financial services sector, what do you believe has fundamentally changed over the past five years and how should Boards rethink cyber risk in today’s digital economy?

The most fundamental change is that cybersecurity has moved from the server room to the balance sheet.

Five years ago, cyber was largely a technology conversation: firewalls, antivirus, patch compliance. Boards saw it once a year on an audit slide. Today, the business itself is digital, which means cyber risk is business risk. In financial services especially, three shifts have redefined the landscape.

First, the attack surface has exploded. Digital-first banking, instant payments, open APIs, fintech partnerships and cloud adoption have dissolved the traditional perimeter. Our risk today lives in a vendor’s environment, a partner’s API, or an employee’s home network, not just inside our own data centre.

Second, the adversary has industrialized. Ransomware now operates as a business model, complete with affiliates and even “customer support.” Attacks that once demanded months of expertise can be purchased as a service, and AI has made phishing and social engineering frighteningly convincing. Financial institutions remain target number one, because that is where the money and the data are.

Third, regulators have raised the bar, and rightly so. In India, the RBI’s Master Directions on IT governance and the DPDP Act, 2023 have made cyber and data protection matters of board accountability rather than IT hygiene. Personal accountability has entered the boardroom.

So how should boards rethink cyber risk? My advice is to stop asking “Are we secure?” It is the wrong question; no honest CISO can answer it with an absolute yes. The right question is “How resilient are we?”, “How quickly do we detect, how quickly do we recover, and can we continue serving customers while under attack?”

Boards should govern cyber risk the way they govern credit or liquidity risk, with a defined risk appetite, quantified exposure, and metrics tied to business outcomes rather than vulnerability counts. And the CISO should have a standing seat at the table, not an annual guest appearance.

In a digital economy, trust is the real product. Customers do not merely deposit money with us, they deposit trust. Protecting that trust is not a cost of doing business, it is the license to do business.

Financial institutions are simultaneously embracing cloud, AI, APIs and digital ecosystems while facing an increasingly sophisticated ransomware and cybercrime landscape. How can organisations accelerate innovation without compromising resilience, and where do you see most enterprises getting this balance wrong?

I have always believed the innovation-versus-security debate rests on a false premise. The fastest cars in the world have the best brakes, not so they can drive slowly, but so they can drive fast with confidence. Security, done right, is that braking system for digital innovation.

The organisations that get this balance right do three things differently.

They build security in, not bolt it on. When security enters at the design stage, as guardrails rather than gates, it stops being the department of “no” and becomes the function that makes “yes” safe. A cloud landing zone with pre-approved controls, APIs governed by policy from day one, AI models with data protection designed in – these let product teams move fast without waiting at a checkpoint. Whenever security acts only as a final gate, teams route around it, and shadow IT becomes the real risk.

They tier their risk. Not every system deserves the same level of control. A customer-facing payment platform and an internal HR tool carry very different consequences of failure. Mature organisations apply the heaviest controls to their crown jewels and give lighter, automated guardrails to everything else. That is how you buy speed without selling resilience.

They treat resilience as a design requirement, not a document. In a ransomware era, the honest planning assumption is “we will be breached someday.” The differentiator is recovery, immutable and offline backups that are actually tested, rehearsed crisis playbooks, and the ability to keep serving customers while containing an incident.

Where do most enterprises get it wrong? In my experience, three places. First, they adopt cloud and AI with an on-premise mindset: lifting and shifting workloads without redesigning controls, which is why misconfiguration, not sophisticated attack, remains the leading cause of cloud breaches. Second, they chase shiny tools while neglecting fundamentals, buying AI-powered platforms while identity hygiene, patching and backup testing stay weak. Most successful attacks still walk in through a stolen credential or an unpatched system, not a zero-day. Third, they treat third-party risk as a one-time onboarding checkbox, even though every API partner and fintech integration is now an extension of their own attack surface, one that needs continuous monitoring, not an annual questionnaire.

The uncomfortable truth is that enterprises rarely fail at this balance because they innovated too fast. They fail because they secured too late. Innovation and resilience are not opposing forces; resilience is what makes innovation sustainable. You can build a digital ecosystem quickly, but you can only keep it if customers trust it.

Having built your career across enterprise infrastructure, information security and now leading cybersecurity for a regulated financial institution, how has your own philosophy of cyber risk evolved? Are today’s CISOs expected to be technology leaders, business strategists or enterprise risk managers or all three?

My philosophy has evolved in three distinct stages and each stage humbled the one before it.

I began my career in enterprise infrastructure, where security meant securing systems. If the servers were hardened, the patches applied and the firewall rules clean, I believed we were safe. It was an engineer’s view of the world: security as a technical state you could achieve and then maintain.

Moving into information security broke that illusion. I learned you can have perfectly configured technology and still lose, because a user clicks a link, a process has a gap, or a vendor has access nobody documented. Security, I realised, is not a state but a system: people, process and technology and the weakest of the three defines your real posture. That is when governance, awareness and control frameworks entered my vocabulary alongside configurations.

Leading cybersecurity for a regulated financial institution completed the evolution. At this level, security is not even a system, it is a business risk discipline. The question changed from “Is this system secure?” to “How much risk does this expose the business to, and is that within our appetite?” Not every risk deserves the same response: some you mitigate, some you transfer, some you consciously accept and document. Perfection is not the goal; prioritisation is. Regulation reinforced this maturity, when RBI directions and the DPDP Act hold leadership personally accountable, risk thinking stops being optional.

If I had to compress the journey into one line: I moved from protecting systems, to protecting information, to protecting trust.

On the second question: technology leader, business strategist or enterprise risk manager – my honest answer is all three, but not in equal measure, and not all in the same room.

Technology leadership is the entry ticket. A CISO who cannot sit with the SOC team and dissect why a detection failed loses credibility with their own function and becomes easy prey for vendor marketing. You cannot govern what you do not understand.

Business strategy is the language. Boards do not fund firewalls; they fund continuity, customer trust and regulatory standing. A CISO who cannot express cyber risk in terms of revenue, reputation and licence-to-operate will remain a cost centre in the eyes of leadership.

Enterprise risk management is the discipline that connects the two, translating technical exposure into business impact, defining appetite, and making defensible, risk-based decisions rather than fear-based ones.

And I would add a fourth, underrated skill: translation. The modern CISO sits at an intersection, speaking engineering with engineers in the morning, business with the board in the afternoon, and compliance with the regulator by evening, carrying the same message across all three languages without losing its meaning.

The CISO of five years ago protected the network. The CISO of today protects the enterprise. The CISO of tomorrow will be judged on how safely the business was able to grow under their watch.

The Risk Awareness Perspective 

If there is one message that emerges from Pranay Modi’s reflections, it is that cybersecurity has undergone a profound identity shift.

It is no longer merely about protecting technology. It is about safeguarding business resilience, preserving customer trust and enabling sustainable growth in an increasingly digital economy.

Perhaps his most powerful observation is that Boards should stop asking whether they are secure and instead ask how resilient they are. That distinction may well define the next decade of corporate governance.

Tomorrow’s CISO, as Pranay suggests, will not simply defend networks. They will help shape business strategy, translate technology into enterprise risk, and become trusted advisors in the boardroom, where cybersecurity decisions increasingly influence business outcomes as much as technology itself.

Top