Special Features

When the Doors Close, the Real Conversation Begins: CSA, SISA Hold Roundtable on Evolving Cyber Threats and More

Because Cyber Risk Has Moved Beyond the IT Function and Into Board and Business-Line Conversations

On the morning of 14 April 2026, ten senior executives, board members, risk leaders, and cybersecurity specialists walked into a meeting room at the Concorde Hotel in Kuala Lumpur—and discussed things they probably would not say in public.

That is precisely the point of a closed-door roundtable.

Hosted by Cybersecurity Asia and supported by SISA InfoSec, the session was co-moderated by Andrew Martin, Group Publisher at Cybersecurity Asia, and Mahendran Chandramohan, SVP Engineering at SISA Infotech. The ten attendees represented banking, insurance, and government institutions—ranging from board level down to the managers running hands-on cybersecurity operations day to day. The mix mattered. So did the format.

What emerged over the course of the morning was not a polished panel presentation. It was a candid, technically dense, and at times uncomfortable accounting of how cyber threats are evolving faster than the organisational structures, governance models, and regulatory processes designed to manage them. The overarching message was not subtle: cyber risk is no longer a technology problem. It is a core governance issue—and boards that have not figured that out are already behind.

AI Has Changed the Rules of the Game

SISA

The opening discussion landed on Artificial Intelligence (AI), and it did not take long to establish the stakes. Participants agreed that AI has fundamentally altered the balance between defenders and attackers—and not in defenders’ favour.

Threat actors are now using AI to identify vulnerabilities, automate reconnaissance, and compress attack timelines in ways that were simply not possible even two or three years ago. Breaches that once unfolded gradually over days or weeks can now escalate from initial access to full compromise within hours. The comfortable assumption that security teams have time to detect, assess, and respond before serious damage occurs has been quietly eroded.

Identity, the group agreed, has replaced the network perimeter as the primary attack surface—particularly in cloud environments where authenticated access frequently equates to unrestricted reach. And as organisations rush to adopt generative AI and feed enterprise data into models, the AI systems themselves are becoming high-value targets, often deployed without the maturity of controls that would apply to any other critical system.

Supply Chains Are Not a Secondary Risk Anymore

The conversation returned to supply chain exposure more than once—and for good reason.

The participants were clear-eyed about why attackers prioritise supply chains: a single compromised vendor, software update, or open-source component can propagate risk across thousands of organisations simultaneously. For financial institutions in particular—heavily regulated, operationally complex, and assumed by attackers to have both a high tolerance and capacity for absorbing financial loss—supply chain exposure is not a peripheral concern. It is a primary threat vector.

The efficiency of a well-executed supply chain attack, especially when aided by AI-driven discovery and exploitation, makes it the method of choice for sophisticated actors looking to maximise impact.

On Regulatory Reporting: There Is No Grey Area

One of the most direct exchanges of the morning concerned regulatory escalation—and the group was unambiguous about it.

Regulatory reporting is mandatory when legal or supervisory thresholds are met. There is no discretion, no grey area, and no tolerance for delay once an incident qualifies as reportable. This was not presented as a controversial position. It was presented as fact.

What organisations do have agency over, however, is the quality of their diagnostic capability—their ability to accurately determine what is, and is not, a reportable incident. Strong detection, correlation, and validation allow security teams to distinguish genuine breaches from routine security events early, reducing the risk of premature notifications driven by uncertainty rather than confirmed fact. The point was made explicitly: resilience and quality diagnosis do not weaken compliance. They support it—by ensuring that when escalation happens, it is timely, accurate, and defensible.

Boards Are Now Part of the Incident Response

Board readiness emerged as a genuine differentiator in the room—and not everyone was in the same position.

Multinational institutions described boards with established cyber literacy, direct escalation channels, and clearly defined roles during incidents. Others acknowledged that their boards rely heavily on management briefings, with limited independent technical depth. The gap between the two was visible in the room and acknowledged openly.

Expectations, however, are converging upward. Regulators increasingly expect boards to understand cyber risk, challenge management assumptions, and be able to explain response decisions after the fact. High-profile cases involving supplier failures and lapsed cyber insurance were cited as examples where boards themselves came under regulatory scrutiny for governance failings—not just the security teams.

There was debate over whether security leaders should sit on boards. There was no debate about whether boards must actively test their governance structures rather than simply assume they will function under pressure.

Playbooks That Actually Work

A pointed exchange emerged around incident response playbooks. Most participants argued theirs were built from real-world experience rather than audit checklists—but several acknowledged the uncomfortable truth that playbooks tend to become compliance artefacts when they are not continuously tested.

Tabletop exercises, red-team simulations, and breach rehearsals were widely viewed as essential—not to satisfy auditors, but to surface the ambiguity in decision-making, escalation timing, and cross-functional communication that only shows up when you actually run through a scenario. Documentation that looks robust in peacetime can break down rapidly under the pressure of a real incident.

The Forensics Problem Nobody Likes Talking About

When the conversation turned to forensic readiness, the confidence in the room became noticeably more guarded.

Many organisations believe they log everything—until a real investigation begins and the gaps become apparent. Insufficient log retention, disabled logging on edge devices, incomplete third-party evidence, and internal friction during investigations all surfaced as common failure points. Several participants noted that a significant proportion of real-world investigations fail to reach a conclusive root cause simply because the data no longer exists.

Insider investigations drew particular attention—described as politically sensitive, deeply disruptive, and slow, frequently requiring independent third-party investigators just to maintain credibility and momentum.

SISA

The Human Problem Has Not Gone Away

For all the technical sophistication in the room, human behaviour kept surfacing as the most persistent risk. Misconfigurations, delayed decisions, cognitive bias, and—perhaps most critically—fear of escalation.

Board members spoke openly about accountability, trust, and consequences. In several cases, accidental disclosures or delayed reporting were treated as governance failures rather than technical ones. The reputational and career implications of cyber incidents were described as real and unavoidable. This reinforces, rather than undermines, the case for transparency and discipline at every level of the organisation.

Where Malaysia Stands

The session ended on a note of guarded optimism. Relative to regional peers, Malaysia’s financial sector was described as comparatively advanced in cyber governance, regulatory clarity, and executive awareness. Cyber risk has visibly moved beyond the IT function and into board and business-line conversations.

But the unresolved challenges are real: AI governance, cloud sovereignty, long-term forensic readiness, and a growing dependence on third-party ecosystems that no single organisation can fully control. The bar is rising quickly. Organisations that rely on compliance checklists rather than operational resilience are going to struggle to clear it.

One participant put it best: organisations cannot promise they will not be breached. But they will increasingly be judged on whether they were prepared, decisive, and honest when it mattered.

That is the standard. And in a closed room in Kuala Lumpur on a Tuesday morning, ten people who live with that standard every day talked about it with a frankness that the conference circuit rarely allows.

That is why you close the doors.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *