Tuesday Oct 07, 2025
Tuesday Oct 07, 2025
Tuesday, 7 October 2025 01:38 - - {{hitsCtrl.values.hits}}
From left: Central Bank Chief Information Security Officer Sanjee Balasuriya, Brandix Director Oshada Senanayake, VISA Asia Pacific Visa Consulting and Analytics Risk Practice Lead Dibyajyoti Sen, Dialog Axiata Group Chief Information Officer Asela Perera, HashX Founder and CEO Avishka Bandara and Moderator Daily FT Editor and CEO Nisthar Cassim
By Hiyal Biyagamage
The opening session of the 11th Annual Daily FT–CICRA Cyber Security Summit set a strong, forward-looking tone with a keynote address by Dibyajyoti Sen, VISA Risk Practice Lead for Visa Consulting and Analytics, Asia Pacific. Speaking under the theme “Future-Proof Security: Predicting Cyber Threats Before They Strike”, Sen outlined how artificial intelligence, quantum computing, and sophisticated supply chain attacks are fundamentally reshaping the global cybersecurity landscape.
A complex and fragmented threat environment
Sen began by mapping out the 2025 cyber threat landscape, drawing from Visa’s global intelligence network. Financial institutions, he said, remain prime targets, facing sustained, high-volume attacks from increasingly organised and well-funded threat groups. He pointed to the fragmentation of the ransomware ecosystem, with new collectives like DragonForce and Scattered Spider emerging to replace older groups. “We’re seeing the evolution of ransomware-as-a-service cartels where brand loyalty and ideology have given way to a more commercialised, marketplace-driven model of cybercrime.”
CICRA Holdings Group Director and CEO Boshan Dayaratne
VISA Asia Pacific Visa Consulting and Analytics Risk Practice Lead Dibyajyoti Sen
Brandix Director Oshada Senanayake
Beyond traditional attacks, nation-state actors are escalating operations to infiltrate critical infrastructure, including energy, transport, and telecommunications networks. Sen highlighted how campaigns such as Volt Typhoon and Salt Typhoon compromised routers, internet service providers, and even government surveillance systems through outdated hardware. “The lesson is that our weakest link isn’t always the newest technology. It’s often the legacy systems we’ve ignored,” said Sen.
One of the most alarming shifts, Sen warned, is the weaponisation of generative AI (GenAI) by cybercriminals. The emergence of tools like GhostGPT, an uncensored AI chatbot marketed on Telegram for creating malware, phishing scripts, and exploits has lowered the technical barrier for threat actors.
“AI has become a force multiplier,” Sen said. “We’re now seeing less-skilled attackers execute highly sophisticated, personalised fraud campaigns that once required deep expertise.” He cited instances where ransomware groups such as Black Basta and EncryptHub used GenAI to craft credible communications, rewrite malicious code, and even negotiate ransom payments.
These developments, he emphasised, require AI governance and guardrails within organisations to ensure that defensive tools evolve in tandem with offensive innovation. “The same AI that protects us can be turned against us if deployed without oversight,” he added.
Insider and supply chain risks
Sen also drew attention to a new breed of insider threat which is state-sponsored actors, posing as legitimate remote IT workers within global firms. Some of these fraudulent employees, he revealed, have earned over $ 300,000 annually, with proceeds allegedly funding weapons programs. “The risk isn’t only data theft but the slow, silent compromise of trust within organisations,” warned Sen.
He called for rigorous identity verification, including live camera interviews, multi-document checks, and network monitoring for VPN or proxy usage. Similar vigilance, he said, must apply to supply chain security, where a single breach in a third-party vendor can cascade across entire industries.
Transitioning to solutions, Sen also urged organisations to embed AI not only in security operations centres (SOCs) but across the entire software development lifecycle (SSDLC). According to him, this “AI-augmented defence”, enables early threat detection, automated incident response, and adaptive monitoring with human oversight always in the loop.
He highlighted Zero Trust architecture and pessimistic design principles as Visa’s core pillars, advocating for a “verify, then trust” mindset where every device, user, and network interaction must be authenticated. “Security today is not about building walls; it’s about continuous verification,” he remarked.
Visa’s cybersecurity strategy, Sen added, has already yielded tangible impact, blocking over 66 million attacks targeting APIs and web applications every month, along with 10 million email-based threats and $ 40 billion in attempted fraudulent payment volume.
HashX Founder and CEO Avishka Bandara
Central Bank Chief Information Security Officer Sanjee Balasuriya
Dialog Axiata Group Chief Information Officer Asela Perera
Preparing for the quantum era
Sen concluded with a stark warning about quantum computing’s disruptive potential. With the world’s largest quantum systems approaching 1,200 qubits and steady improvements in accuracy, he noted that “the encryption we rely on today may not hold beyond the next decade.” Breaking 2048-bit RSA encryption could soon take seconds, not centuries, he explained, underscoring the urgency for quantum-resistant cryptography.
“The window to prepare is closing,” Sen said. “We have six to eight years before essential cryptography standards must evolve. Every organisation should be investing now in quantum-safe infrastructure to secure future data.”
Closing his address, Sen urged business leaders to view cybersecurity as a strategic investment, not a technical expense. “Future-proofing security is about mindset. As AI, quantum, and cybercrime converge, only those who adapt early will safeguard both trust and growth,” remarked Sen.
Shift from reactive to predictive security
The guest address was delivered by Brandix Apparel Ltd., Director Oshada Senanayake, who urged Sri Lankan enterprises to shift from reactive to predictive cybersecurity, a mindset he described as the only viable defence in an era defined by AI-accelerated attacks and converging digital risks.
Framing his talk around the theme “Future-Proof Security: Predicting Cyber Threats Before They Strike”, Senanayake argued that the “threat math” has flipped. Attackers today use automation and artificial intelligence to launch 36,000 scans per second, while nearly 80% of ransomware strains already employ AI. “We’ve reached a point where building higher walls is no longer enough. It’s time to install better radar systems,” he said, calling for a national and corporate-level move from ‘assume breach’ to ‘anticipate and neutralise’.
Senanayake outlined a layered “Predictive Security Stack” that integrates business governance, threat intelligence, and AI analytics to deliver early warning indicators before attacks materialise. This model, aligned with NIST CSF 2.0 and MITRE ATT&CK, incorporates deception technology, automated exposure validation, and Zero Trust frameworks.
He highlighted three strategic pillars of predictive defence, which are Intelligence, AI, and Community. Intelligence focuses on external and internal telemetry, ranging from dark web monitoring and decoy credentials to adversary emulation, to create actionable risk profiles tied to business priorities. AI analytics leverage User and Entity Behavioural Analytics (UEBA) and graph modelling to detect anomalies early, while the community pillar stresses shared learning through sectoral ISACs (Information Sharing and Analysis Centres) and coordinated incident response networks.
“The fastest signal-to-action conversion now happens when organisations collaborate,” Senanayake noted. “Cyber resilience is no longer a solo effort; it’s a shared national mission.”
AI governance and secure design
With generative AI advancing faster than regulatory frameworks, Senanayake warned that AI systems themselves are becoming new attack surfaces. He recommended adopting NIST AI RMF 1.0 and ISO/IEC 42001 standards to establish trust boundaries, manage prompt injection risks, and prevent model theft. “We must design AI systems like we design aircraft, not just for performance but for fail-safety,” he said.
He also referenced Sri Lanka’s ongoing policy landscape, citing the Personal Data Protection Act (PDPA), the Online Safety Act, and the forthcoming National Cybersecurity Bill as crucial foundations. Yet he urged stronger regional cooperation and alignment with Singapore’s AI Verify and India’s evolving MeitY governance frameworks to strengthen Asia’s collective posture.
Closing his session, Senanayake unveiled a 90-day Predictive Security Playbook, offering a practical roadmap for Sri Lankan organisations to operationalise cyber resilience. In the first 30 days, he recommended mapping critical attack paths, deploying canary sensors, and piloting UEBA analytics to identify behavioural anomalies. Between days 31 and 60, organisations should integrate threat intelligence with SOAR systems and initiate pre-launch domain monitoring to anticipate external risks. By the final phase, from days 61 to 90, Senanayake urged teams to red-team their generative AI applications, establish AI risk management profiles, and define executive-level KPIs under the CSF “Govern” function, ensuring cybersecurity accountability extends from technical teams to board leadership.
Building collective cyber resilience
The first session concluded with a panel discussion moderated by Daily FT CEO and Editor Nisthar Cassim, featuring Dialog Axiata Group Chief Information Officer Asela Perera, Central Bank of Sri Lanka Chief Information Security Officer Sanjee Balasooriya, and Hashx Ltd., Founder and CEO Avishka Bandara, along with Dibyajyoti Sen and Oshada Senanayake.
The panel explored the growing urgency for cross-sector collaboration and intelligence sharing to strengthen Sri Lanka’s collective cyber defence posture. Asela Perera noted that while Sri Lankan enterprises have accelerated their digital transformation journeys, many still underestimate the operational exposure created by complex vendor ecosystems and legacy integration. He stressed that board-level commitment and continuous testing are now prerequisites for resilience, not afterthoughts.
Adding a regulatory perspective, Sanjee Balasooriya outlined the Central Bank’s efforts to align the financial sector with global cybersecurity benchmarks, including mandatory incident reporting, red-teaming exercises, and upcoming compliance frameworks to reinforce risk management across licensed financial institutions. “Trust in the digital economy is built on security assurance. Financial stability now depends on cyber stability,” he observed.
Offering an entrepreneurial viewpoint, Avishka Bandara emphasised the importance of local innovation and cyber talent development, urging greater support for startups that can deliver indigenous cybersecurity solutions. He noted that emerging technologies such as blockchain, secure APIs, and decentralised identity models could significantly enhance transparency and authentication across digital ecosystems.
Strategic partners of the 11th annual cyber-security summit were Visa and Sysco LABS, Platinum partner was the South Asia Technologies, Community Impact Partner was Meta, Payment network partner was LankaPay. Other partners included platform partner #HashX, podcast partner Techtalk, hospitality partner Cinnamon Grand, Colombo, Creative partner Mullenlow Sri Lanka and electronic media partner Yes101, TV1 and
News 1st.
Pix by Ruwan Walpola and Upul Abeysekara
