Through deepfakes and data breaches, CEOs must lead cybersecurity battle

From left: Moderator, Daily FT Editor and CEO Nisthar Cassim, Meta Director – Public Policy for South Asia and Central Asia Sarim Aziz, Visa Consulting and Analytics, Asia Pacific Risk Practice Lead Sen Dibyajyoti, SECGRA Cloud Security Innovator/Director Paul Hidalgo, Rajah & Tan Cyber Security CEO Wong Onn Chee, and CICRA Holdings Group Director/CEO Boshan Dayaratne

• Key insights from the CEO Forum at the Daily FT–CICRA Summit

By Hiyal Biyagamage

The 11th Annual Cyber Security Summit, organised by Daily FT in collaboration with CICRA Holdings, commenced last week at Cinnamon Grand Colombo with its flagship CEO Forum, bringing together leading voices from global and local industries. The forum set the stage for a two-day conversation on the rapidly evolving cyber landscape, where Artificial Intelligence (AI) is simultaneously reshaping opportunities and amplifying risks.

Setting the context

During his opening remarks, CICRA Holdings Group Director/CEO Boshan Dayaratne highlighted how the convergence of AI, cloud adoption, and digitalisation has expanded the attack surface for businesses. He emphasised the need for Sri Lankan corporate leaders to elevate cybersecurity from a back-end IT function to a boardroom-level strategic priority. “The conversation today is no longer about compliance, but about resilience, trust, and long-term competitiveness,” Dayaratne said.

This framing mirrors global concerns. The World Economic Forum’s Global Cybersecurity Outlook 2025 warns that 72% of organisations reported a rise in cyber risks last year, with ransomware and AI-enhanced phishing topping the list. The report stresses that in an age of complexity, resilience must be treated as an enterprise-wide responsibility, not merely an IT issue.

A central theme of the forum was the role of AI in cyber defence and cybercrime. Meta Director – Public Policy for South Asia and Central Asia Sarim Aziz noted that while AI-powered tools are enabling faster detection of threats, adversaries are also weaponising AI to carry out sophisticated attacks. He stressed the importance of public–private collaboration in developing governance frameworks that balance innovation with safety.

Globally, two-thirds of executives expect AI to have the most significant impact on cybersecurity this year, yet fewer than four in ten organisations have processes in place to assess the security of AI tools before deployment. The paradox is clear; businesses are rushing to adopt AI without securing it, leaving themselves exposed. Participants also warned that banning AI outright is ineffective; employees will simply turn to personal devices or shadow tools. Instead, companies must set clear usage policies, backed by training and awareness, to prevent sensitive data from leaking into uncontrolled systems.

Global threat landscape

From a financial services perspective, Visa Consulting and Analytics, Asia Pacific Risk Practice Lead Sen Dibyajyoti described the escalating scale of fraud in digital payments. He pointed to phishing, social engineering, and AI-driven scams as the most immediate threats for banks and fintechs. “Resilience depends on embedding security by design across payment ecosystems,” Dibyajyoti said.

Fraud and social engineering were recurring concerns. Deepfake-enabled scams, such as impersonated CEO and CFO phone calls, have already cost global firms millions. Panellists highlighted the importance of layered security using multiple controls such as call-backs, shared secret questions, and verification protocols to counter increasingly sophisticated attacks. Education was stressed as a frontline defence, not only for employees but also for consumers, who are often the most vulnerable target group.

Rajah & Tann Cyber Security CEO Wong Onn Chee reinforced this by warning of ransomware-as-a-service and state-sponsored cyber espionage as top regional threats. He noted that fragmented regulations make coordinated responses difficult. Around seven in ten executives worldwide share this concern, citing cyber regulations as overly complex, fragmented, or burdensome.

With cloud migration accelerating across industries, SECGRA Director Paul Hidalgo focused on the structural vulnerabilities of multi-cloud environments. He stressed that traditional perimeter-based security models are obsolete in today’s distributed systems. Instead, he advocated for zero-trust architectures that continuously validate users and devices, combined with strong incident response frameworks.

Supply chain vulnerabilities remain a critical concern, with more than half of large organisations citing third-party risk management as their biggest barrier to resilience. Software vulnerabilities introduced by external partners, coupled with concentrated dependence on a small number of providers, are creating systemic points of failure that ripple across entire economies. The global IT outage in 2024 caused by a single faulty software update served as a stark reminder of this risk.

The forum also highlighted that most AI and cloud vendors limit their liability to refunding subscription fees in the event of a breach. CEOs were urged to negotiate contracts that include liquidated damages clauses, ensuring vendors face real financial consequences if failures expose businesses or customers to harm.

Local imperatives for Sri Lanka

While global experts painted a broad picture, the discussion also returned to Sri Lanka’s specific context. Speakers agreed that the country’s growing digital economy, from e-commerce to fintech to e-governance, faces acute vulnerabilities due to resource constraints and limited cyber maturity. For corporate leaders, integrating cybersecurity directly into business continuity planning is no longer optional; it must be treated as a core element of long-term operational resilience.

At the same time, participants stressed that technology investments alone will not be sufficient. Companies must balance systems spending with the development of skilled people who can anticipate and respond to threats effectively. The skills challenge is especially relevant: two out of three organisations worldwide now report moderate-to-critical cyber skills gaps, with only 14% confident they have the talent they need. For Sri Lanka, where digital adoption is accelerating, workforce development and capacity-building will be decisive in determining whether digital growth can be sustained securely.

The CEO Forum crystallised several strategic insights for corporate leaders. A clear consensus emerged that AI will fundamentally transform the cybersecurity battlefield, with deepfakes and AI-enhanced fraud creating threats that outpace traditional controls. This reality demands that cybersecurity be recognised as a leadership issue, where responsibility cannot rest solely with IT teams. Boards and CEOs must set the tone, embed resilience into strategy, and ensure that security is treated as a driver of trust and competitiveness rather than a compliance checkbox. Importantly, CEOs cannot simply delegate accountability to CISOs or IT managers; regulators and stakeholders are demanding board-level responsibility for cyber resilience.

Equally important was the recognition that the foundation of digital operations is shifting. Zero-trust principles are becoming the new baseline for organisations operating across cloud and hybrid work models, where continuous identity verification and endpoint security are non-negotiable. Leaders were urged to move beyond regulatory compliance by stress-testing systems, building a culture of security, and prioritising collaboration. Since no single company or Government can confront these challenges alone, partnerships across regulators, technology providers, and enterprises will be critical in shaping a safer digital future.

In conclusion

In his closing remarks, Dayaratne reiterated that cybersecurity is not just a technical challenge but an economic and national security priority. He urged Sri Lankan businesses to invest early, adapt continuously, and collaborate openly. “The threats are global, but so are the solutions. Our ability to act decisively today will determine whether Sri Lanka thrives in the digital future or lags behind.”

The CEO Forum set a decisive tone for the full-day Cyber Security Summit, where technical experts, policymakers, and industry practitioners delved deeper into emerging technologies and sector-specific risks. 

Strategic partners of the 11th annual cyber-security summit were Visa and Sysco LABS, Platinum partner was the South Asia Technologies, Community Impact Partner was Meta, Payment network partner was LankaPay. Other partners included platform partner #HashX, podcast partner Techtalk, hospitality partner Cinnamon Grand, Colombo, Creative partner Mullenlow Sri Lanka and electronic media partner Yes101, TV1 and News1st. 

Pix by Upul Abeysekera and Ruwan Walpola