Monday, 27 October 2025, 00:05
In most Sri Lankan organisations, cybersecurity is still viewed as an IT concern, i.e. something the “tech people” will take care of once the operational systems are running smoothly.
This mindset is dangerously outdated. In today’s digital economy, where every business process, from payroll to procurement, depends on interconnected systems, cybersecurity is a governance and leadership issue, not a technical one.
Across dozens of organisations we have engaged with, one pattern repeats: the head of IT is expected to “handle” cybersecurity alongside server maintenance, system rollouts, and user support. There is rarely a dedicated cybersecurity function, and very few boards receive structured cybersecurity briefings. The result? Cyber risk remains invisible until a breach occurs.
The misconception: “Cyber = IT”
This assumption stems from history. In the 1990s and early 2000s, cybersecurity mainly meant firewalls, antivirus software, and network protection, all managed by IT teams. But the modern cyber landscape is entirely different.
Today, threats exploit not just systems, but people, processes, and access patterns. They thrive on poor governance: excessive privileges, unmanaged accounts, lack of oversight, and weak accountability.
When cybersecurity is left to IT alone, decisions are made on operational convenience, not on risk appetite, compliance exposure, or business continuity priorities. That’s like asking your accountant to write your company’s governance policy.
The reality: Cyber governance is enterprise governance
In leading global organisations, cybersecurity oversight sits with the board risk committee or the chief risk officer, not buried within the IT department. Boards in these organisations routinely ask critical questions: Do we know who has access to what? Can we demonstrate control over privileged accounts? Are we compliant with ISO 27001, GDPR, or local data-protection laws? And if a ransomware attack strikes tonight, who makes the first call and according to what plan?
Cybersecurity today intersects with law, reputation, insurance, and shareholder confidence, all matters that sit within the board’s domain. It is no longer a technical safeguard; it is a pillar of enterprise governance.
The opportunity: Build security governance, not just defences
At Welford Systems, we’ve demonstrated this principle through our Welford IAG (Identity & Access Governance) platform, a system built not to block hackers, but to govern trust.
It helps organisations ensure that every user, administrator, and technical account has clear ownership, defined purpose, and time-bound access. In many of our engagements, organisations realised for the first time how many orphaned or unmanaged accounts existed, a hidden risk that no firewall could ever fix.
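The three properties named above (clear ownership, defined purpose, time-bound access) can be checked mechanically once accounts are inventoried. The script below is an added illustration written for this article, not Welford IAG code or any product's output: it runs a small governance review over a constructed account inventory and a constructed HR roster (both invented here, as are the system and user names) and flags orphaned accounts, accounts with no stated purpose, access that is not time-bound or has already expired, and privileged accounts nobody has used for 90 days.

```python
"""Account governance review over a constructed inventory.

Added example, not Welford IAG code. It assumes an inventory where every
account records an owner, a stated purpose, an access expiry and a last
login, plus an HR roster of currently employed user ids. Both data sets are
constructed below for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed HR roster (assumption): user ids of people currently employed.
ACTIVE_STAFF = {"asilva", "nperera", "rfernando"}

# Constructed account inventory (assumption): one record per account across
# a database, a file server and a cloud tenant. Names are invented.
ACCOUNTS = [
    {"id": "asilva", "system": "erp-db", "owner": "asilva",
     "purpose": "finance reporting", "privileged": False,
     "expires": "2026-03-31", "last_login": "2025-10-20"},
    {"id": "svc_backup", "system": "file-server", "owner": "kjayasuriya",
     "purpose": "nightly backups", "privileged": True,
     "expires": None, "last_login": "2025-10-26"},
    {"id": "tmp_auditor", "system": "erp-db", "owner": "nperera",
     "purpose": "", "privileged": True,
     "expires": "2025-06-30", "last_login": "2025-07-02"},
    {"id": "rfernando", "system": "cloud-tenant", "owner": "rfernando",
     "purpose": "devops", "privileged": True,
     "expires": "2026-01-15", "last_login": "2025-03-01"},
]


@dataclass
class Finding:
    account: str
    system: str
    issues: list[str] = field(default_factory=list)


def review_accounts(accounts, active_staff, today_iso, dormant_days=90):
    """Return one Finding per account that breaks a governance rule.

    Rules, matching the three properties the article names:
      ownership  -> owner must be a current employee, else the account is orphaned
      purpose    -> every account must state why it exists
      time-bound -> access must carry an expiry, and that expiry must not have passed
    Plus a dormancy rule: a privileged account nobody uses is effectively unmanaged.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        issues = []
        if acct["owner"] not in active_staff:
            issues.append("orphaned")
        if not acct["purpose"].strip():
            issues.append("no-purpose")
        if acct["expires"] is None:
            issues.append("no-expiry")
        elif date.fromisoformat(acct["expires"]) < today:
            issues.append("expired")
        last_login = date.fromisoformat(acct["last_login"])
        if acct["privileged"] and (today - last_login).days > dormant_days:
            issues.append("dormant-privileged")
        if issues:
            findings.append(Finding(acct["id"], acct["system"], issues))
    return findings


def summarise(findings):
    """Board-level roll-up: how many accounts fail each rule."""
    counts = {}
    for finding in findings:
        for issue in finding.issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, ACTIVE_STAFF, "2025-10-27")
    for finding in results:
        print(f"{finding.system}/{finding.account}: {', '.join(finding.issues)}")
    print(summarise(results))
```

The per-account findings are what an IT owner acts on; the roll-up from `summarise` is the kind of figure a board briefing needs, because "one backup service account has no owner" and "forty privileged accounts have no expiry" are different conversations.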
Cyber maturity begins not with a new tool, but with ownership, visibility, and accountability. Technology simply enforces what leadership chooses to govern.
A call to Sri Lankan leadership
Sri Lankan businesses are digitising at record pace. It’s time to move cybersecurity out of IT’s inbox and onto the board agenda. The rapid digital growth, from banking apps to e-governance portals, will only be sustainable if leadership recognises that cyber resilience is a business discipline, not a technology expense. The responsibility for digital trust starts at the top with the board and the CEO.
The next generation of successful organisations will be those that govern cybersecurity as seriously as finance, because in a digital world, the two are inseparable.
(The writer is the Founder and CEO of Welford Systems Ltd. (UK), the company behind Welford IAG, an identity and access governance platform designed to help organisations establish zero-trust governance across servers, databases, cloud platforms, and enterprise systems.)