For today’s CISOs, security only works when it is embedded into how the business operates. Ahead of CISO Financial Services this February, Ellis Wong, Chief Information Security Officer at JST Capital, explains why culture, revenue-aligned risk metrics, and identity-first architecture are the foundations of effective security leadership.
For many organizations, cybersecurity is still viewed as a technical function rather than a business capability. But that thinking should be consigned to the past, according to Ellis Wong, Chief Information Security Officer at JST Capital.
For Wong, security culture has little to do with awareness posters or one-off initiatives. Instead, he defines culture as repeatable behaviors that persist regardless of organizational or technology change.
That starts at the top.
Wong emphasizes the importance of leadership signals: what executives measure, model, and prioritize. In practice, this means reporting security performance alongside business outcomes such as revenue, using the same cadence and the same level of visibility.
“Culture starts with what executives measure and model,” Wong explains. “Security has to sit next to revenue, not behind it.”
At JST Capital, this approach is reinforced through regular executive engagement, including annual tabletop exercises that simulate real-world attack scenarios. By involving senior leaders directly, security becomes a shared responsibility and a shared goal.
Designing security that people will actually use
Strong culture, however, cannot exist without practical implementation of security initiatives. Wong stresses that security controls must be frictionless if they are to be adopted consistently across the business.
Zero trust frameworks, multi-factor authentication, and single sign-on are adopted consistently only when they are intuitive. When security tools feel seamless, users stop seeing them as obstacles and start trusting them as part of how work gets done.
This mindset shifts security from enforcement to enablement, making good security behavior the default rather than the exception.
Translating cyber risk into business impact
One of the most persistent challenges for CISOs is demonstrating value to non-technical executives. Wong argues that traditional cyber metrics often fail because they do not connect clearly to business priorities.
Instead, he focuses on translating cyber risk into financial terms that leaders already understand. One example is what he calls “risk to revenue at risk,” a way of mapping security exposure directly to forecasted revenue.
By tying risk tolerance thresholds and critical vulnerabilities to potential revenue impact over the next quarter or year, security conversations become grounded in business reality.
“If you can translate cyber risk into revenue at risk,” Wong says, “the conversation with leadership completely changes.”
The investment Wong would make earlier
Looking back on his journey, Wong is clear about what he would do differently. He would invest earlier in an identity-first, zero trust architecture.
Rather than deploying authentication, device trust, and access controls in isolation, Wong now advocates for a unified approach, bringing together identity, authorization, secrets management, and just-in-time access within a centralized framework.
“I wish I had invested in an identity-first architecture from day one,” he reflects. “Integrating later is always more expensive.”
The lesson is not about buying a specific product, but about designing for coherence and scalability from the outset.
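To make the "unified approach" concrete, here is an added example (not JST Capital's code, and not any specific product) of a single policy decision point that evaluates identity, device trust, authorization and just-in-time access together for every request, and issues a short-lived credential only when all of them pass. The resource names, group names, TTLs and the shape of the identity and device assertions are illustrative assumptions.

```python
"""Added example: an identity-first policy decision point (PDP).

Every access request goes through one evaluate() call that checks, in
order, the identity assertion (MFA), device posture, and an active
just-in-time (JIT) grant, and only then mints a short-lived secret.
All names and policy values are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional
import secrets


@dataclass
class Principal:
    user: str
    mfa_verified: bool            # assumed to be asserted by the IdP (SSO + MFA)
    groups: FrozenSet[str]


@dataclass
class Device:
    device_id: str
    managed: bool                 # enrolled in device management
    compliant: bool               # e.g. disk encryption and patch level OK


@dataclass
class JitGrant:
    resource: str
    granted_to: str
    expires_at: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    credential: Optional[str] = None          # short-lived secret issued on allow
    credential_ttl: Optional[timedelta] = None


class PolicyDecisionPoint:
    """Single choke point: identity, device, authorization and secrets issuance."""

    def __init__(self, resource_policy: Dict[str, FrozenSet[str]],
                 max_cred_ttl: timedelta = timedelta(minutes=15)):
        self.resource_policy = resource_policy   # resource -> groups allowed to request it
        self.grants: List[JitGrant] = []
        self.max_cred_ttl = max_cred_ttl

    def request_jit(self, principal: Principal, resource: str,
                    duration: timedelta, now: datetime) -> Optional[JitGrant]:
        """Issue a time-boxed grant only if the principal's groups permit the resource."""
        allowed_groups = self.resource_policy.get(resource, frozenset())
        if principal.groups.isdisjoint(allowed_groups):
            return None
        grant = JitGrant(resource, principal.user, now + duration)
        self.grants.append(grant)
        return grant

    def evaluate(self, principal: Principal, device: Device,
                 resource: str, now: datetime) -> Decision:
        """Identity, then device, then authorization; fail closed on the first miss."""
        if not principal.mfa_verified:
            return Decision(False, "identity: MFA not verified")
        if not (device.managed and device.compliant):
            return Decision(False, "device: not trusted")
        grant = next((g for g in self.grants
                      if g.granted_to == principal.user
                      and g.resource == resource
                      and g.expires_at > now), None)
        if grant is None:
            return Decision(False, "authorization: no active JIT grant")
        # The credential never outlives the grant that authorized it.
        ttl = min(self.max_cred_ttl, grant.expires_at - now)
        return Decision(True, "allow", secrets.token_urlsafe(32), ttl)


if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    pdp = PolicyDecisionPoint({"prod-db": frozenset({"dba"})})
    alice = Principal("alice", mfa_verified=True, groups=frozenset({"dba"}))
    laptop = Device("d1", managed=True, compliant=True)
    print(pdp.evaluate(alice, laptop, "prod-db", now).reason)        # no grant yet
    pdp.request_jit(alice, "prod-db", timedelta(hours=1), now)
    print(pdp.evaluate(alice, laptop, "prod-db", now).reason)        # allow
```

Because the grant, the device check and the identity check live behind one interface, adding a new signal (say, a stronger posture requirement for production) is one change in `evaluate()` rather than a retrofit across separately deployed tools, which is the integration cost the interview warns about.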
Why CISOs need strong peer communities
For Wong, leadership development does not happen in isolation. Industry forums play a critical role in helping CISOs benchmark their thinking, pressure-test assumptions, and learn from peers who are navigating similar challenges.
That is why he sees events like CISO Financial Services as an opportunity not just to network, but to exchange practical lessons that can accelerate maturity across the industry. Open discussion, particularly around what did not work, helps security leaders avoid repeating costly mistakes.
As he puts it, when CISOs contribute openly, everyone benefits.
Join us at CISO Financial Services 2026 to learn more about the latest challenges and developments for infosec executives in the US.