Navigating the Endless Sea of Threats: Insights from Leron Zinatullin of Linkly (Part 1)

Corinium’s Maddie Abe had the pleasure of engaging with Leron Zinatullin, CISO at Linkly and a CSO30 2024 honouree, ahead of his appearance as a speaker at the upcoming CISO Sydney 2025 next month.

Cyber security is a relentless race to keep pace with evolving threats, where staying ahead isn't always possible. As Zinatullin explains, advancing cyber maturity demands more than just reactive measures—it requires proactive strategies, cultural alignment, and a deep understanding of emerging risks. In this first part of our interview, Zinatullin shares his insights on staying informed about threats, defining cyber maturity, and aligning security metrics with business goals.

Staying Ahead of Emerging Threats 

"It begins with understanding your organisation’s threat profile and threat actors’ tactics, techniques, and procedures," Zinatullin asserts when asked how he stays informed about cyber threats. "Threat intelligence feeds augment your detection and response capability."

For Zinatullin, maintaining a proactive mindset is equally critical. "The team understands the impact of our work and our duty to safeguard critical services, data, and trust," he says. Regular external tests and incident simulation exercises play a pivotal role in refining response strategies. "These exercises help us drill some common scenarios, including crisis communications," he explains.

Another crucial aspect of staying prepared is collaboration. "One of the most important aspects of maintaining situational awareness is the community," he highlights. "Ongoing collaboration with industry peers, government, and academic partners is key for building resilience."

Defining Cyber Maturity

When it comes to cyber maturity, Zinatullin believes in a balanced approach. "A common way to measure maturity is to map your controls to an established framework like NIST Cyber Security Framework or the Essential Eight," he says. However, he warns that a tailored approach may sometimes be more effective.

Zinatullin emphasises that maturity should focus on outcomes rather than checkboxes. "To advance maturity, focus on uplifting controls that result in the most cost-effective risk reduction," he advises. He also stresses the importance of streamlining compliance efforts. "Although worded differently, controls from different frameworks often aim to achieve the same objective. Maintaining cross-framework control mapping can help streamline your compliance program."

But compliance is only part of the journey. "An organisation can be compliant but still insecure," Zinatullin points out. "Security leaders should go beyond compliance and actively manage risks, focusing on overall security posture and risk reduction."

Aligning Security Metrics with Business Goals

The alignment of security metrics with organisational goals is another area where Zinatullin offers actionable advice. "Security leaders have access to amounts of data never seen before," he says. "Antivirus software, firewalls, data loss prevention solutions—they all generate a staggering amount of alerts."

The challenge lies in presenting this data meaningfully. "Do metrics tell a story to the Board?" Zinatullin asks. "10,000 ‘attacks’ blocked. What does this mean? More importantly, so what? Are we reporting on what is easily available rather than what actually matters to the business?"

He cautions against simply reporting on the number of attacks, alerts, or incidents. "You can indeed look backwards on the number of attacks, alerts, incidents and these can be useful in some contexts," he says. "Some would argue this acts as a justification for the investment in security tools that have been implemented to detect these intrusions. But this runs the risk of overwhelming the business with numbers that may carry little meaning or relevance to their concerns."

"If you must communicate technical details that correlate with the maturity of cyber capabilities, I recommend forward-looking metrics," Zinatullin suggests. "For example, a number of systems with the latest patches applied, number of systems scanned for vulnerabilities, or the number of systems with multi-factor authentication enabled. These will change over a specified period and can demonstrate increased coverage, maturity, and trends. Measuring time between incident detection, response, and recovery, alongside other parameters, can be a useful proxy for cyber resilience."

He adds that this approach can help businesses better define their risk appetite. "Does the Board want you to move faster, increase coverage, or shorten response times? If so, are they prepared to fund relevant initiatives or would they rather accept the associated risk?"

Zinatullin recommends ensuring that the 'so what?' question is always addressed. "Tailor your messaging to organisational objectives and business risks. If available, check the company’s annual report: there is usually a section on business risks, so it’s a good idea to align security risks to those in order to speak the same language."

He concludes by emphasising how cyber security can contribute to broader business goals. "Cyber security can support launching new products and services, expanding to new markets, acquiring new entities, and reducing insurance premiums, among other things. Know what the business objectives are and align your security metrics to them to get buy-in and stay relevant."

The bottom line, according to Zinatullin, is that KPIs and metrics should always be tied to business objectives and leadership expectations. "There is no one-size-fits-all approach to security metrics. They should be selected based on the organisational context and demonstrate the security function’s progress towards achieving the desired level of compliance, risk reduction, and business enablement."

This deep dive into Zinatullin’s approach to cyber security offers valuable lessons for leaders striving to navigate today’s complex threat landscape. Stay tuned for Part 2, where we explore Zinatullin’s experiences with incident management and his perspective on emerging cyber threats.


Don’t miss the opportunity to hear more from Leron Zinatullin at CISO Sydney 2025 on 11-12 February at Royal Randwick Racecourse.

If you would like to share your experience and insights at the event, feel free to reach out to Maddie Abe.