The Human Firewall: Reframing Cyber Security from Technology to Trust with ISACA's Jenny Tan

As cyber threats grow in scale and impact, organisations are being forced to rethink how they define and manage risk. In this interview, Corinium’s Vanessa Jalleh speaks with ISACA’s Jenny Tan about why resilience starts with mindset — and how cyber leaders can elevate the conversation beyond IT, making it a core part of business and boardroom strategy.

 

In this interview, Jenny Tan, ISACA SG Chapter's Immediate Past President, offers a pragmatic and strategic view on the challenges facing today’s cyber security leaders. She explains why organisations must reframe how they think about cyber security — recognising it as a business risk, not just a technical issue. Jenny highlights the need to shift from an “if” to a “when” mindset, embed resilience into culture, and ensure leaders at every level are prepared to respond when it matters most.

 

Question 1: Cyber Security is often seen as a technical issue — but how do you make it a leadership, cultural, or even boardroom conversation?

Firstly, we need to reframe our mindsets accordingly. Incidents with significant impacts have clearly indicated that cyber security is intrinsically linked to business risk and strategy. Examples include:

  • Reputational damage (e.g. The Equifax data breach in 2017 is considered one of the most significant cyber security incidents in history. Approximately 147 million individuals had their sensitive personal information compromised due to a vulnerability in the Apache Struts software used by Equifax.)

  • Regulatory consequences (e.g. The British Airways data breach in 2018 resulted in a £20 million fine under GDPR. The official British Airways website was hacked, and data from over 400,000 customers was stolen. Attackers exploited vulnerabilities in third-party scripts on the site.)

  • Financial impact (e.g. The Maersk–NotPetya cyber attack in 2017 led to an estimated loss of nearly US$300 million.)

  • Strategic disruption (e.g. The Colonial Pipeline ransomware attack in 2021 forced a rethinking of how critical infrastructure manages cyber security. The incident exposed the risks of interdependence between IT and operational technology (OT), costing the company US$4.4 million.)

Next, cyber security professionals must learn to speak the language of the Board. Boards think in terms of risk, compliance, ROI, and reputation — not firewalls and patches. Present your technical ideas using risk-based metrics, discuss business outcomes if cyber security fails, and highlight the cost of non-compliance (e.g. NIST, ISO, SOC 2, DORA, etc.).

Finally, embed cyber security into organisational culture, not just policy. The tone at the top must be right. Leadership should actively encourage good risk management practices — it’s everyone’s responsibility, not just that of the Risk, Audit, or Compliance teams. Leadership is also expected to participate in crisis simulation exercises. When the tone and culture are set correctly, organisational resilience becomes evident.

 


 

Question 2: What’s one cyber security mistake or assumption you see organisations repeatedly making, and what would a healthier mindset look like instead?

A common mistake is assuming: “It won’t happen to us because we’re small or not high-profile.” Organisations must shift from an “if” mindset to a “when” mindset — and embrace resilience as a core value.

A mindset shift is crucial: everyone is now a target. Being compliant only addresses the minimum baseline — it does not guarantee full security. Organisations must treat cyber security as a leadership and business issue, not just an IT function. Your IT department may not be equipped to handle cyber security responsibilities alone.

Also, don’t rely solely on insurance. If you haven’t implemented sufficient cyber security measures, insurers may not cover the full extent of damages. Even if insurance pays out, the loss of trust, reputational damage, and compromise of intellectual property could be far more devastating — and not worth the risk.

 


Don’t miss the opportunity to hear more from Jenny Tan at CISO Singapore 2025 (19-20 August) at the Equarius Hotel, Sentosa.

Alongside this event, we have two exciting events, AppSec & DevSecOps Singapore 2025 (20 August) and Cloud Security Singapore 2025 (20 August), happening in the same space.

If you would like to share your experience and insights at our events, feel free to reach out to Vanessa Jalleh.