How Modern CISOs Balance Risk, Growth & Trust in Finance
The CISO role has greatly evolved over the past few years. According to Anthony Tai, CISO, Bank Islam Malaysia Berhad, modern-day CISOs in the financial sector must focus on the long-term resilience of the firm.
A seasoned technology and information security leader with over 25 years in financial services, Anthony has led regional and global risk, audit, and advisory functions, contributing to governance, resilience, data management, and business continuity initiatives.
In an interaction with CEO Insights Asia, Anthony shares his perspectives on the evolving role of a CISO. He talks about the need for strategic risk integration, resilient frameworks, adaptive governance, and leadership that balances protection with growth, opportunity, and long-term institutional sustainability.
Read the following interview for deeper insights.
Having navigated cyber, financial, and regulatory risk across consulting and banking, how do you see the role of a CISO evolving?
The CISO evolved from the traditional Head of IT Security role. This role, which is operational in nature, still overshadows many CISOs in their newer mandate. A CISO has to be strategic and holistic in his views for the financial institution. This includes having a strong grasp of all the risks an FI faces, be it cyber, financial, regulatory and even credit-related.
Instead of focusing on the day-to-day and BAU activities, a CISO should be thinking about the long-term resilience of the firm.
Adopting a strategic view where robust controls are balanced with the reality of budgetary and resource constraints is going to be a balancing act the CISO needs to master.
Starting your journey in IT assurance and internal audits, how did those early experiences influence your approach to building integrated risk frameworks in today’s complex digital ecosystems?
IT assurance and internal audits have built in me a strong foundation in understanding the key relationships between risks, control objectives and control activities. Every process carries with it certain risks, and understanding how to address and mitigate these risks via controls is of paramount importance. In addition, understanding the design effectiveness of controls helps me evaluate whether the risks have been appropriately addressed.
With exposure to frameworks like COBIT, ISO 27001, and ITIL, how do you balance structured governance with the agility required to address rapidly evolving cyber threats worldwide?
Frameworks like COBIT, ISMS, ITIL act as a guide and the foundation for how your enterprise addresses and minimizes risks. While not necessarily prescriptive and detailed, they help organisations equip themselves with the right controls and processes to respond to threats. Cyber threats evolve very rapidly, and the response playbook needs to be updated regularly.
Leading across Deloitte’s SEA Risk Advisory and extended enterprise services, what key lessons did you learn about managing third-party risk in an interconnected global business environment?
Managing the risks arising from third parties has become more and more critical. This means that the engagement with vendors and third parties needs to be formal, with specific expectations, requirements, performance guarantees and consequence management criteria built in. Regular engagements, reviews and assessments of third parties are also key.
Transitioning from advisory leadership to a Group CISO role, how has your perspective shifted in aligning cybersecurity strategy with business growth, customer trust, and regulatory expectations?
It has not shifted much, really. As the CISO, my current role is still very much advisory focused. I do have executive powers, but generally, my role is focused on what, holistically, will help the bank grow. This includes supporting my colleagues in enabling business units to thrive, ensuring processes are efficient and reducing red tape whilst making sure that our bank is protected.
KEY TAKEAWAY: Advice on building risk expertise, leadership vision & long-term industry impact
I believe all great leaders have a strong grasp on risk and its impact on their organisations. Risk is a two-sided coin. On one side is danger, and on the other lie opportunities. A good leader understands this and knows how to find balance in these situations.