An Advocate of Proactive Cyber-Resilience: Dr Kiran Kewalramani on Why Cyber Governance Starts in the Boardroom 
In cybersecurity, experience alone is not enough. What distinguishes a genuine authority from a capable practitioner is the ability to translate complex risk into board-level accountability. Dr Kiran Kewalramani, CEO and Founder of Cyber Ethos, is that authority.
Author of the bestselling book, ‘Cyber Insecurity: The Silent Risk in Your Boardroom,’ Dr Kiran is also a Board Director and Audit & Risk Advisor.
Honouree of ‘Cybersecurity Business of the Year 2024,’ ‘Cybersecurity Entrepreneur of the Year 2025’ and ‘Boardroom Cyber Leadership Award’ at the Fluxx Awards 2026, Dr Kiran is a globally recognised authority on board-level cyber governance, enterprise and emerging risk, and cyber resilience, serving organisations across Australia, the Asia-Pacific region, and beyond.
Building a Foundation for Cybersecurity
Defining moments come in every leadership journey, yet only some are etched in memory forever. Dr Kiran’s career spans over two decades across cybersecurity, governance, and executive leadership, but when he began, “The field was not even called cybersecurity.” It was information security, and most organisations treated it as a subset of IT infrastructure, something the network team handled between other tasks.
He remembers responding to a worm outbreak that had propagated across an entire enterprise network virtually overnight, taking down critical systems with it. What was striking was not the technical damage. It was the complete absence of any leadership response. No executive knew what to ask, and no one understood what it meant for the business. The IT team fixed it quietly, and life moved on as if nothing had occurred, he recalls.
As his career progressed and he moved into senior leadership roles, including heading technology for a utility organisation, Dr Kiran watched information security gradually evolve into a discipline of its own. “Cybercrime became an industry. Threat actors became organised and well-resourced. And boards remained almost entirely disconnected from the risk building underneath them.”
Then the Optus, Latitude and Medibank breaches happened in Australia, and everything changed, he shares. Millions of Australians were affected. Boards were held publicly accountable. Executives were expected to manage risks they weren’t prepared for. Those events made it undeniable that the gap between technical cyber capability and board-level understanding was not just a governance problem. It was a national business risk.
That became the foundation for Cyber Ethos and the driving force behind Cyber Insecurity: The Silent Risk in Your Boardroom. “Because what I had witnessed across two decades finally had a name and an urgency that could no longer be ignored,” reflects Dr Kiran.
Cyber Strategy and Governance
“What sets us apart is not what we deliver but how we think,” he says. Many advisory firms operate at one of two extremes:
1. Deep inside the technical weeds, or
2. Producing compliance documentation that satisfies an audit but does not build genuine resilience.
However, Cyber Ethos works at the intersection of cyber strategy and organisational governance. As a Board Director and Audit & Risk Advisor himself, Dr Kiran sits inside the boardroom, not outside it. “That means the advice we bring to executive teams is grounded in the accountability structures boards operate under, not theoretical frameworks.” The measure of success at Cyber Ethos is whether leaders genuinely understand their risk, own their decisions, and can lead with confidence through a crisis, he reveals.
Bridging the Governance Gap
Today, instead of remaining merely a technical issue, cybersecurity has become a boardroom priority, and with it, a test of how seriously organisations treat enterprise risk. Thus, according to Dr Kiran, boards and executive leadership must rethink their accountability towards the emerging cyber risks. “Here is what I tell every board I work with: most are still treating cybersecurity as a technology problem delegated to the CIO or CISO and reviewed quarterly through a dashboard they do not fully understand. That is not governance. That is delegation dressed as oversight.”
In his book, Cyber Insecurity: The Silent Risk in Your Boardroom, Dr Kiran makes the case directly. Cyber risk is business risk, and business risk is a board responsibility.
In Australia and across the Asia-Pacific region, regulatory expectations under frameworks like the SOCI Act are making this a legal reality, not just a governance best practice. The governance gap is not a lack of investment. It is a lack of ownership.
Boards need to ask different questions. Not “Are we compliant?” but “Do we understand our most critical assets, where our ‘crown jewels’ are, who could threaten them, and what the business impact of losing them would be?”
In fact, Dr Kiran insists, “Cyber accountability at the top is not optional. It is a fiduciary obligation.”
Tackling the Most Concerning Risks
Dr Kiran has spent over two decades inside the most complex, high-stakes cyber environments, including governments and critical infrastructure. “The risks that concern me most,” he says, “are the ones that hide in plain sight.”
Ransomware remains the most operationally destructive threat facing organisations today. Yet many boards still treat it as an IT recovery problem rather than a business continuity and reputational crisis requiring board-level preparedness. What would a ransomware event actually cost your business in operational terms? Consider regulatory notification obligations, operational downtime, reputational exposure and similar consequences.
Third-party and supply chain exposure is the most structurally underestimated vulnerability. Organisations secure their own perimeter but hand access to dozens of vendors without the same scrutiny. And then there is the compliance illusion.
Passing the Essential Eight or any other framework assessment tells you where your controls were at a point in time. It does not tell you where your adversary is heading.
“The organisations I have seen breached most severely were often the most compliant on paper. That should make every executive stop and think seriously,” he warns.
The Board’s Responsibility for Emerging Technology Risk
Emerging technologies, like AI, are moving faster than most governance frameworks. The board’s responsibility is not to understand every technology in detail. It is to set the risk appetite for what gets deployed in the organisation’s name. Dr Kiran’s position is clear. “AI is not the threat. Ungoverned AI adoption is.”
He says “the question boards are not yet asking is: what risk appetite have we set for the technology being deployed in our name? When that question is absent, the board has not governed the decision. It has simply inherited the consequences.”
Deploying technology without a defined risk appetite creates a risk the board has never been asked to approve.
Responsible AI integration is a leadership decision before it is a technical one. The board must define the risk appetite for what gets deployed in the organisation’s name. That means understanding the what, the why, and the failure scenarios. Speed without governance is not a competitive advantage. It is deferred liability.
Three Lessons Every Board Should Absorb
Dr Kiran also served as a Chief Information Security Officer (CISO) within the public sector. Thus, having led security functions across large, mission-critical environments, he shares three lessons every leadership team needs to absorb urgently.
First, shared threat intelligence is not a competitive weakness. It is a collective strength. The most resilient organisations share threat information because an attack on one is a signal for all.
Second, resilient organisations rehearse crisis scenarios at all levels repeatedly, not just in technical teams. Most have a plan that has never been tested beyond a tabletop exercise.
Third, security culture is built from the top down over the years, not installed through annual awareness training. The depth of security mindset in any workforce is a direct reflection of leadership commitment. That lesson is transferable to every organisation, and it is largely ignored.
Closing the Strategy-Resilience Gap
Here is a pattern Dr Kiran sees consistently: organisations that invest significantly in cybersecurity tools still suffer catastrophic incidents such as ransomware and data breaches. The diagnosis is almost always the same. The failure is rarely about technology. It is about a strategy that has not been owned at the top or connected to business outcomes.
“What I see most often is a collection of products assembled into something that looks like a programme but functions like a patchwork with no coherent strategy underneath.” Worse, the metrics reported to the board measure activity, not resilience. Incidents detected. Patches deployed. Training completions. None of that tells you whether the organisation could survive a serious, targeted attack. Dr Kiran calls this the activity-resilience gap, and it is the most common strategic failure in cybersecurity today.
“The question every board should ask is this: if we were targeted by a sophisticated adversary tomorrow, what would break first, and how long would it take us to recover?” If the answer is unclear, the strategy has already failed.
Operating in the Global Cyber Threat Landscape
Add rising geopolitical tensions and cyber warfare to the mix, and no organisation is a bystander. “It is shifting in ways that demand leaders fundamentally rethink risk,” Dr Kiran says. State-sponsored actors are no longer selective in their targeting. Critical systems, operational networks, and supply chains globally, including across Australia and the Asia-Pacific region, are active theatres.
The line between cyber conflict and physical conflict is blurring, and that is a documented reality, not speculation. The scale and sophistication of attacks are accelerating in ways that demand boards revisit their risk frameworks, not just their technology budgets.
What leaders need to prepare for is not a specific threat. It is persistent, purposeful pressure from adversaries with patience, resources, and strategic intent. The organisations that navigate this well have built resilience into their operating model, not just their technology. That preparation begins in the boardroom.
Translating Risk for the Boardroom
Dr Kiran speaks directly about why executive understanding is now critical to cyber resilience: “The communication gap between cybersecurity teams and executive leadership is one of the costliest governance failures in organisations today.”
When a CISO presents to the board using the language of vulnerabilities, threat vectors, and patch cycles, they have already lost the room. Boards make risk decisions in the language of financial exposure, operational continuity, reputational impact, and regulatory consequence.
Dr Kiran wrote Cyber Insecurity: The Silent Risk in Your Boardroom specifically for board directors, CFOs, and executives, because this translation failure is systemic across most boardrooms globally.
The shift required is from technical reporting to business-impact framing.
- What is the financial exposure if customer data is compromised?
- What is the operational impact if this system is unavailable for 72 hours?
When cyber risk is framed in those terms, it stops being an IT briefing and starts being a business decision. That shift in language is a shift in accountability, and it is the most important cultural change any organisation can make.
Collaboration – The Architecture of Enduring Cyber Resilience
Also, Dr Kiran emphasises the critical importance of collaboration. “It is the architecture of genuine and lasting cyber resilience across industry, policy, and research communities.” Where it works well, you see meaningful threat intelligence sharing, policy grounded in operational reality, and skilled professionals entering the workforce with strong foundations. Where it breaks down is in the coordination gaps between speed and process. Industry moves fast. Policy moves carefully. Research moves on its own cycle. Those gaps create windows that adversaries exploit.
Dr Kiran operates actively across all three spheres. “And what that experience consistently confirms is this: the relationships built before a crisis determine the quality of the response during one.” Investing in those relationships through policy engagement, research partnerships, and workforce development is one of the highest-return activities any cybersecurity leader can prioritise.
Advice for the Next Generation of Leaders
Boards that want genuine cyber capability around the table need to understand what they should be demanding from the next generation of leaders. The most important advice Dr Kiran can give to anyone aiming to operate at both the technical and executive levels is this: “The path is not mapped, and no one will build it for you.”
To earn a seat at the leadership table, you must develop beyond the technical: strategic thinking, commercial acumen, communication that works in a boardroom as well as a briefing room, and governance literacy that lets you challenge and advise directors credibly.
What separates the leaders who reach the highest levels is not deeper technical knowledge. It is the ability to translate risk into decisions and uncertainty into direction. That is what boards need from the leaders who sit alongside them. The leaders who get there fastest are the ones who sought governance exposure long before they needed it.
Creating Future-Ready Cybersecurity Leadership
Finally, looking towards an unpredictable tomorrow, in Dr Kiran’s view future-ready cybersecurity leadership is not defined by knowing every emerging threat or investing in the most advanced tools. It is defined by clarity, courage, and frameworks that allow leaders to act decisively through conditions that will never be fully certain or fully controlled.
He cautions, “Adversaries will keep adapting. The pressure will not let up. What will not change is the need for leaders who hold steady and build organisations that bend without breaking. Boards that begin this work today will be the ones best positioned to endure when it matters most.”
To explore how this applies to your board or executive team, contact Dr Kiran Kewalramani via https://kirankewalramani.com/contact/ or email kk@Kirankewalramani.com
