The role of the CISO is undergoing a decisive shift from security gatekeeper to business co-pilot. At the 4th edition of ETCISO Secufest 2026, industry leaders across banking, infrastructure, manufacturing, retail and cybersecurity came together to discuss how security leaders can support growth by translating cyber risk into business decisions, governance frameworks and measurable outcomes.

Opening the discussion, Ravi Kumar, enterprise technology and cybersecurity strategist, underscored that business acceleration and security enablement must move together. “The answer is yes, but with guardrails,” he said, outlining a playbook built around zero-trust identity, data minimisation and a “kill switch” for partner integrations. He added that security conversations with business leaders can no longer remain limited to vulnerabilities and CVSS scores. “We do not use the language of vulnerabilities when we talk to business. It is more about revenue at risk,” he said, pointing to the need to frame cyber exposure in terms of continuity, brand equity and customer trust.

Uday Deshpande, Group CISO, Larsen & Toubro, said risk quantification is increasingly essential in environments where security delays can directly affect critical infrastructure projects and contractual commitments. He explained that cyber risk must be mapped to financial loss, operational disruption and regulatory impact so business leaders can understand the consequences of a lapse. At the same time, he noted that the CISO’s role is not to simply stop projects, but to present options. “It is a conditional go,” he said, explaining that security teams must propose minimum controls, compensating measures and risk ownership structures before recommending a final decision.From the retail sector, Anup Tongaonkar, Group CISO, Aditya Birla Fashion and Retail Ltd, described how exception management can quickly spiral if security is seen only as an approval bottleneck. “You need to have a business lens,” he said, explaining that CISOs must separate convenience-driven requests from genuine business needs and use controls, governance and risk committee escalation to manage them effectively. He also stressed that influence is built through action rather than policy alone. “If security becomes an obstacle, the perception will build that it is there to stop business, not support it,” he noted.Dinesh Kumar Shrimali, CISO & DPO, Tata Steel, brought in the privacy and accountability perspective, noting that large industrial enterprises must treat security and privacy as embedded parts of business operations. He said the organisation has put data ownership, impact assessments and periodic reviews in place so that operational, employee and supplier data are not handled in silos. He also highlighted the importance of privacy-by-design and continuous engagement with users and system owners to improve awareness and accountability.

Offering a cross-sector view, Sharda Tickoo, Country Manager, India & SAARC, TrendAI, said the biggest challenge for organisations is not access to technology but the ability to operationalise it fast enough for business needs. “The real struggle is rarely just the technology,” she said. According to Tickoo, most organisations still face gaps in visibility, slow-moving governance models and a lingering mindset that sees security as a blocker rather than an enabler. She also cautioned that AI will not simplify security unless it is layered onto a unified and well-integrated security fabric.

The panel concluded that the next-generation CISO must combine technical judgment with business fluency, continuous risk management and organisational influence. As enterprises move faster on digital transformation, security leaders will be expected not just to reduce risk, but to help the business move ahead with confidence, consistency and resilience.

(With inputs from Shiva Kumar).

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!