Sabika Ishaq, director, head of information security and chief information security officer (Ciso) at Grant Thornton. Photo: Ciso

Sabika Ishaq, director, head of information security and chief information security officer (Ciso), shares her views on the sector’s future prospects as part of the “Cybersecurity Resilience in a Complex World” roundtable organised by the Paperjam Club on Tuesday 29 April 2025 at Proximus House.

How do you guide organisations in preparing for the complex regulatory landscape surrounding cybersecurity, especially as new regulations continue to emerge?

Over the years, I’ve had the privilege of working at the intersection of cybersecurity, risk management, and regulatory compliance, particularly within highly regulated sectors like financial services. My approach to navigating the evolving regulatory landscape starts with translating complex regulatory language into practical, actionable strategies that align with business goals.

At the core, organisations need to build resilience by embedding compliance into their broader cybersecurity frameworks rather than treating it as a one-off exercise. The key is to start by conducting a thorough regulatory mapping exercise followed by working cross-functionally within the business functions to establish a governance model that’s agile and adaptable.

To stay ahead of emerging regulations, emphasis should be placed on proactive horizon scanning, i.e., working with threat intelligence teams, legal advisors and industry bodies to anticipate change rather than react to it.

Finally, to ensure regulatory preparedness, organisations must aim towards building a strong culture of cyber awareness, from the boardroom to the front lines, ensuring that everyone--from technical teams to non-technical stakeholders--understands their role in compliance and governance.

How can businesses ensure they are balancing cybersecurity resilience with innovation, especially when introducing new digital technologies or platforms?

Balancing cybersecurity with innovation isn’t just a technical challenge--it’s a strategic one. In my experience, the key is embedding security early into the innovation lifecycle, so it becomes an enabler rather than a blocker. I often refer to this as building a “secure-by-design” mindset across the organisation.

When organisations explore new digital technologies--whether it’s cloud adoption, AI integration or customer-facing platforms--I work with product, technology and compliance teams to perform early-stage risk assessments and threat modelling. This allows us to identify vulnerabilities and compliance gaps before they become systemic issues.

But resilience isn’t only about controls; it’s also about agility. That’s why I advocate for adaptive security frameworks and zero-trust architectures that scale with innovation, crucially focusing on the human element. It is important that innovation teams are engaged in ongoing cyber awareness and that security teams understand business priorities. This mutual understanding helps avoid the friction that often exists between innovation and risk functions.

In short, resilience and innovation can co-exist when cybersecurity is seen not as a gatekeeper, but as a trusted partner in the digital journey.

Given the rise of remote work and digital transformation, what new risks do you see emerging for businesses, and how should they adapt their cybersecurity frameworks?

Remote work and digital transformation have fundamentally reshaped the threat landscape--blurring traditional perimeters and increasing exposure across a broader digital footprint. One of the most significant emerging risks is identity-related attacks, where compromised credentials become the gateway to larger breaches. With employees, partners and third parties accessing systems from various locations and devices, identity and access management has become the new perimeter.

Another critical risk is the fragmentation of security controls across hybrid cloud environments and third-party platforms. As businesses digitise rapidly, there is a growing need to manage supply chain risks more rigorously, especially as attackers increasingly target vendors and service providers as weak links.

To adapt, organisations must evolve from static, perimeter-based models to dynamic, risk-based cybersecurity frameworks, and move towards continuous monitoring and behaviour-based analytics, which help detect anomalies in real time.

Moreover, remote work has introduced a cultural dimension to cyber risk, reinforcing the importance of security awareness through engaging, real-world training that reflects today’s digital behaviours, including incident response protocols tailored to distributed environments.

Ultimately, cybersecurity frameworks must become more flexible, intelligence-driven, and business-aligned to effectively support digital transformation in a post-perimeter world.