- Cyberattacks can escalate beyond business into leaders’ personal lives
- Plain language, designed to be a practical reference for non-tech leaders
In the fast-changing world of cyber threats, Krishna Rajagopal wants one thing to be clear. Cybersecurity is no longer just an IT department issue. In fact, it left the IT department long ago. In the US, while the NYSE has not specifically mandated it, an increasing number of listed companies have begun to voluntarily appoint cybersecurity experts to their boards to enhance their oversight capabilities.
That same concern has not hit Bursa Malaysia companies yet. But it should, contends Krishna. Cybersecurity is a matter for the boardroom, and to push home his point, he’s written a book, “The Cybersecurity Power Play: A Boardroom Guide to Digital Defence” to explain why.
Krishna is the founder and group CEO of Akati Sekuriti Sdn Bhd, a Malaysian cybersecurity with clients in over 20 countries, ranging from multinational banks to global healthcare giants. While there are separate entities in other countries, the Malaysian and Singapore entities had combined revenue of US$4.9 million (RM21 million) for 2024.
But long before Akati Sekurity became an authoritative player in cybersecurity, Krishna’s journey began with a deep curiosity in digital forensics and a love for “breaking things.”
“From a very young age, I was interested in hacking, breaking things,” he said. Displaying a natural flair for coding and hacking, he was never interested in the dark side of hacking. Rather he was fascinated by the question, “how do you track it back?” he recalled, meaning, how does one follow the trail of a computer that has been hacked, back to the attacker.
This led him to discover a core concept of ethical hacking. “To catch a criminal, you must think like a criminal.” Adopt the mindset of criminals ie thinking creatively and unconventionally, will allow one to understand and anticipate their tactics, making it possible to detect and stop cyber threats effectively
This curiosity led Krishna to an early career in computer forensics, graduating from the Asia Pacific Institute of Information Technology (APIIT), now known as Asia Pacific University of Technology & Innovation (APU) where he stayed on and became part of the teaching faculty. He was also part of the founding team behind EC-Council’s Certified Ethical Hacker (CEH) program.
In 2007, he founded Akati Technology, which over the years, evolved into Akati Sekuriti — spelt with a ‘K’. “One reason is to tell the people we are local,” he said. Today, Akati has grown to a 200-strong team with operations across Asia, Africa, and the Americas.
Bridging a ‘dangerous gap’
Krishna says his book, The Cybersecurity Power Play, is deeply personal and aims to bridge the ‘dangerous gap’ between technical experts and decision-makers.
“The book is for anyone in a leadership role, from middle management to C-level executives and policymakers,” Krishna explained. “There’s always been this misconception that cybersecurity is just an IT issue. But it’s not. Just like safety isn’t only the police’s responsibility, cybersecurity isn’t only for the IT department. It’s everyone’s responsibility.”
The book is written in plain language, designed to be a practical reference for non-tech leaders, a cheat sheet they can carry into any meeting.
“They don’t need to be experts,” Krishna said. “Let’s say the security head starts talking about penetration testing. The leaders can open the book, check the cheat sheet, and go, ‘Oh, ransomware means this, trojan means that. I understand now.’”
Drawing from real-life incidents, including the Equifax (involving around 140 million accounts in 2017) and Marriott (involving around 500 million guests, discovered in late 2018 but with the breach starting from 2014) breaches in the US, Krishna makes the case that governance failures, not just technical gaps, are often to blame for catastrophic cybersecurity events.
He recounted one chilling example from the region, where a company hit by ransomware, brought in negotiators to deal with the attackers. “On the surface, the negotiations seemed successful, and the issue appeared resolved. But the attackers weren’t finished,” Krishna said.
What began as a corporate data breach quickly turned into personal blackmail. “They went back and hacking the chairman’s daughter’s home. They got hold of some personal photos and threatened to leak them. That’s why cybersecurity must be a board-level concern, because the criminals know you (board members) call the shots,” he said.
Shame, fear, embarrassment and the Phoenix Strategy
Among the book’s key insights is the concept of The Phoenix Strategy. It is a response framework aimed at tackling one of the most overlooked threats in cybersecurity.
“The biggest problem is shame,” Krishna said. “So, what happens? Either I give you half the truth (about the severity of the hack) or I cover up. And this happens at multiple layers.”
He explains that when a cyber incident occurs, individuals at various levels of an organisation may downplay or hide the facts out of fear, embarrassment, or damage to reputation. A staff member might withhold key details, which then get filtered as the information moves up the chain. By the time it reaches the board, leadership is only seeing a fraction of the real problem.
The Phoenix Strategy, then, is about confronting that fear and creating a culture where transparency is encouraged. So, organisations can rise stronger from breaches instead of being burned by denial and delay.
He also delves into the often-ignored human side of cybersecurity, including talent burnout, hiring challenges, and the need for cultural reform.
Another important point he raises is the need to rethink how companies choose their security leaders for their unique needs, recognizing that one size doesn’t fit all.
“There are different types of Chief Information Security Officers (CISOs),” Krishna said. “That’s another problem in the industry. We take a Ferrari and expect it to function like a truck. It can’t.” In the book, he pairs CISO types with behavioral profiling, a refreshing approach rarely seen in cybersecurity literature.
So what impact does Krishna hope the book will have?
“Before the book, board members feel this topic is something they’re not comfortable with. Post, I hope they’ll feel more comfortable, and start asking the right questions, and not shy away from cybersecurity conversations.”
The Cybersecurity Power Play isn’t meant for junior analysts. “Give it to your board, not your junior executives,” Krishna smiled. Available on Amazon and Notion Press, the book closes with a look into the future. From Artificial Intelligence (AI) to quantum computing threats, urging leaders to prepare before the next digital crisis lands at their boardroom table.
As for what’s next? Krishna is already working on his second book, expected out by early next year. This time tackling another untapped area of cybersecurity – leadership.
Until then, his message is this. “If you need to make decisions on cybersecurity, get the right cybersecurity person on the board. If you can’t, then get this book, and send it to every one of your board members.”
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)
