From Cybersecurity Jargon to Business Impact, ETCISO
The relationship between CEOs and CISOs is undergoing a fundamental transformation, with security leaders now expected to articulate cyber risk in direct business terms such as financial impact, resilience readiness, and fraud exposure rather than technical security metrics. Speaking at ET CISO Decrypt 2026, Pravin Kumar, CMISO at NPCI, noted that boardroom conversations have shifted significantly in recent years, moving from periodic security reviews to frequent, impact-focused discussions driven by rising fraud incidents and AI-enabled threats. The discussion underscored how cybersecurity has evolved from a technical function into a core business decision-making input for enterprise leadership.
The fireside chat titled “Boardroom Conversations: What CEOs Expect from CISOs” at ET CISO Decrypt 2026 explored how expectations from security leaders are changing in BFSI organisations, particularly in high-volume digital transaction ecosystems like NPCI.
Opening the conversation, moderator Amol Dethe, Editor, ETBFSI, set the context by highlighting the increasing pressure on CISOs to align cybersecurity priorities with business outcomes, particularly in sectors facing rising digital fraud and regulatory scrutiny.
Pravin Kumar, CMISO at NPCI, observed that CISOs are no longer viewed purely as technical gatekeepers but as business enablers who must support growth while ensuring systemic resilience. He pointed out that organisations have adopted digital banking and payment systems faster than the population’s digital literacy has evolved, creating a structural vulnerability that fraudsters actively exploit.
He noted that CEO and board engagement with cybersecurity has become significantly more frequent and more direct, particularly in the aftermath of large-scale global incidents. According to him, board discussions have shifted from asking whether systems are secure to a more pragmatic question: what happens when a breach occurs, and how quickly can the organisation recover?
A key theme that emerged was the expectation for CISOs to communicate in business impact language. Pravin Kumar emphasised that security leaders must move away from purely technical explanations and instead present clear business consequences of cyber risk, including revenue impact, operational disruption, and customer trust erosion.
The discussion also highlighted the challenge posed by rapidly evolving digital fraud. Kumar noted that modern attackers evolve in parallel with business innovation, exploiting new product features and digital capabilities almost as soon as they are launched. This has made security-by-design and threat modelling essential components of product development cycles rather than post-deployment controls.
A significant portion of the conversation focused on the impact of artificial intelligence on cybersecurity. Kumar described AI as a dual-use technology that has strengthened both attackers and defenders. While AI enables highly sophisticated phishing attacks and personalised fraud campaigns, it is also essential for security operations centres to detect and respond to threats at machine speed. He emphasised that cybersecurity has effectively become an “AI versus AI” contest, where both sides continuously adapt using automation and intelligence.
He further noted that organisations increasingly rely on AI-driven automation to maintain SOC effectiveness, as manual processes are no longer sufficient to respond to real-time threats in high-volume environments.
On the question of return on investment in cybersecurity, Kumar highlighted the long-standing challenge of quantifying security value in financial terms. He suggested that framing cyber investment decisions around breach cost scenarios, regulatory penalties, and recovery expenses helps boards better understand the tangible value of security spending.
Using NPCI as an example, he described the complexity of securing large-scale digital payment systems processing billions of transactions, where even minor disruptions can have systemic implications. He compared this environment to a high-pressure urban transit system operating at extreme speed and volume, where zero downtime tolerance and automation-driven security are essential.
He concluded that security must be embedded into system design from the outset rather than treated as an afterthought, reinforcing the principle of “security by design” as foundational to resilient digital ecosystems.
Ultimately, the session reinforced that modern CISOs are expected to operate at the intersection of technology, business strategy, and risk governance—translating complex cyber threats into clear business outcomes while enabling secure digital growth at scale.
(With inputs from Prachi Pandey.)