Why your security strategy is failing before it even starts

In this Help Net Security interview, Adnan Ahmed, CISO at Ornua, discusses how organizations can build a cybersecurity strategy that aligns with business goals. He explains why many companies stumble by focusing on technology before understanding risk and shares how embedding cybersecurity across the business helps build resilience.

Ahmed also outlines how a mature roadmap should integrate zero trust principles, operational resilience, and a security culture across both IT and OT environments.

When you think about cybersecurity strategy today, what do most organizations get wrong from the start?

The biggest mistake I see among organizations is initiating cybersecurity efforts with technology rather than prioritizing risk and business alignment. Cybersecurity is often mischaracterized as a technical issue, when in reality it’s a business risk management function. Failure to establish this connection early often results in fragmented decision-making and limited executive engagement.

Effective cybersecurity strategies should be embedded into business objectives from the outset. This requires identifying the business’s critical assets, assessing potential threats and motivations, and evaluating the impact of assets becoming compromised. Too often, CISOs jump straight into acquiring cybersecurity tools without addressing these questions.

Another common gap is people and culture. Human error remains the leading vector for cyberattacks, yet organizations disproportionately allocate resources to technology while neglecting employee awareness and training. I always say security starts at home: when employees understand how to protect themselves and their families, they bring that mindset to work.

Compliance, while a necessity, is another element to proactively consider. Meeting regulatory requirements is important, but compliance doesn’t equal resilience. Attackers don’t care if you ticked all the boxes; they simply look for vulnerabilities and will exploit them.

In industries such as food manufacturing, in which Ornua operates, overlooking OT and ICS security introduces substantial risk. A comprehensive defense-in-depth approach must encompass both IT and OT.

Finally, don’t forget third-party risk and incident response. With the rise of supply chain attacks, companies must evaluate vendor security posture. Incident response plans must be operationally tested and include provisions for business continuity and disaster recovery. It’s critical that when an incident happens, the plan must be tested, not just written.

In short, start with risk, build culture, secure operational technology, manage vendors, and prepare for the worst. Success depends on cross-functional collaboration, adherence to zero trust principles, and a culture that sees security as a business enabler, not a barrier.

Has your own thinking about strategy shifted over time, and if so, what drove that change?

Yes, my thinking has evolved over the years. When I first started, the focus was on safeguarding IT systems and reducing risk in isolation. It wasn’t tied to broader business objectives, and that was a gap I didn’t appreciate at the time.

Two things changed that for me. First, the threat landscape shifted dramatically. Cybersecurity attacks today target OT and ICS. In food manufacturing, those systems run production lines, refrigeration, and safety processes. A cyber incident in these areas extends beyond data loss; it can disrupt production and even compromise food safety, introducing a far more complex level of risk.

Second, it became evident to me that cybersecurity cannot operate in isolation. It must support and enable business operations and growth. Today, my approach is risk-based and aligned with our business priorities, while still built on zero trust principles. We focus on resilience, not just compliance, and OT security is a core pillar of that strategy. Ultimately, protecting those environments is critical to keeping the business running and ensuring our consumers are safe.

What’s the most effective way for security leaders to connect cybersecurity strategy with core business goals?

In my experience, the most effective way to align cybersecurity with business goals is to speak the language of the business. Too often, security leaders jump straight into technical jargon (firewalls, patching, MFA, encryption), but that is not what executives are focused on. They care about keeping the business running, protecting revenue, and maintaining reputation.

It’s important to position cybersecurity as a business enabler, not a cost. For example, instead of saying “we need MFA”, explain how MFA helps reduce fraud risk and protects customer trust, which directly impacts brand value. I also link security metrics to business KPIs, things like uptime for production systems or assessing the cybersecurity posture of suppliers to strengthen supply chain resilience and meet regulatory requirements.

At the end of the day, it’s about how security protects what matters most: operations, revenue, and reputation. When you apply that understanding, cybersecurity becomes part of the business conversation, not just an IT project.

Which emerging threats do you believe are underestimated right now, and how should teams prepare?

One of the most underestimated threats in cybersecurity right now is the convergence of IT and OT environments. In industries like food manufacturing, attackers aren’t just targeting corporate networks anymore; they are going after operational technology and industrial control systems. A ransomware attack that halts production or disrupts refrigeration isn’t just inconvenient; it can be financially devastating with serious safety implications.

Another area that’s often overlooked is supply chain risk. We are seeing attackers exploit third-party vendors and software updates because they know those paths usually have weaker controls while reaching many organizations at once. On top of that, AI-powered attacks are evolving fast; deepfakes, voice phishing, and highly convincing social engineering campaigns are becoming harder to spot.

In my view, OT and supply chain attacks are the silent killers. Most teams underestimate them until production stops or trust is broken. The time to act is now: adopt zero trust across both IT and OT, strengthen vendor risk management, and build resilience into every layer of the business.

If you were advising a CISO building a three-year roadmap today, what would be your top three priorities?

I would focus on three core priorities that make a difference.

Begin by identifying and prioritizing your organization’s most critical assets, including OT and ICS environments, and supply chain dependencies. Security investments should be aligned to these risks. Too often, strategies begin with buying tools instead of assessing risk, and that’s a mistake.

Zero trust principles must be applied across both IT and OT environments. In sectors such as food manufacturing, protecting OT is just as important as protecting data. Core capabilities such as asset visibility, network segmentation, secure remote access, authentication, and continuous monitoring must be treated as essential components.

While regulatory compliance is necessary, it is insufficient in the face of actual cyber incidents; compliance won’t save you when something goes wrong. Organizations must develop and routinely test incident response plans, ensure business continuity measures, and foster a security culture. Technology will fail at some point, and the ability to detect, respond to, and recover quickly is what keeps the business running.

In short, an effective cybersecurity strategy should start with risk alignment, incorporate zero trust principles across IT and OT, and emphasize resilience beyond regulatory compliance. Cybersecurity is not just a defensive measure; it is fundamental to sustaining business operations.