Malaysia Aims to Accredit 100 Cybersecurity Experts as C-CISO This Year
Malaysia Targets 100 C-CISO Accredited Cybersecurity Leaders in 2026
Malaysia has set an ambitious target: accredit 100 cybersecurity professionals as Certified Chief Information Security Officers (C-CISO) this year. Reported by The Malaysian Reserve, this initiative reflects the government's recognition that the country needs not just more cybersecurity workers, but more cybersecurity leaders.
The C-CISO certification, administered by EC-Council, is designed for senior security executives who manage enterprise-wide information security programmes. Unlike technical certifications that test hands-on skills, C-CISO focuses on governance, risk management, strategic planning, and the business side of cybersecurity.
What Is the C-CISO Certification and Why Does It Matter?
The Certified Chief Information Security Officer (C-CISO) programme is one of the few certifications that specifically targets executive-level cybersecurity leadership. It covers five domains:
- Governance, Risk, and Compliance — Establishing security governance frameworks, managing risk at the enterprise level, and ensuring regulatory compliance
- Information Security Controls and Audit Management — Designing, deploying, and managing security controls aligned with business objectives
- Security Programme Management and Operations — Building and running a security programme, including budgeting, staffing, and vendor management
- Information Security Core Competencies — Technical foundations including access control, cryptography, network security, and application security
- Strategic Planning, Finance, and Vendor Management — Aligning security strategy with business strategy, managing security budgets, and overseeing third-party relationships
The certification requires candidates to have at least five years of experience in three of these five domains. This is not an entry-level qualification — it is designed for professionals who are already in or moving toward CISO-level roles.
Why Malaysia Is Investing in Cybersecurity Leadership
Malaysia has made significant progress in building cybersecurity awareness and technical capacity. However, a persistent gap remains at the leadership level. Many organisations — particularly in the public sector and among mid-sized enterprises — lack dedicated security executives who can translate technical risks into business decisions.
This leadership gap has real consequences:
- Security budgets are underfunded because cybersecurity is not represented at the board level
- Incident response is slower when there is no executive with clear authority to make decisions during a crisis
- Regulatory compliance becomes reactive rather than proactive, leading to situations like recent enforcement actions against financial institutions
- Strategic security planning is absent, leaving organisations in a cycle of patching vulnerabilities rather than building resilient systems
The push to accredit 100 C-CISO professionals aligns with Malaysia's broader cybersecurity strategy, including the creation of a centralised cybersecurity agency and the implementation of the Cyber Security Bill 2024.
What Does a CISO Actually Do?
For many Malaysians, the role of a Chief Information Security Officer may seem abstract. Here is what it looks like in practice:
**Setting security strategy.** A CISO defines how an organisation approaches cybersecurity — not just which firewalls to buy, but how security supports business growth, protects customer trust, and meets regulatory requirements.
**Managing risk.** Every business faces cyber risks. A CISO quantifies those risks, prioritises them, and ensures the organisation invests its security budget where it matters most.
**Leading incident response.** When a breach or attack occurs, the CISO coordinates the response — from containing the threat to communicating with regulators, customers, and the media.
**Reporting to the board.** In mature organisations, the CISO has a seat at the leadership table. They translate technical risks into business language that executives and board members can act on.
**Building security culture.** The most effective CISOs understand that technology alone does not prevent breaches. They build programmes that make every employee part of the security effort.
How This Benefits Malaysian Businesses and the Public
Having 100 newly accredited C-CISO professionals in the Malaysian workforce will create a ripple effect across multiple sectors:
- Financial institutions gain leaders who can ensure compliance with BNM's RMiT framework and other regulatory requirements
- Government agencies get qualified executives to oversee the security of critical national infrastructure
- Healthcare, energy, and telecommunications sectors benefit from dedicated security leadership as they digitise operations
- SMEs gain access to a larger pool of experienced security consultants and advisors
For the general public, stronger cybersecurity leadership in the organisations that handle your data — banks, hospitals, government agencies, telcos — means better protection of your personal information and digital transactions.
Key Takeaway
Malaysia's target of 100 C-CISO accredited experts in 2026 addresses a critical gap in cybersecurity leadership that affects every sector of the economy.
Frequently Asked Questions
What is the difference between C-CISO and other cybersecurity certifications?
C-CISO focuses specifically on executive-level cybersecurity leadership — governance, strategy, and business alignment. Other certifications like CEH or CompTIA Security+ focus on technical hands-on skills. C-CISO is designed for professionals moving into or already in senior security management roles.
Who is driving the C-CISO initiative in Malaysia?
The initiative involves collaboration between government agencies, EC-Council (which administers the C-CISO programme), and industry bodies. It is part of Malaysia's broader national cybersecurity capacity building strategy.
Does Malaysia have enough cybersecurity professionals to fill CISO roles?
Not yet. Malaysia faces a significant cybersecurity talent shortage at all levels. The C-CISO initiative specifically targets the leadership tier, where the gap is most acute. Parallel efforts in university partnerships and technical training programmes are working to build the broader talent pipeline.