Salinawati Salehuddin is the Section Head of IT Risk Management at Agrobank, Malaysia. She oversees strategies to identify, assess, and mitigate IT risks, ensuring regulatory compliance and information security. Her leadership helps safeguard Agrobank’s technological infrastructure and maintain operational resilience in a rapidly evolving digital landscape. With experience in both risk management and information technology, Salinawati plays a critical role in protecting the bank’s assets and supporting its business continuity objectives.
In an exclusive interview with Enterprise Security Magazine APAC, she shares her invaluable insights regarding the latest developments in the sector, the prevailing challenges, as well as the possible solutions.
Can You Briefly Describe Your Leadership Role As Section Head Of IT Risk Management? What Are Your Key Responsibilities?
As the Section Head of IT Risk Management, I am entrusted with leading and overseeing the organization’s technology risk posture, ensuring that it remains aligned with regulatory expectations, industry best practices, and business objectives. While my core responsibilities include managing IT risk assessments, policy governance, and risk mitigation planning, my role extends beyond traditional boundaries. I am also responsible for handling highly confidential incidents, including those involving fraud and data breaches, where discretion, accuracy, and swift coordination with key stakeholders are critical. Additionally, I actively contribute to shaping the organization's cybersecurity awareness initiatives, promoting a risk-conscious culture across all levels. I am involved in key digital strategy projects and supporting the risk evaluation of emerging technology initiatives. My approach is grounded in proactive engagement, collaboration, and strategic foresight to ensure technology risks are not only managed but also positioned as a value-added component of business resilience and innovation.
With Threats Constantly Evolving, What’s Your Approach To Ensuring That An IT Risk Framework Remains Dynamic And Aligned With Real-World Vulnerabilities Rather Than Just Theoretical Ones?
In today’s environment, where cyber threats evolve faster than ever, I believe an effective IT risk framework must be living, practical, and deeply connected to real-world conditions—not just compliance checkboxes or theoretical models.
My approach is to ensure the framework remains adaptive and intelligence-driven. I actively promote the integration of threat intelligence, lessons from incidents, and feedback from our frontline teams—because they’re the ones who often see risks emerging before they’re on a formal radar. It's essential that our framework reflects what's actually happening in our environment, not just what's written in policies.
Equally important is maintaining strong relationships across business and technical teams. I’ve found that when people feel heard and involved, they’re more likely to surface potential risks early. That collaboration allows us to adjust controls and priorities in real time—especially when business objectives shift or when we detect patterns that suggest something’s not quite right.
Ultimately, I view the framework as a strategic enabler, not a blocker. It needs to evolve alongside the business and threat landscape, and that requires leadership that listens, adapts, and acts decisively. I strive to be that kind of leader every day.
How Do You Evaluate The Effectiveness Of Risk Response Strategies—Especially In Environments Where Metrics Don’t Always Tell The Full Story?
Evaluating the effectiveness of risk response strategies, particularly in environments where metrics alone may not capture the full picture, requires a balanced approach that combines both quantitative and qualitative insights. While I rely on measurable indicators—such as incident trends, risk assessment findings, audit findings, and control test results—I also place significant value on stakeholder feedback, operational resilience, and behavioral change within the organization. For me, a truly effective risk response goes beyond technical compliance; it’s about whether the strategy fosters informed decision-making, enhances trust, and supports business continuity. I regularly engage with cross-functional teams to understand how controls are functioning in practice, not just on paper. This helps surface real-world challenges, such as user experience friction or unintended process gaps, that traditional KPIs may overlook. Ultimately, I view effectiveness not just as a reduction in risk scores, but as an ongoing dialogue between people, processes, and technology working in alignment to safeguard the organization.
You’ve spent years translating complex risk language into business impact. What communication techniques have proven most effective in gaining executive and board-level support?
Over the years, I’ve dedicated myself to bridging the gap between complex risk concepts and meaningful business impact—translating technical risk language into insights that resonate with executive and board-level stakeholders. I’ve found that the most effective communication techniques are those that prioritize clarity, context, and relevance. Rather than focusing solely on technical details or control gaps, I frame discussions around potential operational, financial, reputational, and regulatory consequences—always aligning risk exposure with strategic priorities and business outcomes. Storytelling, real-world scenarios, and plain-language summaries have proven particularly valuable in fostering understanding and engagement at the leadership level. I also believe in creating space for dialogue—encouraging questions, acknowledging uncertainty, and being transparent about both knowns and unknowns. This approach has helped build trust and ensure that risk is viewed not just as a compliance function, but as a strategic partner in decision-making.
What Advice Would You Offer To Rising Professionals In IT Risk And Cybersecurity Who Want To Grow Into Leadership Roles And Drive Meaningful Change In Their Organizations?
To rising professionals in IT risk and cybersecurity who aspire to grow into leadership roles, my advice is to cultivate both technical depth and strategic perspective. It’s important to master your craft, but equally vital to understand how technology risks impact the broader business. Invest time in learning how to communicate complex issues in a way that resonates with non-technical stakeholders—this ability to translate risk into business relevance is a key leadership differentiator. Be curious, stay adaptable, and never underestimate the value of listening. Leadership in this field isn't just about managing threats; it's about inspiring trust, enabling innovation, and fostering a culture where security is seen as a shared responsibility. Seek mentors, embrace collaboration, and be willing to challenge the status quo respectfully. Meaningful change doesn’t come from having all the answers—it comes from asking the right questions and leading with purpose and integrity.