Sri Lanka’s cybersecurity focus is expanding, along with increasing efforts at digitalisation.
In an interview with The Sunday Morning Business, digital trust advocate and University of Sri Jayewardenepura Department of Information Technology Head Prof. Lasith Gunawardena noted that cybersecurity preparedness was similar to navigating a landscape that kept shifting, because just as institutions adapt to one set of threats, new and more sophisticated ones emerge. Therefore, readiness must be viewed as an ongoing commitment to adapt, invest, and coordinate at multiple levels.
Following are excerpts:
How prepared is Sri Lanka’s current cybersecurity infrastructure to handle evolving threats, especially with the rapid adoption of digitalisation?
From a national perspective, the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) plays a crucial role in monitoring, alerting about, and responding to threats. It acts as the national focal point for cybersecurity incident coordination.
However, while its alerting function is valuable, there is an opportunity to further strengthen its resources and mandate to effectively address the growing complexity of threats, particularly those that extend over multiple institutions.
In comparison, the United States established the US Computer Emergency Readiness Team (US-CERT) in 2003 with a similar focus on national cyber incident coordination and public alerts. However, as cyber threats became more complex and widespread, the US Government recognised the need for a more empowered and integrated approach.
This led to the creation of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, transforming US-CERT into a broader agency under the Department of Homeland Security. CISA now leads national efforts to protect critical infrastructure from both cyber and physical threats, with significantly more authority, resources, and cross-sector coordination.
Cybersecurity infrastructure is often thought of in terms of physical or technical components, such as secure networks, firewalls, and monitoring tools, but it also includes legal and policy frameworks. Sri Lanka has taken notable steps in this regard, particularly through the drafting of the Cyber Security Bill, which lays an important foundation for regulatory oversight, accountability, and enforcement.
In the private sector, adoption of cybersecurity measures has generally been more proactive, and largely driven by regulatory compliance pressures. The Personal Data Protection Act (PDPA) No. 9 of 2022, for example, mandates the appointment of data protection officers and sets clear expectations around data security. Information system audits are increasingly integrated into private sector governance structures, particularly among financial institutions and listed companies.
However, outside highly regulated sectors, many Small and Medium-sized Enterprises (SMEs) and informal enterprises remain underprepared due to cost concerns, lack of awareness, or absence of regulatory incentives. The gap is even more noticeable in sectors where cybersecurity requirements are not clearly enforced.
Moreover, while digitalisation is advancing in the public sector, cybersecurity preparedness is uneven. Information system audits are not systematically carried out and most institutions lack dedicated cybersecurity personnel.
There is no formal cybersecurity cadre within the public service, which means that in most cases preparedness depends on whether a particular institutional leader has proactively prioritised cybersecurity or whether committed individuals go beyond their formal responsibilities. The outsourcing of IT services, including cloud storage services, also brings in concerns about cybersecurity.
Moreover, inter-agency coordination in response to cyber threats is limited. Public sector organisations often operate in silos, and this can have an impact when compared with a national-level response mechanism that can be activated across ministries or departments.
To complicate matters further, cybersecurity is still not seen as a strategic priority by many public sector entities, as it is often treated as an IT issue rather than a critical component of risk management and national resilience. The absence of a widespread cyber-aware culture, along with a shortage of trained personnel, obstructs timely and effective responses to threats.
Thus, in terms of public sector preparedness for cybersecurity, unless a particular institution’s leadership has proactively invested in IT staff who possess the necessary cybersecurity training, or if individuals go beyond their regular call of duty to ensure cybersecurity and compliance in their systems, preparedness efforts are lacking.
Furthermore, the efforts are not stemming from a formally identified, specialised service with dedicated personnel in the general Government public sector services. Hence, often in the Government sector, the response to cyber incidents is reactive and thus the preparedness in the sector requires more improvement.
What do you think are the main reasons why there is such a gap in human resources, especially when it comes to the public sector?
The public sector in Sri Lanka has historically been less agile in adopting and scaling new digital services. While it was once at the forefront of computing adoption, particularly in the early stages (the 1970s and ’80s), the private sector has overtaken it since, driven especially by better access to technology, investment, and innovation. In contrast, IT-related functions in the public sector have not evolved at the pace required to meet the demands of rapid digitalisation.
Most Government institutions still operate with traditional IT roles such as programmers, system analysts, network administrators, or system support staff. These positions are often focused on basic service delivery, such as maintaining internal systems or supporting data entry applications. Dedicated roles for cybersecurity, whether in governance, operations, or incident response, are either minimal or entirely absent in most institutions.
This gap cannot be resolved at the level of individual organisations alone. It requires a coordinated, top-level policy response, including the creation of a defined cybersecurity cadre, structured career pathways, and national service classifications that reflect emerging digital needs.
How can institutions, especially in the public sector, strengthen digital trust, particularly at a time when data breaches are quite high?
Strengthening digital trust requires a comprehensive approach that addresses both pre-breach and post-breach phases. At the core of this effort is the need to invest in cybersecurity infrastructure, including secure network architecture, threat detection systems, access controls, encryption, and continuous monitoring tools. These technical safeguards form the backbone of any resilient digital system.
However, infrastructure alone is not enough. Institutions must also build human and organisational capacity. Regular employee training, cyber awareness campaigns, and periodic readiness assessments are critical for reducing vulnerabilities, especially those that stem from human error.
For example, the 2016 cyberattack on the Bangladesh Central Bank was enabled by a spear-phishing email that exploited staff who had not been properly trained. This highlights the need to identify at-risk personnel and equip them with the knowledge to recognise and respond to threats.
Institutions should adopt internationally recognised cybersecurity frameworks and standards, complementing both infrastructure and training and supported by third-party audits and certifications. These measures ensure consistent and best-practice security across departments and service providers.
However, digital trust is not merely about prevention, as it is also about accountability after a breach occurs. Institutions must have predefined incident response plans that include a strong emphasis on transparent and timely communication. If personally identifiable information is compromised, affected individuals must be informed immediately. Transparency in such moments is not optional but a fundamental trust-building obligation.
Unfortunately, we often see a tendency to downplay or hide breaches, both in the public and private sectors. This undermines public confidence and increases the damage caused by the breach. Trust breaks down when users feel excluded or misinformed.
What are some of the key cybersecurity-related frameworks and standards, both sector-specific and general, that organisations in Sri Lanka should be aware of and adopt?
Cybersecurity frameworks and standards can be categorised based on their scope; some are sector-specific, while others provide organisation-wide guidance.
For example, in the financial sector, particularly for entities handling credit card data, the Payment Card Industry Data Security Standard (PCI DSS) provides strict guidelines to ensure secure handling of payment information. Similarly, in the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) sets standards for safeguarding sensitive patient data.
Across industries, one of the most widely recognised global standards is ISO/IEC 27001, which outlines requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It provides a solid foundation for managing data security risks within organisations of any size.
In addition, the NIST Cybersecurity Framework, developed by the US National Institute of Standards and Technology (NIST), offers a flexible, risk-based approach to managing cybersecurity and is applicable to organisations of all sizes.
For Sri Lankan organisations engaging with international partners, particularly in Europe, General Data Protection Regulation (GDPR) compliance is also critical, as it governs how personal data must be collected, stored, and processed.
Locally, Sri Lanka’s PDPA provides a legal framework for data protection and outlines responsibilities for both public and private sector organisations regarding the handling of personal information. While enforcement mechanisms are still evolving, the PDPA represents an important step towards integrating national practices with international standards.
Beyond technical standards, frameworks like Control Objectives for Information and Related Technologies (COBIT) play a vital role in IT governance and management. COBIT helps organisations align IT goals with business objectives, establish clear policies and accountability, and manage cybersecurity risks at the enterprise level. It complements standards like ISO 27001 by providing the governance structure necessary to implement effective cybersecurity controls and ensure continuous improvement.
From a compliance standpoint, there is a future need to establish a national authority to monitor and enforce adherence to these frameworks and standards across sectors. While the legislative groundwork has begun, we are still some distance from achieving full, consistent oversight.
What kind of progress have we made in terms of integrating cybersecurity principles into the digital economy roadmap, especially when it comes to areas like fintech, e-commerce, and e-governance?
In the fintech sector, most financial services are subject to various compliance requirements, and today, cybersecurity must be embedded from the very start rather than treated as an afterthought.
The private sector plays a significant role, with the rapid digitalisation of services, infrastructure, and finance, thus making continuous collaboration between the Government and private entities essential. The Government alone cannot drive these initiatives effectively.
However, there are challenges within the Government’s regulatory framework, which has struggled to keep pace with fast-moving technological advances. For example, when private companies began offering certain electronic payment services in Sri Lanka, there was initially no specific legal framework, forcing some providers to pause operations until regulations caught up. Similarly, existing cybersecurity laws and frameworks have limitations that require timely updates to remain effective.
From an e-commerce perspective, the Covid-19 pandemic accelerated consumer adoption and acceptance of online shopping as a substitute for traditional transactions. While this growth is positive, it has also unfortunately increased the risk of financial scams, highlighting the need for stronger cybersecurity measures and consumer protection.
Across both e-governance and e-commerce, regulatory frameworks must strive to keep pace with technological innovation. While some lag is inevitable, falling too far behind constitutes significant risks to trust and security.
An important related element is the PDPA, which provides the legal foundation for safeguarding personal data in Sri Lanka. Effective integration of cybersecurity principles within the digital economy must align with data privacy regulations like the PDPA to ensure that citizens’ information is protected throughout digital transactions and services.
In order to support the expansion of secure digital services, incentives could play a significant role. For example, recognising companies that undergo cybersecurity audits and demonstrate compliance, through certifications or public acknowledgment, could encourage broader participation and raise overall cybersecurity standards. Such initiatives would help accelerate the growth and trustworthiness of fintech, e-commerce, and e-governance in Sri Lanka.
Do you think cybersecurity has received adequate attention, especially in policymaking and when it comes to allocating funds related to digital infrastructure and human resources?
Cybersecurity investments within the public sector have largely been reactive rather than proactive.
Historically, cybersecurity has received limited attention in policymaking and is more limited in terms of dedicated infrastructure and resources. There is an evident need to improve both awareness and capability across all levels of public sector employees. Basic cybersecurity awareness should be a baseline requirement for every public sector staff member who accesses digital systems, in order to ensure they understand how to protect their own credentials and data.
Beyond general awareness, the public sector also urgently requires dedicated cybersecurity professionals. Key leadership roles such as Chief Information Officers (CIOs) remain scarce in public sector organisations despite ongoing efforts by the Information and Communication Technology Agency (ICTA) to strengthen IT governance.
Moreover, when it comes to human resource investments, the public sector’s salary structure for IT and cybersecurity staff is significantly below industry standards, making it extremely difficult to attract and retain qualified professionals. Cybersecurity experts can earn multiple times more in the private sector or abroad, leading to a persistent risk of brain drain.
On the infrastructure side, cloud adoption has increased, influenced in part by provisions in the PDPA regarding data residency. For example, the Central Bank mandates that banks store all data, including backups, within Sri Lanka’s geographic boundaries. Additionally, data classification policies, distinguishing between public, shared, and confidential data, are essential, along with strong encryption and access controls to safeguard sensitive information.
Another important aspect is managing third-party vendors. Public sector agencies inevitably rely on private service providers for digital services, making it critical to assess vendors’ security practices, data handling policies, and audit histories before onboarding. Entrusting sensitive information to third parties demands risk management and clear incident response mechanisms to minimise damage in the event of a breach.
How well is cybersecurity integrated into higher education curricula, particularly in computing and related fields, and what opportunities are there for non-technical professionals to enter the cybersecurity workforce?
Today, almost every internal degree programme in Sri Lanka across faculties incorporates courses which provide at least competency in basic IT skills, and it is essential that cybersecurity training is included as a compulsory element in these courses to prepare a capable workforce.
Globally, computing education follows a framework set by leading organisations, such as the Institute of Electrical and Electronics Engineers (IEEE) and Association for Computing Machinery (ACM), which serve as the international standard for computing curricula.
Traditionally, their framework included five core pillars: Information Technology, Computer Science, Computer Engineering, Software Engineering, and Information Systems. Since 2020, however, two new pillars have been added – Data Science and Cybersecurity – reflecting the growing importance of cybersecurity as a distinct discipline.
In Sri Lanka, most computing degree programmes now cover cybersecurity to varying extents. It is also important to recognise that cybersecurity is multidisciplinary and not all professionals in the field need a technical computing background. Many roles focus on areas like human factors, policy, and compliance, enabling individuals from non-technical backgrounds to contribute meaningfully.
As cybersecurity becomes progressively embedded in curricula, both through specialised degrees and as part of other computing programmes, opportunities increase for a diverse workforce. In addition to formal degrees, certifications and training programmes also provide accessible pathways for those seeking careers in cybersecurity without a traditional computing degree.