
Panos Panayiotou on founding Circl3.tech: To me, cybersecurity was never ‘just an IT issue’

“If something goes wrong, it’s not simply that ‘the server is down.’ An organisation’s operations are halted, customers are affected, regulators ask questions, reputation takes a hit and the brand is damaged,” Panos Panayiotou, founder and CEO of Circl3.tech, says.

In an interview with GOLD magazine, Panayiotou shares his views on the current cybersecurity landscape, how Cyprus should be approaching the issue and the need to deal properly with cyber threats.

 

What made you start Circl3.tech?

After spending more than 20 years as Chief Information Security Officer (CISO) in the country’s biggest banks, I wanted to take on a personal challenge – to step out of a very structured environment as a high-ranking executive and prove to myself that I could build my own company from zero. In 2022 I took that step and Circl3.tech was born, infused with the deep expertise and discipline gained from those years in the financial industry, for organisations that need cybersecurity to work safely day-to-day, not in theory but in practice. And a personal insight: entrepreneurship forces you to be accountable in an additional way. You can’t just wear a title – the delivery of sound results comes first.

 

We all know that cybersecurity is no longer just an IT issue. How, in your opinion, has its role evolved in recent years?

To me, cybersecurity was never “just an IT issue.” Originally, it was close to IT but the industry understood very quickly that this was bad practice. After all, regulation did not allow it and, practically, security can’t be effective if it’s treated like a sub-division of IT.  What’s changed in recent years is the pressure and the stakes. Today everything is connected: business processes, systems, suppliers, production, machinery, even cars. If something goes wrong, it’s not simply that “the server is down.” An organisation’s operations are halted, customers are affected, regulators ask questions, reputation takes a hit and the brand is damaged. The evolution in cybersecurity grabbed the attention of Boards which needed more simplicity and visibility, not technical details. What Boards of Directors really want to know is this: “What are our main risks?” “What’s our state of readiness?” “What could break the business?” and “What are we doing this quarter to reduce any risks?” An exceptional leader used to say, “Don’t tell me what you know; tell me what I need to know.” That applies here too.

 

How are companies in Cyprus and the region approaching cybersecurity? Strategically or reactively?

Cyprus is improving but many organisations are still reactive and, even when they move, it’s often driven by regulation. If I compare it to 10-20 years ago, the difference is huge: back then, many organisations didn’t have cybersecurity on their radar at all. They didn’t understand it and it wasn’t treated as a management issue (it was, indeed, “just an IT issue” that they did not want to bother about). Today, with NIS2, DORA and now the CRA, awareness is increasing but we still see the same common behaviour: many companies do the minimum to stay compliant, while some refuse to comply. And we’ve seen the same thing, even after serious attacks: instead of rebuilding properly, they often ask, “What’s the minimum investment we can make in order to move on?” Still, we’ve at least moved from “We don’t understand cyber” to “Let’s discuss it.”

 

Cyprus has been the target of several cyberattacks. From your experience of working with the Government, what can be improved and how can the problem be dealt with successfully?

That’s a difficult question!  Many people assume that cybersecurity is the same everywhere: you apply the same frameworks, buy the same tools and you’re done. That’s not pragmatic. Public administration is a different ecosystem. The threat landscape is different (intent, persistence, visibility) and the operating model is often decentralised. That can help agility, but without strong coordination, it creates uneven maturity and blind spots. With additional real constraints – understaffing, skills gaps, slow/rigid procurement and processes – execution becomes harder than it is in the private sector. So, practical priorities have been set: central coordination of core cybersecurity processes and public–private partnerships to bring in skills and build internal capacity.

 

What is the biggest misconception that CEOs have about cybersecurity strategies?

The biggest misconception is that cybersecurity is a one-off purchase. “We hired a CISO,” “We outsourced it,” “We did a penetration test,” “We installed a firewall – we’re covered…” These are all useful steps but none of them is cybersecurity. Cyber isn’t a project with an end-date. It’s a capability – with ongoing ownership and rhythm – because risks keep moving: vulnerabilities, regulation, customer demands, supply chains, digitisation, new attack methods. CEOs who get it right treat cyber like safety or quality: it requires clear accountability, disciplined basics and continuous improvement. Cybersecurity isn’t something you complete – it’s something you run.

 

With new cybersecurity frameworks, like NIS2 and DORA, coming into force across the EU, are organisations in Cyprus prepared?

Not fully – and it varies, depending on the sector. Regarding NIS2, Cyprus has moved from awareness to legal obligation. National legal expectations are now concrete for a much wider scope (600+ entities) but many are still in “minimum compliance mode” – appointing roles and responding to questionnaires – instead of building repeatable security management systems. Financial services feel more pressure because DORA was applied earlier. Banks are generally ahead but the biggest gap lies in operationalising it – testing, implementing third-party oversight and proving resilience – not just documenting it. So, there is momentum – regulation is forcing it – but many organisations aren’t practically “ready.” The winners will treat NIS2/DORA as an operating model change, not as a compliance project.

Let me add something perhaps unpopular: many people say that Europe is over-regulated but I disagree. Without regulation, cyber stays behind, because everything else is viewed as “urgent.” Regulation sets a baseline, forces accountability and pushes towards more secure ecosystems. Regulation is the accelerator; treating it as paperwork instead of resilience is wrong.

 

How is artificial intelligence reshaping both cyberattacks and cybersecurity?

AI is moving fast; anyone claiming certainty about where it will end and how it will reshape current processes is merely guessing. What I can say from real experience is this: it is here and it makes attacks more scalable and believable – especially when deceiving people or deploying malware. It helps criminals scale what used to demand more effort – more convincing phishing, faster reconnaissance, better social engineering, quicker iteration. It doesn’t create brand-new crime but it makes familiar attacks cheaper and more effective.

On the defence side, AI helps with speed – triage, anomaly detection, prioritisation and summarising huge volumes of logs and alerts – but only if the organisation has set the fundamentals in place. AI won’t fix weak identity controls, unpatched systems or poor backups. We need to approach AI as we approach every big shift: don’t panic and don’t worship it – tighten the fundamentals, build resilience and use it to your benefit.

 

Looking back over your career, what is the most defining cybersecurity shift that you’ve witnessed?

It’s regulatory expansion – from “nice to have” in a few sectors to baseline expectations across every industry. Today, regulation, supervisory pressure and customers’ and partners’ expectations are forcing organisations to take cyber more seriously, even if they are not active in a traditionally “regulated” sector. It’s not only the laws but the knock-on effect: if your clients are regulated, you become part of their compliance chain. Suppliers, service providers, cloud vendors – everyone is being asked to prove controls, resilience and incident readiness. That has pushed cybersecurity from an informal practice to a structured, documented, measured and continuously improved discipline. Regulation didn’t make cybersecurity harder – it made it real.

 

 

(Photo by TASHPO)

This interview first appeared in the March edition of GOLD magazine.

 
