SPECIAL REPORT
WHAT IS THE BIGGEST MISCONCEPTION BUSINESS LEADERS STILL HAVE ABOUT CYBERSECURITY RISK?
What if the greatest cybersecurity risk isn’t external attackers, but internal assumptions? Many business leaders still treat cybersecurity as a purely technical issue, underestimating how human behaviour, processes and strategy shape exposure to risk. In this special report, Intelligent CISO editor, Mark Bowen, speaks to industry experts and reveals why this misconception continues to put organisations at risk.
Jason Steer, CISO, Recorded Future
Cybersecurity risk is fluid. Today’s risk is not tomorrow’s, and yesterday’s risk is not today’s. It’s important that business leaders understand this and position their organisations to respond to threats as they evolve.
Business risks span a range of categories including compliance, operations, reputation, strategic and cyber. These are all important aspects of risk assessment and business leaders must develop them. Cyberthreats play across almost all of these categories, given that most businesses are heavily digital focussed.
A resilient and adaptive cybersecurity programme must include building knowledge and insight about the ever-shifting threat landscape. Simply, timely intelligence informs better decision making across a business. Threat intelligence enables business leaders to better understand how threats manifest as risks unique to their organisation.
For example, findings from Recorded Future’s State of Security Report 2026 show how cybercriminals are increasingly leveraging infostealers and Generative Artificial Intelligence (AI). The attacks specifically target trusted platforms and vendor pathways, at scale and faster speeds, to gain access to critical cloud and on-premises systems. Effective cybersecurity programmes must keep pace with such changes to ensure defensive measures are fit for purpose, i.e. they are able to deter this week’s emerging threats, which are different to previous challenges.
Cyberthreat intelligence can provide business-critical insight about the what, why, when and how of changing threat actor behaviour. This can be used to more effectively predict and prioritise the threats that matter most in the short term and support better road-mapping and planning in the mid and long term. It can enable a proactive approach to looking over the horizon to help manage and mitigate cybersecurity risks.
Aaron Engel, CISO, ExpressVPN
One of the biggest misconceptions I still see from business leaders is the idea that ‘old school’ threats like phishing or social engineering are basically yesterday’s problem. They’re not. If anything, they’ve become more effective – and more dangerous – than ever.
What’s changed isn’t the tactic, it’s the sophistication. With AI now in the mix, attackers can craft emails that sound exactly like a trusted colleague, replicate tone and writing style, and even generate convincing voice messages that mimic senior leaders. The scary thing is these requests feel completely legitimate, even to experienced employees.
That’s where the real risk lies. Many organisations still think of cybersecurity as something that can be solved with the right tools or platforms. But attackers aren’t just targeting systems anymore – they’re targeting people. And all it takes is one moment of hesitation, or one request that ‘seems about right’, for someone to click, approve, or share something they shouldn’t.
In this environment, awareness and instinct matter just as much as technology. Employees need to feel confident pausing, questioning, and double-checking – especially when something feels urgent or out of the ordinary. Creating that culture is far more effective than relying on any single security solution.
The reality is, social engineering hasn’t gone away. It’s been supercharged. And the organisations that recognise that – and invest in their people accordingly – are the ones that will stay ahead.
WWW.INTELLIGENTCISO.COM