SPECIAL REPORT
Chris Gunner, Virtual Chief Information Security Officer, Thrive
Business leaders often assume that stronger cybersecurity simply arises from spending more on technology. And as the spend goes up, more solutions are added to the mix that decision-makers falsely believe are plug-and-play. But risk management can’t be something that is just purchased or ticked off the list. It’s a continuous discipline.
In just five years, we only need to look at how ransomware has evolved from custom-installed software devised by underground groups into a readily available Software-as-a-Service deployment to get an idea of the threats facing businesses.
Tools need to be effectively executed and maintained on a constant basis to keep new techniques at bay, but this is made harder when many organisations don’t have a rehearsed incident response plan with clear roles defined. No one really knows who to call or who is in charge of what, leading to panicked responses when an attack is already well underway.
Beyond just acquiring tools, cyber-risk requires continuous monitoring, multiple layers of protection, human expertise, governance and alignment with business strategy. That might seem a bit daunting for businesses, so a good starting point is to conduct a cybersecurity assessment.
This way, leaders can see a thorough analysis of their current infrastructure, including all tools, policies, controls and services, along with the operational status of each one. They need to be able to confidently answer whether a particular tool is deployed correctly, whether it is monitored continuously and who the accountable person is for maintaining it.
Investments should then be mapped against the actual risks identified to see where the gaps are. In some cases, external expertise may be the best way to provide the necessary oversight for continuous security operations. Businesses can then confidently move forward with tools, services and processes that make a positive difference to cybersecurity risk management.
Corey Nachreiner, CSO, WatchGuard Technologies
The biggest misconception business leaders still have about cybersecurity risk is that it can be ‘fixed’ with the right tools. Cybersecurity is not a software problem. It’s a business risk problem involving people, processes and priorities.
Every business takes risks. That is how innovation happens. Expecting cybersecurity to eliminate risk is like expecting seatbelts to prevent car accidents. The real value is reducing impact and keeping people moving when something goes wrong. That is why cyber-resilience matters more than perfect prevention. You should absolutely try to block attacks, but your first responsibility as a CISO is to ensure the business can continue operating during a breach, outage or disaster.
Too much attention in our industry is still placed on stopping every possible threat, rather than preparing for reality. Tabletop exercises that test decision making, communication, backups, and recovery plans often deliver more business value than another penetration test report that is only read by security teams. When an incident happens, what matters most is whether people know their roles and can act quickly and confidently to keep the business running.
Risk also changes constantly. New technologies, new regulations, new threats, and new business models all shift the risk landscape. Trying to eliminate risk can waste time and stifle growth. The CISO’s role is to help the business take smart, profitable risks while managing the consequences.
When done well, cybersecurity is not just protection. It is an enabler of trust, resilience and growth. That is the mindset business leaders need to adopt.
Evgeny Zaretskov, Group Chief Security Officer, SOFTSWISS
The biggest misconception that business leaders still have about cyber-risk is that they treat it as a technical issue with uncertain and therefore seemingly distant consequences. As a result, many do not fully believe that a cyber incident can rapidly turn into real financial, operational and reputational damage for their own company until it actually happens. That is why budgets so often become available only after the incident, and controls tighten only after the loss. By that point, the money is no longer a strategic investment – it is the price of reacting too late and recovering from the damage.
In iGaming, that misconception is especially costly because the distance between a cyber incident and business harm is unusually short. For companies operating in the crypto-enabled segment, a serious incident can turn into direct financial loss very quickly: if payout liquidity is held in hot wallets or other immediately accessible on-chain infrastructure, a successful attack can drain those funds within minutes. And if the incident affects player data or account access, it stops being an internal technical issue and quickly becomes a licence-to-operate issue, with mandatory reporting, regulatory scrutiny, sanctions, suspension or even licence revocation.
Nassim Taleb captures the same logic very well in The Black Swan through a thought experiment: if, before 9/11, someone had insisted on reinforced cockpit doors, it would have looked like an excessive, inconvenient, almost paranoid measure right up to the moment it became clear that it might have prevented the catastrophe. Cybersecurity works the same way. Serious investment in security and in building a genuinely protected business almost always looks expensive before the incident. Afterwards, it looks like the cheapest decision the company failed to make in time.
WWW.INTELLIGENTCISO.COM 49