Intelligent CISO Issue 98 | Page 50

SPECIAL REPORT
James Tucker, Head of CISOs in Residence EMEA, Zscaler
The biggest misconception that business leaders still have is that cybersecurity risk is a technology problem. In reality, security is a human behaviour problem, with technology only being a part of the equation. The majority of data loss challenges still stem from employees and their behaviour, as incidents typically start with someone within the organisation clicking, approving or entering credentials in the wrong place.
The CISO must work to influence the mindset of the leaders within a business to secure investments that enable the IT security team to adopt adequate policies and improve their security posture. They need to explain the risks in a way that the board will understand, before offering a more secure approach to keep the cybersecurity risk under control. The first step is to improve the visibility for the IT security team into all internal and external data streams and enable them to understand who is connecting to what and why. From there, organisations can apply policies based on the principle of least privilege, ensuring alignment with real business needs.
A good example is the use of AI. If organisations simply block AI tools, it won’t stop employees using it, as they will find ways to circumvent security controls to benefit from AI productivity gains. As organisations lose control by blocking the tool, they should understand human behaviour and support secure usage by getting appropriate guardrails for secure governance in place.
As the board funds outcomes in terms of revenue, avoiding losses or enabling the business to become more productive, the CISO needs to speak their language and offer solutions that relate to the leadership’s vision. Equipping CISOs for that conversation starts with one truth: the leadership cares about what a failure costs them, or what that expanded security project is going to prevent them from doing. It’s for this reason that the security leaders who get traction with the business aren’t necessarily the most technical people in the room. Instead, they’re the ones who made security feel like everyone’s problem without anyone feeling blamed for it.
Jonathan Nguyen-Duy, CTO, Arqit
Many business leaders still frame cyber-risk around immediate threats such as malware, ransomware or the threat of a major breach. While those risks are real, many of the issues CISOs worry about most sit far deeper in the technology foundations the business relies on every day.
Encryption is a good example of under-appreciated risks. It underpins almost every digital interaction, protecting data, securing transactions and allowing systems to authenticate one another. However, in most organisations it’s been deployed gradually over many years by different teams, developers and vendors. Because of this, it often ends up spread across applications, infrastructure and third-party services – and very few businesses have a clear and current view of where cryptography sits across their environment.
That lack of visibility is becoming increasingly dangerous in the era of AI and Quantum Computing, which has changed the tempo of cyber risk. Organisations need to know what type of encryption they are using, where it sits, and where it is vulnerable, including exposures relevant to quantum risk. Indeed, for me, the conversation leaders should be having is not simply around whether they are sufficiently secure, but whether they’re positioned to address changes in technology and threats.
That is why cryptographic discovery – the practical discipline of continuously discovering and managing cryptographic exposure – is essential. Without reliable cryptographic inventory, businesses will struggle to make sensible, timely decisions before attackers, regulators or breaches do it for them.
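The cryptographic inventory described above, as an added example that is not part of the article or Arqit's tooling: each record says where a piece of cryptography sits and what it protects, and a rule set ranks it by quantum exposure (Shor-vulnerable public-key schemes, symmetric key sizes under Grover, legacy algorithms, NIST post-quantum standards). The asset records, field names and sample inventory are constructed for the example; in practice they would come from TLS scans, code scanning and KMS/HSM exports.

```python
from dataclasses import dataclass
# Public-key schemes whose hardness assumptions fall to Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "ECDSA", "ECDH", "ECDHE", "DH", "ED25519", "X25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST FIPS 203/204/205
SYMMETRIC = {"AES", "CHACHA20"}        # Grover roughly halves effective key strength
HASH = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256"}
LEGACY = {"DES", "3DES", "RC4", "MD5", "SHA-1"}  # broken or deprecated today, quantum or not
SEVERITY = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "OK", "UNKNOWN"]  # report order, worst first

@dataclass
class CryptoAsset:
    location: str      # where the cryptography sits: service, repo, vendor
    purpose: str       # "tls", "key-exchange", "at-rest", "signing", "hashing"
    algorithm: str
    key_bits: int
    long_lived_data: bool = False   # data that must stay confidential for years

def classify(asset):
    """Return (severity, reason) for one inventory record."""
    alg = asset.algorithm.upper()
    if alg in LEGACY:
        return "CRITICAL", "legacy algorithm; replace regardless of quantum timelines"
    if alg in SHOR_BROKEN:
        # Ciphertext captured today can be decrypted later, so encryption and key exchange outrank signatures.
        if asset.purpose in ("tls", "key-exchange", "at-rest") or asset.long_lived_data:
            return "HIGH", "Shor-vulnerable; exposed to harvest-now-decrypt-later"
        return "MEDIUM", "Shor-vulnerable signature; migrate on a planned schedule"
    if alg in SYMMETRIC:
        if asset.key_bits >= 256:
            return "LOW", "symmetric with 256-bit key; margin under Grover"
        return "MEDIUM", "symmetric key below 256 bits; plan a key-size increase"
    if alg in HASH:
        return "LOW", "hash with adequate output length"
    if alg in PQC:
        return "OK", "NIST post-quantum standard"
    return "UNKNOWN", "not covered by the rules; investigate"

def inventory_report(assets):
    """Rows of (severity, location, purpose, algorithm, reason), worst first."""
    rows = [(classify(a)[0], a.location, a.purpose, a.algorithm, classify(a)[1]) for a in assets]
    return sorted(rows, key=lambda r: SEVERITY.index(r[0]))

# Constructed sample inventory (not real systems); real input comes from scans and KMS exports.
SAMPLE = [
    CryptoAsset("api-gateway", "tls", "ECDHE", 256),
    CryptoAsset("payroll-db", "at-rest", "AES", 128, long_lived_data=True),
    CryptoAsset("code-signing", "signing", "RSA", 3072),
    CryptoAsset("legacy-vpn", "tls", "3DES", 168),
    CryptoAsset("sso-idp", "signing", "ML-DSA", 0),
    CryptoAsset("vendor-sftp", "tls", "Camellia", 256),
]
```

Calling `inventory_report(SAMPLE)` puts the 3DES VPN first and the Camellia vendor link last as an item to investigate, which is the ranked view a board-level "where are we exposed" conversation needs.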
CYBER RISK
Kim Larsen, CISO, Keepit
The biggest misconception business leaders still have about cybersecurity risk is that it’s primarily a prevention problem. In reality, it’s a resilience problem.
Hope is not a strategy and that’s exactly where many organisations fall short. There’s still a tendency to equate security with having controls in place – firewalls, endpoint protection, access policies – rather than asking the harder question: can we actually recover when something goes wrong?
The data shows that incidents are not rare, catastrophic events. They are constant, low-level, operational issues. The recently published Keepit Annual Data Report highlights that around 90% of restore activity is simple, single-file recovery. That tells us most data loss is driven by everyday factors like user error or accidental deletion, not just sophisticated attacks. In other words, disruption is part of normal business operations.
What’s more concerning is that even major global outages don’t meaningfully change behaviour. Organisations don’t significantly increase testing or validation of their recovery processes in the aftermath of high-profile incidents. Awareness is there, but it doesn’t translate into action.
The real misconception, then, is thinking that having backups equals being resilient. It doesn’t. Backup is only valuable if it’s tested, if recovery processes are understood, and if they can be executed quickly and at scale when needed.
Cybersecurity risk isn’t defined by whether you can prevent every incident; you can’t. It’s defined by how well you respond and recover. Real resilience comes from treating recovery as a core operational discipline, not a box to tick.
WWW.INTELLIGENTCISO.COM