SPECIAL REPORT
Marshall Erwin, CISO, Fastly
Many business leaders think of cybersecurity primarily as how well defended they are against malicious hackers. Evidence suggests that software bugs and misconfigurations are an even greater risk. Thinking back on big, headline-making incidents of recent years, oversights and rushed software deployments have been causing as much chaos as bad guys in hoodies.
Fastly’s global security report found software bugs (40%) factored in more cyber incidents globally than external attackers (39%) in 2025, up from 33% the previous year, due in large part to AI accelerating deployment pipelines. AI introduces more complexity and more code, inevitably leading to more mistakes without appropriate oversight.
Enterprises shipping code quickly and at scale need to make sure security and software aren’t siloed to achieve a strong security posture. Currently only 37% of organisations have shifted security responsibilities toward platform engineering or DevOps. Integrating security throughout a business rather than focusing too hard on hackers and the perimeter requires a cultural and procedural rethink.
Giving security leaders a say in how systems are set up and managed helps to bake security into an organisation’s architecture from the outset. Clear governance frameworks and accountability for security incidents make the process of preventing and dealing with software-related outages or downtime more efficient. Security is as much about mindset as it is about investment in the right tools. Especially with AI being integrated into developer workflows, any project a business starts can leave them vulnerable – unless security is a core consideration from the outset.
Mick Leach, Field CISO, Abnormal AI
I often come across the misconception that security teams can figure out tolerance on their own, which shouldn’t be the case. Cybersecurity risk is business risk, so it should be the role of the business to drive tolerance to risk, and the role of security teams to execute it.
I think the most important thing for business leaders to remember is that cybersecurity risk isn’t something that will ever be fully mitigated. There’s no switch you can flip to mark the completion of your journey to becoming cybersecure. It’s an ongoing process that requires constant evaluation and diligence to keep it at an acceptable level.
Patricia Titus, Field CISO, Abnormal AI
For CISOs, it’s Groundhog Day: we’re still seeing cybersecurity being treated as an IT issue instead of being seen as a core business risk. The threat it poses to organisations is consistently underplayed and underestimated.
This issue is compounded by misconceptions. Business leaders assume security teams are handling it, or that they can catch up later, when in reality this increases both cyber and operational risk. It’s often only when leaders are forced to focus on cybersecurity because of an incident that captures their attention, such as a breach, that they finally act.
Another major misconception I still see is compliance being mistaken for security. While it’s a crucial part of achieving higher security standards, ticking the box once doesn’t mean you’re secure from that point onwards. Compliance frameworks mostly offer point-in-time evidence, not assurance of continuity or of an organisation’s day-to-day security posture.
Leslie Nielsen, CISO, Mimecast
Insider threats are rising fast, and many organisations are still looking in the wrong direction to stop them. Recent research found that 29% of UK organisations reported an increase in malicious insider incidents at their company over the past year. The attack surface is no longer just the perimeter.
Attackers are no longer focused purely on breaching systems from the outside. They are embedding themselves within organisations by exploiting hiring processes that are not sufficient to spot the sophistication of modern and AI-enabled bad actors. Reports of North Korean IT operatives using AI to pose as remote workers illustrate just how scalable these methods have become, and how recruitment is now a key entry point. The M&S breach last year, where hackers used the credentials of a third-party IT contractor to access over nine million customer records and cause an estimated £300 million in disruption, is a stark reminder that attackers don’t need to break down the door when they can walk through a trusted one.
The challenge is that insider threats don’t fit neatly into traditional security models, which is why they are so often underestimated or overlooked. Managing this risk isn’t just an IT issue anymore. HR and recruitment teams, in particular, have become critical gatekeepers in stopping malicious actors from getting in. And the financial stakes are real: the average cost of a single insider threat incident now stands at approximately £9.78 million for UK organisations.
Addressing this requires organisations to rethink who owns the problem. HR and recruitment teams are now on the frontline, and they need the tools, training and threat intelligence to act on it. Cybersecurity can’t remain a specialist function when the entry point is a job application.
WWW.INTELLIGENTCISO.COM 51