Intelligent CISO Issue 98 | Page 54

SPECIAL REPORT
Shane Read, CISO, Goldilock Secure
One of the biggest misconceptions among business leaders is that more connectivity means better business performance. In reality, overconnectivity has become one of the most significant, and overlooked, drivers of cyber-risk.
For years, organisations have been encouraged to connect everything – systems, users, partners and infrastructure – in the name of efficiency. But that ‘always-on’ mindset has dramatically expanded the attack surface. Every API, remote connection and third-party integration is another potential entry point, and collectively, these create environments that are increasingly complex and difficult to secure.
The instinct is often to respond by adding more security tools. But layering on solutions can create blind spots and an overreliance on software controls that attackers, particularly with the rise of AI-driven threats, are increasingly becoming adept at bypassing.
The assumption that breaches can always be prevented, or that software alone is enough, is one the industry has to move past. Most CISOs now work on the assumption that an attacker will eventually get in. What matters now is what happens next, and how far they’re able to go.
That starts with rethinking connectivity itself. Not every system needs to be online all the time, yet critical assets, such as backups and core infrastructure, are often left exposed simply because ‘that’s how it’s always been done’. Reducing that unnecessary exposure can make a meaningful difference in limiting both the likelihood and the blast radius of an attack.
We’re seeing a shift towards ‘right-sized connectivity’, where systems are only connected when needed and are able to be isolated on demand. That’s what gives organisations real control when an incident occurs.
Tools and teams are necessary but they’ re not sufficient.
Alec Barea, CISO, Flare
The organisations that will handle Agentic AI well are the ones that already have strong fundamentals. Not because they predicted this specific wave, but because solid foundations compound. Every new threat cycle becomes an iteration instead of a crisis.
The biggest misconception business leaders still have about cybersecurity risk is that new threats require new defences. Every few years a new category dominates the conversation, and leadership concludes that a new product will solve it. But security budgets remain a fixed percentage of tech spend regardless of the threat environment. You cannot buy your way through every wave. You have to scale efficiently, and the only way to do that is depth in the fundamentals.
Start with the most basic one: knowing your information. What data you have, what it is worth, and where it lives. That is what information security actually means. Everything else – identity governance, access control, monitoring – follows from there. If you do not know what you are protecting, no product will protect it for you.
This matters more now than ever because AI tooling is actively working against these principles. The Model Context Protocol, the emerging standard for connecting AI agents to enterprise tools, was designed without mandatory access controls. In practice, most MCP servers run with the user’s full permissions or a single broad token, with no scoping to what the agent actually needs. Security is treated as the customer’s problem, which is exactly why organisations with strong fundamentals will absorb this wave and those without them will buy another product.
Security teams that know their data and control access to it will still invest in AI tooling. They will just be the ones choosing tools that solve real problems in their environment instead of reacting to the expo floor. That is the difference between scaling security and just growing the stack.
Tom Exelby, Head of Cyber at Red Helix
Ask a room full of CISOs what business leaders get wrong about cybersecurity risk and you’ll hear: “They think it won’t happen to them.” “They see it as an IT problem.” “They treat compliance as a finish line.”
All of which are valid. But in my experience, these are all symptoms of a single, deeper misconception.
The root cause is that business leaders are not including cyberthreats in the wider business risk management process in the same terms as other risks they manage.
When a board believes a breach won’t happen to them, it’s because no one has quantified the likelihood in terms they recognise. When they treat cyber as an IT problem, it’s because the security function was never given a seat at the risk table. When they mistake compliance for security, it’s because governance frameworks get treated as the destination rather than a baseline. None of these misconceptions would survive a properly integrated enterprise risk process.
The solution starts with the language being used. Security leaders must present cybervulnerabilities in the same terms the business already uses for its other risks: financial exposure, likelihood, operational impact, risk appetite.
Frameworks like FAIR and the NCSC Cyber Assessment Framework make that translation credible and repeatable. Use them and show your working.
Don’t wait for budget season to have the conversation about your cyber-risk, because by then it’s already too late. It needs to be embedded into the continuous risk management process so it’s always on the register, and visible alongside financial, operational and regulatory risk.
The misconceptions business leaders hold are real. But they persist because we haven’t embedded ourselves in the process where they get resolved. That’s the shift that matters most.
54 WWW.INTELLIGENTCISO.COM