An agentic AI system does more than generate text. It can plan, decide, and act across multiple steps using tools, data sources, workflows, and sometimes other agents. In enterprise terms, this means the system can move from “answering a question” to executing work.

A simple way to think about agentic AI is:

• Brain: The model that reasons or generates response.

• Context: The instructions, memory, and data it uses

• Tools: The systems it can access to take action

  

That distinction matters because the main risk is no longer just inaccurate output like we have seen it in the last couple of years due to non-deterministic system behavior.

The bigger issue is unsafe or uncontrolled action.

Where agentic AI makes sense

While the industry is telling you it is the next big thing of operational efficiency, Agentic AI is most useful when work is:

• multi-step, not one-shot

• repetitive but not highly judgment-sensitive

• tool-enabled, but within clear limits

• bounded in scope

• easy to supervise, interrupt, or reverse

Agentic AI use cases in an enterprise

These are typically the most effective starting points: Summarizing emails, documents, tickets, or meetings; researching approved internal knowledge sources; drafting reports, RFP responses, or internal communications; gathering information across systems for analysts; triaging support requests before human review; and coordinating routine workflow steps across approved tools.

These use cases tend to perform well because the impact of failure remains limited, and actions can usually be reviewed, validated, or reversed if necessary.

Where agentic AI is higher risk

Risk rises sharply when an agent can take actions that are privileged, external, irreversible, or difficult to detect quickly. High-risk situations include moving money or issuing refunds, approving transactions or business decisions, modifying authoritative records in ERP, HR, finance, or CRM systems, sending messages as a trusted employee or executive, changing access rights or interacting with IAM or PAM systems, executing code, scripts, database commands, or infrastructure changes, browsing untrusted websites or using unvetted third-party tools, and making decisions that affect customers, employees, or regulated outcomes.

In these cases, the issue extends beyond model quality. The real risk comes from the combination of autonomy, tool access, and business impact. To identify areas of high risk, I recommend to look into the EU AI Act Annex III to source an extensive list of what is being considered as high-risk AI system.

Another rule of thumb for daily operations is that an AI agent becomes materially more dangerous when it is connected to: Payment or treasury systems; ERP, HR, CRM, or ticketing systems with write access; email or collaboration tools with send/delete capability; admin consoles or privileged APIs shells, Python, PowerShell, CI/CD pipelines, or database tools; browsers operating in authenticated sessions; external plugins, connectors, MCP servers, or other agent-to-agent interfaces.

A read-only assistant is very different from an agent that can send, change, approve, execute, or delete.

To sum it up, the most practical rule of thumb is the following:

Use ‘classic’ GenAI or (even Machine Learning) when:

• the task is one-shot

• no tools are needed

• the output is advisory only

• a human will perform the actual action

Use a bounded agent when:

• the task requires several steps

• only a small, approved toolset is needed

• the work is narrow and reversible

• there is clear ownership and monitoring

Use a tightly governed agent with human approval when:

• money, legal exposure, customer outcomes, regulated data, or critical operations are involved

• rollback is difficult

• misuse could create material business harm

So, can these guardrails be narrowed down into basic principles?

Yes, of course.

Agentic AI usually makes sense when three factors stay controlled:

1. Agency: How autonomous is the system?

2. Impact: What happens if it gets it wrong?

3. Complexity: How many steps, tools, and dependencies are involved?

The higher these go, the stronger the controls and guardrails must be.

How to implement Agentic AI safely in an enterprise

Begin by creating a clear inventory of all agents, documenting each agent’s purpose, ownership, underlying model, data access, available tools, and assigned risk rating. From there, classify the tools those agents can use according to their level of risk, distinguishing between read-only capabilities and those that can write, approve, or execute actions. Apply the principles of least privilege and least agency by limiting each agent’s permissions and autonomy to only what is strictly necessary for its role. Introduce human approval at critical control points, ensuring that any high-impact action is reviewed before execution.

Strengthen identity management by treating agents as non-human identities with unique credentials that can be quickly revoked if needed. Maintain comprehensive monitoring and logging of all agent activity, including tool usage, goal changes, privilege escalation, and any unusual behavior. Finally, operate with the assumption that all connected content, whether from web pages, documents, emails, APIs, or even other agents, may be malicious and design safeguards accordingly.

The bottom line

Agentic AI works best when it acts like a well-supervised junior operator: Focused mission, approved tools, visible activity, and easy human intervention.

It becomes risky when it acts like an unsupervised privileged employee: Broad permissions, external connectivity, code execution, money movement, or decisions affecting people.

Use agents for coordination, preparation, and controlled execution. Use humans for approval, exceptions, and irreversible actions - and your chances of applying Agentic AI successfully will rise significantly.

The episode unpacks how cyber and AI exposure shape strategic…

Read more

The next serious AI failure in business is unlikely to come from a model producing a flawed paragraph. It is more likely to come from an AI agent with access to messaging channels, external tools, persistent sessions, and live workflows taking the wrong action with valid credentials. OpenClaw makes that shift easier to see because it is built as a self-hosted, always-available assistant that connects to multiple chat platforms and supports tool use inside those environments. That makes it a useful signal of where enterprise AI is heading: Away from content generation and toward delegated action.

A category shift is now visible

Many leadership teams still evaluate AI through the lens of model quality. They ask whether the model is accurate, fast, helpful, and safe enough for drafting, summarization, and decision support. Those questions remain relevant. They no longer capture the full business risk.

A different class of AI is now emerging. OpenClaw is described as a personal AI assistant that runs across messaging apps, remains persistently available, and can use tools to complete tasks. Its documentation emphasizes multi-channel access, sessions, routing, media support, and configurable tool permissions. Those features move AI closer to an operating layer inside day-to-day work.

That matters because the economics improve as AI moves closer to execution. A system that can monitor communication flows, retrieve context, coordinate tasks, and trigger actions offers more than convenience. It offers cycle-time compression, lower coordination cost, and a new form of operating leverage. That is why agentic systems are drawing attention from boards, executive teams, and investors.

It also changes the risk equation.

When AI can act inside live workflows, the central question is no longer whether the system sounds intelligent. The question is whether the enterprise has delegated authority it cannot yet govern with confidence.

Permission is becoming the defining risk variable

Traditional AI creates output risk. It can misstate facts, miss nuance, or produce poor analysis. Agentic AI creates authority risk.

That distinction has direct strategic significance. A flawed summary can usually be reviewed and corrected. An agent that reads a message, interprets context, accesses a tool, and initiates an action can create operational, legal, and reputational consequences before anyone notices the chain of events.

This is where many organizations remain underprepared. Once a system can ingest external content, maintain persistent presence across channels, and use tools with real permissions, the control problem becomes sharper. The issue shifts from model performance to authority design. Who approved the access model? Which actions require human intervention? What evidence exists that activity can be supervised, reconstructed, and contained?

Those are governance questions. They sit squarely in the domain of executive accountability.

Tools like OpenClaw are relevant because they make the access problem tangible. Its architecture and tooling show how quickly AI can move into messaging environments, connected services, and persistent workflows. The strategic implication reaches far beyond one project. Enterprises are entering an era in which AI systems will receive access before most control frameworks have matured enough to manage that access safely.

The upside will be real and the downside will be expensive

The commercial case for Agentic AI is easy to understand. Businesses want less friction in execution. They want fewer manual handoffs, faster internal response, and better use of scarce management time. Systems that can sit inside communication channels and coordinate routine activity promise measurable productivity gains.

That creates value in three places.

For enterprises, Agentic AI can reduce coordination drag in functions where delay compounds cost. For software vendors, it creates a path from commodity model access toward higher-value workflow integration. For investors, it opens a more durable competitive question: which companies can convert AI capability into trusted enterprise deployment.

That final point will drive valuation outcomes.

The market will reward governable autonomy. Buyers will pay for systems that can be bounded, supervised, logged, and constrained with clarity. They will hesitate when a product appears powerful but cannot satisfy internal controls, legal review, cyber underwriting questions, or regulated deployment requirements.

This is where early enthusiasm and durable enterprise value begin to diverge. Capability attracts attention: Control sustains revenue.

In practical terms, trust architecture is becoming part of the product. Vendors that treat identity, permissions, auditability, and containment as first-order product features will be better positioned for core enterprise adoption. Vendors that treat those issues as secondary may still generate pilot activity and user enthusiasm, but they will face slower expansion, harder procurement cycles, and weaker long-term monetization.

This is now a boardroom and investment issue

Boards should view Agentic AI as a governance matter with clear oversight implications. Once systems can act across communications and workflows, the board’s questions become more exacting. What authority has been delegated? Where are the approval boundaries? How is management testing that those boundaries hold under pressure? What evidence supports confidence in supervision and escalation?

CEOs should view this as an operating model decision. The pressure to deploy Agentic AI will come from productivity goals, competitive signaling, and internal momentum. That pressure can create hidden exposure when leadership treats delegated action as a software feature instead of an enterprise authority model.

CFOs should view this through the lens of risk-adjusted returns. The upside includes labor leverage and faster execution. The downside includes incident cost, control remediation, legal review, vendor diligence, insurance friction, and delayed scaling. Capital allocation discipline matters most when upside is visible and downside remains underpriced.

Investors should pay close attention to the difference between autonomous capability and commercially deployable autonomy. Open ecosystems and open-source momentum can accelerate experimentation. Enduring enterprise value will accrue to platforms that can convert flexibility into trust, and trust into repeatable adoption.

That is where category leaders will separate from high-visibility followers.

The leadership framework is simple

The most useful way to assess Agentic AI is through three executive questions.

1. Authority: What can the system access, approve, trigger, or change?

2. Exposure: What messages, files, external content, or third-party inputs can influence its behavior?

3. Containment: What mechanisms can limit, supervise, reverse, and investigate its actions?

This framing improves the quality of decision-making quickly. It helps leadership distinguish between acceptable low-authority use cases and deployments that create enterprise-level exposure. It clarifies where hard permission boundaries are required. It forces management to define where AI can assist, where it can act under constraint, and where human approval remains mandatory.

Disciplined adopters will gain advantage here. They will move quickly in low-authority environments, impose tighter controls where business consequences rise, and scale only when auditability and containment are credible. That is how organizations capture operating leverage without accumulating hidden liability.

The real signal is broader than OpenClaw

OpenClaw matters because it makes the next phase of AI visible. It shows how fast the market is moving toward persistent, tool-using, multi-channel agents that can do work inside the flow of business.

That is the real strategic story.

The center of AI risk has moved from generated content to delegated authority. That is where cyber risk, governance, operational resilience, and valuation now converge. Leadership teams that recognize this early will make better decisions about deployment, control design, vendor selection, and capital commitment.

The firms that create lasting value in this phase of AI will be the ones that govern permission with discipline. That will matter more than raw autonomy. It will matter more than product theater. It will matter more than model prestige.

In enterprise AI, enduring advantage will come from control over what the system is allowed to do.

The recent cyberattack on Stryker deserves attention well beyond the security community. This was not simply another breach, and it does not fit neatly into the familiar ransomware narrative. It appears to have been a destructive attack with immediate operational consequences for a major global medical technology company.

Stryker disclosed on March 11, 2026 that it had experienced a cyberattack affecting portions of its network. By March 12, the company said the incident was disrupting order processing, manufacturing, and shipping, even as patient-related services and connected medical devices were reported as unaffected. Those facts alone make this a significant event. A cyber incident that interrupts core business operations at scale is no longer an IT matter.

It becomes an enterprise resilience issue.

Public reporting has linked the incident to Handala, a group widely described as Iran-linked. The wider geopolitical setting matters here. This incident is being reported not as ordinary criminal activity motivated by financial gain, but as part of a broader pattern of politically motivated cyber aggression tied to current regional conflict. That should change how boards interpret the event. It sits closer to sabotage than extortion.

The technical lesson is as important as the geopolitical one. Early reporting indicates that this may have involved the abuse of enterprise management capability to disable or wipe systems at scale, rather than the deployment of conventional ransomware. Reuters reported that no ransomware was detected. Security reporting has pointed to the possible use of trusted administrative mechanisms to create enterprise-wide disruption. That distinction is critical. When attackers gain control of identity systems, endpoint management, or remote administration tooling, they may not need malware to cause major damage. They can use legitimate control planes to execute destructive actions quickly and broadly.

That changes the board conversation.

For years, many organizations have centered their preparedness around theft of data and encryption of systems. Those remain serious risks, but they are no longer the full picture. The more consequential question is whether an attacker can take over the mechanisms the company itself uses to manage trust, configure devices, and operate at scale. If the answer is yes, then the organization may face a rapid loss of operational control, not just a compromise of confidentiality.

That appears to be the central issue in the Stryker case. The disruption quickly affected the company’s ability to process orders, support manufacturing, and move product. That is a direct line from cyber compromise to business interruption. For a company serving healthcare markets, the stakes are especially high because operational disruption can affect customers, partners, supply chains, and public confidence all at once. Reuters also reported a negative market reaction after the incident became public.

There is also a sector-specific lesson. Medical technology and healthcare organizations occupy an uncomfortable position in the threat landscape. They are commercially important, operationally complex, highly connected, and close to services that society depends on. That makes them attractive targets for state-linked actors seeking leverage and visibility. AP has reported warnings from officials and researchers about wider Iranian cyber activity directed at American and other targets during the current conflict. Leaders in healthcare, industrial sectors, logistics, and other strategically important industries should assume that this risk is relevant to them.

Boards should take three messages from this incident.

• First, destructive cyber risk is now a mainstream corporate risk. It is no longer confined to governments or critical national infrastructure.

• Second, trusted enterprise control systems have become prime targets. Identity platforms, device management tooling, endpoint administration, and remote access systems now sit much closer to the center of enterprise risk than many governance models still reflect.

• Third, resilience must be tested against loss of control, not just loss of data. It is not enough to ask whether backups exist. The more important question is whether the organization can recover safely and at scale if the normal administrative plane has been compromised and cannot be trusted.

That leads to a better set of board questions. Are high-impact administrative actions tightly restricted and independently monitored? Are destructive functions such as remote wipe or mass reconfiguration subject to stronger safeguards? Can the company rebuild endpoints and servers without depending on the same control systems that may have been used in the attack? Has management exercised a crisis scenario based on destructive disruption rather than ransom negotiation?

One note of caution is warranted. Some of the more dramatic figures circulating publicly about the Stryker incident appear to originate from attacker claims and have not been independently verified. Boards should be careful not to over-index on those numbers. The confirmed facts are already serious enough and provide more than enough basis for action.

The Stryker incident is important because it shows how cyber risk can become operational risk very quickly, especially when trusted enterprise control mechanisms are turned against the company itself.

That is why this event belongs on the board agenda.

It is not simply a story about one attack.

It is a warning about the kind of cyber failure that can materially disrupt a modern enterprise.

Read more

Companies spend billions on cybersecurity, yet breaches keep happening. The assumption is that more spending equals more security. But the truth is, many organizations waste money on tools they don’t fully utilize while ignoring simple, cost-effective solutions.

If you think security requires a massive budget, think again. Some of the most effective defenses cost little or nothing at all.

Here are five ways to improve your security posture today without spending a fortune.

1. Reduce Your Attack Surface - For Free

Most attacks don’t succeed because hackers use advanced techniques. They succeed because companies leave doors wide open.

• Unused user accounts remain active

• Employees have excessive access rights

• Old software lingers unpatched

• Cloud services are left exposed with weak configurations

These are free security risks - meaning they cost nothing to fix.

Actionable steps:

• Remove inactive accounts and revoke excessive privileges

• Enforce the principle of least privilege - employees should only access what they need

• Regularly audit cloud configurations and close unnecessary access points

• Patch systems systematically instead of relying on sporadic updates

You don’t need a new tool for this. You need discipline. And discipline costs nothing.

2. Use Open-Source Security Tools Instead of Expensive Software

Some companies believe only high-priced enterprise security solutions can protect them. But some of the best cybersecurity tools are free and open-source.

A few examples:

• OSSEC - A host-based intrusion detection system that monitors for unauthorized activity

• Snort - A powerful network intrusion detection tool used by security professionals worldwide

• Security Onion - A full security monitoring platform with built-in tools for threat hunting

• KeePass - A secure, offline password manager to enforce strong credentials

These tools compete with expensive commercial alternatives. The only cost is the time required to configure them properly.

3. Automate Security Tasks Instead of Hiring More Staff

Security teams are overwhelmed with manual tasks - monitoring logs, responding to alerts, enforcing policies. Hiring more people is expensive. Automating repetitive tasks is not.

Some low-cost automation options:

• Set up alert triggers - Instead of manually checking logs, configure automatic alerts for unusual activity

• Use script-based automation - Basic security scripts can automatically disable inactive accounts, enforce password resets, or patch systems overnight

• Leverage built-in security features - Many cloud platforms (AWS, Azure, Google Cloud) offer automated security monitoring for free

Automation allows your existing team to focus on real threats rather than wasting time on routine security maintenance.

4. Train Employees With Realistic Attacks, Not Boring Lectures

Most security awareness training fails because it’s treated as a compliance exercise. Employees click through slides, take a multiple-choice test, and forget everything within days.

Instead, train people with realistic, hands-on attacks:

• Conduct phishing simulations where employees experience an actual attack scenario

• Run live security drills where staff must respond to a staged security incident

• Offer incentives for employees who report suspicious activity before an actual attack happens

Companies that implement hands-on training reduce phishing click rates by up to 75%.

The cost?

Practically nothing.

The benefit?

Avoiding costly breaches caused by human error.

5. Focus on Incident Response Instead of Just Prevention

Most organizations spend money trying to prevent attacks but have weak plans for responding when one happens. The reality is, no system is 100% secure. Attackers only need one vulnerability to get in.

A well-prepared company can contain an attack in minutes. A poorly prepared company takes weeks - sometimes months - to recover. The difference is preparation, not budget.

Simple, cost-effective improvements:

• Develop a basic incident response playbook that outlines who does what when an attack occurs

• Conduct table-top exercises to practice responding to real-world attack scenarios

• Implement offline backups that can be quickly restored in case of ransomware

None of this requires an expensive security solution. It requires planning, execution, and a mindset shift from “if an attack happens” to “when an attack happens.”

The Bottom Line: Security Is About Priorities, Not Just Spending

Cybersecurity budgets don’t guarantee protection. Many breaches happen in companies that spend millions on security. What matters is not just how much money is spent but how effectively it is used.

The strongest security defenses often come from better policies, tighter controls, and well-trained people.

The best part?

They cost nothing but effort.

The question is not whether you have enough budget for cybersecurity. The question is whether you are using what you already have to its full potential.

Read more

Your company just got hit with a cyber attack: Customer data stolen. Operations shut down. Millions in ransom demanded.

You call your cyber insurance provider, expecting full coverage - Then you get the bad news. The policy doesn’t cover ransomware. You didn’t meet the insurer’s security requirements.

Finally, your claim is denied.

Now what?

Many companies buy cyber insurance thinking it’s a safety net. But if you don’t understand how cyber policies work, you might still be on the hook for millions.

So, is cyber insurance worth it? And how do you make sure you’re actually covered when disaster strikes?

What Cyber Insurance Actually Covers (And What It Doesn’t)

Cyber insurance isn’t magic. It won’t make an attack go away. But it can help pay for the damage.

What’s Typically Covered?

• Incident Response Costs → Forensic investigations, legal fees, PR crisis management

• Data Breach Costs → Notifying customers, offering credit monitoring

• Ransomware Payments → If allowed by law

• Business Interruption → Lost revenue from downtime

• Regulatory Fines → GDPR, CCPA penalties (if included in policy)

What’s Usually NOT Covered?

• Pre-existing vulnerabilities → If you failed to patch a known issue

• Negligence → If you ignored basic security controls

• Lost future revenue → Business damage beyond downtime

• Reputational harm → Loss of customers due to breach fallout

Some companies assume they’re covered until they realize the fine print says otherwise.

The fix? Get the right policy and make sure you actually qualify for coverage:

Step 1: Know What Type of Cyber Insurance You Need.

Not all cyber insurance policies are the same.

There are two main types:

1. First-Party Coverage → Covers your company’s direct losses

2. Third-Party Coverage → Covers legal claims from customers, vendors, or partners

Which one do you need?

If your company handles customer data: Get Third-Party Coverage (protects against lawsuits). If a cyber attack could shut down operations: Get First-Party Coverage (pays for downtime costs). If you store financial or medical records: Get coverage for regulatory fines (GDPR, HIPAA).

But be careful: Some policies don’t include ransomware payments. If you want coverage, you need to request it.

Step 2: Meet the Security Requirements (Or Your Claim Will Be Denied)

Insurance companies don’t pay out for companies with bad security. If you don’t meet minimum cybersecurity standards, your policy is useless.

What insurers look for before approving a claim:

• Multi-Factor Authentication (MFA) → Required for remote access & privileged accounts

• Regular Patching & Vulnerability Management → No coverage for ignored security updates

• Incident Response Plan → Must show you have a plan for handling breaches

• Endpoint Detection & Response (EDR) → Helps detect threats early

• Access Controls → Least privilege & Zero Trust measures

But what happens if you don’t meet these standards? Your insurer can deny your claim - no matter how much you paid in premiums.

Fix this before an attack happens.

Step 3: Watch for Hidden Loopholes in Your Policy

Cyber insurance policies are full of fine print.

Read carefully for these hidden clauses:

• “War Exclusions” → Some insurers won’t cover attacks from nation-state hackers.

• “Failure to Maintain Security” → If an attack exploits an unpatched system, you might not get paid.

• “Acts of Employees” → If an insider causes the breach, your policy might not apply.

• “Retroactive Coverage” → Some policies only cover incidents after a certain date.

Ask your insurer exactly what they cover and what they don’t - before you sign anything.

Step 4: Calculate Your Cyber Insurance Coverage Needs

How much should you insure? Here’s a simple way to estimate:

Cyber Risk Exposure = (Estimated Attack Likelihood) x (Financial Damage of an Attack)

But how does translated into the real world? Here’s an example:

• Likelihood of a ransomware attack → 20% per year

• Estimated downtime cost → $10M

• Regulatory fines & legal fees → $5M

Total exposure: $3M risk per year

How much cyber insurance should you buy? At least $3M in coverage - but more if you handle sensitive data.

Step 5: Negotiate Your Cyber Insurance Premiums

Cyber insurance costs are skyrocketing. In the past 5 years:

• Premiums have increased 300%

• Ransomware claims are up 400%

• Some companies are getting denied coverage entirely

But you can lower your premiums if you prove strong cybersecurity measures (MFA, EDR, Zero Trust). I also recommend to document and showcase your history of low incidents, because fewer breaches euqals to lower risk.

And in general, demonstrate an active risk management process and strong incident response processes are a gamechange in negotiating premiums down.

You might also talk to an insurer who won’t cover ransomware payments. Then ask for higher business interruption coverage instead.

The Bottom Line: Cyber Insurance is NOT a Replacement for Cybersecurity

Cyber insurance won’t stop a breach.

But if used correctly, it can save your company from financial disaster. Get the right coverage for your business needs. Meet all security requirements - before disaster strikes. Watch for exclusions that could leave you unprotected. Negotiate your policy to maximize coverage at the lowest cost.

Because at the end of the day, a good cybersecurity strategy prevents attacks.

A smart cyber insurance policy ensures your business survives when they happen.

Cybersecurity is no longer just a technical field. It’s a battlefield where the pace of change is accelerating, the stakes are higher than ever, and AI is rapidly reshaping the rules of engagement.

The irony? In an industry built on protecting digital systems, the biggest threat to professionals today might be their own obsolescence.

So how do you stay relevant in a domain being rewritten by automation, algorithms, and artificial intelligence?

Here’s the hard truth—and the path forward.

Read more

Read more

Read more

Today's cyberspace is more complex than ever before. Following decades of relative stability, the world is now marked by increased geopolitical conflicts, the growing prowess of cybercriminals, and rapid advances in emerging technologies. This escalating complexity presents a profound challenge to achieving cyber resilience, with significant consequences for organizations and nations. Cyber insecurity is identified as a global risk across multiple time horizons, threatening supply chains, financial stability, and democratic systems. The financial toll is staggering, with losses from cybercrime estimated to have exceeded $12.5 billion in 2023 according to the FBI. Recent incidents, such as a global IT outage that disrupted numerous critical sectors and caused an estimated $5 billion in losses, starkly underscore the vulnerabilities inherent in our increasingly interconnected digital world. Leaders must adopt a security-first mindset in this complex environment.

Why should I care as a business owner?

Business leaders today face a confluence of compounding factors driving this complexity, presenting significant pain points. A key challenge is the increased integration of and dependence on complex supply chains, leading to a more opaque and unpredictable risk landscape. Supply chain challenges are the leading cybersecurity risk for organizations, with 54% of large organizations identifying them as the biggest barrier to achieving cyber resilience. Concerns centre on software vulnerabilities introduced by third parties and the propagation of attacks throughout the ecosystem. Lack of visibility and oversight into the security levels of suppliers is a major issue. Adding to this, dependence on a limited number of critical providers can create systemic points of failure, with cyberattacks or outages causing far-reaching consequences. Managing third-party compliance with security requirements is also a significant challenge.

Another major concern stems from the rapid adoption of emerging technologies, particularly AI, which contributes to new vulnerabilities. While 66% of organizations expect AI to have the most significant impact on cybersecurity in the coming year, only 37% have processes in place to assess the security of AI tools before deployment. This creates a paradox where organizations race to adopt AI without necessary security safeguards, potentially introducing vulnerabilities. Small organizations are particularly exposed, with 69% lacking adequate safeguards for secure AI deployment, exacerbating cyber inequity. Furthermore, cybercriminals are harnessing AI effectively to enhance the sophistication and scale of attacks. Adversarial advances powered by Generative AI are a primary concern for nearly 47% of organizations. These tools lower the cost and required expertise for cybercrime, enabling sophisticated attacks like deepfake impersonations of senior leaders used for fraud. Phishing and social engineering attacks have seen a sharp increase, partly due to AI augmentation.

The proliferation of regulatory requirements around the world adds a significant compliance burden. Over 76% of CISOs report that the fragmentation of regulations across jurisdictions greatly affects their organizations' ability to maintain compliance. Many respondents find regulations too complex, too numerous, or struggle to verify third-party supplier compliance. This intricate "regulatory jigsaw puzzle" can sometimes detract from developing customized, risk-based strategies.

These challenges are exacerbated by a widening cyber skills gap. Two out of three organizations report moderate-to-critical skills gaps, including a lack of essential talent and skills. Only 14% of organizations are confident they have the necessary people and skills today. This shortage leaves organizations vulnerable to sophisticated attacks. The demand for professionals skilled in operating AI and defending against it is growing, yet 67% of leaders noted a shortfall in investments in AI skills within their organizations. Furthermore, burnout among cybersecurity professionals poses a significant retention challenge.

Escalating geopolitical tensions are also a major factor, influencing the cybersecurity strategy of nearly 60% of organizations. Geopolitical turmoil affects the perception of risks, with CEOs citing cyber espionage and loss of sensitive information/IP theft as top concerns. State-sponsored attackers are increasingly targeting not just governments but also economies and critical infrastructure, with organizations risking becoming collateral damage. The spillover from nation-state threats into the cybercriminal domain further complicates the landscape. Critical infrastructure, including energy, water, telecommunications, and space technologies, is increasingly targeted.

This complexity fuels cyber inequity, widening the gap between organizations with sufficient resources ("cyber haves") and those struggling ("cyber have-nots"). Some 35% of small organizations believe their cyber resilience is inadequate, a proportion that has increased sevenfold since 2022. By contrast, the share of large organizations reporting insufficient cyber resilience has nearly halved. 71% of cyber leaders believe small organizations have reached a critical tipping point where they cannot adequately secure themselves against rising cyber risks. This inequity extends to regions, with less confidence in critical infrastructure preparedness in Africa and Latin America compared to Europe and North America. The public sector is also disproportionately affected by insufficient resilience and workforce shortages compared to medium-to-large private organizations. Since the overall resilience of the ecosystem is determined by its weakest links, this inequity creates systemic vulnerabilities.

Business leaders also face challenges in quantifying cyber risks and their economic impacts, making it difficult to assess the required investment and balance it with competing priorities. While leaders increasingly integrate cyber-risk management into enterprise risk management, fewer than half of CEOs believe their organizations invest enough.

Despite these formidable challenges, there is a compelling case for prioritizing cybersecurity. Framing cybersecurity as a critical investment for the future rather than a mere expense is essential. Leaders have the opportunity to build resilient ecosystems and safeguard the benefits of digitalization for all. Achieving cyber resilience ensures the organization's ability to minimize the impact of significant cyber incidents on its primary goals and objectives. Proactive security measures, while costly, are negligible compared to the financial consequences of an attack. Effective cybersecurity is not just about technical defence; it's about safeguarding the business's bottom line, long-term viability, market share, brand trust, and customer confidence. It supports business continuity and digital trust. Organizations that embrace proactive risk management and collaborative approaches can reduce disparities and address systemic vulnerabilities. Leaders who have the resources to help those without them can enhance the resilience of the entire ecosystem. Ultimately, building resilience demands a shift in perspective, recognizing cybersecurity as a collective responsibility.

What can you do?

To navigate the increasing complexity and build resilience, business leaders can take several actionable steps:

1. Adopt a Security-First Mindset and Integrate Cyber Risk into Business Strategy: View cyber risk not purely as an IT problem but as an overall business risk. Translate technical risk into business impact, quantifying risks and their economic effects to align investments with core business objectives. Ensure leadership engagement and oversight, with boards receiving regular updates on cyber risks and trends.

2. Strengthen Supply Chain Cybersecurity: Recognise that supply chain interdependencies are a top risk. Enhance visibility into third-party dependencies and work to enforce security standards on suppliers. Implement secure software development practices and explore standardization or certification for greater trust. Invest in your own business resilience strategies, not relying solely on critical providers like SaaS partners.

3. Adopt AI Securely: Implement processes to assess the security of AI tools before deployment. Foster a strong cyber culture as central to integrating AI safely. Define the right risk tolerance for AI technologies, govern their deployment, and ensure consistency with organizational policies and regulations. Understand organization-specific vulnerabilities related to AI adoption.

4. Address the Cyber Skills Gap: Acknowledge the critical workforce shortage. Invest in upskilling current employees and recruiting from non-traditional backgrounds beyond traditional cyber degrees. Leverage AI to augment human capabilities, focusing on training the workforce to harness AI for positive outcomes. Rethink recruitment practices and prioritize retention strategies, including addressing burnout and promoting employee well-being.

5. Foster Collaboration and Information Sharing: Recognize that sophisticated, borderless cybercrime demands a unified response. Engage in stronger collaboration between public and private sectors. Participate in information-sharing and threat intelligence initiatives, for example, through CERTs or ISACs. Embrace an ecosystem-based approach for collective defence.

6. Improve Incident Response Capabilities: Accept that 100% security is unattainable; focus on developing adaptable strategies to minimize impact. Foster a security culture that incentivises incident reporting through training, support teams, anonymous channels, and non-punitive policies. Develop and utilize cyber-incident response playbooks tailored to incident types.

7. Contribute to Reducing Cyber Inequity: Larger, more resilient organizations have an incentive to support smaller, less-capable entities to enhance ecosystem resilience. This can involve sharing knowledge or supporting initiatives aimed at capacity building and providing resources to struggling sectors or regions. Advocate for government incentives for SMEs to adopt proactive security measures.

8. Maintain Foundational Cyber Hygiene: Amid rapid technological change, do not neglect the basics. Continuously prepare to respond to threats by focusing on foundational practices and vulnerability management.

9. Integrate IT and OT Security: Recognize that organizational resilience requires addressing IT and OT security holistically, as they can no longer be treated in isolation. Implement "security by design" and "security by operations," including continuous monitoring and regular assessments for operational environments.

10. Prepare for Quantum Threats: While the full impact is uncertain, quantum security risks are present. Begin conducting risk assessments and develop a quantum-readiness strategy. Stay informed about and consider adopting post-quantum cryptography standards and related technologies.

Addressing complexity requires decisive leadership action and treating cybersecurity as a strategic imperative rooted in its economic implications. By implementing these actions, leaders can build resilience that permeates the entire organization and contributes to a more secure digital ecosystem for all.

Read more

We explore what this means…

Read more

Imagine this: You walk into the office, check your email, and see an urgent message from your security team. The network is locked down. Every file, every system, every critical piece of data is encrypted. A note appears on screens across the company:

“Pay $5 million in Bitcoin, or you’ll never see your data again.”

Your mind races. How did this happen? How much damage is already done? Should you pay? What if they take the money and still leak your data?

For CISOs, this is not a hypothetical scenario. It is a daily reality somewhere in the world. Every year, ransomware attacks cost businesses billions of dollars. The worst part? Even companies with strong security measures fall victim. But those who survive – those who recover without crippling losses – do not rely on luck. They have a plan.

Ransomware is a Business Killer

Ransomware attacks are no longer just about locking files. Modern attacks exfiltrate data before encryption, ensuring that even if you have backups, hackers still have leverage. They threaten to leak customer records, financial statements, and intellectual property.

For a CISO, the stakes are clear:

• Financial Damage - Ransom demands are increasing, but the real cost comes from downtime, lost revenue, and regulatory fines.

• Reputation at Risk - Customers and partners will ask one question: Can we still trust you?

• Legal Consequences - Depending on your industry, you could face lawsuits, government investigations, and compliance penalties.

When Seconds Turn Into Millions

The worst time to plan for a ransomware attack is during a ransomware attack. Once hackers have locked your systems, time works against you. Every minute of downtime costs money. In critical industries like healthcare and finance, losses can reach millions per hour. Incident response teams scramble to understand the scope of the attack, but without a predefined strategy, chaos takes over. The pressure to pay grows as employees, customers, and executives demand immediate action.

Some companies recover quickly, while others never do. The difference is preparation.

A Battle-Tested Ransomware Survival Plan

A ransomware attack is not an IT problem. It is a business crisis. The companies that survive follow a structured plan before, during, and after the attack. The only way to win against ransomware is to assume it will happen and prepare accordingly.

(1) Backups That Actually Work

Daily backups are useless if attackers encrypt them too. Store backups offline, in air-gapped systems. Test restoration regularly. A backup that cannot be restored in real-world conditions is worthless.

(2) Segment Your Network

Limit the blast radius of an attack. Use zero-trust principles: no user or system should have access to more than necessary. Implement strict access controls and multi-factor authentication (MFA).

(3) Train Employees Like It’s Life or Death

Over 90% of ransomware attacks start with phishing. Teach employees how to recognize suspicious emails, unusual requests, and social engineering tactics.

(4) Have a Ransomware-Specific Incident Response Plan

A general cybersecurity plan is not enough. Assign clear roles: Who makes the call on paying ransom? How is the company communicating with customers and regulators? Also, conduct tabletop exercises. Simulate real attacks so teams can practice decision-making under pressure.

During the Attack: Contain the Damage

The first few hours determine the scale of the disaster. The goal is to limit the attack’s spread and assess the situation.

(5) Isolate Infected Systems

Disconnect compromised machines from the network immediately. Shut down file-sharing services and cloud connections to prevent further encryption.

(6) Do Not Rush to Pay

Paying ransom does not guarantee recovery. Some attackers take the money and disappear. Others leave backdoors for future attacks. If customer data is stolen, paying ransom does not erase the legal consequences.

(7) Engage External Experts Immediately

Call your incident response team. If you do not have one, this is the moment you realize why you should have. Contact law enforcement. Many governments discourage ransom payments, but they can provide intelligence on whether decryption tools exist for the specific ransomware strain.

(8) Secure Internal and External Communication

Assume hackers have access to your email system. Use out-of-band communication channels for critical discussions. Avoid making public statements until you have a full understanding of the situation.

After the Attack: Recover and Prevent the Next One

Once the immediate crisis is contained, the real work begins.

(9) Restore Systems in Phases

Rushing to bring everything back online can reintroduce malware. Recover in stages, starting with critical infrastructure.

(10) Investigate How the Attack Happened

Was it a phishing email? A compromised remote desktop protocol (RDP) login? A software vulnerability? Conduct a full forensic analysis. Find the initial entry point and close it permanently.

(11) Rebuild Trust with Customers and Regulators

Be transparent but strategic in communication. A well-handled response can strengthen credibility, while a poor one can destroy it. Offer identity protection services to affected customers if personal data was exposed.

(11) Harden Security Against the Next Attack

If you were attacked once, you are now a target for future attacks. Hackers know you might pay again. Invest in threat detection, endpoint security, and real-time monitoring to catch suspicious activity before it escalates.

A Simple Rule: Plan Like You Have Already Been Hacked

Most companies that survive ransomware do not survive because they were lucky. They survive because they expected an attack and built defenses accordingly.

They had tested backups. They had an incident response team ready. They knew exactly what to do the moment the first ransom note appeared.

For a CISO, there is no question of if ransomware will strike, only when. Those who prepare today will still have a company to protect tomorrow.

Read more

Most CISOs walk into executive meetings armed with charts, dashboards, and detailed threat reports. They leave those meetings frustrated, wondering why the CEO looked bored halfway through.

Here’s the truth: it’s not because cybersecurity isn’t important. It’s because most of what gets reported has no connection to how a CEO thinks.

Telling your CEO about patch compliance percentages, threat feed volumes, or port scan detections is like explaining turbulence patterns to passengers mid-flight. It may be accurate, but it doesn’t help them understand whether the plane is going to land safely.

CEOs don’t want to understand cybersecurity. They want to understand risk, impact, and performance. In other words, they want clarity on one thing: how safe is the business, and what’s it going to cost if it isn’t?

Information Overload, No Business Clarity

Cybersecurity teams often present metrics that make perfect sense to a security professional but mean very little to someone running a company. CEOs don’t care how many alerts the SIEM generated last month. They care about how exposed the company is, how soon you’ll know if something goes wrong, and how much damage can be avoided.

This disconnect creates friction. CISOs feel unheard. CEOs feel overwhelmed by technical detail. And somewhere in between, important decisions are delayed or misinformed.

The Cost of Misaligned Communication

When a breach happens, the question isn’t why wasn’t the SIEM fine-tuned enough? The question is why didn’t we see this coming?

Boards and CEOs expect CISOs to provide clarity, not noise. When security reporting doesn’t match executive priorities, the result is underfunded initiatives, ignored warnings, and slow responses.

In high-stakes environments, miscommunication isn’t just inefficient. It’s dangerous.

Focus on the Metrics That Reflect Business Risk

These are the three security metrics that actually resonate in the boardroom.

(1) Time to Detect (TTD) and Time to Respond (TTR)

What it tells the CEO:
How long is our business exposed before a threat is identified and contained?

CEOs understand time. Time is money, reputation, and liability. If your average detection time is 72 hours, you’re telling your CEO that attackers have three days to move laterally, exfiltrate data, or encrypt systems. That’s not a technical detail - that’s a threat to business continuity.

How to report it:
Use a simple model:

• "We currently detect threats in an average of 4 hours."

• "Our containment time is 6 hours, down from 18 hours last quarter."
  Then explain the impact:

• "This reduces potential breach damage by over 40 percent based on current threat modeling."

Frame it in time and money, not tools and logs.

(2) Risk Reduction Over Time

What it tells the CEO:
Are we actually getting safer?

CEOs think in progress, not process. They want to see whether investments in cybersecurity are lowering the company’s risk exposure. If you can't show measurable change, it doesn’t matter how many controls you've deployed.

How to report it:
Use a risk scoring model with clear comparisons.

• "At the start of the year, our top 10 business-critical systems had a combined risk score of 820."

• "Today, that number is 540, due to new access controls and vulnerability remediation."

This tells the CEO that money spent on security resulted in measurable risk reduction. That’s the kind of outcome that gets funded again.

(3) Financial Exposure from Cyber Risk

What it tells the CEO:
How much could a breach cost us - and how much are we saving by reducing that risk?

CEOs are fluent in financial models. If you can’t translate cyber risk into economic impact, you’ll lose your seat at the strategy table.

How to report it:
Calculate exposure using business impact assessments. For example:

• "A ransomware attack on our order processing system would cost us an estimated $2.1 million in downtime and lost revenue."

• "Based on current controls, that exposure is now down to $850,000."

That reduction isn’t just security progress - it’s operational protection, reputational insurance, and a bottom-line benefit.

Be a Translator, Not a Technician

You are not in that boardroom to showcase how well your team configured firewalls. You are there to articulate risk and demonstrate impact.

The CEO doesn’t need a tour of the control room. They need a flight plan. Focus on the few metrics that speak their language - time, risk, and money.

The better you tell the story, the more they will listen. And the more they listen, the safer the business becomes.

Read more

Read more

Cybersecurity doesn’t generate revenue. It doesn’t launch new products. It doesn’t add customers.

At least, that’s how most board members see it.

To them, it’s just another expense - like office rent or printer paper.

Necessary, but not exciting.

But here’s the problem: when cybersecurity is treated as a cost instead of an investment, budgets get cut. And when budgets get cut, security gaps open up. That’s when breaches happen, regulators step in, and lawsuits start flying.

The key to fixing this? Stop talking about security in technical terms. Start talking about it like an investment - one that saves money, protects revenue, and reduces risk.

Here’s how to prove cybersecurity’s ROI in a way your board will actually listen to.

Step 1: Show How Security Saves the Company Money

If you’re asking for a $2 million security budget, you need to show that it’s saving more than $2 million.

Most companies don’t track this. But you can.

How to Calculate It

1. Find the Cost of a Cyber Incident - Look at industry breach reports. If similar companies face an average breach cost of $5 million, that’s your baseline risk.

2. Estimate the Likelihood of an Attack - Use historical data or industry reports to determine the probability of a major incident in a given year (say, 20%).

3. Show How Security Reduces This Risk - If your investments cut the likelihood of a breach from 20% to 5%, you just saved millions.

Example:

• Company risk without strong security: 20% chance of a $5M breach = $1M expected loss per year

• With improved security: 5% chance of a $5M breach = $250K expected loss per year

• That’s a $750K savings - meaning security investments are paying for themselves.

Now, instead of asking for budget, you’re showing how cybersecurity prevents financial losses.

Subscribe now

Step 2: Show How Security Protects Revenue

When security works, nothing happens. No downtime. No lawsuits. No lost customers.

But when security fails? The financial damage can be massive.

How to Prove It

1. Find Your Company’s Revenue Per Hour - Work with finance to calculate how much money your company makes per hour.

2. Estimate Downtime Costs - If a ransomware attack takes systems down for 24 hours, multiply that by revenue per hour.

3. Show How Security Reduces Downtime Risk - Highlight investments in incident response, backup systems, and real-time monitoring that minimize downtime.

Example:

• Company generates $500K per hour

• A ransomware attack could cause 24 hours of downtime = $12M loss

• Security investments reduce downtime risk by 80%, preventing a $9.6M potential loss

Now, security isn’t just a cost - it’s business insurance that keeps revenue flowing.

Step 3: Show How Security Avoids Fines and Lawsuits

Regulators don’t care about excuses. If you lose customer data, you will get fined.

How to Calculate the Risk

1. Look at Recent Fines in Your Industry - Find cases where companies paid millions for security failures (GDPR, CCPA, PCI-DSS violations).

2. Show Your Compliance Risk - If your security controls don’t meet requirements, you’re in the same danger.

3. Show How Security Investments Prevent This - Highlight investments in compliance automation, data protection, and risk assessments that keep the company out of trouble.

Example:

• GDPR fines can be 4% of annual revenue

• If your company makes $1B per year, a data breach could mean a $40M fine

• Investing $2M in compliance saves $38M in potential legal costs

At this point, the board isn’t asking why they should fund security. They’re asking how fast they can approve it.

How to Use This in Your Next Board Meeting

Forget the technical slides. Bring numbers. Show financial impact. Speak in business terms.

Instead of saying:

"We need $2M for endpoint security and SIEM upgrades."

Say:

"This investment will prevent an estimated $10M in losses from breaches, downtime, and fines."

That’s how you move cybersecurity from an expense to an investment. And that’s how you get the budget you need - without the usual pushback.