Reframing risk: how CISOs can shape boardroom discussions on cyber threats 

In the age of AI, CISOs must guide firms through intricate regulatory landscapes, demonstrating how compliance can mitigate risks and enhance data security to form a robust cybersecurity strategy

Secureworks Header

Cybersecurity threats are a serious risk for any business - a recent UK government survey reported that 50% of UK businesses have experienced a breach or attack in the last 12 months, rising to almost three quarters of large businesses. New technologies mean new risks, as well as new regulations to navigate. 

To succeed in the current environment, business leadership needs to understand the risks both as they exist now and as they evolve. Being able to execute proper management of these risks is key to maximising opportunities for their organisation: the role of a CISO has never been more critical to the overall business success of an organisation. 

Cyber threats can take many forms - stealing data, holding data hostage, extortion, ransomware and corporate espionage. As technology continues to evolve, the threats evolve too. Ken Deitz, CISO of cybersecurity firm Secureworks, points to AI as an example of this: “If you’re trying to build and operate generative AI services, there’s a new threat landscape - whether through prompt injections that trick the AI into providing answers that it shouldn’t provide, data poisoning that trains the AI to act in incorrect ways, or a myriad of other threats.” 

There’s more cause for concern than AI potentially opening holes for attackers to use - it can also help them create new forms of attack. “Just like good companies are trying to use AI to make their workforce more efficient, the threat actors are also trying to gain efficiency and knowledge from AI,” says Deitz. That comes both in the form of helping attackers improve their code and tooling and in providing new tools. 

There’s been a rise in new cyber attacks, from efficiently generating convincing phishing emails targeted at victims in multiple languages to deep fakes that can be used to impersonate key personnel and authorise fraudulent financial transactions. The rapidity of technological change means it’s imperative for firms to dedicate resources to keeping up with new threats. Simply preparing for what exists now isn’t enough when the landscape is changing so quickly. 

It isn’t just threats that are evolving: the regulatory environment is also shifting, especially for companies currently operating in, or looking to expand into, different markets. Even understanding which set of regulations need to be adhered to can be complex. In Europe, companies need to understand legislation from both the EU and individual countries, whereas in the US privacy laws vary between different states - and all these considerations may interact depending on where data is being stored and processed. Companies need to protect themselves against cybercriminals, but they must simultaneously ensure they don’t risk fines or prosecution because of how they manage customer data. 

From red tape to resilience 

Regulatory compliance doesn’t have to be seen as a burden. In fact, it can reduce the damage that cyber attacks can cause. Deitz explains how data compliance can help companies reduce the chance of putting their business in jeopardy. “Companies are trying to gather data, they’re trying to analyse data and they’re trying to use that data to improve their business, to make money, to do many things,” he says. 

“But there is a point when it can become toxic. Having large amounts of readily accessible data can become an issue, not just for regulation but also during any sort of security incident.” Deitz suggests companies should reduce the amount of data they have, concentrating efforts on maximising the effectiveness of the data they’re collecting while minimising the volume of it. This is the best way to keep one’s customer and teammate data safe. 

Having large amounts of readily accessible data can become an issue, not just for regulation but also during any sort of security incident

Ensuring that the data a firm holds is compliant with the regulatory regime it operates in might feel like an overwhelming amount of red tape. However, in the event of a cybersecurity breach, a compliant business will be exposed to less risk than a non-compliant one. Deitz warns that firms should be concerned not just with the safety and security of their services and products, but customer privacy and individual privacy. “If you go in with those design principles, it’s going to be a lot easier,” he says. The same underlying principles can help firms mitigate against regulatory and cybersecurity risks. Businesses should be building a security culture that encourages every team to instinctively reduce exposure. 

A CISO’s role can be seen primarily as defensive. There’s an assumption that CISOs deal purely with loss prevention, justifying any cost to the business purely on the basis that it reduces the chance of security incidents that will have a far greater cost. In actual fact, the role of a CISO should be about creating opportunities for a business. Growing a business always entails taking on risk and cyber threats are a key part of that. Implementing safeguards to protect against those threats allows a business to grow more quickly, take on new customers and drive revenue. Rather than simply preparing for worst case scenarios, the CISO can and should be seen as someone who is laying the groundwork for the best case scenarios. 

Failing to take cybersecurity seriously can come with a heavy cost - in 2023 the average worldwide cost of a data breach was reported to be nearly $5m - so it is undeniable that every firm needs to take action against the risks involved. While it may not be an area that business leaders would choose to spend money on in an ideal world, it’s important not just to view mitigation as a ‘defensive shield’ but as an integral part of how a modern business operates, from senior leadership across the entire firm. 

A CISO needs to ensure they’re not just managing risk as though it was a separate business department, but that they’re winning support from leaders across the entire organisation. While rapid technological change is enhancing business operations, AI is also allowing cyber criminals to become more sophisticated in their approach, increasing the risk-factor CISOs must combat. Building a business culture that drives growth, navigates compliance and protects against risk effectively is imperative in the face of a rising tide of cyber attacks.

For more information please visit