The Boardroom Blind Spot: How CISOs Can Bridge the Cyber Resilience Knowledge Gap

Industry
Written by
Tony Spinelli
Published on
Nov 24, 2025
By Tony Spinelli, VP and Field CISO at Halcyon and Board Member - Peapack Private and Blue Cross Blue Shield Association

From my experience, the board is often only told what's going well. I think we've got to flip the model with a heavy dose of what's not going well, because that's where we can really provide not only oversight but guidance as well. Do you need funding for specific threat scenarios? Is it a personnel issue where you need increased staff? Do we need to think differently about the strategy we're applying for cybersecurity given changes in the threat landscape?

In my recent conversation with Joe Kornik, Editor-in-Chief of VISION by Protiviti, I made clear that this lack of information is one reason boards continue to prioritize traditional prevention-based controls without an equal focus on response, resilience, and recovery, which leaves their organizations vulnerable, especially as the world embraces AI. Where we used to say (naively but ambitiously) "We're going to prevent everything", organizations today must operate under the assumption that breaches will occur. And where we used to ask "What do we do if a breach occurs?", we now must ask "How do we respond when a bad actor gets into our environment? Because it will happen."

The shift required isn't just tactical—it's philosophical. For board members, this means asking different questions, demanding different metrics, and ensuring that recovery and resilience receive the same attention and investment that prevention strategies have historically commanded.  

Closing the Knowledge Gap

When boards are informed about a cyber program, the focus is often on technology. But today's bad actors are really exploiting the human threat vector before moving on to the technical. They're using social engineering and sending AI-generated phishing emails. More nefarious is when they impersonate your IT help desk, convincing employees to share information about their credentials and passwords. If they can't get that, they're cracking those passwords.

What is so challenging for board members and cyber practitioners today is that 98% of these attacks are carried out using valid credentials. Think about that. Is there a cybersecurity tool today that stops valid credentials from working? No.

This reality demands a different conversation in the boardroom. Boards must ensure their organizations are investing in security awareness training for employees, implementing behavioral analytics to detect anomalous use of valid credentials, and deploying deception technologies that can identify attackers even when they're using legitimate access.
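As an added illustration of the behavioral-analytics point above (example code written for this page, not code from the article or from Halcyon): a small baseline check over constructed authentication events that flags successful, valid-credential logins deviating from a user's usual countries, devices, and hours, plus an impossible-travel check. The event format, user baselines, and thresholds are assumptions.

```python
from datetime import datetime

# Constructed per-user baseline (assumed format, not any product's): countries,
# device ids and working hours observed over a prior window.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"lt-0412"}, "hours": (7, 19)},
    "bob": {"countries": {"US", "GB"}, "devices": {"lt-0917", "ph-0917"}, "hours": (8, 20)},
}

# Constructed events: every login SUCCEEDED with valid credentials, so a
# prevention-only control would have allowed all of them.
EVENTS = [
    {"ts": "2025-11-20T09:12:00", "user": "alice", "country": "US", "device": "lt-0412", "mfa": True},
    {"ts": "2025-11-20T02:40:00", "user": "alice", "country": "RU", "device": "unk-771", "mfa": True},
    {"ts": "2025-11-20T10:05:00", "user": "bob", "country": "GB", "device": "ph-0917", "mfa": True},
    {"ts": "2025-11-20T10:30:00", "user": "bob", "country": "BR", "device": "ph-0917", "mfa": False},
]


def score_event(ev, prior, baseline):
    """Return the ways a successful login deviates from the user's baseline."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["user has no baseline"]
    reasons = []
    if ev["country"] not in b["countries"]:
        reasons.append("new country")
    if ev["device"] not in b["devices"]:
        reasons.append("new device")
    when = datetime.fromisoformat(ev["ts"])
    if not b["hours"][0] <= when.hour < b["hours"][1]:
        reasons.append("outside usual hours")
    # Impossible travel: a different country within an hour of this user's previous login.
    if prior and prior["country"] != ev["country"]:
        if (when - datetime.fromisoformat(prior["ts"])).total_seconds() < 3600:
            reasons.append("impossible travel")
    if not ev["mfa"]:
        reasons.append("no MFA step recorded")
    return reasons


def find_anomalies(events, baseline=BASELINE, min_reasons=2):
    """Flag logins with at least min_reasons deviations; one weak signal alone is noise."""
    last, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = score_event(ev, last.get(ev["user"]), baseline)
        if len(reasons) >= min_reasons:
            flagged.append((ev["user"], ev["ts"], reasons))
        last[ev["user"]] = ev
    return flagged
```

Run against the constructed events, the two logins that would pass a credential check (alice at 02:40 from a new country and device, bob's second login 25 minutes later from another country without MFA) are the ones flagged, while both users' routine logins are not.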

The Domino Effect of Supply Chain Disruptions

Recent geopolitical developments and high-profile attacks have exposed a critical vulnerability: supply chain interdependencies. Organized crime groups—Scattered Spider, Akira, Medusa, and Qilin—are targeting supply chains because of the outsized leverage they provide.

Consider the scale of disruption: Jaguar Land Rover recently suffered an attack that cost an estimated $260 million and halted production for six weeks. But the impact extended far beyond that single company. With 5,000 businesses in their supply chain, each dependent on continued operations to pay employees and fulfill their own obligations, the economic ripple effects are staggering—potentially affecting entire economies.

For boards, this means asking tough questions about supply chain resilience. Do we understand our critical dependencies? Have we identified single points of failure? What is our plan if a key supplier goes offline due to a cyberattack? These scenarios require tabletop exercises and stress testing that go beyond traditional business continuity planning.

Preparing for AI

For board members, I think it comes down to inquiring about four critical things:

  1. AI Policy and Practice: Using the NIST AI risk management framework will help you think holistically about the specific policies, practices, and procedures that will ensure you are really well-controlled.
  2. Data Governance: AI requires powerful data modeling. You have to have a really strong understanding of the uses of that data. As a board member, I would make sure you ask to be walked through the data governance program, not just for AI, but the data governance program for the org as a whole.
  3. Use Case Risk Assessment: Having a risk assessment process built around AI use cases is going to be absolutely critical. So, suppose you're using large data models. In that case, you're using a lot of customer information, a lot of proprietary information, a ton of PII information. You're going to do some very articulate and challenging things with AI with that data, so it's paramount that each one of these use cases has its own risk assessment.
  4. Third Parties: You don't have complete control of your third parties, but in many cases, your third parties are either providing you data, or you're providing data to them that's going to be part of that AI model in some way. Never take your eye off your third parties.

Closing the Cyber Talent Gap

Is there enough AI capability out there right now to meet the demands that the future will bring? No.

Boards really need to start thinking about hiring more cyber talent as AI becomes a bigger part of their organizations. Having that talent is critical to understanding how AI can be used to protect your enterprise and then guard against AI from an offensive perspective. You're going to need cyber talent that's much more focused on recovery, response, and reaction.  

The days of prevention being your sole strategy and enough to remain secure are over. The question now is whether your organization is prepared to respond, recover and remain resilient when—not if—an attack occurs.

To learn more about how Halcyon helps organizations build resilient ransomware defenses, visit Halcyon.ai.
