How leaders should rethink cybersecurity strategy
Fri, 12/26/2025 - 12:00
NIST frameworks, global regulations, AI-driven attacks — today’s cybersecurity landscape is overwhelming even for seasoned executives. But complexity isn’t the real problem. According to cybersecurity expert Dr James Stanger, Chief Technology Evangelist at CompTIA, a leading information technology (IT) certification and training body, breakdowns in communication, outdated processes, and misaligned skills are what quietly expose organisations to risk. In this conversation, James shares what senior leaders should prioritise, how to avoid “boiling the ocean,” and where cybersecurity strategy should truly begin.
1. What are the most common pain points senior leaders face when developing a company-wide cybersecurity strategy?
Most senior leaders face the following challenges:
a. Lack of communication: Successful senior leaders build a strong rapport with their fellow senior leaders. This is easier said than done, because most cybersecurity leaders need to effect changes. Sometimes, these changes are seen as painful. Symptoms of lack of communication include lack of funding, executive technical intolerance, and resistance to change.
b. Improving processes: Successful cybersecurity leaders are able to identify where an organisation has failed to update its processes. Cybersecurity and efficiency should be one and the same; therefore, cybersecurity can, if done right, be seen as a way to make organisations more cost-effective.
c. Managing rapidly-changing technologies: Leaders have been managing what I call the “tech onslaught” for years. But, tech is changing even more rapidly than before. Recently, I spoke with a senior leader from AstraZeneca. He told me that his workers see significant changes and updates in procedures and technologies every three weeks. Three weeks!
Organisations typically go wrong when communication fails. They also go wrong when they try to “boil the ocean,” rather than focusing on the true risks facing the organisation.
2. Are technical threats only one part of the cybersecurity risk landscape?
Regulation and privacy are major concerns worldwide. Increasingly, cybersecurity leaders are seen as risk managers, more than technical wizards. First, cybersecurity leaders should pay attention to processes and systems. The best cybersecurity leaders are process-oriented people, but they are also creative. They are systems-oriented individuals.
Increasing the ability to automate is a root concern. Your ability to automate will help you move the cybersecurity needle. Leaders should pay attention to incident response capabilities, change management procedures, and enhanced monitoring. This includes observability practices (logs, traces, and metrics). But, automating repetitive governance, monitoring, and pen testing tasks is top of mind, right now.
3. What should senior leaders look for when building or expanding their cybersecurity teams?
I would focus less on roles than on specific skillsets that help your organisation address risk. When expanding your team, consider the following:
a. Foundational knowledge: Too many workers – even those with experience – lack foundational knowledge in essential technologies. This can include AI prompting, DNS, understanding of attack life-cycles, and incident response.
b. Answer the following question: Do my existing or new workers understand the most-critical technologies that the business relies on?
c. Map certifications to your business risk: This way, you’re not doing superfluous training. You’re addressing risk directly. Nothing is more transformative to organisations than education. So, I would consider the following:
- Security+: Foundational cybersecurity training that helps people level-set their knowledge. Without this, people won’t have a full understanding of the entire cybersecurity horizon.
- CySA+: Shows that individuals have obtained critical security operations centre and analytics skills. This includes threat identification, incident response, and working with cybersecurity threat intelligence.
- PenTest+: Proves that individuals understand the business of the pen test.
4. How can CISOs integrate emerging threats, such as AI-driven attacks and quantum-level threats, into their cybersecurity planning?
The primary way to do this is to get your workers a snapshot of truly productive ways that AI is used in cybersecurity right now. Our new expansion certification, SecAI+, is an example of a course and certification that does this. How? It quickly cuts to the chase. It focuses on what I call the cybersecurity AI trifecta:
a. Protecting AI itself: The best practices, processes, systems, and tools that allow you to ensure the AI platforms and functionality you are using are as secure as possible.
b. Improving processes: Ways to improve incident response, security analytics, cybersecurity threat intelligence, and penetration testing, among other critical tasks.
c. Improving and automating compliance: Specifically, using AI to de-friction and automate critical compliance and risk management procedures, always under the auspices of human beings.
5. International collaboration is increasingly essential as cyber threats and workforce challenges cross borders. From your work across Japan, the UK, Thailand, and the US, what lessons can Singapore’s cybersecurity leaders draw when shaping national upsk
Cybersecurity threat intelligence and information sharing is critical. In my travels around the world, I often hear from enterprise and government leaders that their needs are unique. That’s usually not the case. It is far more important for leaders to realise that they can learn from others.
Singapore’s leaders have actually done a very good job collaborating with others and learning critical lessons from the experiences of others in most areas. But, most leaders worldwide have not leveraged education properly.
Too often, education is seen as a “nice to have,” rather than a must-have. It is also common for upskilling programmes to adopt popular or “challenging” programs, rather than focus on more valid criteria. Those criteria should include considerations such as:
a. Based on critical skills and/or job roles: The offering needs to create mission-critical skills.
b. Timeliness: It must keep pace with, and even anticipate, critical changes in processes and technologies used in today’s organisations.
c. How well the training helps the organisation manage risk: Map the offerings to the risk management outcome. This avoids the problem where organisations choose an upskilling program for subjective reasons, rather than more rational reasons.
d. The quality of the program: Make sure that the upskilling has been created using international standards (e.g., ISO 17024), and documents how they receive and process input from experts around the world.
e. Legal defensibility: An upskilling program and certification must be created using processes that help avoid bias. It must create a learning and testing environment that truly tests critical knowledge, rather than accidentally or improperly favouring any one type of learner or any one demographic.
f. The efficiency of the program: Make sure that the program uses data-driven and AI-enabled processes. Ensure that it uses hands-on, practical approaches that create cybersecurity muscle memory, rather than giving a theoretical overview of concepts.
g. How engaging the training is: It has to be challenging, but also created so that it engages workers of various generations.
Join us for a closed-door event on 4 February 2026 with James as we take this conversation further by bringing senior leaders and cybersecurity decision-makers together to explore how organisations can translate strategy into action.

