The past few years have seen a dramatic shift in how organizations protect themselves against attackers. The rise of AI and the fast-paced digitalization have changed the security landscape, making CISOs’ jobs more complex than ever before.
This rapidly changing environment demands a fresh mindset, one that challenges long-held assumptions about what keeps organizations secure. Is video and verbal authentication still reliable in an era of AI-generated deepfakes? Can we still use spreadsheets to manage digital certificates’ expiration dates? And are quantum threats something to worry about now, or are they still just science fiction?
Security experts weigh in on the myths that we finally need to retire.
Humans will be replaced by AI in cybersecurity
Many CISOs and other executives have strong opinions about AI’s role in cybersecurity and the ways it could change (or not) the industry. But while AI excels at processing data at high speed and spotting patterns across vast datasets, it lacks multiple qualities that humans bring to the table.
“It’s not humans or AI – it’s both, working in partnership to eliminate the ‘noise’ and keep real threats out,” says Joe Partlow, chief technology officer at ReliaQuest. “Even the best agentic AI can’t know the nuances of the business context that’s required to respond effectively to cyber-attacks.”
By automating repetitive tasks, AI allows human analysts to spend more time on strategic decisions and tailored responses. “Humans working collaboratively with agentic AI teammates is the only way security teams are going to stay ahead of continuously evolving threats,” says Partlow.
Big tech platforms have strong verification that prevents impersonation
Some of the largest tech platforms like to talk about their strong identity checks as a way to stop impersonation. But looking good on paper is one thing, and holding up to the promise in the real world is another.
“The truth is that even advanced verification processes can be easily bypassed,” says Ben Colman, CEO of Reality Defender.
When OpenAI launched Sora 2, its new text-to-video platform, Colman and his colleagues managed to create deepfakes of CEOs and celebrities that passed Sora’s multi-step “Cameo” verification. And they did it in under 24 hours.
“Despite live video and verbal authentication steps, the platform’s safeguards failed to detect the impersonations, proving that current verification tools are not yet equipped to handle AI-generated manipulation,” Colman adds.
The bottom line? Trusting verification alone isn’t enough anymore. Organizations need layered, adaptive defenses that assume bad actors will try to break through.
Your investments in identity providers protect you from the latest attacks
While identity solutions and SASE (secure access service edge) platforms can help, they are not perfect. Organizations remain just as vulnerable to phishing, credential theft, and other basic attack techniques that adversaries continue to use.
“If you’re spending millions on identity and SASE projects but still experiencing major incidents, the problem is not that these technologies don’t work. The problem is that your security approach hasn’t evolved to match modern attacker behaviors,” says Brian Soby, CTO and co-founder of AppOmni.
Soby argues that most corporate security strategies today resemble aviation’s “big sky theory” of collision avoidance, which means that they’re betting on low odds of being targeted, because the number of potential victims is immense.
This theory, however, no longer holds, says Soby. These days, the skies are actually crowded, so there’s a good chance that collisions might occur. “Ask yourself: Would we have been vulnerable to the latest campaigns? If the answer is yes, it’s time to face the hard truth: your defenses rely more on luck than security,” Soby says.
Buying more tools can bolster cybersecurity protection
One of the biggest traps businesses fall into is the assumption that they need more tools and platforms to protect themselves. And once they have those tools, they think they are safe.
Organizations are lured into buying products “touted as the silver-bullet solution,” says Ian McShane, Arctic Wolf’s field CTO. “This definitely isn’t the key to success.”
Buying more tools doesn’t necessarily improve security, because organizations often don’t have a tools problem but an operational one. “By prioritizing and embracing security operations where they can make the best of their existing investments instead of endless cycling through new vendors and new products, they will go a long way toward addressing the rapidly evolving threat landscape in a way that meets the unique needs of their business,” says McShane.
Hiring more people will solve the cybersecurity problem
Professionals who are truly talented and dedicated to security are not that easy to find. So instead of searching for people to hire, businesses should prioritize retaining their cybersecurity professionals. They should invest in them and offer them the chance to gain new skills.
“It is better to have a smaller group of highly trained IT professionals to keep an organization safe from cyber threats and attacks, rather than a disparate larger group that isn’t equipped with the right skills,” says McShane. “While hiring new team members can be beneficial, the time and money spent by a business on hiring new employees can be used more effectively to bolster their security infrastructure.”
If we solve for the latest attack, we’ll be safe
Many companies fall into the trap of chasing the last breach, concentrating their defenses on known threats while neglecting broader, proactive strategies. “Only focusing on what has happened is a good way to be hit by what’s next,” says Ian Bramson, VP of global industrial cybersecurity at Black and Veatch.
This issue has become even more evident with the rise of AI. “As companies become more digital and automated, cybersecurity becomes more central to strategic growth,” Bramson adds. “For example, an all-source monitoring approach can help you spot patterns and identify shifting threats that haven’t even reached your operational technology (OT) environment.”
A robust monitoring program can give organizations a clearer view of their risk landscape. “This allows you to prepare and take actions before they become a real incident or attack,” Bramson says.
You can cover all the gaps if you perform enough testing and analysis
While thorough testing and analysis can help identify and address many security gaps, no system can ever be completely secure. “Techniques and threat actors are evolving constantly, so it’s certainly best to cover all the bases and prevent entry in the first place, but assume a cyber-attack will happen,” says Katy Winterborn, director of internal security at NCC Group.
CISOs and their organizations need to think in terms of when, not if, and adopt a mindset that balances prevention with preparedness. “Create defense in depth, exercise incident response, and check that you can recover from backups,” Winterborn says. “Make sure you’ve had conversations at the right level and set expectations about what could happen in the worst case.”
Above all, Winterborn adds, remember that no defense is bulletproof.
Change your password regularly and use MFA
You’ve probably heard it a hundred times: change your password often. But according to the latest NIST guidance, that’s not really necessary — unless there’s a sign the password has been compromised. In that case, it should be changed.
Otherwise, if the password is already strong — at least 15 characters long — forcing routine changes can actually make things worse. That’s because most users tend to make only small, predictable tweaks to their existing passwords, which makes them easier to guess and less secure in the long run.
“People will follow patterns to remember the passwords,” says Tim Rawlins, senior adviser and director, security at NCC Group. “Summer2025! becomes Winter2025! unless blocked.”
Instead, experts recommend using a password manager to generate and store unique passwords for every account. “Use one password per service and just change it in case the platform gets hacked,” says Kolja Weber, CEO of FlokiNET.
And yes, enable multi-factor authentication (MFA) wherever possible to be more secure, but keep in mind that MFA can be bypassed. “If you want an extra layer, use passkeys,” Weber adds.
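Rawlins’ point that Summer2025! “becomes Winter2025! unless blocked” can be enforced at reset time. The following is an added example, not code from the article or from NCC Group: a check that rejects trivial variations of the previous password (case flips, digit bumps, a swapped word on the same template, a few appended characters) and enforces the 15-character minimum the article cites; the thresholds and reason strings are my own assumptions.

```python
# Added example: flag "predictable tweaks" of an old password when a reset is
# forced after compromise. Summer2025! -> Winter2025! is the page's own case;
# the thresholds and reason strings below are assumptions, not NIST text.

MIN_LENGTH = 15  # the article cites at least 15 characters as "already strong"


def shape(pw: str) -> str:
    """Character-class mask: letters -> 'a', digits -> '0', anything else -> '!'."""
    return "".join("a" if c.isalpha() else "0" if c.isdigit() else "!" for c in pw)


def letters(pw: str) -> str:
    return "".join(c for c in pw if c.isalpha()).lower()


def non_letters(pw: str) -> str:
    return "".join(c for c in pw if not c.isalpha())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_tweak(old: str, new: str):
    """Return why `new` is a trivial variation of `old`, or None if it is not."""
    if old.lower() == new.lower():
        return "only letter case changed"
    if letters(old) == letters(new):
        return "same word, only digits/symbols changed"  # Summer2025! -> Summer2026!
    if shape(old) == shape(new) and non_letters(old) == non_letters(new):
        return "same template: word swapped, digits/symbols kept"  # Summer2025! -> Winter2025!
    if levenshtein(old.lower(), new.lower()) <= max(2, len(old) // 4):
        return "too few edits from previous password"  # Summer2025! -> Summer2025!x
    return None


def check_new_password(old: str, new: str) -> list:
    """Collect every reason to reject `new`; an empty list means acceptable."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    tweak = predictable_tweak(old, new)
    if tweak:
        reasons.append(tweak)
    return reasons
```

`check_new_password("Summer2025!", "Winter2025!")` returns both a length reason and the template reason, while a manager-generated passphrase such as `kelp-tornado-archive-19` passes with an empty list.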
You can manage all digital certificates deployed across your enterprise network manually with a spreadsheet
Companies have thousands of digital certificates running at any given time, and trying to track all of them manually is a recipe for disaster. Just one expired certificate can cause cascading failures such as outages of critical systems.
“The idea that you can manage digital certificates manually is more outdated than ever,” says Jason Soroko, senior fellow at Sectigo.
The public key infrastructure industry has recently undergone massive changes, and the certificate lifespan will continue to decrease in the years to come.
“Starting in March 2026, public SSL/TLS certificate lifespans will begin a phased reduction to just 47 days by 2029, making manual tracking virtually impossible,” Soroko adds.
Compliance equals security
As the US Marine Corps likes to say, being inspection-ready is one thing, but being combat-ready is another. “Many companies focus too much on meeting compliance requirements and not enough on being truly secure,” says Bramson.
Many companies have aggressively invested in their digitalization and modernization efforts, which have expanded the attack surface and vulnerabilities. According to Bramson, “regulations can’t keep up with the speed of innovation.”
In this context, companies need to aim for security, not just compliance, because checking all the compliance boxes is merely meeting the minimum standards, which is clearly not enough. “It takes a much more comprehensive and individualized program to reach an advanced state of cyber maturity,” Bramson says.
Quantum computing and the threats it poses are still decades away
Criminal groups and nation-state actors are actively collecting encrypted data today, banking on future quantum breakthroughs to crack it wide open. This “harvest now, decrypt later” (HNDL) tactic means national security intel, financial records, and other sensitive information could be compromised retroactively.
“Quantum threats are already in motion, and they aren’t waiting for Q-day,” says Soroko. “Even if your data seems secure now, it may be fully exposed the moment quantum computing reaches critical thresholds. The risk is silent, invisible, and growing fast.”
In fact, NIST has already published a set of encryption tools designed to resist attacks from quantum computers and has urged system administrators to start transitioning to these new standards “as soon as possible.”
Some tech providers are aware of the risks and are moving quickly, but most enterprises, especially those with legacy systems, will require time, planning, and new capabilities to make the switch.
“To begin the journey toward quantum resistance, start small but start now,” Soroko says. “Automating things like digital certificate renewals is a low-hanging fruit that builds momentum and prepares your IT infrastructure for bigger shifts like quantum-safe encryption.”
We must allow law enforcement to break end-to-end encryption to keep us safe
Some governments around the world are looking to pass legislation that would allow law enforcement institutions to intercept, store, and even decrypt instant messages exchanged through applications such as WhatsApp, Telegram and Signal.
Some of these proposals mandate client-side scanning on citizens’ devices, “effectively breaking the promise of end-to-end encryption,” says Sabina-Alexandra Stefanescu, an independent security researcher. “The pushback against such laws from the civic society and security experts alike stands on firm principles: every individual has an inalienable right to privacy,” she adds.
In countries where journalists or human rights activists can face consequences, encrypted messaging and file storage “are the last bastions at their disposal in order to conduct their investigations,” according to Stefanescu.
The independent researcher argues that allowing law enforcement to decrypt messages “can make every person vulnerable and every device less secure.”
Deregulating generative AI is necessary to drive innovation
While some believe that loosening regulations around generative AI would unleash a new wave of innovation, others argue that the opposite is true: we need stronger safeguards in place.
Stefanescu points to the AI Incident Tracker, an MIT-led initiative that documents real-world harms caused by AI systems. The data gathered by the researchers show a steady rise in concerning cases over the past few years, with the most significant surge linked to the spread of misinformation and the actions of malicious actors.
“We chose to believe a mythical image of GenAI as a technology that is sure to evolve into a state that can do no harm, even while all evidence points to the contrary,” Stefanescu adds.