Solutions Review: Cybersecurity Awareness Month Quotes from Industry Experts in 2024

By: William Jepma

For Cybersecurity Awareness Month, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts.

As part of Cybersecurity Awareness Month, we called for the industry’s best and brightest to share their comments. The experts featured represent some of the top cybersecurity solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value.

Cybersecurity Awareness Month Quotes from Industry Experts


Ronak Massand, CEO and Co-Founder of Adaptive

“In any organization, data is the most critical asset that must be protected. The primary goal of a hacker in any breach is to exfiltrate this data. The severity of a breach is ultimately measured by the number of sensitive records compromised.”

“Given this, organizations should prioritize data protection, recognizing that all other security measures are simply means to that end. Security leaders must have a deep understanding of how data is stored and how it can be accessed across various services, third-party tools, human identities, and other data consumers within the organization. By gaining a comprehensive understanding of data lineage and managing access and protection at each stage, organizations can invest in fewer tools and focus on deeply integrating them into the infrastructure, ensuring that the most important assets are safeguarded effectively.”


Baber Amin, Chief Product Officer at Anetac

“This Cybersecurity Awareness Month, organizations must address threats to both human and non-human identities. While many focus solely on human users, non-human identities pose equal—if not greater—risks.

“Research conducted in partnership with TechTarget’s Enterprise Security Group (ESG) shows that for every human user, there are 20 non-human identities, often with high-level privileges. These automated accounts are prime targets for attackers, yet their security is frequently overlooked. Back in June, TeamViewer suffered a cyber-attack where bad actors were able to take control of an employee’s account. Now imagine if the same bad actors compromised a non-human account. The response time might have been drastically reduced with the consequences of the breach significantly increasing.

“To minimize the likelihood of a successful attack, enterprises should follow these steps:

  • “Adopt modern Identity and access management tools that can monitor both human and non-human identities.
  • “Password security: implement robust cyber hygiene policies, regular password rotation every 90 days for both human and non-human accounts, and use secure password management software.
  • “Invest in smart cybersecurity tools that can improve the visibility and management of all identities and the activity chains linked to those identities.”

Tim Eades, Chief Executive Officer and Co-Founder of Anetac

“In today’s digital landscape, many security breaches stem from overlooked basic security practices rather than sophisticated attacks. This year’s Cybersecurity Awareness theme, “Secure our World,” reflects this oversight. While advanced security tools are valuable, organizations benefit most when they prioritize fundamental practices, including strong passwords, a password manager, multi-factor authentication, and keeping software up to date.

“The difference between a minor incident and a major breach often comes down to these basics. Our research indicates that 53 percent of organizations take over 13 weeks to rotate passwords—a gap that creates unnecessary vulnerabilities. As we innovate against emerging threats, we can’t neglect the fundamentals. A modern identity security strategy must combine robust security hygiene with advanced tools for complete visibility into both human and machine identities.

“By focusing on a balanced approach—combining sound security practices with advanced tools—organizations can significantly enhance their resilience against potential breaches. Remember: attackers will always choose the path of least resistance. Don’t make it easy for them.”


Doug Murray, CEO at Auvik

“Last year, CISA announced that the enduring theme for all future Cybersecurity Awareness Months would be “Secure Our World.” This theme evokes the sentiment that security is a shared responsibility between individuals, businesses, and governments alike. Even within a specific organization, security is a shared responsibility. Consider the issue of infrastructure sprawl. Both CISOs and CIOs are purchasing and managing tools that support cybersecurity objectives or serve a particular IT function. A big concern here is the cybersecurity risks involved in infrastructure sprawl, as the proliferation of tools and vendors has gotten out of control for many IT teams.

“Another increasing area of risk is shadow IT and shadow AI, which involves the use of IT systems, devices, software, and services without explicit approval from the IT department. SaaS shadow IT is probably one of the biggest hidden risk factors that IT leaders face today, particularly at a time when employees are experimenting with emerging AI tools. Most people who utilize shadow IT tend to think that they’re just using a productivity tool. However, organizations have found shadow IT adoption can open vulnerabilities.

“In purchasing a combination of different tools, companies easily end up with huge overlaps. For example, it’s common for a company to have multiple firewall providers operating within their network all at the same time. This is not only redundant but could actually be introducing even more cybersecurity risk to the business unnecessarily. How can we manage some semblance of consolidation to drive up efficiency and lower costs? What’s needed is a network management platform that gives us a federated view of everything that IT uses for its daily processes, systems, and management. Business leaders must then work together to determine which tools to keep and which they can do without in order to reduce sprawl and overall risk exposure.”


Ian Bramson, Vice President of Global Industrial Cybersecurity at Black & Veatch

“The cybersecurity threat landscape is fundamentally shifting, raising the stakes from data manipulation to impacting physical safety and operational uptime within operational technology (OT) environments, such as power plants, water plants, oil & gas refineries, and other critical infrastructure. As such, the industrial cybersecurity world in 2025 must adapt to a more consequence-driven approach, where safety and uptime are the priorities rather than resources and ROI. After all, the true ROI in industrial cybersecurity–for now–is that nothing bad happens. But how long can we count on that to remain the status quo?

“While there is still time to adapt, there isn’t a nanosecond to lose. As cyber attackers expand their focus to penetrating OT environments, the digital front lines are now being drawn inside the equipment, devices, and operations that drive critical infrastructure. Heavy industry and high-hazard operations are in the cyber crosshairs, driving risks to sites and environmental and public safety. Negative impacts on critical infrastructure also threaten economic stability and national security. And while cybersecurity attacks do not have physical boundaries, they can and do have very real-world impacts.”


Dale “Dr. Z” Zabriskie, Field CISO at Cohesity

“The growing threat of ransomware and insider attacks has made data resilience more critical than ever. According to Cohesity’s Global Cyber Resilience Report, over 3100 IT and Security decision-makers globally were polled and confirmed the threat of cyber-attacks—especially ransomware—continues to rise, with the majority of respondents falling victim to a ransomware attack in the last six months, and most having paid a ransom in the past year. A full 80 percent of those surveyed said they had responded to what they believe to be AI-based attacks or threats within the last 12 months.

“Organizations must have a multi-layered defense strategy to combat these threats. Implementing solutions such as immutable snapshots, encryption, and strict access controls is essential to ensuring critical data is secure. Isolating backup data and employing advanced protections like time-based locks can make the difference between a minor incident and a major disaster. In today’s threat landscape, being prepared with these layers of defense is crucial for cyber resilience in the effort against both ransomware and insider threats.”


Jackie McGuire, Senior Security Strategist at Cribl

“For years, the cybersecurity industry has faced challenges in finding talent with the right skill set to fill roles. However, what’s not often talked about is the disproportionate amount of neurodivergent talent already working in the cybersecurity industry and the untapped talent pool with the potential to fill these roles.

“Neurodiversity is a massive spectrum, and cybersecurity leaders need to rethink how they’re assessing skills and what a ‘typical’ candidate may look like for any position. By embracing unique skill sets of neurodivergent talents, such as the ability to hyper-focus, detect patterns, and identify vulnerabilities that others might miss, security teams can unlock new, meaningful problem-solving solutions.

“Eliminating the stigma around neurodiversity and creating an open dialogue about the resources and accommodations neurodiverse team members need to excel in their roles, such as written materials or subtitles during virtual meetings, enables leaders to tap into the unique strengths of team members and build an environment for them to thrive.”


John Scott, Lead Cyber Security Researcher at CultureAI

“October 1st marks the start of Cybersecurity Awareness Month, a global campaign launched two decades ago to improve cybersecurity awareness and equip people with the knowledge and resources they need to be secure online. But what impact has this campaign truly had in the workplace? Yes, it spotlights the issue and boosts high-level awareness of threats like phishing. But no matter how much you train your employees, humans will always make mistakes—and malicious actors will always look to exploit these mistakes.

“Cybersecurity Awareness Month puts unnecessary pressure on security teams, who often have the added responsibility of delivering training or events in addition to preventing threats and mitigating risks, and employees, who are put under pressure to understand a complicated threat landscape. Is this the best use of anyone’s time? The issue also allows companies to think, ‘Well, we’ve done security now,’ and then shift focus to other matters for the remaining 11 months of the year. However, developing a strong security culture is not a ‘one-and-done’ deal. It’s a continuous effort to ensure that everyone’s first response is the most secure one.

“Crucially, this is not a one-month campaign. Short bursts of awareness do not tackle the depth of security threats. To be successful, security requires an enduring shift in mindset, technology, processes, and culture. Human-related breaches will continue to remain high unless we take action. Focus on technology that empowers real-time risk management. It’s time to adapt.”


Omar Khawaja, Field CISO and VP of Security at Databricks

“What I’ve found from talking to hundreds of security leaders across the public and private sectors is that when it comes to generative AI, many leaders are worried they don’t know which risks to worry about. On top of this, they also know that not investing in GenAI may pose a different kind of risk—falling behind. Risks can range from training data poisoning to prompt injection to model theft. While there isn’t a ‘silver bullet’ strategy when it comes to protecting against these threats, companies should focus on the specific risks that matter most to each specific GenAI use case. This means throwing the long list of potential—but ultimately, not relevant—risks out the door and reviewing your deployment architecture, strategy, and end goals for incorporating AI.

“Fear—whether it’s fear of missing out or fear of security risks—cannot drive your AI strategy forward. Fear places you on the fringes of the AI spectrum, and I believe there is a happy medium where your team is aligned on AI goals, risks, and opportunities. That middle ground is foundationally sound for strong decision-making once you truly know how AI works inside and out.”


Jose Seara, CEO and Founder of DeNexus

“This year’s theme for Cyber Awareness Month, “Secure Our World,” highlights the need for increased cyber protection in all aspects of our personal and professional digital lives, including industrial systems—the connected equipment and systems that control factory floors in manufacturing, the buildings hosting data centers, power generation sites, electricity distribution networks, or even the tarmacs and boarding areas in airports.

“Given the gap in cybersecurity resources and the flattening of cybersecurity budgets, cybersecurity leaders need to take a step back and assess where to allocate scarce resources and limited budgets to achieve the greatest return on investment, which, for cybersecurity, is to reduce the probability of material cyber incidents. This starts by identifying and measuring cyber risks in financial terms, the probability and severity of potential cyber incidents due to weaknesses in cyber defenses.”


Jack Chapman, SVP of Threat Intelligence at Egress

“When we crunch the numbers, the total annual volume of phishing emails remains relatively steady year on year. What’s changing is the sophistication of these attacks. We all live digital lives, and there’s far more material about each of us readily available on the internet than many people realize or most of us would be comfortable with!

“This includes things we willingly choose to share, such as our birthdays and family members we’re connected with on social media platforms, and even who our boss might be on corporate websites. It also includes data that’s been compromised in previous breaches—from passwords to things like our home addresses. Cyber-criminals don’t have to look very far to be able to build a comprehensive picture of who someone is, what the best way might be to target them, or even to guess the answers to their security questions.

“Most often, these attacks will be targeted spear phishing emails that impersonate someone close to us or use other social engineering tactics to pull our levers. In more sensational stories, these impersonation tactics can be combined with deepfake software so a phone or video call can sound and look like the person we know. The threat of generative AI being used in these attacks is steadily growing. Recent research shows that 75 percent of the phishing toolkits available for sale on the dark web reference AI, and 82 percent reference deepfakes.

“It’s often some of the simplest measures that can help keep people safe from these targeted threats, starting with awareness of what information is available online and taking steps such as limiting the visibility of your online social media profiles. However, when cyber-criminals want something, they often won’t stop, which is why it’s imperative that we fight fire with fire and protect ourselves with advanced technology that can detect these sophisticated attacks.”


Chaim Mazal, CSO at Gigamon

“Adversarial AI is outsmarting current security defenses. To stay ahead, organizations must gain deep, real-time visibility into all network traffic. Today, one in three breaches are going undetected, and of those that are detected, only 25 percent of breaches are being detected in real-time. Given 93 percent of malware hides in encrypted traffic, prioritizing deep observability across your hybrid cloud infrastructure is mission-critical for securing sensitive data.”


James Hadley, CEO and Founder of Immersive Labs

“Over the past year, we have seen significant cybersecurity events, such as disruptions caused by supply chain, social security number, and Medicare breaches that have highlighted how fragile our digital ecosystem can be. System compromises and ransomware attacks have proven to be devastating to organizations, costing businesses around 5 million dollars on average. These various crises have once again proven that the status quo of traditional cybersecurity certifications and awareness training is simply ineffective.

“Rather than offering realistic crisis simulations, many businesses are mired in the same antiquated training over and over again while the threat landscape has continued to evolve. So, why are leaders still relying on a list of names of employees who watched an outdated video to check the cybersecurity box? How can we be confident in the skills of our cybersecurity professionals if we aren’t evaluating their hands-on skills based on data?

“With cyber drills, CISOs can prove and improve their organization’s knowledge, skills, and judgment against simulated attacks. These drills give leaders the proof they need to better understand their organization’s cyber capabilities and shortcomings. In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, checkbox awareness is no longer enough. Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses’ most sensitive data remains secure.”


Eric Herzog, CMO at Infinidat

“The merging of cybersecurity and enterprise storage infrastructure has been compelling CIOs, CISOs, and IT team leaders to rethink how to secure enterprise storage across hybrid multi-cloud deployments in light of the dramatic increase in cyber-attacks over the past several years and into the foreseeable future. Sophisticated cyber-attacks, including new forms of AI-driven attacks, are increasingly targeting enterprise storage infrastructure. Enterprises need proactive strategies, seamless integration across data center IT domains, and the most advanced, automated technologies to stay ahead of cyber threats. Comprehensive cyber storage resilience and recovery capabilities improve the ability of an enterprise to combat and protect against ever-increasing cyber-attacks and data breaches by combining automated cyber protection, immutable snapshots, logical air gapping, a fenced forensic environment, cyber detection, and virtually instantaneous data recovery.”


Philip George, Executive Technical Strategist at InfoSec Global Federal

“Cybersecurity Awareness Month this year comes on the heels of NIST releasing post-quantum encryption standards, which are designed to withstand attacks from cryptographically relevant quantum computers (CRQC). For several years, the cybersecurity community and government leaders have been raising awareness around the impending threat of a CRQC and the potential large-scale effort to migrate to quantum-safe encryption, recognizing there is not one area across the information technology domain that does not rely on some aspect of vulnerable classical cryptography. Therefore, the arrival of the new quantum-safe standards is a pivotal moment. These new ciphers provide public and private sectors with the ability to establish an effective bulwark against both present day and emerging cryptographic threats to include the prospect of a CRQC.

“But the very first step for any organization is to conduct an automated discovery and inventory of deployed cryptographic assets. This single act provides the foundation for the development of a comprehensive and effective defense-in-depth strategy that aligns with greater efforts like that of zero-trust (ZT) modernization. If an organization has not conducted an automated discovery and inventory scan in lieu of prior manual efforts, it could be implicitly accepting risk that has neither been accurately assessed nor mitigated. This can create scenarios where PQC migration execution is incomplete at best or fails to mitigate an exposed attack surface of a high-value asset.

“Migrating to the new post-quantum algorithms will take considerable time and effort. Aligning such activities with similar large-scale modernization efforts like zero-trust will be key. This paired approach will ensure that the adoption of ZTA principles won’t be undone by continuing to rely on soon-to-be-deprecated cryptography. Cryptography is the underpinning of Zero Trust, so aligning PQC migration with Zero-Trust initiatives is imperative.”


Yousef Hazimee, Head of Security at LearnUpon

“With the advent of new attack vectors and advanced technologies, it’s vital that security teams enable employees to recognize risks and regularly review and update security training to keep them engaged. If you keep serving up the exact same content every year, employees will lose interest, and the training will lose its value, which can end up being a big cybersecurity risk.

“My best advice would be to start with something manageable and design the program with your audience in mind. Given that LearnUpon provides training and corporate learning to other companies, we take training our own employees with our own software very seriously. We run company-wide security awareness training on an annual basis, keeping all employees up-to-date on new and evolving threats and reinforcing the robust security practices we have in place. You can create an impressively comprehensive security awareness course, but if it is pitched at the wrong level for your audience, it won’t work. Focus on your learners, and try to build a program that feels relevant and realistic to them.

“For example, if they are learning on the go, then a course of short videos might be the best. Or are they not the most tech-savvy? Then, you might want to start with the basics and work your way up to more sophisticated topics. Over time, as your audience becomes more security-aware, you can adjust the training to grow with them. Remember that you are asking workers for their time to complete the training. Respect the time your learners are dedicating by keeping your cybersecurity materials relevant to them and up-to-date.”


Larry Zorio, CISO at Mark43

“To effectively manage organizational risk tolerance, start by identifying your most valuable assets through an inventory of ‘crown jewels.’ Then, build a risk strategy by asking key questions and prioritizing investment in secure, resilient technology, as it will save you time and cost in the long run.

“In addition, adopt a recognized framework like the NIST Cybersecurity Framework (CSF) to provide a structured approach to managing cybersecurity risks. Tactical items to include are vulnerability management, regular backups, monitoring, and audit functions, and incident response tabletop exercises to ensure you build muscle memory for seamless mitigation in the event of a breach.”


Zack Schuler, the Executive Chairman and Founder of NINJIO

“October is National Cybersecurity Awareness Month, an ideal time for companies to focus on how they can defend themselves from rapidly evolving cyber threats. From the exploitation of revolutionary new technology like AI to the proliferation of attack vectors, we have entered a new era of cyber risk—and much of this risk is driven by human vulnerabilities.

“AI has eliminated the barriers to entry for advanced forms of phishing and other social engineering attacks, and cyber-criminals have never had more powerful resources for manipulating victims. Companies need a proactive approach to cybersecurity awareness training, which will help employees anticipate emerging cyber threats, think critically about their digital behavior, and respond to cyber-attacks.”


Will LaSala, Field CTO at OneSpan

“As Cybersecurity Awareness Month unfolds, it’s crucial to spotlight how phishing-resistant technologies are revolutionizing defenses across multiple industries. With 95 percent of security breaches resulting from human error, cyber education is undeniably important, but it should not be the only line of defense digital threats encounter. Advanced authentication protocols like FIDO2 and WebAuthn leverage public key cryptography to secure login processes. These methods render stolen credentials useless to attackers, offering a highly secure and user-friendly approach that goes beyond traditional security measures.

“With digital agreements and transactions now integral to business operations and threats continuing to escalate, companies must focus on securing the customer experience from end to end. By integrating advanced authentication methods, organizations can ensure transactions and identities are verified, mitigating the risk of credential theft. Combining these technologies with ongoing user education provides a comprehensive defense, reinforcing our cybersecurity infrastructure against evolving threats. This Cybersecurity Awareness Month, let’s champion these methods as the gold standard in online security.”


Damon Tompkins, President at Pathlock

“As we observe Cybersecurity Awareness Month, it’s essential to highlight the importance of identity security in protecting our digital environments. This includes implementing robust identity and access management systems, which control who has access to what within the organization and continuously monitor those identities to detect and respond to any unusual activity.

“Prioritizing identity security helps organizations enhance their security posture, protect sensitive information, and comply with regulatory requirements. Effective identity security practices, such as adopting a zero-trust model, ensure that every access request is scrutinized, regardless of its origin. This approach not only safeguards data but also supports operational efficiency by ensuring that users have the appropriate level of access at all times. As we navigate an increasingly digital world, robust identity security measures are more crucial than ever in defending against cyber threats and maintaining a secure and compliant access environment.”


Darryl Jones, Vice President of Consumer Strategy at Ping Identity

“Whether it’s logging into a banking app, making purchases online, or paying through a mobile wallet, consumers use their digital identities every day, often multiple times a day, to interact with businesses online. But this digital experience is not always a pleasant or easy one. A majority of consumers (89 percent) have complaints about passwords, with 61 percent admitting they have too many to keep track of. To no surprise, over half (54 percent) have stopped using an online service because they became frustrated when trying to log in.

“Traditional password-based authentication does not provide the most secure or seamless experiences, two critical elements to earning consumer trust. Adopting a mindset of ‘never trust, always verify’ will not only help improve resilience against emerging AI-based threats but create a better overall digital experience for consumers. This Cybersecurity Awareness Month, I encourage organizations to explore the powerful combination of identity verification and digital credentials to help create a more secure world.”


Tim Perry, Head of Strategy at Prepared

“Emergency systems need to be resilient. They can’t be vulnerable to disruption, whether it’s a storm that knocks down a wire, a cyber-attack, or a failure of one of the PSAP’s legacy software providers to keep their creaky old software up and running. There’s probably a misconception in the market that on-premises solutions are somehow more secure than cloud-based solutions. They are not. Cloud-based solutions do what the next-generation 911 movement has been trying and not always succeeding to do for a couple of decades, which is to improve the resiliency of systems.

“It’s important to stay ahead of cybersecurity compliance requirements and to always evolve as a technology because the threats themselves evolve. Legacy software can be really inadequate or buggy; from our perspective, it’s just a failure to evolve. When you’re thinking about cybersecurity, it’s as important to think about ‘who’ as to think about ‘what.’ Are you concerned about a cyber-criminal or a nation-state actor? Depending on who you think it is, you might choose different approaches to cybersecurity.”


Rebecca Herold, CEO and Co-Founder of Privacy & Security Brainiacs

“AI implementation throughout organizations promises to provide benefits when fully tested and accurate AI algorithms are used. However, inaccurate AI tools are being used by the public and within organizations; these create cybersecurity and privacy risks within the full digital ecosystems of businesses and homes. Those faulty AI algorithms within such tools, along with AI tool vulnerabilities and errors, will be exploited increasingly more often throughout 2025, creating completely unexpected types of threats and vulnerabilities, along with new types of harm to not only networks and systems but also to the individuals within those ecosystems. Especially hard-hit will be critical infrastructure entities, such as public utilities, transportation structures, construction, and hospital systems. 

“Consider healthcare. Research published by the National Library of Medicine government agency indicates GenAI is actively used in large numbers of healthcare institutions for disease detection, medical diagnosis, and health screening processes involving radiology, cardiology, gastrointestinal medicine, and diabetes detection and treatment. The need for correct results from such GenAI uses is absolutely critical. The data used for training the associated AI tools must be accurate, the algorithms involved must be protected from unauthorized changes and manipulations, and only appropriately authorized data should be used for training the algorithms. When security ensures these issues are not applied, bad decisions will be made, resulting in harm. For example, AI-informed misdiagnoses lead to harmful treatments that result in patient harm.

“For these types of high-tech risks, comprehensive AI security and privacy program practices must be implemented and consistently followed. AI security and privacy education must be provided to support this goal. Individuals responsible for cybersecurity within their organizations need to stay up-to-date on new and emerging threats, such as malicious AI, inaccurate AI algorithms, shadow devices compromising the digital ecosystems, and unauthorized use and access to AI training data repositories.”


Eric Schwake, Director of CyberSecurity Strategy at Salt Security

“As we enjoy the convenience of digital services, we must also recognize the growing attack surface and evolving threat landscape. APIs, the invisible threads connecting our applications and data, are a prime target for malicious actors.

“Organizations must adopt a comprehensive approach to API security to effectively secure our digital ecosystem. This begins with thorough API discovery, gaining complete visibility into all APIs across the development lifecycle. Understanding the full scope of your API landscape is the crucial first step in identifying potential vulnerabilities and misconfigurations.

“Next, robust API posture governance is essential to ensure that APIs adhere to security best practices and comply with industry regulations. This includes implementing strong authentication and authorization mechanisms, enforcing data validation rules, and proactively managing API access controls.

“Finally, organizations need advanced API behavioral threat protection to detect and prevent malicious activity in real-time. This involves analyzing API traffic patterns to identify anomalies and uncover hidden threats that may bypass traditional security measures. Organizations can proactively defend against attacks and safeguard their critical assets by pinpointing actual malicious traffic within these anomalies.”


Pukar Hamal, Founder and CEO at SecurityPal

“The proliferation of AI over the past few years has introduced new cyber threats to companies. As with any powerful tech, there’s a trade-off between speed and security: while AI helps companies achieve objectives quicker, it also increases the scope for risk and attack. Organizations shouldn’t shy away from AI use altogether but rather do so with security and governance at the top of their minds. Establish a layered security approach—including encryption, behavior monitoring, and automatic alerts for unusual activities—to defend your system from cyber threats. At the same time, prioritize transparency in AI operations across your teams, ensuring your entire organization understands how to safely use AI and interpret its outputs. This is crucial for preventing AI misuse, building trust with internal and external stakeholders, and stymying any cyber threats associated with AI use.”


Patrick Harr, CEO at SlashNext

“Cybersecurity Awareness Month is a reminder that the methods used by cyber-criminals continue to evolve, making it imperative for organizations to have the resources and plans in place to prevent these attacks before they result in data compromise and other security concerns. To stay one step ahead of these sophisticated tactics, organizations must adopt a multi-faceted defense approach, which includes utilizing AI to combat AI-based scams. Even with continuous training to help employees recognize the hallmarks of email and message-based scams, many are still unable to evade complex schemes like 3D phishing. However, while humans may struggle to recognize these threats on their own, AI-based security platforms can detect unusual activities associated with 3D phishing attempts.”


Nitin Singhal, VP of Engineering (Data, AI, and Integrations) at SnapLogic

Meeting the pace of GenAI security by shifting left in architecture design  

“Security isn’t a final checkpoint; it’s the foundation of product philosophy. Integrating security from the outset is crucial to mitigate costly reputational damage post-launch. If these controls are not pushed to the left and are afterthoughts, the damage is already done, and we might have breached regulatory boundaries and user trust. To avoid such a situation, you should define architectural tenets to ensure metadata collection, auditability, and digital asset inventory as part of regular software development.

“GenAI commoditizes technology access by pushing new technology into the hands of almost everyone at a company. While this has many benefits, the responsibility to meet security measures grows exponentially. Leaders must ensure robust safeguards at every potential vulnerability point, balancing innovation with protection. In this new landscape, security isn’t just an IT concern—it’s a company-wide imperative that shapes our digital future.”

The industry’s AI adoption FOMO is leading to security and compliance risks  

“Don’t let FOMO drive your GenAI strategy; ensure it’s built on a foundation of compliance, transparency, and trust—because in the race to innovate, knowing where your data flows is as crucial as the innovation itself. GenAI is not very different from how we think about AI security, but there is a subtle difference: LLMs do not have a delete button. Once data lands in the public LLM model, it is irreversible and cannot be deleted. So as an organization, you have to consider regulations like GDPR, and it’s crucial to know where the data is coming and going. You must know if the models are auditable and if they’re not going to introduce any biases or lead you to a situation that causes you not to be compliant. Please note that it is not just about regulatory compliance but also user trust.

“A well-architected system minimizes customer data usage and maximizes the metadata that they collect at the lower granularity. These principles enable engineers to build systems where you can configure current and future controls rather easily. Otherwise, whenever there is a law, you have to stop what you are doing and set up a new team to build controls on top of the already tangled web of data. Businesses don’t want to be in a state where they don’t know where the data is coming from. Think about tangled wires going to and from the circuit board to the switchboard. If you don’t have a clear indication of which one turns on the switchboard, you could be at risk or at fault for a security or compliance violation.”


Or Shoshani, CEO and Founder at Stream Security

“This National Cybersecurity Awareness Month, we must continue to better understand the increasing complexity and dynamic nature of cloud environments relative to on-premises alternatives. With rising widespread cloud adoption, organizations face new challenges and new threats, all of which emphasize the need for real-time cloud security.

“More than 80 percent of data breaches involved data stored in the cloud and these breaches have been strongly correlated with higher costs, as it took businesses longer to identify and contain. As threats grow, it’s essential to take a real-time cloud security approach. Most solutions today are point-in-time and aren’t able to identify threats before significant damage is done. Compounded by the overburdened security analyst and SecOps teams, the need for solutions that close knowledge gaps to help stay ahead of threats is more paramount than ever. To stay ahead of emerging threats, businesses must adopt proactive cloud security measures that detect, investigate, and respond to exposures and threats as they arise, not hours after.”


Jason Keenaghan, Director of Product Management, IAM at Thales

“Human error is the leading cause of data breaches, and hackers now have a leg up to take advantage of these weaknesses, thanks to artificial intelligence. Phishing is the second fastest-growing attack, and leveraging generative AI, hackers are able to craft word-perfect emails in any language to help them get a foothold on business networks. Most often, hackers use phishing to steal employee credentials, masquerading as trusted entities to bypass traditional password-based security systems—and this makes passwords even less secure than ever.

“Cyber hygiene training, while wholly necessary, will always be an uphill battle, but shifting away from password credentials can help organizations harden their defenses despite human error. Passkeys can help to eliminate concerns around stolen credentials altogether. Passkeys provide easier, faster, and more secure sign-ins. They’re harder to crack due to their use of cryptographic techniques and often being coupled with biometric authentication. Furthermore, with device-bound passkeys, they cannot be intercepted, as they never leave the user’s device. This shift away from passwords represents a significant leap forward in advancing the security of the digital landscape as a whole and is critical for all organizations to recognize.

“Now is the time to implement passkeys wherever possible and adopt a passwordless 360-degree mindset to address the needs of all users and applications, with none left behind. When it comes to paring down credential-based human risks, the simpler, the better, and passkeys are the strongest defense we have to put an end to the phishing era.”


Ratan Tipirneni, President and CEO of Tigera

“Cybersecurity Awareness Month highlights the importance of implementing stronger defense mechanisms that protect organizations and citizens from increasing cyber-crime. Kubernetes and containerized environments underpin digital innovation and are at the core of modern application development. While these environments boast significant advantages, offering scalability, efficiency, and flexibility, they are also subject to various security risks. This includes vulnerabilities, misconfigurations, network exposures, and both known and zero-day malware threats. The distributed nature of microservices, the dynamic scaling of workloads, and the ephemeral nature of containers introduce unique security challenges.

“Traditional approaches to risk assessment whereby vulnerabilities, misconfigurations, and threats are identified and prioritized in isolation—and each generates its own set of alerts and priorities—are insufficient for the unique nature of Kubernetes. To effectively protect your Kubernetes environment, it is essential to adopt an interconnected security approach that accounts for how these risks interact. Many security risks are associated with specific services. By understanding the relationships between services, security teams can better assess the potential blast radius of risks if left unmitigated. This will enable more accurate and timely risk assessment, prioritization, and mitigation.

“This Cybersecurity Awareness Month, organizations should work to deploy tactics that help evaluate risks holistically and implement controls such as default-deny network policies, workload isolation, IDS/IPS, and WAFs. These tactics will reduce their risk of exploitation, limit lateral movement in the event of a breach, and block known threats before they can manifest.”


Jason Kichen, Chief Information Security Officer at Tricentis

“Every advantage comes with risks–generative AI is no different. Given the sensitive data it often handles, security stakes are inherently higher for organizations. A breach could result in financial loss, reputational damage, and loss of trust. To mitigate this, establishing a red team dedicated to testing generative AI is critical.

“These red teams assess AI’s exposure to risks, from operational issues to adversarial attacks. Since generative AI is evolving quickly, most companies lack the tools and/or expertise to test it effectively. However, by fostering collaboration between red teams and internal developers, businesses can close knowledge gaps and strengthen software security.

“As technology advances, especially with generative AI, new risks will continue to emerge. To protect your systems, customers, and reputation, specialized testing for AI is essential. In this rapidly evolving landscape, being proactive is key.”


Kevin Bocek, Chief Innovation Officer at Venafi

“Rise of the machines is here! As Cybersecurity Awareness Month unfolds, new AI technology, from AI agents to AI coding assistants, is here. But our new superpowers will bring new threats. Opportunities for attackers to authenticate at machine speed and uncertainty about the source and integrity of code have already emerged. Recent research underscores a growing challenge: 83 percent of security leaders report that developers are using AI to generate code, but 66 percent find it difficult to keep up with these rapid technological advancements. With 92 percent of security leaders expressing concern about the risks posed by AI-generated code, we’re going to find new paths ahead.

“So if the machines are here and security professionals are so concerned, what do we do? Humans and machines have at least one thing in common: they both require identities. We use machine identities to identify machines running and communicating and use code signing to authenticate code from open-source. All of this allows us to use the Internet, install apps on mobile devices, and fly safely on today’s latest digital aircraft. Applying these same machine identity techniques–when secured–solves the challenges that AI agents to AI coding assistants will present.”


Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS)

“During Cybersecurity Awareness Month, messaging to already-cyber-conscious audiences is often redundant. It’s time to take a different approach—one that focuses on students and builds real connections. To cut through the clutter, we need to simplify the message and empower the next generation to see themselves in cybersecurity. This month isn’t just about raising awareness; it’s about shaping the future leaders of this field.

“Teenagers are much more likely to listen to someone closer to their age who they can relate to. They’re not going to engage with adults lecturing them about cybersecurity. To shake things up, this Cybersecurity Awareness Month, we’re showing young women that they belong in this field by mobilizing our student chapters to reach high school students directly. We’re showing them that cybersecurity is already a part of their lives and doesn’t have to be intimidating.

“We’ve developed a Cybersecurity Awareness Month toolkit, backed by our top-tier partners, that these student leaders will take into high schools, breaking down cybersecurity into simple, everyday language. Many students don’t realize they’re already practicing cybersecurity when they use things like two-factor authentication. By having peers—people who were recently in their shoes—share this message, we’re making cybersecurity feel relevant and accessible. It’s not a big, scary concept; it’s something they’re already part of.”


Matthew Sharp, CISO at Xactly Corporation

“Today, all businesses are digital, which is creating a web of systemic risks. As AI adoption accelerates, cybersecurity leaders must manage material exposures and enforce AI governance. This Cybersecurity Awareness Month, if you haven’t already, establish an AI governance council to evaluate AI use cases and vendors in your value chain and make sure you can objectively identify material risks.”


Boaz Gorodissky, CTO and Co-Founder at XM Cyber

“Cybersecurity Awareness Month serves as a reminder to organizations that protecting critical assets requires a much more comprehensive approach to exposure management. Organizations typically have around 15,000 exposures scattered across their environments that skilled attackers could potentially exploit, and yet, CVE-based vulnerabilities account for just a small percentage of this massive exposure landscape. Even when looking only at exposures affecting their most critical assets, CVEs represent only a small part of the risk profile. While organizations are focused on patch management and vulnerability management to address CVEs, the maturity to mobilize teams and remediate issues such as misconfigurations and weak credentials is low, leaving organizations exposed.

“This disconnect between the traditional cybersecurity focus and the real-world threatscape demands a paradigm shift in security strategies. This Cybersecurity Awareness Month, organizations should use the opportunity to ensure a comprehensive and proactive approach to cybersecurity. They should ensure they get a continuous and complete view of securing all critical assets (on-prem and cloud) to holistically safeguard their digital assets in today’s increasingly complex threat landscape.”

Original Story: https://solutionsreview.com/security-information-event-management/cybersecurity-awareness-month-quotes-from-industry-experts-in-2024/