The Power of Constantly Exploring New Ideas, Adapting to Unknown Situations, and Challenging the Status Quo
As we witness the unprecedented pace of innovation, the 21st century can be characterized as an era of industrial disruption. We are seeing shifts across every dimension of innovation: new technological adoptions like artificial intelligence (AI) and autonomous systems that will drive significant economic transformation, new business models that offer subscription or usage-based access versus ownership that are fundamentally redefining consumer choice and value, and changing consumption patterns that are shifting towards everything digital, starting with search to commerce to payments.
There is often fear around major innovation shifts, but on balance, they have historically delivered more opportunities than threats. For example, the public internet, which went mainstream in the mid-1990s, has enabled a trove of innovations that have helped us connect with and access people and information freely and broadly. This has transformed how we communicate, how we learn, how we work, how we conduct commerce, and, as I often say, how we play, because it has been embedded in all aspects of our lives. However, this adoption, which offers many benefits, has also presented many cybersecurity challenges.
Cybersecurity has been around since the 1970s, driven by the emergence of computer viruses. The primary methods of protection were originally antivirus software and a firewall. It became more of an industry in the 1990s as the public internet grew in popularity. We began to see a growing list of cybercrimes across sectors, with some more prevalent than others. In general, the crimes targeted individuals, organizations, and a company’s infrastructure, including devices, servers, storage systems, networks, applications, and operations.
For example, in the world of supply chain and logistics, threats come in many forms, including credential theft, routing system manipulation, counterfeit insertion, and traditional attacks such as malware injection, phishing, DoS, and ransomware. It’s interesting to observe how the protection against cybersecurity attacks continues to evolve, from protecting infrastructure to protecting data, privacy, and identity, and, given the increasing threat of AI, protecting trust.
AI continues to change the landscape for everything, and cybersecurity is no exception. Indeed, AI presents a similar paradigm shift regarding cybersecurity needs as the Internet did, but at an even more complex level. Today, we are seeing threat actors using AI-enabled phishing and social engineering, AI-enabled malware, and AI exploitation of AI systems themselves. We are seeing shifts in two dimensions, namely the sophistication of threats and the sophistication of development tools for detecting and protecting against them.
A good example of a threat is “vishing,” which stands for voice phishing, a cybercrime tactic that uses phone services to trick people into providing sensitive information. This approach has been around for some time, but the recent use of AI has made it much more convincing and realistic. These new attack vectors are increasingly sophisticated, attempting to subvert cybersecurity defenses through more manipulative and persuasive phishing and deepfake campaigns to catch users off guard. The defenses will need to use AI as well to protect against threats more quickly and accurately across endpoints, networks, and cloud environments. Research indicates that 51% of IT/cybersecurity professionals expect threats to be a top concern in 2026, but only 14% feel prepared to manage these risks.1 This lack of preparedness is backed up by Kyndryl’s 2025 Readiness Report, where only a minority feel “completely ready” to manage them.2 This gap underscores the urgency for modernization.
Adaptability is Key
IT/cybersecurity professionals will have to adjust as AI continues to grow its presence, bringing new, more sophisticated threats. The answer is to use a combination of AI-specific protection and detection capabilities, along with constant awareness programs, to combat these AI-enabled threats as part of your defense framework. This includes extending your existing threat models to include AI-specific risks across the entire infrastructure, including internal and third-party connections. There will be many new threat vectors, including prompt-injection attacks, model poisoning, extraction, manipulation, and unauthorized use. There will also be code standards attacks against Large Language Models (LLMs) and AI applications for data leakage.
The best practices for the management and governance of cybersecurity and resilience require companies to maintain the appropriate level of protection and access control to secure what matters most, namely their data, their brand, and their stakeholders. When it comes to securing data, protections must include a combination of access controls and authentication to verify who is accessing the data, filtering data packets from untrusted external networks, encrypting the data to prevent unauthorized use, and protecting the data from known threats.
When it comes to securing the brand, protections must include a combination of monitoring and detection tools and processes to defend against fraud, protect sensitive information, and prevent and contain service disruptions for various stakeholders.
Finally, when it comes to securing the stakeholders, protections must include a combination of comprehensive awareness training, complete with tabletop exercises, annual certification, and account management. This includes thinking before clicking on the unknown, securing public connections with a virtual private network (VPN), keeping application software up to date, and using strong passwords with multi-factor authentication.
Even with the most stringent discipline in place, breaches are likely to occur due to a cyberattack. The ability to identify, protect, and detect can still become compromised. However, material damage can be minimized if you have policies and procedures in place to respond and recover rapidly. This is foundational for companies to reduce their cybersecurity risk as outlined by the NIST Cybersecurity Framework, a set of guidelines from the National Institute of Standards and Technology. Companies should make sure they are doing the following:
- Making consistent investments in infrastructure modernization and cybersecurity skills to protect core operations and customer trust.
- Supporting your Chief Information Security Officer (CISO) with routine reviews of meaningful company-wide metrics for protecting sensitive data and information.
- Delivering regular cybersecurity education, constantly adjusting to the evolving threat landscape, because training and awareness are the best human line of defense.
- Exercising annual employee certification to help reinforce personal responsibility and accountability.
- Conducting routine tabletop exercises involving all key stakeholders to simulate various threat scenarios focused on how to recover and respond quickly so that you “stay ready, so you don’t have to get ready.”
After 33 years as a technology and business executive, I have spent the last decade serving as a board director across industries, including energy and utilities, financial services for digital payments, and a concentration in distribution and logistics for parcels and freight, electronic components and embedded solutions, and maintenance, repair, and operations (MRO). You get to routinely witness what every company has likely already dealt with, including various forms of cyber threats, from phishing to denial-of-service attacks to ransomware attacks.
I recall in 2015 when one of my board companies was among the first to establish a separate risk committee to govern and oversee its cybersecurity threats. My other boards either expanded the audit committee’s scope or established an ad hoc cybersecurity-focused committee as an extension of the audit committee. Their focus included governance of products, processes, policies, and procedures across information and operational technology, intellectual property, data security and privacy, internal controls, and business continuity and recovery. The addition of these board-level oversight committees did not change the executive leadership’s responsibility for day-to-day operations; they helped to underscore the board’s duty to ensure best governance practices were being exercised. This shift was necessary given that the global cost of cybercrime was estimated at $3 trillion annually in 2015 and is expected to exceed $10 trillion today.3
Best Practices
While some threats posed by AI may be unique and move faster than before, the practices to counter such risks remain consistent with past efforts. The best practices for board governance and oversight include establishing a cybersecurity committee with the right skills and oversight structure to conduct routine deep-dive reviews of various operational aspects. This is to ensure cyber-readiness before, during, and after an attack. The focus is on preparedness, achieved through routine reviews of the cyber scorecard and key metric indicators, investments in modernization, skills and education, tabletop simulations, incident response plans, and incident root-cause analyses for continuous improvement.
In addition, the entire board must participate in annual training to increase literacy and maintain a general understanding of current market trends and the company’s cyber risks. Given the ever-changing nature of cybercrime, the board of directors must maintain a continuous dialogue with management, focusing on key risk indicators and threats. In addition, they must routinely exercise what I’ve termed “The Curiosity Advantage.” In other words, never stop asking the appropriate questions. This is expected and required of a board member, and it is a natural part of your oversight responsibilities. To quote Albert Einstein, “The important thing is not to stop questioning.”
This leads to what I believe are the three most powerful questions for board directors: “Why?”, “How?”, and “What if?” Due to the open-ended nature of these questions, they have enabled appropriate dialogue for transparency between a company’s leadership and its board of directors. What I’ve learned is that the leaders who thrive during disruption are the ones who keep asking the hard questions, even when the answers aren’t obvious. Curiosity isn’t just a personal trait; it’s a strategic advantage. It drives us to challenge assumptions, explore alternatives, and make informed choices about where to invest and how to adapt.
The board should be asking questions like these:
- Why are we confident that we can detect a significant cyberattack quickly and that the appropriate level of monitoring and protection is in place for our most critical assets?
- How do we know, on an ongoing basis, that our response and recovery plans will enable continuous operations during a real-world cyber incident?
- What if one of our third-party providers experiences a breach that cascades into our environment, disrupting operations?
This is not an exhaustive list of questions, but it serves as an example of the types of questions board directors should be asking and that a company’s leadership must answer with solutions. This is a never-ending dialogue because AI is joining in and is setting the pace in this age of disruptive innovation. Bad actors have begun using AI-enabled models and tools to enhance their cyber threats and attacks, and so defenses must also be AI-enabled to stay a step ahead. We must continue to treat governance not as an IT issue but as an enterprise risk covering strategic, operational, financial, technology, and regulatory compliance. “Zero Trust” will become the norm for a company’s operating models and for user access to critical assets. Threats must be assumed to occur both inside and outside the company, driving the need to “trust nothing and verify everything.” The stakes for the company and its board leadership continue to rise, requiring everyone involved to stay in shape with their defenses.
In conclusion, curiosity helps leaders navigate the tension between urgency and discipline, ensuring modernization is purposeful rather than reactive. Boards and executives who embrace such a mindset will lead confidently into the AI era.
https://www.forbes.com/sites/forbesbooksauthors/2026/03/24/cybersecurity-in-an-age-of-disruptive-innovation/

