Last week, I had the pleasure of attending the 10th CISO 360 Global Congress in Lisbon. While I enjoyed participating in a panel on the intersection of cybersecurity and geopolitics with a fantastic group of peers, the insights that have stayed with me are those gathered beyond the stage. The hallway conversations and roundtable discussions revealed three recurring themes that are becoming impossible to ignore. None of them are new problems.
The Board Conversation Has Already Shifted — Most CISOs Haven’t
Frontier AI models have put cybersecurity on the board agenda in a way that years of breach headlines never quite managed. Boards are paying attention. They’re reading the coverage and asking questions in the language of business risk.
And most CISOs are still responding in the language of threat:
- Here is the adversary
- Here is what they can do now
- Here is what we need to prevent it
What follows is a budget question about what it will cost if nothing changes.
It doesn’t land. Not because boards don’t care, but because that framing asks them to authorize spend against a worst case they can’t size. They hear the urgency and have no way to act on it.
The CISOs I watched handle this well had made a different choice. They weren’t walking in with threat briefings. They were walking in with exposure posture:
- Here is what our program can actually see
- Here is how it maps to the outcomes you care about
- Here is where we have coverage and where we don’t
The ones doing it well are showing exposure posture in the language of the business — not by listing threats, but by quantifying risk into P&L currency the board understands. They’re showing where they have coverage, where they don’t, and how those gaps map to the outcomes the organization is actually accountable for.
Frontier AI didn’t change the underlying risk. It compressed the window between exposure and exploitation and put the question on the agenda with an urgency that didn’t exist two years ago. The CISOs treating that as an opening are the ones having a different kind of board conversation. The ones still leading with doom are getting tuned out.
Regulation Isn’t Coming. It’s Here, and It’s Personal
There was genuine debate in Lisbon about whether these frameworks actually improve security posture or just generate paperwork. I’ve heard that debate at every event I’ve attended in the last two years. It’s worth having.
But one thing wasn’t debated: EU NIS2 and the UK Cyber Security and Resilience Bill are live realities. And both of them do something the industry hasn’t fully reckoned with: they put board members personally on the hook.
For a long time, “the board is accountable” was a governance principle that rarely carried personal consequence. That changed. The question boards are starting to ask isn’t, “are we compliant?” It’s “if something happens and I’m personally named, what’s my defense?”
A clean audit doesn’t answer that. Compliance frameworks measure whether controls exist. The standard NIS2 sets is whether they were working when it mattered, and meeting it means showing exposure posture, not paperwork. The defensible record is what your program could actually see, where it had coverage and where it didn’t, and how those gaps mapped to the outcomes the business couldn’t afford to lose. Instead of “we passed the audit,” it’s “here’s what we were watching, here’s what we’d closed, and here’s the call we made on what was left.”
CISOs who have internalized that the report upstairs is now an exposure report, not a compliance one, are already changing how they brief the board. The ones who haven’t will figure it out the hard way.
For a deeper look at what NIS2 and the UK Cyber Security and Resilience Bill actually require, and the detection architecture that makes those timelines achievable, read NIS2 Reporting Obligations: How AI-Driven Threat Intelligence Closes the Gap.
Speed Isn’t the Answer — Anticipation Is
Every conversation I had at the 10th CISO 360 Global Congress touched on AI — not as the threat, but as the response. The question was how to keep pace with a threat landscape that moves faster than most security programs were designed for. Everyone was asking the same thing: what do you actually do about it?
The reflexive answer is to move faster: tighter SLAs, shorter patch cycles, and more automation in the response workflow. I get the instinct. Speed metrics are measurable and feel like progress. But going faster only helps if you know what you’re dealing with.
The organizations I see pulling ahead aren’t the ones that respond the fastest. They’re the ones that don’t get surprised. That takes continuous visibility across external signals, your internal environment, and your control posture — maintained around the clock, not just during business hours. The threat doesn’t run business hours; most CTI functions do. Adversaries have noticed: we see it in compressed attack windows, after-hours execution, and campaigns timed to run inside the gap between when a threat appears and when an analyst can act on it. No analyst should start a shift asking what they missed overnight.
Moving at the speed of threat isn’t a headcount problem. It’s a program design problem. The teams in the best position are the ones that have built for anticipation, not reaction.
The Miasma open-sourcing in June 2026 was a live example of exactly this challenge: a single publication event that converted a trackable campaign into an untraceable technique deployed by an unknown number of operators. I wrote about what a program built for that looks like in a recent blog, The Miasma Worm: A Three-Layer Model for Modern Cyber Defense.
The Math Changed. The Doctrine Has to Follow.
None of these are new problems. Boards have always needed to understand risk. Regulation has always set the governance floor. Defenders have always been outnumbered.
What shifted is the math. The window between exposure and exploitation is shorter. The personal accountability stakes under NIS2 are real in a way they weren’t before. And the adversary playbook now explicitly exploits the gap between when threats emerge and when defenders with full context can respond.
Boards are asking better questions about risk than they ever have. Regulations are asking for something defensible, not impossible. Adversaries aren’t faster than defenders; they’re operating inside the gaps the current doctrine was built around. The doctrine hasn’t caught up. That’s the work.

Mending the Broken Cyber Defense Chain
If you’re a CISO working through what it actually takes to build a program that can answer these questions, not in theory but operationally, download this ebook.