For years, we’ve thrown billions into cybersecurity. And yet, attacks are rising. Breaches are faster, more damaging, and more frequent than ever. If that doesn’t signal something’s off, I don’t know what does.
I had the chance to speak with Karissa A. Breen, founder of KBI.Media, on her KBKAST podcast. We unpacked what’s going wrong and why it’s not really about the money. It never was.
Cyber attackers haven’t paused. They’ve evolved.
They’ve shifted tactics, changed tools, and moved laterally in ways we never expected. Meanwhile, we’ve kept investing in the same defenses, and attackers have learned how to slip through them. That’s why I believe we should have invested in cyber defense yesterday. Not just in tools, but in building structured, proactive, and resilient defense.
Boards are beginning to realize this, albeit slowly. The narrative is shifting from cybersecurity to digital resilience. And when business is digital, the risk is digital. You can’t keep operations running without hardening what makes those operations possible.
Let’s talk about mindset again. Boards still view themselves as engines for growth. But digital risk still isn’t being treated as a governance priority. That’s the gap. When a breach can halt operations, crush share prices, and lead to massive fines, it’s no longer just a technical issue. It becomes an existential one.
Some companies are getting it. They’re asking better questions: Where are we vulnerable? What’s the weakest link? How do we shore that up? They’re going beyond the quarterly updates and surface-level reporting. But it’s still early. The larger, more mature enterprises are beginning to invest. Many smaller or more agile ones still treat it as secondary.
I’ve spoken to CEOs who believed they were ready. They had invested in tools, run simulations, and checked all the boxes. But now they realize it’s not enough. Cyber defense isn’t just another checkbox.
It’s how you ensure business continuity in a world where attackers never rest.
Some will say budgets are tight. I’ve heard that argument in every market. But again, this isn’t a conversation about ROI. This is the cost of doing business. Just like a logistics company needs trucks or a factory needs machines, a digital business needs cyber defense. You wouldn’t run a courier company without vans. So why run a digital business without protection?
A COO once told me they treat cyber risk like danger, not just risk. There’s a difference. When human safety is at stake, you don’t compromise. You don’t delay. You act. That’s the level of urgency we need in digital safety. Because at its core, cyber defense is about ensuring safety, reliability, and efficiency. Confidentiality and availability are part of it, but the real value lies in protecting people, processes, and reputation.
Every business should ask one simple question: What is the minimum viable digital business I can sustain if a breach happens?
You should be able to operate at 50, 70, maybe even 90 percent during an incident. That’s what resilience looks like. Without that mindset, all you have is business continuity, which barely covers 15 to 20 percent, at best.
If you’re planning for innovation, plan for resilience in the same breath. Don’t separate the two. Otherwise, a single breach can wipe out your entire digital effort. You don’t need massive investments. You need the right ones. You need to know what systems matter most and ensure attackers can’t see them, can’t touch them, and can’t move laterally through them.
Yet many organizations still don’t know what’s critical in their own infrastructure. Asset management remains a challenge. Shadow IT is everywhere.
Without visibility, you can’t protect. Without prioritization, you can’t defend.
That’s where microsegmentation comes in. When you can see how traffic flows, you can control it. You can model potential attack scenarios, prepare your playbooks in advance, and stay a step ahead. So, when something does happen, you can contain the threat, limit the blast radius, and keep operations running.
Let me give you a number. Imagine your enterprise is divided into 26 segments. If an attacker hits segment A, and your models are ready, you contain it there. You don’t let it spread to B, C, or D. That’s how you maintain minimum viable business.
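To make the 26-segment scenario concrete, here is an added example (not part of the original post) that models allowed flows between segments A to Z and computes how far a compromise of segment A can spread. The flow rules, the function names, and the assumption that each segment carries an equal share of the business are constructed for illustration.

```python
from collections import deque
from string import ascii_uppercase

SEGMENTS = list(ascii_uppercase)  # 26 segments, A..Z, as in the text


def flat_policy():
    """Unsegmented network: every segment may reach every other one."""
    return {s: set(SEGMENTS) - {s} for s in SEGMENTS}


def segmented_policy():
    """Default deny; only the listed flows are allowed (constructed sample)."""
    allowed = {s: set() for s in SEGMENTS}
    for src, dst in [("A", "B"), ("B", "C"), ("C", "D"), ("E", "F")]:
        allowed[src].add(dst)
    return allowed


def quarantine(allowed, seg):
    """Containment playbook: drop every flow into and out of one segment."""
    return {s: (set() if s == seg else dsts - {seg})
            for s, dsts in allowed.items()}


def blast_radius(allowed, entry):
    """Segments reachable from the entry point over allowed flows (BFS)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for nxt in allowed[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def operational_pct(allowed, entry):
    """Share of segments still untouched, treating all segments as equal."""
    hit = blast_radius(allowed, entry)
    return round(100 * (len(SEGMENTS) - len(hit)) / len(SEGMENTS), 1)


if __name__ == "__main__":
    for name, policy in [("flat", flat_policy()),
                         ("segmented", segmented_policy()),
                         ("segmented + quarantine A",
                          quarantine(segmented_policy(), "A"))]:
        hit = sorted(blast_radius(policy, "A"))
        print(f"{name}: hit={''.join(hit)} "
              f"operational={operational_pct(policy, 'A')}%")
```

Running the same model against each candidate entry segment before an incident shows which allowed flows contribute most to the blast radius and where a quarantine playbook should be ready.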
And if you’re attacked, your response changes. You don’t tell the media you shut everything down. You tell them you’re still running, still delivering, and still operational. That’s the power of cyber defense done right.
But let’s not pretend this is easy. Most organizations still don’t know how exposed they are.
Some still believe antivirus is enough. Or that their firewall will catch everything. We need to evolve.
Why haven’t we done it already? Until recently, attacks weren’t this frequent or this brutal. The pandemic changed that. It showed us how connected we are and revealed new doors to attackers. And now, in 2025, we’re finally waking up.
Boards need to make cyber defense a standing agenda item. They need to ask one question in every meeting: Are we ready for a breach? If that question is asked consistently, things will start to move, because for most organizations today, the honest answer is still no.
And that’s the real problem. We’re still responding to threats with scattered point solutions, while attackers are playing a different game altogether. They don’t knock twice. They find a new door, exploit the gap, pivot quickly, and exfiltrate before anyone notices.
It’s time to stop asking what kind of attack might hit us and instead ask what happens when it does. Because it will.
We are past the point of waiting. If you haven’t started already, you’re already behind. Start now, before the next breach becomes your headline.