As organisations grapple with expanding attack surfaces and increasingly sophisticated threats, the importance of strong security fundamentals and clear visibility has never been greater. Quentyn Taylor, Senior Director of Information Security at Canon Europe, Middle East and Africa, tells us why overlooked risks such as compromised credentials, alongside the rise of AI-driven threats, demand a renewed focus on foundational security, governance and leadership-driven cyber-resilience.
As attack surfaces continue to expand across hybrid work, cloud and connected devices, which emerging risks are of greatest concern—and where do organisations continue to underestimate their exposure?
The ‘digital perimeter’ is no longer a clear line; it’s a fluid, expansive landscape where every device can be a potential entry point. It’s not so much the emerging risks that cause organisations to underestimate their exposure, but rather the already-emerged risks, such as stolen credentials, that remain inadequately addressed.
Stolen and compromised credentials are one of the most underestimated threats facing organisations today. The reality is that when a business doesn’t have a clear picture of its own perimeter — and in a hybrid, cloud-connected world, that perimeter is increasingly difficult to define — attackers don’t need to break down the door. They walk straight through it, using legitimate credentials that have been quietly harvested or bought. The challenge isn’t always that organisations lack the right tools; it’s that they don’t fully understand the extent of their own exposure. Until businesses can answer confidently where their boundaries are and who has access to what, the more headline-grabbing threats remain a secondary concern.
It is also important to consider how attackers are leveraging AI in their execution. While we aren’t yet commonly seeing AI write malware, it is increasing the speed at which attackers can operate – enabling faster, broader distribution and, consequently, more victims. There is also the threat posed by quantum computing. Whilst there is not yet a viable quantum computer that can crack current encryption, the arms race is on, and unlike AI it is highly unlikely that we will be told when a viable quantum computer has been created. Therefore, by the time we become aware of a viable supercomputer’s creation, it will be too late for some. Hence, it is imperative that companies think now about what data they have that needs to be continually encrypted in a post-quantum-computing world.
Given a dual focus on information security and product security, how should organisations better integrate security into product design and lifecycle management?
Integrating robust security into product design and lifecycle management is not optional – it must be built in from the start. Organisations must adopt a ‘security-by-default’ approach from conception, embedding security features at the earliest stages, so that products are architected to be resilient against evolving threats. This extends across the entire lifecycle, from supply chain management through to end-of-life processes.
You must make every product security decision as if you were the end-customer. Ask yourself what you would expect to find if you were evaluating a supplier’s product — and then build to that standard. It’s this kind of holistic thinking at Canon that has allowed us to bring together information and product security to create a compelling solution that resonates with customers.
To put this into practice, once you have considered the structure and exposure of your business, ask yourself: are you doing everything you would want your supplier to do? It’s a simple but powerful question that can identify areas for improvement and uphold security standards across the business.
There has been a suggestion that focusing on fundamentals can be more impactful than chasing high-profile threats—are organisations still getting that balance wrong today?
Yes – and it is easy to understand why. High-profile threats grab headlines and drive boardroom conversations, but one principle remains constant: it only takes one weak link for attackers to access an entire system. Foundational security hygiene and the protection of often-neglected endpoints are the areas most frequently overlooked, and most frequently exploited.
The vulnerabilities that lead to real-world compromises, from small organisations to major multinationals, rarely stem from novel, sophisticated attacks. Instead, they stem from basic failures: unpatched systems, poor access controls, leaked credentials. Prioritising comprehensive, fundamental security can often pre-empt the need to contend with far more serious threats further down the line.
As the role of the CISO continues to evolve, what new skills or perspectives will define successful security leaders over the next five years?
We have seen a notable shift in recent years toward the non-technical CISO, with increasing emphasis placed on management capability, financial acumen and business strategy. These are important skills — being able to translate cybersecurity risk into clear business implications and building a security-first culture across an organisation are genuine leadership imperatives. However, these capabilities must be balanced with strong technical understanding.
Over the next five years, this trend will continue, with successful security leaders being determined not just by their technical prowess, but by their ability to translate complex cybersecurity risks into clear business implications for employees across all levels of the business. As it is often the human element that becomes a business’s security vulnerability, CISOs who can translate the technology of cyberattacks into active lateral thinking among employees will be able to turn this weakness into a strength.
To do this successfully demands enhanced communication skills, a deep understanding of organisational strategy, and the capacity to build a ‘security-first’ culture that permeates every department. CISOs are the orchestrators of a multi-layered defence, integrating security into business operations, supply chains, and evolving Digital Transformation initiatives, moving beyond purely technical oversight to comprehensive risk leadership.
How can organisations better measure the effectiveness of their cybersecurity awareness programmes beyond basic compliance metrics?
Measuring the true effectiveness of cybersecurity awareness programmes goes far beyond ticking compliance boxes. The starting point must be defining what ‘good’ security hygiene looks like for your organisation – because if you don’t know what good looks like, you have no meaningful way of measuring how close you are to achieving it.
While security is a matter of confidence and reassurance, I firmly believe that cybersecurity awareness programmes can and should be measured in numbers; it’s just about identifying the right numbers. This means looking beyond who clicked on a phishing e-mail or completed a training module, and instead pressure testing where the real strengths and weaknesses lie. What is the susceptibility rate of a given population across a range of different stimuli? What are the behaviours that indicate genuine, embedded security hygiene? Championing those with good cybersecurity practice and hygiene can also drive broader awareness and upskilling, with peer-to-peer learning making a tangible contribution to overall business security.
What role should leadership play in embedding a security-first culture across the organisation, particularly in the context of Digital Transformation initiatives?
A security-first culture is built from the top down – not as an IT function, but as a core business imperative. Leadership must not only demonstrate commitment to cybersecurity but set clear and realistic expectations for what that commitment looks like in practice.
Ultimately, an organisation gets the security culture that its leadership chooses to have. Cyber threats will come, and in today’s environment, the expectation should be that they will. What separates successful and secure organisations is not that they prevent every attack, but that they are built to bounce back. This resilience doesn’t happen by accident; it is embedded into the organisation’s identity by leadership, which sets the benchmark for what resilience means and what it looks like in action.