Cybersecurity leaders must accept a hard truth: AI has already broken the traditional model of defense in 2026. Attackers now operate faster, at lower cost, and at greater scale than most organizations can handle. The only viable response is to rethink security as a continuous, business-driven risk function.
This shift defined a recent panel at RSAC 2026 featuring Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks; Kara Sprague, CEO of HackerOne; Suzanne Brown, Director of Board Services at the New York Stock Exchange; and Margi Murphy, Reporter at Bloomberg. Their discussion focused on how AI is reshaping cyber risk, redefining the CISO role, and forcing boards to take direct ownership of security outcomes.
The Executive Breakfast, ‘Investing in Cybersecurity: What Boards Expect and Executives Deliver,’ was hosted by SecurityScorecard Chief Marketing Officer Claire Trimble, with support from sponsors Carahsoft, Armis, ServiceNow, and LockThreat GRC, whose partnership helped bring this executive discussion to life.
AI Has Reduced the Cost and Time of Cyberattacks to Near Zero
Sprague noted that AI has fundamentally changed how attacks are executed in 2026. It has reduced the cost of launching attacks while increasing their speed and effectiveness, forcing security teams to reevaluate their defenses.
“The cost of an attack is approaching zero. Because now you have all of these… attackers who now are equipped with very easy access to very powerful models,” Sprague said, noting attackers now use advanced reasoning agents to automate reconnaissance, exploitation, and lateral movement.
“The onus is on all of us in this room to really recognize that that change has happened—and change the way that we’re operating as defenders. We need to adopt continuous security mechanisms,” Sprague said.
Whitmore reinforced how quickly attacks now unfold, noting that attackers can move from initial access to full compromise or stealing data in just 72 minutes. “AI is creating this intense amount of speed by which the attackers are operating,” Whitmore said.
This acceleration forces a new reality. Sprague warned of what lies ahead:
“The attack surface of the enterprise is expanding very, very rapidly,” Sprague said. “We are going to face a wave of exposures and vulnerabilities that nobody in this room can actually comprehend. And what that means is that we all have to be prepared to rapidly scale out our defenses.”
This is not a distant risk. It is already unfolding. Organizations must prepare for a surge in exploitable weaknesses across both internal systems and third-party ecosystems.
Cyber Risk Has Escalated to a Board-Level, Nation-State Problem
The panel argued that cybersecurity has outgrown its technical roots. It now sits at the center of enterprise risk, shaped by geopolitical threats, regulatory pressure, and business survival.
CISOs face an unprecedented challenge in this context, Whitmore noted: They must defend against nation-state actors, cybercriminals, and hacktivists at the same time.
This shift has fundamentally changed expectations in the boardroom. Security leaders are not just hired to protect systems. They are safeguarding the continuity of the business under conditions that resemble modern warfare.
At the same time, regulation has elevated cyber risk into the boardroom. The SEC’s requirement to disclose material breaches within four days has made cybersecurity a direct governance issue. Boards must now understand and act on cyber risk as part of enterprise strategy, not as a technical update.
This convergence exposes a critical flaw in how organizations approach security. Many boards still ask, “Are we secure?” Sprague reframed the core question boards should be asking:
“Boards need to stop asking the question, ‘Are we secure?’ Because that answer is always no. And they need to start asking the question, ‘What are the scenarios that could completely screw us over?’”
Incident Response and Third-Party Risk Remain Major Gaps
This mindset shift is one that boards need to make quickly in 2026. Cyber incidents now disrupt operations, halt revenue, and impact market confidence. The question is not whether an attack will happen, but how the organization will respond when it does.
Boards must take ownership of that outcome. That means focusing on resilience, understanding worst-case scenarios, and making informed decisions about risk acceptance and investment.
Brown noted that despite growing awareness, many boards still underestimate operational risk, third-party exposure, and incident response.
“The board, where they fall down a lot is they ask… ‘Are we prepared?’ But then they neglect the incident response… I think that incident response is where they fall down,” Brown said. “And the markets will react to that.”
Brown also emphasized that cyber incidents are no longer limited to data breaches, and that boards need to right-size their conception of risk to get ahead of it and to recognize that third-party compromises can amplify it. A single vendor failure can cascade across thousands of dependencies, halting business operations entirely, Brown noted, citing the Jaguar Land Rover incident. “It can be an operational breach [where] you cannot deliver your product.”
The Communication Gap Is Still the Biggest Barrier
For boards and CISOs working to close these gaps and buy down risk in 2026, one unifying problem persists: communication.
Security teams often present dashboards filled with technical metrics, but these don’t help boards make decisions, the panel concluded. Sprague explained that boards and CEOs actually need to ask: “How much money did you spend to remove how much risk?”
Whitmore reinforced the need to translate technical data into business outcomes: Security leaders need to be “thinking about how we can more effectively communicate what’s going on in the lens of the board audience.” This means framing cybersecurity in terms of financial impact, operational disruption, and risk reduction. Without this shift, boards cannot act effectively.
Brown advised CISOs and security leaders to stop focusing on technical findings and instead communicate risk in business terms. This includes driving digital transformation, influencing board decisions, and aligning security with enterprise outcomes.
“You need to lift up your skill set to be more about enterprise strategy. So often I talk to CISOs who say they implemented something. The board’s eyes are going to glaze over, they are not going to understand it, they’re just not,” Brown said. “And so what they’re always looking for in a board member is adaptability, understanding enterprise across the business.”
Security Is Now a Business Survival Function
AI has not just increased cyber risk. It has changed how risk behaves. Attacks scale faster, spread wider, and hit harder across your ecosystem.
That shift leaves no room for outdated models. Annual assessments, siloed ownership, and technical reporting no longer support business decisions. Boards need clear answers on exposure, financial impact, and resilience.
Security leaders cannot carry that burden alone. The CEO and board must own cyber risk as a core business function. That starts with visibility across internal systems and third-party relationships, where many of the most damaging failures begin.
SecurityScorecard helps you quantify that risk in real time. You can track third-party exposure, identify weaknesses before attackers do, and translate findings into clear business impact.
If you want to move from reactive defense to measurable risk ownership, start with the data your board actually needs. To strengthen resilience across your third-party ecosystem, request a demo today.