Principal Product Manager

AI is reshaping cyber risk in 2026: why boards must take ownership now. Cybersecurity leaders must accept a hard truth: AI has already broken the traditional model of defense in 2026. Attackers now operate faster, at lower cost, and at greater scalethan most organizations can handle. The only viable response is to rethink security as a continuous, business-driven risk function. This shift defined a recent panel at RSAC 2026 featuring Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks; Kara Sprague, CEO of HackerOne; Suzanne Brown, Director of Board Services at the New York Stock Exchange; and Margi Murphy, Reporter at Bloomberg. Their discussion focused on how AI is reshaping cyber risk, redefining the CISO role, and forcing boards to take direct ownership of security outcomes. The Executive Breakfast, 'Investing in Cybersecurity: What Boards Expect and Executives Deliver' was hosted by SecurityScorecard Chief Marketing Officer Claire Trimble, with support from sponsors Carahsoft, Armis, ServiceNow, and LockThreat GRC, whose partnership helped bring this executive discussion to life. AI has reduced the cost and time of cyberattacks to near zero. Sprague noted that AI has fundamentally changed how attacks are executed in 2026. It has reduced the cost of launching attacks while increasing their speed and effectiveness, forcing security teams to reevaluate their defenses. "The cost of an attack is approaching zero. Because now you have all of these... attackers who now are equipped with very easy access to very powerful models," Sprague said, noting attackers now use advanced reasoning agents to automate reconnaissance, exploitation, and lateral movement. "The onus is on all of us in this room to really recognize that that change has happened - and change the way that we're operating as defenders. We need to adopt continuous security mechanisms," Sprague said. Whitmore reinforced how quickly attacks now unfold, noting that attackers can move from initial access to full compromise or stealing data in just 72 minutes. "AI is creating this intense amount of speed by which the attackers are operating," Whitmore said. This acceleration forces a new reality. Sprague warned of what lies ahead: "The attack surface of the enterprise is expanding very, very rapidly," Sprague said. "We are going to face a wave of exposures and vulnerabilities that nobody in this room can actually comprehend. And what that means is that we all have to be prepared to rapidly scale out our defenses." This is not a distant risk. It is already unfolding. Organizations must prepare for a surge in exploitable weaknesses across both internal systems and third-party ecosystems. Cyber risk has escalated to a board-level, nation-state problem. The panel argued that cybersecurity has outgrown its technical roots. It now sits at the center of enterprise risk, shaped with geopolitical threats, regulatory pressure, and business survival. CISOs face an unprecedented challenge in this context, Whitmore noted: They must defend against nation-state actors, cybercriminals, and hacktivists at the same time. This shift has fundamentally changed expectations in the board room. Security leaders are not just hired to protect systems. They are safeguarding the continuity of the business under conditions that resemble modern warfare. At the same time, regulation has elevated cyber risk into the boardroom. The SEC's requirement to disclose material breaches within four days has made cybersecurity a direct governance issue. Boards must now understand and act on cyber risk as part of enterprise strategy, not as a technical update. This convergence exposes a critical flaw in how organizations approach security. Many boards still ask, "Are we secure?" Sprague reframed the core question boards should be asking: "Boards need to stop asking the question, 'Are we secure?' Because that answer is always no. And they need to start asking the question, 'What are the scenarios that could completely screw us over?'" Incident response and third-party risk remain major gaps. This mindset shift is one that boards need to make quickly in 2026. Cyber incidents now disrupt operations, halt revenue, and impact market confidence. The question is not whether an attack will happen, but how the organization will respond when it does. Boards must take ownership of that outcome. That means focusing on resilience, understanding worst-case scenarios, and making informed decisions about risk acceptance and investment. Brown noted that despite growing awareness, many boards still underestimate operational risk, third-party exposure, and incident response. "The board, where they fall down a lot is they ask... 'Are we prepared?' But then they neglect the incident response... I think that incident response is where they fall down," Brown said. "And the markets will react to that." Brown also emphasized that cyber incidents are no longer limited to data breaches, and boards need to right-size their conception of risk in order to get ahead of it and realize that third party compromises can amplify this risk. A single vendor failure can cascade across thousands of dependencies, halting business operations entirely, Brown noted, citing the Jaguar Land Rover incident. "It can be an operational breach [where] you cannot deliver your product." The Communication gap is still the biggest barrier. To close the gaps for boards and CISOs working to buy down risk in 2026, one unifying problem persists: Communication. Security teams often present dashboards filled with technical metrics, but these don't help boards make decisions, the panel concluded. Sprague explained that boards and CEOs actually need to ask: "How much money did you spend to remove how much risk?" Whitmore reinforced the need to translate technical data into business outcomes: Security leaders need to be "thinking about how we can more effectively communicate what's going on in the lens of the board audience." This means framing cybersecurity in terms of financial impact, operational disruption, and risk reduction. Without this shift, boards cannot act effectively. Brown advised CISOs and security leaders to stop focusing on technical findings and instead communicate risk in business terms. This includes driving digital transformation, influencing board decisions, and aligning security with enterprise outcomes. "You need to lift up your skill set to be more about enterprise strategy. So often I talk to CISOs who say they implemented something. The board's eyes are going to glaze over, they are not going to understand it, they're just not," Brown said. "And so what they're always looking for in a board member is adaptability, understanding enterprise across the business." Security is now a business survival function. AI has not just increased cyber risk. It has changed how risk behaves. Attacks scale faster, spread wider, and hit harder across your ecosystem. That shift leaves no room for outdated models. Annual assessments, siloed ownership, and technical reporting no longer support business decisions. Boards need clear answers on exposure, financial impact, and resilience. Security leaders cannot carry that burden alone. The CEO and board must own cyber risk as a core business function. That starts with visibility across internal systems and third-party relationships, where many of the most damaging failures begin. SecurityScorecard helps you quantify that risk in real time. You can track third-party exposure, identify weaknesses before attackers do, and translate findings into clear business impact. If you want to move from reactive defense to measurable risk ownership, start with the data your board actually needs. To strengthen resilience across your third-party ecosystem, request a demo today.

Prompt Injection attacks are still bad, still a hosting problem. Posted: 3/25/2026 Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists. Follow Us: 1k 1k Key takeaways. When HackerOne released its state of cybersecurity report last year, it presented quite a few concerning figures - one of which being that prompt injection attacks have gone up 540% year over year. Today, attackers are still experimenting with (and succeeding at) manipulating AI systems through prompts at the fastest rate possible thus far. Prompt injection is one of the most common ways attackers get into AI systems. And with how much hosts are investing in AI, that means it's now also a hosting problem. What's actually happening. Prompt injections occur when someone (a hacker, cyberattacker, botnet, whatever you want to call them) tricks the model into ignoring the original rules assigned and doing something else (like accessing private information). The report urged hosting providers to go beyond prompt filtering and actually test whether their AI systems can be exploited the way bad actors are already doing it. And since hosts still have plenty to worry about, HackerOne launched Agentic Prompt Injection Testing to test exactly that. "Hosting providers aren't responsible for a customer's prompts or model logic - but they play a decisive role in limiting the blast radius when AI apps are manipulated," warns Sandeep Singh, a senior director at HackerOne. Admittedly, it's less about the tool itself and more about why something like this had to be built in the first place. It's very much in line with zero-trust thinking: Don't assume anything works the way it's supposed to. Always double-check. Now you have to test it. AI-powered systems and tools are so directly connected to data that it can take just one prompt mishap to cause an outage or breach. It may be happening more than you think. IBM found that about 1 in 8 organizations (13%) have already experienced an AI-related data breach. More telling is that nearly all of them admitted they didn't have proper AI access controls in place. When breaches did occur, 60% led to compromised data, 31% caused operational disruption, and 23% caused financial losses. Singh predicts auditors will expect hosts to actively test how AI systems react to being attacked, and not just rely on assuming everything will work as intended. As for how to do that, Singh has a few suggestions. "Providers will either offer native capabilities or partner integrations that help customers test AI systems under adversarial conditions and produce clear evidence of what can actually be exploited before it becomes an incident," he says. It's probably worth heeding that advice. Hosting providers are being pulled deeper into the AI security stack whether they like it or not. At this point, testing what a real attack looks like is really the only way to prepare.