The new cybersecurity leader
Victoria Hanscomb
It’s time for the security leader to ditch fear, uncertainty and doubt and embrace a role as cyber-architect, says Neal Humphrey, VP Market Strategy at Deepwatch.
A changing cybersecurity landscape
For a long time, cybersecurity has been sold on the age-old concept of fear, uncertainty and doubt.
Security lends itself to the fear of the “known unknown”.
We know that there are bad actors, with bad intentions, that are capable of taking advantage of the protected and unprotected.
The unknowns are when an attack will occur (the internet is a dangerous place and attacks are almost constant), how sophisticated the attack or attacker is and the goal of the attack.
Vendors and organizations want to make a business as secure as possible. But security spending and capabilities work on a curve of diminishing returns on spending and talent.
The going security approach and fear-based sales have continued for so long because they have worked.
Security experts lived in different worlds than the executives they served.
They thought of themselves as all-knowing protectors and, buried in their day-to-day jobs leading the business, most business leaders didn’t ask too many questions.
But the cybersecurity environment is changing.
The money is drying up and businesses are starting to ask tougher questions about the value that security leaders actually provide.
In 2024, more than a third of security leaders saw budgets remain flat or decrease, according to a survey of more than 750 Chief Information Security Officers.
That means one thing: it’s time for cybersecurity leadership to adopt a cyber-architecture mindset.
Cyber-architects versus technicians
Security leaders, by and large, continue to think of themselves as technicians.
They focus on the day-to-day security tasks in front of them.
Meanwhile, they adopt a “cyber knows best” attitude toward other parts of the business, unwilling to offer explanations that make sense to those not engrossed in cybersecurity.
They present problems without offering explanation as to how the problems – and any proposed solutions – could impact the business. In short, they talk over the heads of leadership teams.
Taking on a “cyber-architecture” mindset requires a whole new approach.
It means doing the work of engaging in longer-term strategic thinking, which begins with learning the ins and outs of the business.
It means building relationships and trust across the C-suite, learning the language of the business and speaking in terms that other backgrounds can relate to.
More than anything, it requires, for the first time, taking a collaborative approach to security, connecting problems and solutions to real business interests.
Solutions are presented as options that could each bring about various possible consequences – not as ultimatums, with death and destruction hanging in the balance.
Proactive versus preemptive
Security is a game of controlling the controllables – while preparing for the unexpected.
Based on what they know about the threat environment, cybersecurity technicians establish safeguards to shore up systems against known threats – that’s being proactive.
But truly preemptive cybersecurity goes a step further, meticulously planning for events that have not yet occurred and may never.
Cyber-architects practice truly preemptive security.
They ensure written protocols are in place that lay out specific actions to take in the case of certain scenarios.
They’ve spelled out the path forward already, so when things go awry, companies can take action immediately.
That means fewer CEOs pulled from bed in the middle of the night to deal with security crises.
It also means reaping the benefit of taking swift action, which ultimately can ease the damage that security mishaps inflict on both the bottom line and long-term brand reputation.
More than half of all people in the US – 55% – say they’d be less likely to do business with brands that suffer cyber-attacks, CNBC reported.
The preemptive approach is the culmination of thinking as a cyber-architect.
The entire business must be involved in setting such protocols and brainstorming effective responses.
The cyber-architect will have already broken down business silos and formed relationships with key business leaders.
Landing on protocols will come down to open and honest discussions about how various scenarios would impact the future of the business.
The give and take of security leadership
In today’s world of cybersecurity, relationships must go both ways.
Cybersecurity leaders must respect the priorities of the business. Business leaders must respect the value of cyber.
But make no mistake: executive teams are quickly wising up to the “next tool up” approach to security.
They don’t always fully understand how to adopt a better way, but they’ve grown wary of the same old approach.
That provides security leaders with an opportunity to do the work of educating business leaders on longer-term security thinking, connecting their message to the core tenets of the business’ value.
The ones that do will step into their role as cyber-architect, building trust with their peers on the C-suite and ultimately preparing their organizations to succeed in today’s security environment.
About the company
Deepwatch is a provider of AI and human-driven cybersecurity and resilience solutions.
The Deepwatch Platform enables security teams – regardless of skill level – to enhance their organization’s cyber-resilience and maintain regulatory compliance.
By combining AI, security data, intelligence and human expertise, Deepwatch helps organizations reduce risk through early and precise threat detection and remediation.
The platform also lowers costs, maximizes existing tool investments and enhances security team productivity.
This article was originally published in the special ISC West 2025 March edition of Security Journal Americas.