
Cybersecurity Is Now a Core Business Discipline

Steve Durbin
Published 11 December 2025
security week

Cyber risk has become the background noise of modern business. We’re seeing nearly two thousand attacks per organization per week in the first quarter of 2025—a 47% rise year-on-year. That surge reflects two realities moving at once: attacks are genuinely increasing because it’s easier and cheaper than ever to mount them, and defenders are getting better at spotting what previously slipped under the radar.

In other words, the problem is growing and we’re measuring it more honestly.

For leaders, the takeaway isn’t panic. It’s clarity. Cybersecurity is now a core business discipline, not an IT specialty. When a household name like Marks & Spencer can take a $400 million hit to trading profits after a major cyber incident, we’ve moved beyond “technology risk” into enterprise resilience. I often say the bad actors only need to get lucky once; defenders must be effective 24/7. That asymmetry won’t vanish. The job of leadership is to run with it; to accept the pace of the threat and build organizations that can withstand, respond, and keep moving.

Three Forces Shaping the Threat Landscape

  • Cybercrime has been industrialized. Crime-as-a-service means a would-be attacker no longer needs to be a gifted coder. They can rent malware, buy stolen credentials, and outsource everything from initial access to cash-out. The marketplace rewards specialization and speed, reducing both the cost and the risk for criminals. The result is a steady drumbeat of opportunistic probes across every sector.
  • Targeted phishing has gone bespoke. Attackers increasingly put in the legwork to make an email, text, or voice call feel legitimate to one specific individual. When you combine abundant open-source data with deepfake voice tools and polished templates, that “one click” looks a lot more plausible to a busy executive or an accounts payable clerk. This is why so many breaches begin with social engineering rather than a zero-day exploit. Humans are the front door.
  • AI has supercharged both sides of the equation. On offense, generative tools remove language barriers, perfect grammar, and personalize lures at scale. On defense, AI helps us triage alerts, spot anomalies, and shorten dwell time. But here’s the rub: the criminals iterate quickly. We cannot out-automate the problem. We can, however, out-govern and out-execute it.

Add geopolitical uncertainty to the mix and the picture gets more restless still. Tensions spill into cyberspace as nation-states and aligned groups blur the lines between espionage, disruption, and criminal profiteering. Supply chains become conduits. Regional crises trigger waves of opportunistic scams. This is why boardroom conversations about cyber cannot be siloed from strategy, operations, or geopolitics. The context matters.

What does good look like in this environment?

Start with an “assume breach” mindset. If bad actors only need to be lucky once, then your business must be designed to fail safely. That means strong identity controls, multi-factor authentication everywhere it makes sense, segmentation that limits lateral movement, and backups that are both tested and recoverable. None of this is glamorous. All of it is decisive. I’ve yet to meet a breached organization that regretted investing in the basics.

Engineer for better human decisions. Traditional awareness training has diminishing returns if it’s divorced from real work. Replace generic modules with just-in-time prompts in the tools people actually use. Add controlled friction to high-risk workflows: payment changes, supplier onboarding, privileged access approvals. Normalize “pause and verify” by making it easy and expected. Culture is created by what gets rewarded and what gets made simple.

Practice response as a team sport. When an incident hits, you don’t rise to the occasion—you fall to the level of your preparation. Run realistic exercises that include legal, communications, operations, finance, and the executive team. Decide in advance what constitutes a material incident, who speaks to whom, and how you’ll continue serving customers while you recover. The aim isn’t a perfect script; it’s muscle memory.

Look hard at your dependencies. Your risk is a function of your partners’ controls as well as your own. Prioritize due diligence on critical suppliers, require incident notification, and build technical and contractual escape hatches. If a third party is compromised, how quickly can you switch, isolate, or continue in a degraded mode? That question should have a clear, practiced answer.

Finally, translate cyber into business terms. Boards don’t need a tour of the threat landscape every quarter; they need to understand impact, options, and trade-offs. Quantify exposure where you can. Tie investments to measurable outcomes—reduced time to detect and recover, improved resilience of revenue-generating processes, lower frequency of high-severity incidents. Cyber is not a bottomless cost center. It’s an enabler of growth, trust, and reliable performance.

It’s worth repeating that rising attack figures are not purely a sign of failure. Part of what we’re seeing is maturation: more comprehensive monitoring, better detection, fewer blind spots. You wouldn’t berate a finance team for finally finding problems that were always there; you’d thank them and fix what matters most. Apply the same logic here.

Final Thoughts

Leaders must set the tone. If you treat cyber as a compliance checkbox, your people will aim for minimums. If you frame it as a strategic capability—one that protects customers, safeguards brand equity, and keeps the enterprise operating under pressure—you’ll get energy and ingenuity. The organizations that thrive in this era will not be those that promise to keep every attacker out. They’ll be the ones that accept the reality of risk, build resilience into the fabric of the business, and earn trust by responding well when the unexpected happens.

We don’t get to choose the threat landscape. We do get to choose how we lead in it.
