arrow Back

The CEO’s View of Being Breach Ready

In this episode of Breach Ready Dialogues, Agnidipta Sarkar sits down with Gordon Cowan, CEO and Founder of Cybrilliance, to unpack what it really means to build breach readiness in the age of AI. They discuss why visibility, accountability, resilience, and reducing lateral movement are critical to limiting business disruption, protecting digital trust, and staying operational during and after a cyber incident.

Tune in for a practical conversation on cyber resilience, AI-driven threats, breach preparedness, and why organizations must move beyond detection to true operational readiness.

Watch this episode to learn how OT teams, CISOs, and business leaders can collaborate, simplify cybersecurity, and build environments that withstand the next breach.

Agnidipta Sarkar: Hi. Good morning.

Gordon Cowan: Yes. Good morning, Agni. How are you?

Agnidipta Sarkar: I’m good, sir. And Good … for everybody listening in we are back with another session of the Breach Ready Dialogues. You’ve heard about breaches happening, and I think the recent breach was the second anthropic leak that talked about, they’d let out some code. A and I know everyone’s wondering about what’s the new world where there’ll be breaches that are either driven by artificial intelligence or breaches that are targeting artificial intelligence projects, or worse, a human driving an artificial intelligence agent or managing some rogue agents breaking in and then creating havoc.

Agnidipta Sarkar: As usual, and in my efforts to bring breach and breach readiness topics to my audience we will try and cover multiple elements of such breaches. I’ve Gordon here with me, and we will delve into some aspects of what we talked about. Remember it doesn’t matter whether you are a cyber leader or a CISO, but if you are thinking about something which does not have a book, breaches and various aspects of it, this is the show that you want to come in.

Agnidipta Sarkar: But let me introduce my guest first. Gordon the picture behind you introduces you a lot, but please go ahead. Can you give us, give my audience an idea about who you are, what you’ve been up to?

Gordon Cowan: By all means. Thank you, Agni. A pleasure to be with you. Yeah, my name’s Gord Cannon. I’m CEO and founder of Cybrilliance.

Gordon Cowan: We are, we began in this industry as a an organization that looked at cyber as a business and then also looked at where we could fit. And through that journey, I realized that the market is big. It’s saturated in many areas. And for the most part, if you just look at statistics, it’s doing a very good job against threat defense.

Gordon Cowan: However, what we’re reading about are not the successes. We’re reading about the breaches where they have… There have not been successes. And I started my journey saying, okay, where? Why? So really, if I look at the industry stats, I’m not focusing on the 92% that’s being thwarted. I focused on the 8% as… and asked why.

Gordon Cowan: And it’s in that journey of why I was discovering what were… what I saw as the root causes. And it’s not to point fingers or show blame, it’s just simply to understand, acknowledge what’s going on. Once we can accept and acknowledge, then we can begin the journey of fixing. This led me to where I am today, which is in the preparedness and readiness for the inevitable breach, with the objective of the company still has to be operational and available even during or shortly after the breach, not the 17.2-day average.

Gordon Cowan: Most of my career has been focused on what happens when things don’t go as planned. And there’s a lot of planning. There’s a lot of resources spent on the planning and then tooling and then management. One of the issues five years ago, it’s not as much today, but it’s still there is that most of it is spent in the threat detection and blocking area.

Gordon Cowan: Resilience has become a conversation slowly, and I’m gonna say even in the last six to nine months if you look at LinkedIn in the post I’m gonna say it’s swung. The pendulum has swung towards that. The issues that I see that are still happening though are they’re looking at it through the lens of current cyber infrastructure capabilities today because they were not developed with AI in mind.

Gordon Cowan: They were developed at another time, another era, and other issues. Even in the recovery of a cyber breach, and if we’re… other than threat, the detection and so on, if we look at actual recovery, that’s over 30 years old. It’s using backup strategies not meant for active environment time-sensitive recovery.

Gordon Cowan: So I focused on the 8%. I have focused on why were the breaches happening, but most importantly, what can we do? What can we do to change that? And that’s where my journey started, and I got to meet a lot of great people globally, India, Africa, Europe, and got a real sense of there are obviously regional differences and nuances, but we’re all experiencing the same thing.

Gordon Cowan: So our focus is simply preparedness, readiness, and operational status maintained.

Agnidipta Sarkar: Thank you. Yeah. Like I did in the introduction, I said that we are getting into multiple aspects of breaches. We hear breaches are happening. The world wants to go ahead and leverage the power of AI.

Agnidipta Sarkar: And being a former CISO, I have seen digitization projects soon getting into analytics and automation. And one of the key challenges that CISOs usually have is how do I put… how do I wrap cybersecurity around it? And to your point I think we need to shift, and that’s what I’ve been talking about in my podcast as well, that we need to have a foundational shift in how we approach the cybersecurity problem in the age of AI and digitization.

Agnidipta Sarkar: And I think we need to think about how do we make sure that we are prepared for what’s going to happen during a breach and soon after, and we need to do things before a breach happens. And for that purpose and for that purpose only I think like the, like TheDarkSide is using something called as a hackers collective.

Agnidipta Sarkar: I think it is time we build a breach-ready collective where we interact with multiple tools, APIs, and make sure that the input of one is fed into the other so that together during the breach, we are able to take actions to make sure that we are able to, reduce the effects of that breach from affecting the work we do.

Agnidipta Sarkar: For example, if there was a… If we’re talking about AI, and if there was an AI agent, which is trying to execute destructive commands, you need certain kind of modern tools to detect that whatever is happening is not normal behavior. Someone is trying to, let’s say delete capabilities to to operate an AI.

Agnidipta Sarkar: And if that gets flagged off to tools that can actually stop and disconnect networks at will, then you can prevent such things from lateral movement.

Gordon Cowan: Or… And if I may add, you’re absolutely dead on. Dependencies of the current tools are where the gaps are. The issues the the organizations, the clients have is they don’t have the visibility.

Gordon Cowan: And you can’t necessarily depend on going to a vendor, and this isn’t any one vendor, but saying what are the gaps in your… and vulnerabilities of your product? Okay, that’s not what they’re there to talk about. But as the end user client, you have to ask the right ans or questions and go to the right depths.

Gordon Cowan: The depth of the questions stopped at threat detection. Now we have to get into the deeper layers where threat detections are far below what threat detections are now being exploited. And that’s where I think the gaps and the conversation and the some and the resources have to start to target is to get the visibility.

Gordon Cowan: What’s really happening? And then you can start looking at, okay, now what can we do to mitigate this? And the problem is, if you have 40 different technologies in there, that’s a huge undertaking. It’s a huge undertaking, and maintenance is crazy. Whether you have AI or not it’s a lot Yeah.

Gordon Cowan: Yeah.

Agnidipta Sarkar: It was a problem before AI as well. Absolutely. Absolutely. While the rest of the world had, an ERP, there would be three or four kinds. I Yes … I still remember 10 years ago people were discussing that in cybersecurity, there were 160 different technologies that were available Correct

Agnidipta Sarkar: for a company to do something. While, at a minimum of 20 different technologies exist in every company.

Gordon Cowan: Now, so but what’s the common exploitation across those 160? Okay, the common exploitation, I’m gonna put at the head of the head of the snake, human error. Okay? I’m gonna put that there first And process gap

Gordon Cowan: and I’ll come back to that. Yeah. And then I’m gonna suggest to you that the dependencies, the biggest dependency after that in threat detection is known malware. Okay? If you don’t know it, you can’t detect it, you can’t block it. Now, AI has even got around that because they bypass EDR and XDR now, so they don’t even get a chance to look at it.

Gordon Cowan: Okay. And then the dependencies of when the big movement started to happen a number of years ago to the cloud. So that hampers the operational capability as far as post breach. How do you recover from the cloud when the incident response team is taking you totally down? For the right reasons, by the way.

Gordon Cowan: And you slowly bring it back, and then you get into the chaos post breach of which one of the 40 locations globally do you start to bring back first? Rebuilding the time aspects of all that. So those are the areas that I think need the attention. The threat detection is doing a good job. AI has escalated, but it’s also hopefully gonna be to the advantage of the end users, where they’re gonna be able to use that in detection and threat and thwarting and so on.

Gordon Cowan: But I think at the other end right now, what we need to do is say, “What are the real problems? Let’s plug the holes. Let’s get rid of dependencies or mitigate those dependencies as best we can.” That’s where I think the conversation

Agnidipta Sarkar: I think you, you touched upon dependencies a lot, and I think one of the key problems that I find is if I were to…

Agnidipta Sarkar: like you said, there are tools that can bypass EDR. Now, the first thing that happens after EDR gets bypassed is lateral movement. See, if we had a me Yes … if we had a mechanism of, say, reducing the attackable path, in that case what we can find is that the EDR becomes sharper because now they’re not looking at the whole enterprise, but on a sharply defined attack, allowed attack path, which means their findings are more positive than false positive Yes

Agnidipta Sarkar: false things. Yes. The second thing that happens is if you reduce the blast radius of… through the lateral mo by reducing lateral movement, it means that the otherwise, frivolous activity on a network suddenly becomes malicious much faster. So … earlier you thought that, okay, it’s possible when I look at this traffic, it’s probably one of my guys trying to do an RDP.

Agnidipta Sarkar: But I don’t know. As you said the visibility is poor. So I don’t really know, but I’m afraid to stop that connection because I might be beaten down by my managers and my leaders saying, “You disrupted a valid communication.” But the moment you lock down lateral movement, suddenly that connection becomes malicious Yes

Agnidipta Sarkar: which you did not know earlier, which means to your point then, visibility is extremely important, and the right visibility. And if that is if we’ve not given an elbow room to an attacker the experience during breaches are very different then.

Gordon Cowan: Yeah.

Agnidipta Sarkar: And, Yep. Yeah. Yes. So what I was actually trying to conclude is when you get into that kind of a scenario, in that case what you really need is a is the mechanism to do this across IT, OT, or cloud.

Gordon Cowan: Absolutely …

Agnidipta Sarkar: because of the technology that we have developed, we have left OT behind. But if you really go back to OT, OT has the best… I feel that IEC 62443 has the best design approach or an engineering approach on how you can look at cyber resilience.

Gordon Cowan: No there’s very good aspects of that to, to deal with what we’re talking about.

Gordon Cowan: But there, there’s still the dependencies and gaps that, you know, the, that are in there are still dependent on a solution to do something. And the question is, what is the barrier for those solutions to react? Again, you can plan, you can do all of that. You can check the boxes. Sorry that’s not what you’re saying, but you can check the boxes.

Gordon Cowan: But again, you’ve come back to a key. If you don’t have visibility, how, how do you know that it’s happening the way you’re doing it? That’s the issue. One of the big issues. If we take a step back up the ladder, we gotta… it’s, it… There’s some basic fundamentals that I think we don’t look at.

Gordon Cowan: And in my prior life, I used to say to people that were mature companies. When I say mature, 40 years in business. And I said to them, and I was in the insurance risk business, and I said to them, “If you had the ability to go, to get rid of everything you have today, would you build it differently than what you have today?”

Gordon Cowan: And the answer is yes. It’s never been anything else other than that. What do you see the issues are? Oh, okay. John put this in just two years ago. We spent a million dollars and… Yeah, okay. We could be, offending some of the key people, yes. Or how do we justify to the board we just spent a million dollars two years ago, and now you’re coming back in with something different?

Gordon Cowan: But I said, “Use it as a wish list.” It’s your wish. Nobody can challenge your wish. What if we rebuilt this? What would it look like? And that’s where I start the conversations with organizations. But you, they don’t know what they don’t know. So first of all, why don’t we get visibility into what is being exploited and challenged today?

Gordon Cowan: Okay. Not what’s in general, but let’s look at the reach recent breaches in the last five years. let’s align that with what you have and say, “Oh we’ve really got the same vulnerabilities, we just haven’t been attacked yet.” Yes. So do you wanna be prepared? That’s the key. The assumption I always tell people, assume your lens always has catastrophic breach in mind.

Gordon Cowan: That’s catastrophic The adoption is in the prep. And then the catastrophic breach… And when I say catastrophic, I’m not talking about a simple. I’m talking about where wiperware went in and wiped everything. I’m gonna talk about all of that, because the current recovery and restore and everything else is really dependent on, first of all, they have to have operating systems to restore to, but they’ve been wiped.

Gordon Cowan: What’s the time to rebuild? So those are the kind of things that at the deepest layers that they have to start thinking about versus, “Oh, I’ve got backup.” Yeah what if they’re… What if they’re wiped? What if your immutable copy was taken down too? A lot of people get hung up on the word immutable.

Gordon Cowan: “Oh, what can happen? It’s air gap.” No. There’s lots of examples of immutable copies being corrupted too. So anyways, I’m talking at a level that I just like to talk at a level where people can, put it into a practical sense versus theoretical and get it off the paper.

Gordon Cowan: And let’s really look at those issues. So I, I may have der … No, sorry I wanted to say one other thing. The other thing we haven’t really concentrated on in the big way is what motivates the threat actors? Disruption and money. What if we could take disruption and make it maximum an hour? What if we could not only encrypt data, but we could prevent data exfiltration?

Gordon Cowan: If we do those two things, did we take the incentive away from the threat actors? They can’t disrupt, and they’ve got nothing to hold hostage. These are ideals, but what if that existed? So again, it’s the other layer we have to look at, not be reactionary, but be proactive, right?

Agnidipta Sarkar: Yeah. I think I think I’ve been working on very similar lines, as I told you the other day, that there are two parameters that every board should be looking at.

Agnidipta Sarkar: Number one is what is the maximum acceptable material loss that we can deal with? Put a number to it. In… I know first time you may put a number to it, it may be conservative, it may be too aspirational, but it doesn’t matter because you’re going to come back and revisit it and correct it. Because as I said, every business is different.

Agnidipta Sarkar: They have different ways of looking at it. Even if they’re in the same business in the same country, they’re two different businesses. So the Absolutely. So the first thing they need to look at is how much appetite do they have for what is the dollar value for material loss? The second thing that they need to look at, and I’m going back to the two things that you pointed to, because the first thing, the moment you look at the first thing, you’re talking about the incentive that an attacker may have to attack you.

Agnidipta Sarkar: If the attacker finds that this company does not have the appetite, they have taken care because they don’t have enough appetite, they have put in controls, then the incentive goes down because all you’re trying to do is delay or deny the attacker from reaching something that they can make money out of.

Agnidipta Sarkar: And the second parameter is, in the event of a breach, what is the maximum digital business that… What is the minimum digital business that you want operational, that you want to be undisturbed or unaffected, right? Because that then defines, as you said what’s the operational count. How much of your operations do you want to keep going when things go south?

Agnidipta Sarkar: Look at the breaches that have happened recently, right? And every time I hear this I look at a breach, it says, “We’ve had an, we’ve had an unprecedented breach and we’ve had to shut down the operations because of stakeholder interests.” And that pains me because if you had Oh

Agnidipta Sarkar: planned Yes … if you had planned those two parameters, you would find ways to make sure that even if the attack happens Yes … you are able to deal with it because you would keep the rest of your enterprise unaffected. And then Absolutely … you can pull in the big guns and go after that attacker wherever the attack happens and take it out, learn from it.

Agnidipta Sarkar: There’s a lot to learn from it. How did the attack happen in the first place? Sure. As you said, EDR could be bypassed, identities could be misused. And now with AI with so many things happening the way I see it’s not very encouraging. In fact I’m gonna write a blog about it.

Agnidipta Sarkar: Last week… It was last week, I think. Yes, last week. There was a major vulnerability on on a hardware. And the PTC offices in Germany had got a visit from the local police at 3:30 AM Giving them a notice to patch the vulnerability. Now, people may laugh at this, that the police didn’t overacting or, they, they overreached, they overreacted.

Agnidipta Sarkar: But to me, it’s a societal problem now. If we as practitioners don’t come together and build, give the org the world enough confidence that technology will not be misused and it’ll be reliable, then the world will not go to that dystopian future where people distrust technology. As of now, with whatever is happening around us, the distrust is real.

Agnidipta Sarkar: For example, a few years ago, we would be worried about losing personal data. Nobody bats an eyelid anymore.

Gordon Cowan: Yes. Yes. And that’s… you touched on a couple of things that when you say how much can you afford to lose, how much this, how much that there’s two fact, thin things that you can never recover, or very difficult, and one is digital trust.

Gordon Cowan: Okay, I can afford to lose this, but can you, is the question. Okay? I’m just gonna throw out, And it doesn’t even have to be catastrophic. I’m just gonna… And not to pick on CrowdStrike, because CrowdStrike’s a wonderful company, as SentinelOne is. They’re all wonderful companies. But they didn’t even have a breach.

Gordon Cowan: They had a cyber incident. Now, if you really break it down, in my opinion, it was human error. You can break it down into components and say, “Oh, bad patch,” or… no. It was something was released before it was properly addressed. And really, it wa oh, it wasn’t a ransomware, it was just an incident. Just an incident was an average of a nine-and-a-half-hour outage.

Gordon Cowan: What does that mean? What it means is this. They’ve got billion, billions of dollars of lawsuits for nine and a half hours, okay? It’s actually gonna cost more than ransomware if you think about it, right? So

Agnidipta Sarkar: Just in legal fees … pardon me? I said just in legal fees, even if they win the, if they even if they win the court cases.

Gordon Cowan: Yeah. And then there’s the digital trust factor. and so that’s always gonna be a dark cloud hanging over whoever’s head it is, Microsoft, CrowdStrike, or the entity that got hacked, whatever. And then the other thing is the You, as far as time to be down we live in a digital world.

Gordon Cowan: Look at financial services. The banks are online, especially the large global banks. What’s it cost per minute? Not per hour. What’s the cost per minute for them to be down? And then you take the average time financial sectors is down. What’s that really cost? Okay and then you got the digital trust factor always.

Gordon Cowan: Digital trust is the layer that you can’t impact. the damage is done, now you just gotta try, and hopefully time will thin out that dark cloud. Okay? That’s Crypto is a big example

Agnidipta Sarkar: Pardon me? Crypto is a big example of trust that was lost.

Gordon Cowan: Absolutely. Absolutely. So it’s one of the… and by the way, we don’t even know what we’re facing.

Gordon Cowan: AI is really in its infancy. Quantum computing is gonna add another element to speed and and so on. The time is now. Don’t say, “I’ve got what I need now,” because now… and I love Barry Rabkin. He’s a guru in the insurance business. And he thinks there should be no insurance company that’s involved in cyber insurance because there’s no predictability in cyber.

Gordon Cowan: Predictability is good as the next day AI mo evolves. So from a shareholder perspective, and if you think about it, insurance companies have a bigger bag than regulators, in, in many ways. They are really the ultimate at the pinnacle of regulation. I look to them because I’ve come from that industry, but not what they do, but why they’re doing it.

Gordon Cowan: And I’m thinking, yeah, there’s some serious things that we’re all missing here. We’re following the threat actors. We’re not driving the bus, we’re following it, and that’s not good. Okay? So yes.

Agnidipta Sarkar: Absolutely. And, like you said, AI is in its is at its infancy right now. And even if it is at its infancy, we’ve got all these AI gurus going online and saying jobs are going to be lost, and this is going to happen, and that’s going to happen.

Agnidipta Sarkar: AI is going to take over very soon. I think if we are going to be in the situation that we are in, which means our signal is far lower than our noise, adding AI on the top of that noise is only going to make the noise louder. Correct. So instead of AI giving us very good returns… And I think there was a recent study done that said 97% of AI projects are not really doing that well.

Agnidipta Sarkar: The reason is they’ve taken a human attitude They’ve put AI in there to automate it, and in the end, they just have the same system. It works way faster, and its errors are way larger. So we are not doing we are not putting AI the way we should be putting AI. Look at Claude, a fantastic tool. Then you have Claude Bot, a fantastic tool.

Agnidipta Sarkar: What it can do theoretically is phenomenal, but when it comes to, as they say, when the rubber hits the road, if you run the road, if you land on the road with a faulty tire, it is going to burst sooner or later. So we need to fix the tire first. We’re not doing that. We’re in a, we’re in a hurry.

Agnidipta Sarkar: Everybody wants to win in the AI race. Some are succeeding, of course, because they already had good procedures. So to your point, I wanted to add one more factor that I believe is the cause of most breaches, and that is the procedural gaps. Correct. Now, what I mean by that is ideally, and again, as I said earlier, I’m very fascinated with the way factory operations work.

Agnidipta Sarkar: If you really ask me, they have years ago put in procedures which work seamlessly with one another. You take material from one shop, put it in another shop, and there’s hardly any loss. The Whatever losses happen, they’re known and they’re predictable. Correct. I had worked a long time back in the aluminum industry, and if you look at it from bauxite down to, aluminum sheets, every output, everything that happened, all the losses are new businesses.

Agnidipta Sarkar: You take bauxite, you process it, whatever comes out is sold as chemicals. You take that, and then you process the aluminum metal. Whatever falls out goes into cigarette as aluminum those … those small foils, and then you have extrusions, then you have sheets. Yes. Nothing is no, no errors are left out. That’s an excellent … industry. We are nowhere near that with AI.

Gordon Cowan: No. We’re prehistoric in where we are relative to what you just described. I think that visibility, but with visibility has to come accountability, okay? Because you and I are talking, and for the most part, I think we’re inferring private organizations or publicly control organizations.

Gordon Cowan: We’re not talking about governments, Oh, we should no, but I’m saying, though there’s more control in organizations. Now, we’ve had a breach here in Canada in 2024, one of the major cities. And the crux of what happened in that situation was it was demonstrated that they had MFA in place as a but many of the executive decided it was too cumbersome.

Agnidipta Sarkar: So

Gordon Cowan: they opted out.

Agnidipta Sarkar: Been there, yes.

Gordon Cowan: Okay. And I’m not picking on anybody, but this is natural. This is what happens. So the point is, where’s the accountability? Now, in a corporation where you have CEOs and board of directors, there’s some more… There’s additional accountability. But in public sector, it’s politically motivated, funded, and so on.

Gordon Cowan: That’s another area. That’s a huge gap, and they don’t have visibility, and they certainly don’t have accountability I think that is … in most cases …

Agnidipta Sarkar: I think that is where we need to bring in technology. Yes. Because if using technology, we can create bubbles or islands of excellence Yes

Agnidipta Sarkar: where they can exist with all their political will and whatever they want. That would make sure that the public, the society trusts the government because the government Yes … has done investments to protect, to build resilience against cyberattacks Correct … even though they still continue to operate individually or within their organizations, not in a very security conscious way.

Agnidipta Sarkar: as you pointed out, the breach. I looked at that report and I realized that this is not absence of an MFA. No, it was This is absence of leadership will.

Gordon Cowan: Leadership will, and how do you have… How does the people responsible to ensure that policies and procedures are being enforced, where was the visibility to that this was happening?

Gordon Cowan: I’m gonna suggest the executive went to somebody and said, “I don’t wanna do this. Take me off.” But there wasn’t the right visibility to the right people. And then where do you take the CEO of a city To, for accountability in that instance. And I’m not saying the CEO of the city was the issue, I’m just saying, giving that as an example.

Gordon Cowan: So there has to be a structure that puts in the visibility, the accountability. Now, the penalties or the outcomes from that’s another story. But we have to have that before we can do anything else. And but we can turn that to any organization. Absolutely. And it can be a small business. It can even be a small business.

Gordon Cowan: A SME

Agnidipta Sarkar: But I hear that the current government in Canada is serious about cybersecurity, and I think they are putting in newer measures. I is that where you They are …

Gordon Cowan: believe it’s happening? They are. Is it hopeful? I, in my belief Canada is further behind than most Western nations, in my opinion.

Gordon Cowan: My opinion is also that I talk to a lot of privacy and governance consultings and consultant firms. They’re frustrated. Matter of fact, some have left Canada. They’re not gonna do that business in Canada because they don’t take it seriously. One of the provinces here in Canada, Quebec, the they’ve instituted regulations called Quebec Law 25.

Gordon Cowan: It’s very close to the GDPR. They’re just starting to wrestle with that now, but they’re gonna have data sovereignty in their province and blah, blah, blah, blah. But nobody… Not, I shouldn’t say nobody. I’m, that’s an incorrect statement. Very few are picking that up and starting to run with it. And because they relate it, “Ah, we don’t do business in Quebec.”

Gordon Cowan: No, you don’t. You don’t have a facility in Quebec, but your clients are in Quebec. Their information you have is in Quebec. You’re responsible. So it’s, so the Canada is in some ways evolving. Yes, they are. There’s a lot of noise right now. The question is what Yeah. In fact,

Agnidipta Sarkar: I read about a law about the, I think it was a mining industry which came out with a cybersecurity law in Alberta, and, Oh

Agnidipta Sarkar: that, that was very interesting. I’m not up to speed on that one. Yes. That was very interesting because, And they they’re making CEOs accountable for

Gordon Cowan: Yes …

Agnidipta Sarkar: for not having the right cybersecurity programs. I think they have drafted a six point agenda on stuff that they have to put in, and I think the deadline begins mid of this year in 2026.

Agnidipta Sarkar: So if

Gordon Cowan: it… So as I it’s funny the CEOs are gonna be held personally liable. So that brings up the other area of issues is getting the board to buy into What has to be done. So one of the things the boards have to understand is they have personal their personal assets on the line in Canada that if it’s seen that they have not done what is considered their fiduciary responsibility and care they can be sued.

Gordon Cowan: Now, some companies have directors and officers insurance in place. But like all cyber risk right now, that has been cut back, removed totally, or greatly reduced. So the question is gonna become with the CEOs are you gonna put your personal assets, if we’re directors, are you gonna put your personal assets on the line for this company based on cybersecurity status today?

Gordon Cowan: And what visibility do you have to say, “Yeah, we’re good.” Okay? I come back to, to One important thing, and I always ask the C-suite when they tell me, “Oh, we don’t need anything. We’re secure, and we’re compliant.” I say, “Good news. Good news. So where’s your data?” And they go blank. What do you mean where’s our data?

Gordon Cowan: Our database is…” No, I’m not looking for stru Where’s your unstructured data? Data at rest, data in movement. And according to Gartner, only twenty percent of organizations know that, can answer that to some degree, not even to a complete degree. So how does an organ how is a CEO gonna sign off when they don’t even know what they’re securing against or being compliant with, where it even exists?

Gordon Cowan: Okay? So again, I try and bring it back to the basics to say and challenge them not what they have, but do you know this? No. Then how can you have this then? You can’t have that. It’s just impossible. But now the if they’re gonna hold accountability, that comes back to my second mainstay. There has to be accountability.

Gordon Cowan: I don’t want a CEO lose his home. I That’s not the purpose. But they have to understand, it’s no longer a throwaway words of, “Yeah, we’re secure, and we’re compliant.”

Agnidipta Sarkar: God, it was great talking to you. Let me summarize what you just what you said from the very beginning in today’s episode. I think you touched upon the first thing was visibility, the second thing was accountability.

Agnidipta Sarkar: But then you spoke about your experience about breaches, about what happened. And as we discussed, we also realized, both of us probably, that with the advent of AI, the gap of not understanding a breach is only going to become wider.

Gordon Cowan: Yes.

Agnidipta Sarkar: Absolutely. I would like to talk to you once again, maybe on some other day, but it was great talking to you.

Gordon Cowan: Agni, thank you very much for your time, and I wish you well.

Agnidipta Sarkar: Thank you. Let me

In this episode of Breach Ready Dialogues, Agnidipta Sarkar sits down with Gordon Cowan, CEO and Founder of Cybrilliance, to unpack what it really means to build breach readiness in the age of AI. They discuss why visibility, accountability, resilience, and reducing lateral movement are critical to limiting business disruption, protecting digital trust, and staying operational during and after a cyber incident.

Tune in for a practical conversation on cyber resilience, AI-driven threats, breach preparedness, and why organizations must move beyond detection to true operational readiness.

Watch this episode to learn how OT teams, CISOs, and business leaders can collaborate, simplify cybersecurity, and build environments that withstand the next breach.

Agnidipta Sarkar: Hi. Good morning.

Gordon Cowan: Yes. Good morning, Agni. How are you?

Agnidipta Sarkar: I’m good, sir. And Good … for everybody listening in we are back with another session of the Breach Ready Dialogues. You’ve heard about breaches happening, and I think the recent breach was the second anthropic leak that talked about, they’d let out some code. A and I know everyone’s wondering about what’s the new world where there’ll be breaches that are either driven by artificial intelligence or breaches that are targeting artificial intelligence projects, or worse, a human driving an artificial intelligence agent or managing some rogue agents breaking in and then creating havoc.

Agnidipta Sarkar: As usual, and in my efforts to bring breach and breach readiness topics to my audience we will try and cover multiple elements of such breaches. I’ve Gordon here with me, and we will delve into some aspects of what we talked about. Remember it doesn’t matter whether you are a cyber leader or a CISO, but if you are thinking about something which does not have a book, breaches and various aspects of it, this is the show that you want to come in.

Agnidipta Sarkar: But let me introduce my guest first. Gordon the picture behind you introduces you a lot, but please go ahead. Can you give us, give my audience an idea about who you are, what you’ve been up to?

Gordon Cowan: By all means. Thank you, Agni. A pleasure to be with you. Yeah, my name’s Gord Cannon. I’m CEO and founder of Cybrilliance.

Gordon Cowan: We are, we began in this industry as a an organization that looked at cyber as a business and then also looked at where we could fit. And through that journey, I realized that the market is big. It’s saturated in many areas. And for the most part, if you just look at statistics, it’s doing a very good job against threat defense.

Gordon Cowan: However, what we’re reading about are not the successes. We’re reading about the breaches where they have… There have not been successes. And I started my journey saying, okay, where? Why? So really, if I look at the industry stats, I’m not focusing on the 92% that’s being thwarted. I focused on the 8% as… and asked why.

Gordon Cowan: And it’s in that journey of why I was discovering what were… what I saw as the root causes. And it’s not to point fingers or show blame, it’s just simply to understand, acknowledge what’s going on. Once we can accept and acknowledge, then we can begin the journey of fixing. This led me to where I am today, which is in the preparedness and readiness for the inevitable breach, with the objective of the company still has to be operational and available even during or shortly after the breach, not the 17.2-day average.

Gordon Cowan: Most of my career has been focused on what happens when things don’t go as planned. And there’s a lot of planning. There’s a lot of resources spent on the planning and then tooling and then management. One of the issues five years ago, it’s not as much today, but it’s still there is that most of it is spent in the threat detection and blocking area.

Gordon Cowan: Resilience has become a conversation slowly, and I’m gonna say even in the last six to nine months if you look at LinkedIn in the post I’m gonna say it’s swung. The pendulum has swung towards that. The issues that I see that are still happening though are they’re looking at it through the lens of current cyber infrastructure capabilities today because they were not developed with AI in mind.

Gordon Cowan: They were developed at another time, another era, and other issues. Even in the recovery of a cyber breach, and if we’re… other than threat, the detection and so on, if we look at actual recovery, that’s over 30 years old. It’s using backup strategies not meant for active environment time-sensitive recovery.

Gordon Cowan: So I focused on the 8%. I have focused on why were the breaches happening, but most importantly, what can we do? What can we do to change that? And that’s where my journey started, and I got to meet a lot of great people globally, India, Africa, Europe, and got a real sense of there are obviously regional differences and nuances, but we’re all experiencing the same thing.

Gordon Cowan: So our focus is simply preparedness, readiness, and operational status maintained.

Agnidipta Sarkar: Thank you. Yeah. Like I did in the introduction, I said that we are getting into multiple aspects of breaches. We hear breaches are happening. The world wants to go ahead and leverage the power of AI.

Agnidipta Sarkar: And being a former CISO, I have seen digitization projects soon getting into analytics and automation. And one of the key challenges that CISOs usually have is how do I put… how do I wrap cybersecurity around it? And to your point I think we need to shift, and that’s what I’ve been talking about in my podcast as well, that we need to have a foundational shift in how we approach the cybersecurity problem in the age of AI and digitization.

Agnidipta Sarkar: And I think we need to think about how do we make sure that we are prepared for what’s going to happen during a breach and soon after, and we need to do things before a breach happens. And for that purpose and for that purpose only I think like the, like TheDarkSide is using something called as a hackers collective.

Agnidipta Sarkar: I think it is time we build a breach-ready collective where we interact with multiple tools, APIs, and make sure that the input of one is fed into the other so that together during the breach, we are able to take actions to make sure that we are able to, reduce the effects of that breach from affecting the work we do.

Agnidipta Sarkar: For example, if there was a… If we’re talking about AI, and if there was an AI agent, which is trying to execute destructive commands, you need certain kind of modern tools to detect that whatever is happening is not normal behavior. Someone is trying to, let’s say delete capabilities to to operate an AI.

Agnidipta Sarkar: And if that gets flagged off to tools that can actually stop and disconnect networks at will, then you can prevent such things from lateral movement.

Gordon Cowan: Or… And if I may add, you’re absolutely dead on. Dependencies of the current tools are where the gaps are. The issues the the organizations, the clients have is they don’t have the visibility.

Gordon Cowan: And you can’t necessarily depend on going to a vendor, and this isn’t any one vendor, but saying what are the gaps in your… and vulnerabilities of your product? Okay, that’s not what they’re there to talk about. But as the end user client, you have to ask the right ans or questions and go to the right depths.

Gordon Cowan: The depth of the questions stopped at threat detection. Now we have to get into the deeper layers where threat detections are far below what threat detections are now being exploited. And that’s where I think the gaps and the conversation and the some and the resources have to start to target is to get the visibility.

Gordon Cowan: What’s really happening? And then you can start looking at, okay, now what can we do to mitigate this? And the problem is, if you have 40 different technologies in there, that’s a huge undertaking. It’s a huge undertaking, and maintenance is crazy. Whether you have AI or not it’s a lot Yeah.

Gordon Cowan: Yeah.

Agnidipta Sarkar: It was a problem before AI as well. Absolutely. Absolutely. While the rest of the world had, an ERP, there would be three or four kinds. I Yes … I still remember 10 years ago people were discussing that in cybersecurity, there were 160 different technologies that were available Correct

Agnidipta Sarkar: for a company to do something. While, at a minimum of 20 different technologies exist in every company.

Gordon Cowan: Now, so but what’s the common exploitation across those 160? Okay, the common exploitation, I’m gonna put at the head of the head of the snake, human error. Okay? I’m gonna put that there first And process gap

Gordon Cowan: and I’ll come back to that. Yeah. And then I’m gonna suggest to you that the dependencies, the biggest dependency after that in threat detection is known malware. Okay? If you don’t know it, you can’t detect it, you can’t block it. Now, AI has even got around that because they bypass EDR and XDR now, so they don’t even get a chance to look at it.

Gordon Cowan: Okay. And then the dependencies of when the big movement started to happen a number of years ago to the cloud. So that hampers the operational capability as far as post breach. How do you recover from the cloud when the incident response team is taking you totally down? For the right reasons, by the way.

Gordon Cowan: And you slowly bring it back, and then you get into the chaos post breach of which one of the 40 locations globally do you start to bring back first? Rebuilding the time aspects of all that. So those are the areas that I think need the attention. The threat detection is doing a good job. AI has escalated, but it’s also hopefully gonna be to the advantage of the end users, where they’re gonna be able to use that in detection and threat and thwarting and so on.

Gordon Cowan: But I think at the other end right now, what we need to do is say, “What are the real problems? Let’s plug the holes. Let’s get rid of dependencies or mitigate those dependencies as best we can.” That’s where I think the conversation

Agnidipta Sarkar: I think you, you touched upon dependencies a lot, and I think one of the key problems that I find is if I were to…

Agnidipta Sarkar: like you said, there are tools that can bypass EDR. Now, the first thing that happens after EDR gets bypassed is lateral movement. See, if we had a me Yes … if we had a mechanism of, say, reducing the attackable path, in that case what we can find is that the EDR becomes sharper because now they’re not looking at the whole enterprise, but on a sharply defined attack, allowed attack path, which means their findings are more positive than false positive Yes

Agnidipta Sarkar: false things. Yes. The second thing that happens is if you reduce the blast radius of… through the lateral mo by reducing lateral movement, it means that the otherwise, frivolous activity on a network suddenly becomes malicious much faster. So … earlier you thought that, okay, it’s possible when I look at this traffic, it’s probably one of my guys trying to do an RDP.

Agnidipta Sarkar: But I don’t know. As you said the visibility is poor. So I don’t really know, but I’m afraid to stop that connection because I might be beaten down by my managers and my leaders saying, “You disrupted a valid communication.” But the moment you lock down lateral movement, suddenly that connection becomes malicious Yes

Agnidipta Sarkar: which you did not know earlier, which means to your point then, visibility is extremely important, and the right visibility. And if that is if we’ve not given an elbow room to an attacker the experience during breaches are very different then.

Gordon Cowan: Yeah.

Agnidipta Sarkar: And, Yep. Yeah. Yes. So what I was actually trying to conclude is when you get into that kind of a scenario, in that case what you really need is a is the mechanism to do this across IT, OT, or cloud.

Gordon Cowan: Absolutely …

Agnidipta Sarkar: because of the technology that we have developed, we have left OT behind. But if you really go back to OT, OT has the best… I feel that IEC 62443 has the best design approach or an engineering approach on how you can look at cyber resilience.

Gordon Cowan: No there’s very good aspects of that to, to deal with what we’re talking about.

Gordon Cowan: But there, there’s still the dependencies and gaps that, you know, the, that are in there are still dependent on a solution to do something. And the question is, what is the barrier for those solutions to react? Again, you can plan, you can do all of that. You can check the boxes. Sorry that’s not what you’re saying, but you can check the boxes.

Gordon Cowan: But again, you’ve come back to a key. If you don’t have visibility, how, how do you know that it’s happening the way you’re doing it? That’s the issue. One of the big issues. If we take a step back up the ladder, we gotta… it’s, it… There’s some basic fundamentals that I think we don’t look at.

Gordon Cowan: And in my prior life, I used to say to people that were mature companies. When I say mature, 40 years in business. And I said to them, and I was in the insurance risk business, and I said to them, “If you had the ability to go, to get rid of everything you have today, would you build it differently than what you have today?”

Gordon Cowan: And the answer is yes. It’s never been anything else other than that. What do you see the issues are? Oh, okay. John put this in just two years ago. We spent a million dollars and… Yeah, okay. We could be, offending some of the key people, yes. Or how do we justify to the board we just spent a million dollars two years ago, and now you’re coming back in with something different?

Gordon Cowan: But I said, “Use it as a wish list.” It’s your wish. Nobody can challenge your wish. What if we rebuilt this? What would it look like? And that’s where I start the conversations with organizations. But you, they don’t know what they don’t know. So first of all, why don’t we get visibility into what is being exploited and challenged today?

Gordon Cowan: Okay. Not what’s in general, but let’s look at the reach recent breaches in the last five years. let’s align that with what you have and say, “Oh we’ve really got the same vulnerabilities, we just haven’t been attacked yet.” Yes. So do you wanna be prepared? That’s the key. The assumption I always tell people, assume your lens always has catastrophic breach in mind.

Gordon Cowan: That’s catastrophic The adoption is in the prep. And then the catastrophic breach… And when I say catastrophic, I’m not talking about a simple. I’m talking about where wiperware went in and wiped everything. I’m gonna talk about all of that, because the current recovery and restore and everything else is really dependent on, first of all, they have to have operating systems to restore to, but they’ve been wiped.

Gordon Cowan: What’s the time to rebuild? So those are the kind of things that at the deepest layers that they have to start thinking about versus, “Oh, I’ve got backup.” Yeah what if they’re… What if they’re wiped? What if your immutable copy was taken down too? A lot of people get hung up on the word immutable.

Gordon Cowan: “Oh, what can happen? It’s air gap.” No. There’s lots of examples of immutable copies being corrupted too. So anyways, I’m talking at a level that I just like to talk at a level where people can, put it into a practical sense versus theoretical and get it off the paper.

Gordon Cowan: And let’s really look at those issues. So I, I may have der … No, sorry I wanted to say one other thing. The other thing we haven’t really concentrated on in the big way is what motivates the threat actors? Disruption and money. What if we could take disruption and make it maximum an hour? What if we could not only encrypt data, but we could prevent data exfiltration?

Gordon Cowan: If we do those two things, did we take the incentive away from the threat actors? They can’t disrupt, and they’ve got nothing to hold hostage. These are ideals, but what if that existed? So again, it’s the other layer we have to look at, not be reactionary, but be proactive, right?

Agnidipta Sarkar: Yeah. I think I think I’ve been working on very similar lines, as I told you the other day, that there are two parameters that every board should be looking at.

Agnidipta Sarkar: Number one is what is the maximum acceptable material loss that we can deal with? Put a number to it. In… I know first time you may put a number to it, it may be conservative, it may be too aspirational, but it doesn’t matter because you’re going to come back and revisit it and correct it. Because as I said, every business is different.

Agnidipta Sarkar: They have different ways of looking at it. Even if they’re in the same business in the same country, they’re two different businesses. So the Absolutely. So the first thing they need to look at is how much appetite do they have for what is the dollar value for material loss? The second thing that they need to look at, and I’m going back to the two things that you pointed to, because the first thing, the moment you look at the first thing, you’re talking about the incentive that an attacker may have to attack you.

Agnidipta Sarkar: If the attacker finds that this company does not have the appetite, they have taken care because they don’t have enough appetite, they have put in controls, then the incentive goes down because all you’re trying to do is delay or deny the attacker from reaching something that they can make money out of.

Agnidipta Sarkar: And the second parameter is, in the event of a breach, what is the maximum digital business that… What is the minimum digital business that you want operational, that you want to be undisturbed or unaffected, right? Because that then defines, as you said what’s the operational count. How much of your operations do you want to keep going when things go south?

Agnidipta Sarkar: Look at the breaches that have happened recently, right? And every time I hear this I look at a breach, it says, “We’ve had an, we’ve had an unprecedented breach and we’ve had to shut down the operations because of stakeholder interests.” And that pains me because if you had Oh

Agnidipta Sarkar: planned Yes … if you had planned those two parameters, you would find ways to make sure that even if the attack happens Yes … you are able to deal with it because you would keep the rest of your enterprise unaffected. And then Absolutely … you can pull in the big guns and go after that attacker wherever the attack happens and take it out, learn from it.

Agnidipta Sarkar: There’s a lot to learn from it. How did the attack happen in the first place? Sure. As you said, EDR could be bypassed, identities could be misused. And now with AI with so many things happening the way I see it’s not very encouraging. In fact I’m gonna write a blog about it.

Agnidipta Sarkar: Last week… It was last week, I think. Yes, last week. There was a major vulnerability on on a hardware. And the PTC offices in Germany had got a visit from the local police at 3:30 AM Giving them a notice to patch the vulnerability. Now, people may laugh at this, that the police didn’t overacting or, they, they overreached, they overreacted.

Agnidipta Sarkar: But to me, it’s a societal problem now. If we as practitioners don’t come together and build, give the org the world enough confidence that technology will not be misused and it’ll be reliable, then the world will not go to that dystopian future where people distrust technology. As of now, with whatever is happening around us, the distrust is real.

Agnidipta Sarkar: For example, a few years ago, we would be worried about losing personal data. Nobody bats an eyelid anymore.

Gordon Cowan: Yes. Yes. And that’s… you touched on a couple of things that when you say how much can you afford to lose, how much this, how much that there’s two fact, thin things that you can never recover, or very difficult, and one is digital trust.

Gordon Cowan: Okay, I can afford to lose this, but can you, is the question. Okay? I’m just gonna throw out, And it doesn’t even have to be catastrophic. I’m just gonna… And not to pick on CrowdStrike, because CrowdStrike’s a wonderful company, as SentinelOne is. They’re all wonderful companies. But they didn’t even have a breach.

Gordon Cowan: They had a cyber incident. Now, if you really break it down, in my opinion, it was human error. You can break it down into components and say, “Oh, bad patch,” or… no. It was something was released before it was properly addressed. And really, it wa oh, it wasn’t a ransomware, it was just an incident. Just an incident was an average of a nine-and-a-half-hour outage.

Gordon Cowan: What does that mean? What it means is this. They’ve got billion, billions of dollars of lawsuits for nine and a half hours, okay? It’s actually gonna cost more than ransomware if you think about it, right? So

Agnidipta Sarkar: Just in legal fees … pardon me? I said just in legal fees, even if they win the, if they even if they win the court cases.

Gordon Cowan: Yeah. And then there’s the digital trust factor. and so that’s always gonna be a dark cloud hanging over whoever’s head it is, Microsoft, CrowdStrike, or the entity that got hacked, whatever. And then the other thing is the You, as far as time to be down we live in a digital world.

Gordon Cowan: Look at financial services. The banks are online, especially the large global banks. What’s it cost per minute? Not per hour. What’s the cost per minute for them to be down? And then you take the average time financial sectors is down. What’s that really cost? Okay and then you got the digital trust factor always.

Gordon Cowan: Digital trust is the layer that you can’t impact. the damage is done, now you just gotta try, and hopefully time will thin out that dark cloud. Okay? That’s Crypto is a big example

Agnidipta Sarkar: Pardon me? Crypto is a big example of trust that was lost.

Gordon Cowan: Absolutely. Absolutely. So it’s one of the… and by the way, we don’t even know what we’re facing.

Gordon Cowan: AI is really in its infancy. Quantum computing is gonna add another element to speed and and so on. The time is now. Don’t say, “I’ve got what I need now,” because now… and I love Barry Rabkin. He’s a guru in the insurance business. And he thinks there should be no insurance company that’s involved in cyber insurance because there’s no predictability in cyber.

Gordon Cowan: Predictability is good as the next day AI mo evolves. So from a shareholder perspective, and if you think about it, insurance companies have a bigger bag than regulators, in, in many ways. They are really the ultimate at the pinnacle of regulation. I look to them because I’ve come from that industry, but not what they do, but why they’re doing it.

Gordon Cowan: And I’m thinking, yeah, there’s some serious things that we’re all missing here. We’re following the threat actors. We’re not driving the bus, we’re following it, and that’s not good. Okay? So yes.

Agnidipta Sarkar: Absolutely. And, like you said, AI is in its is at its infancy right now. And even if it is at its infancy, we’ve got all these AI gurus going online and saying jobs are going to be lost, and this is going to happen, and that’s going to happen.

Agnidipta Sarkar: AI is going to take over very soon. I think if we are going to be in the situation that we are in, which means our signal is far lower than our noise, adding AI on the top of that noise is only going to make the noise louder. Correct. So instead of AI giving us very good returns… And I think there was a recent study done that said 97% of AI projects are not really doing that well.

Agnidipta Sarkar: The reason is they’ve taken a human attitude They’ve put AI in there to automate it, and in the end, they just have the same system. It works way faster, and its errors are way larger. So we are not doing we are not putting AI the way we should be putting AI. Look at Claude, a fantastic tool. Then you have Claude Bot, a fantastic tool.

Agnidipta Sarkar: What it can do theoretically is phenomenal, but when it comes to, as they say, when the rubber hits the road, if you run the road, if you land on the road with a faulty tire, it is going to burst sooner or later. So we need to fix the tire first. We’re not doing that. We’re in a, we’re in a hurry.

Agnidipta Sarkar: Everybody wants to win in the AI race. Some are succeeding, of course, because they already had good procedures. So to your point, I wanted to add one more factor that I believe is the cause of most breaches, and that is the procedural gaps. Correct. Now, what I mean by that is ideally, and again, as I said earlier, I’m very fascinated with the way factory operations work.

Agnidipta Sarkar: If you really ask me, they have years ago put in procedures which work seamlessly with one another. You take material from one shop, put it in another shop, and there’s hardly any loss. The Whatever losses happen, they’re known and they’re predictable. Correct. I had worked a long time back in the aluminum industry, and if you look at it from bauxite down to, aluminum sheets, every output, everything that happened, all the losses are new businesses.

Agnidipta Sarkar: You take bauxite, you process it, whatever comes out is sold as chemicals. You take that, and then you process the aluminum metal. Whatever falls out goes into cigarette as aluminum those … those small foils, and then you have extrusions, then you have sheets. Yes. Nothing is no, no errors are left out. That’s an excellent … industry. We are nowhere near that with AI.

Gordon Cowan: No. We’re prehistoric in where we are relative to what you just described. I think that visibility, but with visibility has to come accountability, okay? Because you and I are talking, and for the most part, I think we’re inferring private organizations or publicly control organizations.

Gordon Cowan: We’re not talking about governments, Oh, we should no, but I’m saying, though there’s more control in organizations. Now, we’ve had a breach here in Canada in 2024, one of the major cities. And the crux of what happened in that situation was it was demonstrated that they had MFA in place as a but many of the executive decided it was too cumbersome.

Agnidipta Sarkar: So

Gordon Cowan: they opted out.

Agnidipta Sarkar: Been there, yes.

Gordon Cowan: Okay. And I’m not picking on anybody, but this is natural. This is what happens. So the point is, where’s the accountability? Now, in a corporation where you have CEOs and board of directors, there’s some more… There’s additional accountability. But in public sector, it’s politically motivated, funded, and so on.

Gordon Cowan: That’s another area. That’s a huge gap, and they don’t have visibility, and they certainly don’t have accountability I think that is … in most cases …

Agnidipta Sarkar: I think that is where we need to bring in technology. Yes. Because if using technology, we can create bubbles or islands of excellence Yes

Agnidipta Sarkar: where they can exist with all their political will and whatever they want. That would make sure that the public, the society trusts the government because the government Yes … has done investments to protect, to build resilience against cyberattacks Correct … even though they still continue to operate individually or within their organizations, not in a very security conscious way.

Agnidipta Sarkar: as you pointed out, the breach. I looked at that report and I realized that this is not absence of an MFA. No, it was This is absence of leadership will.

Gordon Cowan: Leadership will, and how do you have… How does the people responsible to ensure that policies and procedures are being enforced, where was the visibility to that this was happening?

Gordon Cowan: I’m gonna suggest the executive went to somebody and said, “I don’t wanna do this. Take me off.” But there wasn’t the right visibility to the right people. And then where do you take the CEO of a city To, for accountability in that instance. And I’m not saying the CEO of the city was the issue, I’m just saying, giving that as an example.

Gordon Cowan: So there has to be a structure that puts in the visibility, the accountability. Now, the penalties or the outcomes from that’s another story. But we have to have that before we can do anything else. And but we can turn that to any organization. Absolutely. And it can be a small business. It can even be a small business.

Gordon Cowan: A SME

Agnidipta Sarkar: But I hear that the current government in Canada is serious about cybersecurity, and I think they are putting in newer measures. I is that where you They are …

Gordon Cowan: believe it’s happening? They are. Is it hopeful? I, in my belief Canada is further behind than most Western nations, in my opinion.

Gordon Cowan: My opinion is also that I talk to a lot of privacy and governance consultings and consultant firms. They’re frustrated. Matter of fact, some have left Canada. They’re not gonna do that business in Canada because they don’t take it seriously. One of the provinces here in Canada, Quebec, the they’ve instituted regulations called Quebec Law 25.

Gordon Cowan: It’s very close to the GDPR. They’re just starting to wrestle with that now, but they’re gonna have data sovereignty in their province and blah, blah, blah, blah. But nobody… Not, I shouldn’t say nobody. I’m, that’s an incorrect statement. Very few are picking that up and starting to run with it. And because they relate it, “Ah, we don’t do business in Quebec.”

Gordon Cowan: No, you don’t. You don’t have a facility in Quebec, but your clients are in Quebec. Their information you have is in Quebec. You’re responsible. So it’s, so the Canada is in some ways evolving. Yes, they are. There’s a lot of noise right now. The question is what Yeah. In fact,

Agnidipta Sarkar: I read about a law about the, I think it was a mining industry which came out with a cybersecurity law in Alberta, and, Oh

Agnidipta Sarkar: that, that was very interesting. I’m not up to speed on that one. Yes. That was very interesting because, And they they’re making CEOs accountable for

Gordon Cowan: Yes …

Agnidipta Sarkar: for not having the right cybersecurity programs. I think they have drafted a six point agenda on stuff that they have to put in, and I think the deadline begins mid of this year in 2026.

Agnidipta Sarkar: So if

Gordon Cowan: it… So as I it’s funny the CEOs are gonna be held personally liable. So that brings up the other area of issues is getting the board to buy into What has to be done. So one of the things the boards have to understand is they have personal their personal assets on the line in Canada that if it’s seen that they have not done what is considered their fiduciary responsibility and care they can be sued.

Gordon Cowan: Now, some companies have directors and officers insurance in place. But like all cyber risk right now, that has been cut back, removed totally, or greatly reduced. So the question is gonna become with the CEOs are you gonna put your personal assets, if we’re directors, are you gonna put your personal assets on the line for this company based on cybersecurity status today?

Gordon Cowan: And what visibility do you have to say, “Yeah, we’re good.” Okay? I come back to, to One important thing, and I always ask the C-suite when they tell me, “Oh, we don’t need anything. We’re secure, and we’re compliant.” I say, “Good news. Good news. So where’s your data?” And they go blank. What do you mean where’s our data?

Gordon Cowan: Our database is…” No, I’m not looking for stru Where’s your unstructured data? Data at rest, data in movement. And according to Gartner, only twenty percent of organizations know that, can answer that to some degree, not even to a complete degree. So how does an organ how is a CEO gonna sign off when they don’t even know what they’re securing against or being compliant with, where it even exists?

Gordon Cowan: Okay? So again, I try and bring it back to the basics to say and challenge them not what they have, but do you know this? No. Then how can you have this then? You can’t have that. It’s just impossible. But now the if they’re gonna hold accountability, that comes back to my second mainstay. There has to be accountability.

Gordon Cowan: I don’t want a CEO lose his home. I That’s not the purpose. But they have to understand, it’s no longer a throwaway words of, “Yeah, we’re secure, and we’re compliant.”

Agnidipta Sarkar: God, it was great talking to you. Let me summarize what you just what you said from the very beginning in today’s episode. I think you touched upon the first thing was visibility, the second thing was accountability.

Agnidipta Sarkar: But then you spoke about your experience about breaches, about what happened. And as we discussed, we also realized, both of us probably, that with the advent of AI, the gap of not understanding a breach is only going to become wider.

Gordon Cowan: Yes.

Agnidipta Sarkar: Absolutely. I would like to talk to you once again, maybe on some other day, but it was great talking to you.

Gordon Cowan: Agni, thank you very much for your time, and I wish you well.

Agnidipta Sarkar: Thank you. Let me