Bridging the Gap: Why Cybersecurity Needs Both Proactive and Reactive Strategies

In cybersecurity, the conversation has long been split into two camps: proactive defense vs. reactive response. But that distinction is no longer sustainable. In a recent NopSec webinar, two top CISOs, Guy Dulberger of Ritchie Bros. Global and Tim Brown of SolarWinds, joined NopSec CEO Lisa Xu to explore why the future of cybersecurity hinges on convergence. The result? A dynamic and practical discussion on how to fuse proactive planning with responsive agility.

Why Now?

As cyber threats become faster and more sophisticated, the traditional security playbook no longer suffices. Cloud, AI, remote work, and constantly expanding attack surfaces have created environments where the time between exploit disclosure and weaponization is measured in hours, not weeks.

“Nowadays, it’s imperative to have a proactive program in place—but also the ability to react when, as I call it, ‘shit hits the fan,’” said Guy Dulberger.

This shift isn’t just about attackers getting smarter—it’s about the business needing to move faster. Legacy silos between SOC teams, red teams, and IT can’t keep up. Instead, security teams must think holistically about both preventing and responding to incidents.

Proactive Security: Tools, Frameworks, and Culture

Dulberger emphasized building a mature security posture anchored in frameworks like NIST and tools like EDR/MDR. But technology alone isn’t enough—processes must evolve too.

“It’s hard to find security engineers fluent in DevSecOps. You need tools like Veracode or Snyk—but you also need processes that enrich findings and build developer awareness.”

He also called out the value of identity and MFA, while cautioning that even these controls aren’t bulletproof unless well-implemented. And he highlighted threat exposure management—not just vulnerability scanning—as a smarter way to prioritize based on real business risk.

Tim Brown added that secure development practices must shift left: “True DevOps teams are moving so fast—10 to 100 releases a day. Tools that check code at check-in and inspect GitHub workflows are helping bake security into the process.”

Reactive Security: When It Still Matters

Despite a strong proactive stance, Brown reminded the audience that “stuff still happens.” Case in point: the SolarWinds breach. “We had to react fast. But the lesson was: assume breach, contain lateral movement, and prioritize real risk over perceived risk.”

That means building effective incident response protocols and running realistic tabletop exercises. Both CISOs stressed the value of treating every minor incident like a dry run for something major.

“A good tabletop puts people in uncomfortable positions—that’s when you really test the reactiveness of folks and where gaps emerge,” said Dulberger.

Brown agreed, noting that micro-exercises—like simulating a stolen laptop at a conference—are just as important as full-blown annual drills. “You build muscle memory that way.”

Humans, Not Just Hardware

The conversation returned often to the human element. Whether it’s contextual phishing attacks or unauthorized use of GenAI tools, people remain the weakest link—or strongest asset—depending on how well they’re trained and supported.

“You can train users all day, but contextually aware phishing still works,” said Brown. “The key is preventing output—training finance, for example, to never wire money without a call.”

They also touched on the rise of “shadow AI,” where employees use unapproved generative tools. Updating acceptable use policies and educating teams about data exposure is essential.

The Real Win: Prioritization Based on Real Risk

If there was one theme both CISOs hammered home, it was the need to focus on what truly matters.

“The more we prioritize real risk, the more trust and efficiency we build across the organization,” said Brown.

Dulberger added that data is key: “If you can show risk to your crown jewels and track KPIs in dashboards, you’ll have better conversations with your board and better alignment with your teams.”

Final Takeaway: You’re Never Done

The job of a CISO is never finished—and that’s not a failure. It’s the reality of working in a dynamic, high-stakes environment.

“We don't look at something and say, ‘It’s perfect,’” said Brown. “We look at it and say, ‘If we could improve it by 10%, that would still be a win.’”

Dulberger concluded: “Even if your board hands you $10 million and 100 people, by the time you implement it all, two years will have flown by. It's a long journey. Stick with it.”

Bottom Line: Proactive and reactive security aren't either/or. They're interdependent. To thrive, cybersecurity teams must embrace both mindsets—planning for the worst while preparing to prevent it.

Want to accelerate your own journey? Learn how NopSec's exposure management platform helps unify and mature both sides of the security equation.
