With expertise in AI, machine learning, and blockchain, Dominic Jainy has a unique vantage point on the evolving landscape of corporate risk. In our conversation, we explore the seismic shifts in executive concerns, where the persistent threat of cyber-fraud now overshadows ransomware. We delve into why the most resilient companies are already looking past today’s scams to the emerging dangers of AI, the critical but overlooked vulnerabilities in the AI supply chain, and how the tremors of global geopolitics are reshaping corporate cyber defense strategies. The discussion also sheds light on the alarming security gaps in operational technology and the complex relationship between regulation and genuine security improvement.
Cyber-enabled fraud is now a top executive concern, eclipsing ransomware. Why has this shift occurred, and how should security leaders adjust their strategies and budgets to combat both simple scams and complex ransomware attacks? Please share a detailed example of a successful defensive tactic.
The shift is deeply personal and psychological. Ransomware is a terrifying, monolithic threat, but cyber-fraud is a death by a thousand cuts that executives are now experiencing firsthand. When you hear that nearly three-quarters of leaders have been affected or know someone who has, it’s no longer an abstract IT problem; it’s a palpable risk that hits home. It’s the constant barrage of phishing emails, the CEO fraud attempts, the invoice scams. This pervasiveness makes the threat feel more immediate and constant than the “what if” of a massive ransomware event. Security leaders must now fight a two-front war. They can’t defund their ransomware defenses, but they must redirect resources to address the high-volume, low-complexity attacks. A tactic I’ve seen work wonders is “human-centric defense.” Instead of just relying on an email filter, a company created an internal “threat-spotting” competition. They used safe, simulated phishing campaigns and rewarded employees who reported them fastest. It gamified security, turning every employee into a sensor and creating a culture of hyper-awareness that technology alone could never achieve.
CEOs at highly resilient firms focus more on emerging AI threats than on fraud. What specific, practical steps can a less mature organization take to strengthen its core defenses so it can also begin preparing for these future risks? Please outline the first three actions.
This is a classic case of security maturity. The less resilient organizations are drowning in the basics—they’re so busy patching critical vulnerabilities and fighting off common fraud that they don’t have the luxury of looking at the horizon. They’re in survival mode. To get ahead, they need to build a stable foundation. First, they must automate and master the fundamentals of cyber hygiene, especially patch management for traditional software flaws. This stops the bleeding from known exploits. Second, they need to shift from a signature-based defense to a behavior-based one. This means investing in tools that can spot anomalous activity, which is crucial for detecting both sophisticated ransomware and novel AI-driven attacks. Third, they must develop and relentlessly pressure-test a robust incident response plan. It’s not enough to have a plan on paper; they need to run drills until responding to a breach becomes muscle memory. Only by quieting the noise of today’s fires can they free up the strategic capacity to prepare for the AI-powered infernos of tomorrow.
Executives worry about AI-driven data leaks and hacker advancements, yet almost no one cites vulnerabilities in the AI code supply chain. Why does this significant blind spot exist, and what are the potential cascading consequences for a business? Can you provide a hypothetical scenario?
This blind spot exists because the fear is focused on the output of AI, not its ingredients. A deepfake video or a massive data leak, which concerns about 30% of CEOs, is a tangible, frightening outcome. The AI supply chain, however, is abstract and buried deep within the technical stack. The fact that a mere 6% cite it as a concern is alarming because it’s where the most insidious threats lie. Imagine a financial services company that incorporates a popular, open-source AI module to help with fraud detection. A threat actor has subtly poisoned that open-source code. For a year, the system works perfectly, but it has a hidden, dormant function. Triggered by a specific date, it begins to misclassify a tiny fraction of massive international transfers as “safe,” allowing illicit funds to flow undetected. The cascading consequences are devastating: the company becomes an unwitting vehicle for money laundering, faces colossal regulatory fines, and suffers an irreversible loss of institutional trust, all from a vulnerability in a component they never built and barely understood.
Two-thirds of CEOs say geopolitical volatility has changed their cyber strategies. Beyond gathering threat intelligence, what specific operational changes are companies implementing to protect themselves from nation-state activity? Please describe two key metrics for tracking the effectiveness of these changes.
The realization that a company can become collateral damage in a conflict between nations has forced a move from passive defense to active resilience. Beyond just gathering intelligence, a major operational change is aggressive network segmentation. Companies are creating digital “bulkheads” in their systems, isolating their most critical operational technology and intellectual property from their corporate IT networks. If a nation-state actor breaches the email server, they can’t pivot to shut down a factory. Another change is a strategic diversification of their technology and service providers to reduce dependency on any single country, mitigating the risk of supply chain compromise. To measure effectiveness, we look at two key metrics. The first is “Breach Impact Reduction,” which tracks whether a breach in one segment can spread to another; a successful segmentation strategy keeps this number at or near zero. The second is “Recovery Time Objective (RTO) for Geopolitically-Motivated Scenarios,” measured through wargaming. This tracks how quickly they can restore essential services after a simulated nation-state attack, a direct measure of their operational resilience.
With very few companies monitoring operational technology security or reporting it to the board, what are the most critical first steps for securing OT assets? Can you detail a process for gaining executive buy-in and establishing a dedicated OT security function from scratch?
The numbers are genuinely concerning—only 20% have a dedicated OT security team, and a paltry 16% report on it to the board. This is a massive, silent risk. The first critical step is simply visibility: you must map the entire OT environment to know what assets you have. You can’t protect what you don’t know exists. To get executive buy-in, you must speak their language, which is risk and money, not packets and protocols. The process starts by conducting a Business Impact Analysis. Don’t talk about firewalls; talk about the per-hour cost of a halted production line. Frame the risk in terms of lost revenue, reputational damage, and potential safety incidents. Present this stark financial reality to the board. Once they’re listening, propose a crawl-walk-run approach. Start with a pilot program to secure one non-critical facility. Use that success to justify hiring or training one dedicated OT security specialist. This person’s sole job is to build on the pilot, create a baseline of security, and demonstrate measurable risk reduction. This creates a powerful feedback loop of investment and results, providing the foundation to build a full, dedicated OT security function.
Many leaders feel cyber regulations improve security awareness, but support is lower in heavily regulated regions like North America. What are the key trade-offs between compliance burdens and actual security improvements, and how can executives in these regions maximize the benefits while minimizing the friction?
The fundamental trade-off is between compliance-driven activity and security-driven outcomes. In heavily regulated regions, there’s a real danger that security teams spend more time generating reports and checking boxes for auditors than they do hunting for actual threats. The compliance burden can stifle innovation and create a “checklist security” culture, where the goal is to pass the audit rather than stop an attacker. However, as nearly 60% of leaders acknowledge, the undeniable benefit is that regulation forces security into the boardroom and establishes a non-negotiable floor for cyber hygiene. To maximize the benefit in North America, executives need to champion a “security-first, compliance-as-an-outcome” philosophy. This means designing a robust security program based on their specific risk profile, not on a generic regulatory framework. When you build a genuinely strong defense, you find that you meet or exceed most compliance requirements by default. This reframes regulation from a bureaucratic hurdle into a validation of an already-excellent security posture.
What is your forecast for the intersection of AI-enabled fraud and nation-state cyberattacks over the next five years?
My forecast is for a troubling and dangerous fusion of these two domains. We are going to see nation-state actors adopt AI-powered fraud not just for espionage or financial gain, but as a primary tool of geopolitical destabilization. Forget simple phishing; think about hyper-realistic, AI-generated deepfake videos of executives announcing fabricated corporate scandals to crash a rival nation’s stock market. Imagine AI crafting millions of unique, highly personalized disinformation messages to sow chaos during an election, or using synthetic voice generation to impersonate military leaders and issue false commands. This convergence will move beyond attacking infrastructure to attacking the very fabric of trust in our economic and political systems. The line between cybercrime and information warfare will effectively disappear, creating a new breed of hybrid threats that are incredibly potent and almost impossible to attribute.