From awareness to action: Building a resilient enterprise security culture

Spanning identity, AI, governance and culture, enterprises must embed resilience into everyday security

6 min 30 sec reading time
Nicholas Ismail
Global Head of Brand Journalism, HCLTech

Key takeaways

  • Retire the “not us” myth: Resilience is earned in the 361 days between board updates. Treat security as a continuous, real-time pursuit rather than a quarterly ritual
  • Make identity dynamic: Replace standing privileges with just-in-time, risk-based access and loop identity signals into the SOC to shrink the impact of an attack
  • Build secure-by-design paths: Translate risk into plain language and default-safe workflows so the secure choice is the easy, standard way work gets done
  • Measure behavior, not attendance: Track actionable indicators, such as MFA coverage, phishing outcomes, policy adherence and employee-initiated incident reports, to prove culture change
  • Use AI on both fronts: Accelerate AI for security to automate detection and response, while enforcing security for AI to govern agent identities, data and prompts amid a rising democratization of destruction

Hosted by Rishi Mehta, CISO at HCLTech, a recent LinkedIn Live on the HCLTech Trends and Insights channel brought together Daniel Bernard, Chief Business Officer at CrowdStrike; Chris Gossett, Chief Growth Officer at SailPoint and Amit Jain, EVP and Global Head of Cybersecurity at HCLTech. The conversation moved from foundational myths and identity friction to AI’s dual edge and the cultural metrics that actually shift behavior. The overall message was practical: resilience emerges from everyday choices, such as how access is granted, how incidents are reported and how AI is governed, not from ceremony or slogans.

The biggest myth: “It won’t be us”

Mehta opened by asking each leader to puncture a stubborn myth. “The myth that I hear most often…is the myth that it’s not going to be me,” said Bernard. He framed security as “a continuous pursuit,” warning leaders not to treat it as a quarterly ritual. “You can’t tell your board you’ll worry about security four days a year,” he said. “It’s what you do the other 361 days that really matters.”

That framing matters because optimism bias still seeps into strategy. The panel agreed the risk is not episodic; it compounds in the gaps between formal touchpoints. Culture, investments, partnerships and talent decisions, made on ordinary days, determine whether a breach becomes inevitable or avoidable.

Identity without guesswork

Turning to identity, Mehta asked where friction could be made “invisible.” Gossett suggested that most organizations still don’t have a clean grip on who can access which applications and data, let alone why. The result is an access model that forces employees to guess. “You’ve got end users requesting access to things they don’t entirely understand…they’re kind of hunting in the dark,” he said, arguing that the Amazon-style shopping metaphor simply does not fit enterprise risk. “Access really isn’t like that…there’s all this nuance and inference,” so the goal is to get out of “choose-your-own-adventure” requests and toward structured, role-appropriate access.

Gossett described the target state: “Remove a massive amount of standing privileges…move more into a just-in-time model where people are getting the right access at the right time, based on risk, based on signals in the environment.” He pointed to joint work with CrowdStrike that pushes rich identity context into the SOC, and brings SOC signals back into access decisions, so managers and app owners are not asked to design “really complex security models” they don’t understand.

The panel also urged enterprises to reframe identity as a dynamic process. Entitlements should be flexible by context, such as who, where, when and what the person (or agent) is doing, rather than remain static. Treating identity as living telemetry shrinks the impact when things go wrong and aligns access with how work happens.

Secure-by-design: Making the secure path the easy path

On secure-by-design, the panel emphasized translation and defaults. Employees do not think in risk models; they need intelligible context and well-defined paths that make good choices easy. As Gossett put it, give people the “context of what the heck all this stuff is” and pair it with tools that implement safer patterns by default; do that and “we really empower people to be much, much smarter about the decisions they’re trying to make.” That is how organizations can retire excessive access by design and ensure risky privileges time out automatically.

This is not just a design pattern; it is a governance imperative. Identity signals must inform detection and response, and SOC findings must flow back into access governance. When those loops are closed, the attack surface narrows, incident response accelerates and security becomes part of service delivery and not a bolt-on step at the end.

Measuring culture: From attendance to behavior

Mehta then asked how to quantify a “culture of security.” Jain’s answer reframed the scoreboard. “Completion is compliance…and behavior is culture,” he said, adding that the real North Star is whether “an employee behaves securely when no one’s watching.” He advocated metrics that track action, including phishing outcomes, adherence to top hygiene policies, pervasive MFA and, crucially, employee-initiated incident reporting into the SOC. “Even with the advent of AI, our people will be our first line of defense,” he said.

Jain argued for combining CISO pulse surveys with technology-led, behavior-derived telemetry, such as data loss prevention. Over time, leaders should expect to see fewer repeat offenders, faster reporting and more projects voluntarily entering security review. “We have to bring in technology-led, scientific measurement...besides compliance training,” he added, so that culture change is evidenced in trends, not anecdotes.

AI for security and security for AI

The conversation inevitably turned to . “There’s security for AI and then ” said Bernard. On the latter, he predicted an accelerated shift: “It’s going to take just three to five years for AI to become pervasive…AI is going to fundamentally change security,” with a . On the former, he warned that AI systems, the “agentic employees” with identities and privileges, must be protected against prompt injection and safeguarded at the data layer that powers them.

Mehta characterized today’s challenge as a real-time data problem and the panel pushed further, highlighting execution, not just visibility. AI should help right-size access automatically, trigger targeted step-up authentication and contain risk in ways that are reversible when signals normalize. In short, resilience will be built by closing the loop from analytics to action.
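The just-in-time, signal-driven access model Gossett describes in the identity section, together with the step-up and reversible containment behavior above, can be sketched as a small policy engine. This is an added illustration, not code from HCLTech, SailPoint or CrowdStrike; the role catalogue, the risk thresholds (0.4 for step-up, 0.8 for containment), the grant lifetimes and the user "alice" are constructed assumptions.

```python
from datetime import datetime, timedelta
# Hypothetical role catalogue (constructed): entitlements a role may hold and how
# long a just-in-time grant lasts before it times out on its own, so nothing is standing.
ROLE_ENTITLEMENTS = {
    "payments-engineer": {"prod-db-read": timedelta(hours=4), "prod-deploy": timedelta(hours=1)},
    "support-agent": {"crm-read": timedelta(hours=8)},
}

class AccessEngine:
    def __init__(self):
        self.risk = {}          # per-user risk score fed by the SOC (0.0 quiet .. 1.0 active incident)
        self.grants = []        # (user, entitlement, expires) tuples issued just-in-time
        self.suspended = set()  # users whose live grants the SOC has put on hold
    def request(self, user, role, entitlement, now, stepped_up=False):
        """Decide a JIT request: 'denied', 'step-up' or 'granted'."""
        allowed = ROLE_ENTITLEMENTS.get(role, {})
        score = self.risk.get(user, 0.0)
        if entitlement not in allowed or score >= 0.8:
            return "denied"      # not role-appropriate, or the SOC reports an active incident
        if score >= 0.4 and not stepped_up:
            return "step-up"     # elevated risk: targeted step-up authentication first
        self.grants.append((user, entitlement, now + allowed[entitlement]))
        return "granted"
    def update_risk(self, user, score):
        """SOC signal loop: suspend grants on a spike, restore them when signals normalize."""
        self.risk[user] = score
        if score >= 0.8:
            self.suspended.add(user)       # contain, without deleting the grants
        else:
            self.suspended.discard(user)   # reversible: access returns once risk drops
    def active(self, user, now):
        """Entitlements usable right now: not suspended and not yet timed out."""
        if user in self.suspended:
            return []
        return sorted({e for u, e, exp in self.grants if u == user and exp > now})

def demo():
    """Walk one constructed user through the loop and return each decision."""
    eng, t0, out = AccessEngine(), datetime(2025, 1, 1, 9, 0), {}
    out["wrong_role"] = eng.request("alice", "support-agent", "prod-deploy", t0)
    out["quiet"] = eng.request("alice", "payments-engineer", "prod-db-read", t0)
    eng.update_risk("alice", 0.5)                     # constructed signal: suspicious sign-in
    out["elevated"] = eng.request("alice", "payments-engineer", "prod-deploy", t0)
    out["stepped_up"] = eng.request("alice", "payments-engineer", "prod-deploy", t0, stepped_up=True)
    eng.update_risk("alice", 0.9)                     # SOC escalates to an active incident
    out["contained"] = eng.active("alice", t0 + timedelta(minutes=30))
    eng.update_risk("alice", 0.1)                     # signals normalize
    out["restored"] = eng.active("alice", t0 + timedelta(minutes=30))
    out["timed_out"] = eng.active("alice", t0 + timedelta(hours=2))   # prod-deploy (1h) has expired
    return out
```

Running `demo()` shows the four behaviors the panel asked for in one pass: role-bounded requests, step-up on elevated risk, containment that is reversed when the SOC signal clears, and privileges that expire without anyone revoking them.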

The democratization of destruction

Asked about AI’s double edge, Bernard said: “We call it the democratization of destruction,” because it has become “easier for anybody to operate a lethal attack” without years of hacking experience. The only sustainable response, he argued, is to field security that can “keep up and [be] one step ahead,” which now depends on a new value chain: the best data trains the best models, the best models yield the best agents and the best agents deliver security in real time. “It’s no longer a minutes-and-hours discussion; it’s a real-time, proactive [and] predictive discussion.”

Jain cautioned boards not to view AI narrowly as a cost lever. “AI is not a tool; AI is a system that we are all living in today,” he said. Because attackers and even nation states are weaponizing AI, defenders must use it to drive better security outcomes on complex, probabilistic problems “that we are not able to solve [fast enough]” with humans alone.

Leadership blind spots: Speed without security

Mehta then asked about blind spots that erode resilience. Jain highlighted decisions taken “for speed and experience” without security in the equation, noting that progress over the last few years shows secure-by-design can keep business velocity intact. The remedy is early integration: if security is part of the accepted definition of speed, then shipping fast and safe becomes the norm. “Without security, there is no experience…it’ll be a bad experience,” he said.

Bernard added that security is now mainstream because of its societal stakes; treating it as a side topic is no longer tenable. Culture and governance must bring security “closer to the code” and “closer to the business,” because being five steps behind “doesn’t cut it.”

Making resilience investable

Though much of the conversation focused on practice, the panel repeatedly returned to outcomes. Resilience should be priced in terms boards recognize, such as fewer and shorter disruptions, faster restoration of critical services and improved continuity metrics. When identity, telemetry and AI are bound into day-to-day operations, leaders can connect controls directly to availability, customer trust, and brand, turning security from a compliance cost into an operating capability.

Five years to different jobs and a different culture

The session closed on a forward look. “Five years out, everybody in a security team should be doing a fundamentally different job than they’re doing today…if everybody’s doing the same thing, we’ve all failed.” The point is not to eliminate teams but to elevate them and to focus human judgment where it matters, while trusted AI handles more of the manual tasks.

If resilience is the destination, the route is now clear. Retire the “not us” myth. Turn identity from guesswork into just-in-time access governed by live signals. Measure behavior, not attendance. Build secure-by-design paths that people can follow without becoming security engineers. And treat AI both as a force-multiplier for defense and a surface that demands first-class protection. Cultures that make secure behavior the path of least resistance will win the ability to secure their organization year-round, and stay a step ahead in an agentic era that isn’t slowing down.
