
As AI accelerates the speed and frequency of cyberattacks, organizations must adopt a new defensive strategy centered on continuous adaptation.
Global CISO Jess Vachon explains why security is no longer about perfect protection but a race of relative speed.
Her approach calls on defenders to replace slow annual reviews with continuous testing, focus on the biggest risks like vendor security, and adopt a mindset of constant learning.
The views expressed in this article belong to Jess Vachon and do not necessarily reflect the official policy of any organization.
The clock is ticking faster than ever for cybersecurity defenders. Threat actors now conduct reconnaissance that once took weeks in just a few hours, creating a new reality for most organizations. The advantage now goes to those who can adapt the fastest, most securely, and most strategically. Doing so successfully will first require striking the right balance between human evolution and technical innovation.
Jess Vachon, the Global Chief Information Security Officer for a leading financial services firm, is an expert on this new reality. Having led large-scale, multi-million-dollar security programs at major organizations like Brooks Automation and SIG SAUER, Vachon is a digital transformation expert with experience across finance, manufacturing, and healthcare alike. Today, her question for leaders is no longer if an attack will happen, but how fast their organization can neutralize it when one inevitably occurs.
"The time a threat actor had to spend on research, collecting information, and doing the OSINT piece, now happens in a matter of hours," Vachon says. "Your defensive tools will need to be running constantly so that every change is tested immediately, you get the results instantly, and you have live threat feeds analyzing what's happening across industries." In today's high-speed environment, perpetual vigilance is the only path forward, she explains.
Beat the clock: Calling her strategy a "Cadence Shift," Vachon explains how it helps accelerate an organization's entire security rhythm—from automated code reviews to high-level strategic planning and exercises that address real threats reported in the news. "Doing our pen tests and code reviews annually or semiannually is not enough. We're going to need to run continuous tests at the press of a button."
In an environment of accelerated threats, effective defense requires intelligent prioritization, Vachon explains. For example, she describes social engineering as a fight where defensive tools are keeping pace with attacks. "While social engineering is always in the mix, security vendors are keeping pace by putting AI into their products. From my viewpoint, that front has become a case of AI battling AI."
Mind the gap: According to Vachon, leaders should concentrate their efforts on the real weak spots instead. "The biggest low-hanging fruits are in third-party risk management, where smaller vendors often lack robust security, and in rapidly deployed code. Threat actors using AI can now find and exploit that unpatched software much faster than they were able to in the past."
Catch me if you can: Here, success is a game of relative speed. "If you're not running, not constantly reading, and not learning about the newest technology, you're going to be a victim," Vachon says. From her perspective, the situation is like a race between predator and prey—survival is less about perfect defenses and more about the right mindset. "The attackers are trying to be the fastest lion, and we as defenders must be the fastest gazelle to avoid being the meal."
Beyond quickening the pace, the new reality also introduces a difficult dilemma for defenders: "Defenders must operate within a financial framework that doesn’t detract from the profitability of the company. But threat actors don't have that problem. They are well-funded, well-staffed, and can spend whatever it takes to get their return on investment," Vachon says.
More speed, more problems: For most organizations, operating at this new velocity also creates friction. As AI-powered defensive tools cast a wider net, security teams face a higher volume of false positives, Vachon explains. "I'd rather have a false positive than a true positive. With AI, the alert volume will inevitably go up, and teams will have to learn a new workflow: let the tool do the first verification, with a human performing the final check."
Ultimately, Vachon’s advice for this new environment is surprisingly traditional: master the basics first. For her, a rigorous focus on fundamentals is often the most powerful defense against AI. "The intent of attacks has always been consistent. If you've been following the basic standards of defending your organization, those still hold true."
Meanwhile, a proper balance between AI and human oversight is still emerging, Vachon says. And as hurdles like tool interoperability are solved, AI's role will only grow. "Within the next six to twelve months, we will have agents able to interact, pass relevant information, and hand that off to humans for a final review. It will still be a few years before we move to a 90/10 ratio, but that's my perspective on it," she predicts.
But Vachon's final message is one of adaptation, not fear. AI is simply the latest reality for leaders to master, she concludes. "Humans tend to fear change, and AI is a monumental one. But this is not something defenders should be fearful of. We must learn about it, leverage it, and adapt. If we maintain that attitude of constantly running and learning, we will hold our own against the attackers."