
Human-Centered Risk Discipline Anchors AI-Era Cybersecurity Strategy

The Security Digest - News Team
Published February 17, 2026

Gary Hibberd, Co-Founder of Consultants Like Us, explains why AI is pushing cybersecurity leaders back to human-centric fundamentals.


Key Points

  • AI is accelerating both cyber defense and cybercrime, increasing speed and scale while exposing gaps in governance, ownership, and readiness.

  • Gary Hibberd, Co-Founder of Consultants Like Us, argues that AI should be treated as a strategic, tactical, and operational risk, not a shortcut to resilience.

  • Hibberd says organizations must refocus on human fundamentals like decision ownership, emotional intelligence, risk differentiation, and rehearsed response plans to make AI work safely at scale.

The basics will help you. Irrespective of who your adversary is or how technically capable they are, the basics will win out.

Gary Hibberd

Co-Founder

Consultants Like Us

AI’s rapid rise has transformed cybersecurity into a space where speed often outpaces clarity. The same technologies now shape both defensive systems and offensive attacks, leaving security teams to sift through competing claims of capability as adversaries quietly improve efficiency and scale. In many organizations, AI is adopted with urgency but little governance, creating more blind spots than resilience. The result is a growing realization that while automation can accelerate response, it can't close the deeper gaps rooted in human decision-making, responsibility, and readiness.

For an expert's take, we turned to Gary Hibberd, Co-Founder of the cybersecurity consultancy Consultants Like Us. Known as "The Professor of Communicating Cyber," Hibberd has a career spanning over two decades in information security and business continuity, with leadership roles at GE Money, Irwin Mitchell, and Cyberfort Group. He believes that navigating the AI era requires a return to human-centric fundamentals.

"AI is a strategic, tactical, and operational risk. That's really what it all comes down to," says Hibberd. In his view, taking a multidimensional view of risk helps organize the chaos. With mounting pressure to deploy AI, security leaders face a marketplace packed with offerings that claim, often dubiously, to be "AI-enabled." This creates a general fog of confusion and raises core questions: What is authentic AI, and how can it be used, in practice, to safeguard the organization?

  • No rules, new tools: Internal confusion is heightened by a threat landscape that changes by the day. Adversaries are using the same technology to scale their attacks, and that constant pressure is stretching security teams and leaders thin. "We've got to recognize that cybercriminals are using AI to become more efficient and effective, the same way that we're using it. The only difference is that they're not constrained by the same ethical boundaries that we all are," says Hibberd.

  • The blame game: Although cybersecurity leaders recognize the need for a "no-blame culture," it often fails in practice. The disconnect between responsibility and authority can contribute to burnout, and even in an officially blameless culture, a leader will likely internalize the failure. "In large, established institutions, blame becomes institutionalized. If there's a problem, someone is to blame. That's a cultural issue, and to change culture takes a long time."

It's this seemingly inescapable cycle of blame that leads Hibberd to offer his most counter-intuitive advice. Instead of trying to overwrite the existing organizational culture, he suggests leaders work with it to earn influence by first understanding what the business values. "When you try to instill a security culture, you're saying you can come into a business that has been operating for 100 years and make the entire organization think differently. That is the road to hell. You might as well be standing on the beach and trying to stop the ocean. It's not going to happen."

  • Human on standby: Hibberd's human-centric philosophy extends to managing technology itself. As many organizations look to deploy agentic AI systems, a key challenge often lies in defining the boundary between human and machine. "I liken it to the autopilot on a plane," Hibberd explains. "The pilot flicks a switch, and it will fly the plane. However, autopilot is switched off for landing and takeoff. If there's a problem, the system does its best to diagnose it, but at a certain point it recognizes its limits and hands control back to the human."

  • Feelings first: In a human-AI hybrid model, technology supports expert judgment. Defending against today's threats often involves leveraging uniquely human strengths, like emotional intelligence. "With phishing, the number one thing we train people on is to look beyond the words and identify the emotion a message is trying to evoke from you," says Hibberd. "A non-negotiable is training people to be more human so that they can recognize these emotionally manipulative attacks."

A vital but often overlooked core tenet of the national cybersecurity framework is simple preparedness. Hibberd points to a common oversight where organizations develop incident response plans that have never been rehearsed. "Still to this day, I have conversations with leaders who tell me their business continuity plan is just part of their disaster recovery plan. When I ask when they last walked the team through it, they admit they haven't done it."

  • Back to basics: For Hibberd, preparedness basics begin with becoming well-versed in risk management. "You cannot protect what you don't understand," he says, stressing the need for a data asset register and a realistic view of threats. A fundamental gap Hibberd observes is that many leaders still struggle to differentiate between strategic, tactical, and operational risks. "You have to understand those three elements to protect your business," he advises.

With technology moving at breakneck speed, Hibberd’s core message is a return to the foundations that have defined security for decades. He finds the perfect metaphor in his own personal discipline. "I'm a black belt in Bujinkan Budo Taijutsu. But after 30 years of training, I still practice the basics," he shares. "Because the basics will help you. Irrespective of who your adversary is or how technically capable they are, the basics will win out."