
Compliance or risk? The answer may depend on a new kind of CISO

4 minutes reading time

Compliance is an increasingly substantial cost of doing business. But while regulations define the baseline, organisations still need to assess risk to decide where to focus their time, budgets and attention. According to Philippe Cornette, CISO at John Cockerill, and Koen De Maere, CISO at KU Leuven, we need to find a new balance between compliance and risk.

Compliance opens the door. Risk decides the priorities. 

Compliance is often an external business requirement — something customers increasingly expect before they even start the conversation. “Without CMMC certification, you simply cannot do business with US defence companies,” Cornette said during the Cyber Security Coalition panel discussion. Compliance is no longer about governance or audit readiness; it directly determines whether organisations can access customers, markets and partnerships. “Customers contact the business first and then they both contact me,” he said. “That is where I can show the value of cybersecurity.”

For boards, however, risk remains the more powerful language. Regulations such as NIS2 and the CRA can feel abstract; business risk is easier to understand. Koen De Maere approached the same topic from an academic perspective. In theory, he explained, organisations should treat cybersecurity like any other business risk: controls should remain proportional to the value they protect. “With the level of penalties today,” he noted, “the cost of mitigation often becomes lower than the cost of non-compliance.”

AI is creating a new insider risk 

According to Cornette, many organisations underestimate how much access AI receives behind the scenes. “The user may not even know they have access to sensitive data,” he warned. “But the AI agent will find it.” That creates a new type of insider risk: not from malicious employees, but instead from overprivileged AI systems operating with broad access rights and little oversight. 

“You cannot stop innovation,” Cornette said. “People will always find another way to use AI.” Blocking tools entirely therefore makes little sense. The better approach is controlled enablement: managing permissions carefully, limiting access, and training employees to use AI safely. Once AI agents gain access to emails, documents or internal systems, a simple permission mistake can quickly turn into a large-scale security incident. Managing identities and access rights therefore becomes just as important for AI as it is for employees. 
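The two access models described above, as an added illustration that is not from the panel or any product: in the weak model an AI agent silently inherits every permission its user happens to hold, including the forgotten ones; in the scoped model the agent's effective access is the intersection of the user's permissions and an explicit per-agent allowlist bounded by a classification level, and every decision is logged. The resource names, classifications, permissions and `AgentPolicy` structure are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Classification levels, lowest to highest (constructed for this example).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass
class AgentPolicy:
    """Explicit per-agent allowlist. Hypothetical structure, not a real product API."""
    agent_id: str
    allowed_resources: Set[str]
    max_classification: str  # highest classification the agent may ever read


@dataclass
class AccessGate:
    audit_log: List[str] = field(default_factory=list)

    def decide_inherited(self, user_perms: Set[str], resource: Resource) -> bool:
        """Weak model: the agent can reach anything the user can, with no record."""
        return resource.name in user_perms

    def decide_scoped(self, user_perms: Set[str], policy: AgentPolicy,
                      resource: Resource) -> bool:
        """Scoped model: user permission AND agent allowlist AND classification bound."""
        user_ok = resource.name in user_perms
        agent_ok = resource.name in policy.allowed_resources
        level_ok = LEVELS[resource.classification] <= LEVELS[policy.max_classification]
        allowed = user_ok and agent_ok and level_ok
        # Every decision is logged so overreach attempts are visible to the SOC.
        self.audit_log.append(
            f"agent={policy.agent_id} resource={resource.name} "
            f"user_ok={user_ok} agent_ok={agent_ok} level_ok={level_ok} "
            f"-> {'ALLOW' if allowed else 'DENY'}"
        )
        return allowed


def silent_overreach(user_perms: Set[str], policy: AgentPolicy,
                     resources: List[Resource]) -> List[str]:
    """Resources the agent would touch under inheritance but not under the scoped policy."""
    gate = AccessGate()
    return sorted(
        r.name for r in resources
        if gate.decide_inherited(user_perms, r)
        and not gate.decide_scoped(user_perms, policy, r)
    )


# Constructed sample data: the user holds legacy access to two confidential
# stores they never consciously use; a writing assistant needs only the wiki
# and the roadmap.
RESOURCES = [
    Resource("team-wiki", "internal"),
    Resource("product-roadmap", "internal"),
    Resource("hr-salaries", "confidential"),
    Resource("m&a-dataroom", "confidential"),
]
USER_PERMS = {"team-wiki", "product-roadmap", "hr-salaries", "m&a-dataroom"}
ASSISTANT_POLICY = AgentPolicy("writing-assistant",
                               {"team-wiki", "product-roadmap"}, "internal")

if __name__ == "__main__":
    # Shows which data the agent would have reached by inheritance alone.
    print(silent_overreach(USER_PERMS, ASSISTANT_POLICY, RESOURCES))
```

The intersection matters in both directions: the allowlist stops the agent from exploiting forgotten user entitlements, and the user check stops an agent allowlist from granting data the user was never entitled to. The audit line per decision is what makes a "simple permission mistake" detectable before it becomes an incident.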

Cybersecurity leadership is learned on the job 

If compliance provides the baseline and risk determines the priorities, someone still needs to translate both into business decisions. According to Koen De Maere, that requires a different kind of cybersecurity leader than many organisations traditionally look for. Drawing on his research involving more than 400 senior executives, he found little evidence that a specific educational background leads to better cybersecurity leadership — suggesting that these capabilities are primarily developed on the job. What matters far more is diversity of experience. “The greater the number of different functions the executives have held during their careers, the better leaders they become,” he noted. By understanding each other’s perspectives, cybersecurity and business leaders can build mutual trust, forming the foundation for strong and effective working relationships. 

That finding is particularly relevant in a world where cybersecurity decisions increasingly touch operations, legal, supply chains, customers and executive management. A leader who understands how the business works is often better equipped to balance compliance requirements against operational realities. 

Security depends on relationships 

Both speakers repeatedly returned to the same idea: cybersecurity is about collaboration. For Cornette, influencing business units or subsidiaries often depends less on authority and more on relationships. Many entities operate independently, with their own leadership and priorities. “You need friends in the business, and that starts with understanding their operations and priorities.”

De Maere described the same challenge through four organisational layers that determine cybersecurity maturity: individual skills, collaboration between IT and business, decision-making power, and integrated governance structures. Without those foundations, even strong technical controls struggle to succeed. 

The broader takeaway from the panel was clear: compliance and risk are not competing objectives. Compliance creates the baseline. Risk determines the priorities. The organisations that succeed will be led by cybersecurity leaders who can connect both to business reality. 

About the author
Frank Simkens

Frank Simkens is a seasoned marketing and communications expert with a passion for technology and innovation. As a copywriter at The Content Company, he knows better than anyone how to extract the essence from complex stories and translate them into clear messages.