Hard Realities of Cyber Threats
21 Jan 2026 10:30h - 11:15h
Session at a glance
Summary
This World Economic Forum panel discussion focused on the evolving landscape of cyber threats and the need for enhanced cybersecurity resilience in an increasingly interconnected world. The panel, moderated by Samir Saran, brought together leaders from Europol, telecommunications, financial services, and cybersecurity to examine how cyber risks are changing and what responses are needed.
Michelle Zatlyn from Cloudflare highlighted that cyber attacks are becoming “bigger and more,” with DDoS attack records being broken 25 times in 2025 and AI-powered bot impersonation increasing by 1400%. She noted a growing divide between well-protected organizations, particularly financial institutions, and vulnerable smaller enterprises that haven’t adopted modern security solutions. Catherine De Bolle from Europol described how the “DNA of crime” is changing, with criminals now treating data as a weapon following a “steal, deal and repeat” cycle, while organized crime groups are increasingly investing in in-house digital capabilities and AI tools.
Hatem Dowidar emphasized the shift from traditional criminal behavior to weaponized cybercrime involving state actors, particularly threatening critical infrastructure across multiple nations. Michael Miebach from Mastercard stressed that cybersecurity is now systemic, cutting across physical, geopolitical, and corporate domains, and argued that without trust in AI systems, their adoption will be limited. The panelists agreed that traditional law enforcement approaches are insufficient and that new forms of public-private partnerships are essential.
Key solutions discussed included moving from permission-based to trust-based security architectures, implementing zero-trust frameworks, improving threat intelligence sharing, and addressing supply chain vulnerabilities. The discussion concluded with calls for better workforce training, enhanced digital literacy, stronger identity systems, and treating cybersecurity as a fundamental business responsibility requiring board-level attention rather than just technical oversight.
Key points
Major Discussion Points:
– Evolving Cyber Threat Landscape: The panel discussed how cyber threats are becoming “bigger and more” with AI accelerating new attack types. DDoS attack records were broken 25 times in 2025, and AI bots impersonating humans increased by 1400%. The convergence of physical and digital threats, along with geopolitical tensions, is creating a more complex security environment.
– Digital Divide in Cybersecurity Preparedness: There’s a growing gap between organizations with modern cyber defenses (particularly financial institutions) and those still relying on legacy systems. Large corporations are generally better protected, while small businesses remain vulnerable as the “weakest link” that fraudsters target.
– Blurred Lines Between Criminal and State Actors: The weaponization of cyberspace by nation-states has complicated the threat landscape. Organized crime groups are hiring digital experts and investing in AI capabilities, while state actors use criminal groups as proxies, creating challenges for traditional law enforcement approaches.
– Need for Enhanced Public-Private Partnerships: The discussion emphasized that traditional law enforcement methods are insufficient for modern cyber threats. New collaborative models are emerging, including information sharing between law enforcement agencies like Europol and private sector companies, though legal and trust barriers still exist.
– Trust-Based Security Architecture and AI Agents: The conversation explored the transition from permission-based to trust-based security systems, particularly as AI agents become more prevalent. This includes implementing zero-trust architectures and developing guardian systems to monitor AI agent behavior within organizations.
Overall Purpose:
The discussion aimed to examine the current state of cybersecurity threats and resilience strategies, focusing on how leaders can adapt to an increasingly complex threat environment that combines traditional cybercrime, state-sponsored attacks, and emerging AI-powered threats. The panel sought to identify practical solutions and partnership models for protecting organizations and critical infrastructure.
Overall Tone:
The discussion maintained a serious but constructive tone throughout. While acknowledging the severity and complexity of current cyber threats, the panelists balanced concern with optimism about available solutions. The tone was collaborative and solution-oriented, with participants building on each other’s insights rather than debating. There was a sense of urgency about the need for action, but also confidence that with proper investment, partnerships, and modern defenses, organizations can effectively protect themselves against evolving threats.
Speakers
– Samir Saran: Moderator of the panel discussion
– Catherine De Bolle: Executive Director of Europol, speaking on international partnerships and criminal perspective on cybersecurity
– Michelle Zatlyn: Co-Founder and President of Cloudflare, working on keeping organizations safe from cyber threats
– Michael Miebach: Chief Executive Officer of MasterCard USA, part of the International Business Council, working on cyber resilience and cyber threats
– Hatem Dowidar: Group Chief Executive Officer, e&, from the UAE, bringing perspective from telecommunications and critical infrastructure management across 20 countries
– Audience:
Additional speakers:
– Dave: Chief Technology Officer for Pearson (the world’s largest learning company) – audience member who asked a question about AI agents and cybersecurity training
Full session report
Comprehensive Report: World Economic Forum Panel Discussion on Cybersecurity Resilience
Executive Summary
This World Economic Forum WEF26 panel discussion, moderated by Samir Saran, brought together senior leaders from law enforcement, telecommunications, financial services, and cybersecurity to examine the rapidly evolving landscape of cyber threats and the urgent need for enhanced cybersecurity resilience. The panel featured Catherine De Bolle (Executive Director of Europol), Michelle Zatlyn (Co-Founder and President of Cloudflare), Michael Miebach (Chief Executive Officer of MasterCard USA), and Hatem Dowidar (Group Chief Executive Officer, e&, UAE).
As Saran noted in his opening remarks, the discussion was framed by findings from a global cybersecurity outlook report and focused on “convergence of real threats, physical threats, supply chain threats, digital threats, the geopolitical moment, the polarizations, the lack of international cooperation” and the struggle for “defining partnerships for the future that can keep up with technology.”
The discussion revealed a consensus amongst industry leaders that cyber threats have fundamentally transformed, becoming exponentially more sophisticated, frequent, and dangerous. The panellists agreed that traditional approaches to cybersecurity are insufficient and that new forms of collaboration between public and private sectors are essential for addressing these evolving challenges.
The Evolving Cyber Threat Landscape
Unprecedented Scale and Sophistication
Michelle Zatlyn opened the discussion by highlighting the dramatic escalation in cyber threats, noting that cyber attacks are becoming “bigger and more” with artificial intelligence serving as a significant accelerator. She presented striking statistics demonstrating this escalation: according to Zatlyn’s data, DDoS attack records were broken 25 times in 2025, and AI-powered bot impersonation increased by an extraordinary 1400%. These figures underscore the rapid evolution of the threat landscape and the role of AI in amplifying both the scale and sophistication of attacks.
Zatlyn also highlighted emerging insider threats, noting concerning examples of Iranian government employees working within organizations, demonstrating how traditional security perimeters are being compromised from within.
The Changing DNA of Crime
Catherine De Bolle provided a law enforcement perspective on this evolution, describing how “the DNA of crime is changing” through digitalisation. She introduced the concept of criminals following a “steal, deal and repeat” cycle, treating data not merely as a target but as a weapon in their operations. This fundamental shift represents a move from traditional one-off criminal activities to systematic, repeatable business models that leverage digital assets.
De Bolle explained that organised crime groups are increasingly investing in in-house digital capabilities and utilising AI tools to facilitate their business models. This professionalisation of cybercrime has created more sophisticated and persistent threats that require new approaches from law enforcement.
Convergence of Criminal and State Actors
The discussion revealed a particularly concerning development: the blurred lines between organised crime groups, non-state actors, and legitimate state operations. When Saran raised questions about the weaponisation of cyberspace by legitimate state actors, De Bolle provided detailed insights into this complex landscape.
“We see that the lines between state actors, non-state actors, organised crime groups are blurring,” De Bolle explained. She described how criminals might work for states during the day and launch independent attacks at night, creating a complex threat environment where traditional distinctions between different types of adversaries are becoming increasingly meaningless.
This convergence has necessitated new approaches to defense, requiring what De Bolle termed closer cooperation between “defense, police, and intelligence services” to address threats that span multiple domains and jurisdictions.
Hatem Dowidar emphasised the shift from traditional criminal behaviour to weaponised cybercrime involving state actors, particularly threatening critical infrastructure across multiple nations. This convergence has created what Michael Miebach characterised as fundamentally systemic threats, cutting across physical, geopolitical, societal, and corporate domains.
The Digital Divide in Cybersecurity Preparedness
The “Messy Middle” Problem
One of the most significant concerns raised during the discussion was the growing divide in cybersecurity preparedness between different types of organisations. Zatlyn identified what she termed a “separation of the field,” where some organisations—particularly financial institutions—have implemented modern defences and are well-protected, whilst others in the “messy middle” have not adopted modern solutions for various reasons.
This digital divide creates systemic vulnerabilities, as Miebach pointed out that small businesses, despite being the largest employers globally, often represent the “weakest link” that fraudsters specifically target. The challenge is particularly acute because these smaller organisations may lack the resources, expertise, or awareness necessary to implement adequate cybersecurity measures.
Implications for Systemic Security
The existence of this digital divide has implications beyond the individual organisations that are poorly protected. In an interconnected digital ecosystem, the security of the entire system is only as strong as its weakest components. This reality means that the cybersecurity challenges of small and medium-sized enterprises become everyone’s problem, as they can serve as entry points for attacks on larger, better-protected organisations through supply chain vulnerabilities.
Public-Private Partnership Solutions
Inadequacy of Traditional Approaches
There was unanimous agreement amongst the panellists that traditional law enforcement approaches are insufficient for addressing modern cyber threats. De Bolle explicitly stated that “traditional law enforcement activities are not sufficient anymore” and emphasised the need to explore new ways of working with the private sector.
Emerging Collaborative Models
The discussion highlighted several emerging models for public-private collaboration in cybersecurity. De Bolle described specific collaborative projects, including Europol’s “Asset” project, which demonstrates how information sharing between law enforcement agencies and private sector companies enables immediate protective actions. When law enforcement identifies new threats or attack patterns, they can quickly share this intelligence with private sector partners, allowing them to implement protective measures before attacks occur.
Miebach noted that despite broader geopolitical fragmentation, new partnership models are emerging in cybersecurity because cyber threats transcend national borders. He referenced MasterCard’s acquisition of Recorded Future, a threat intelligence company, as an example of how private sector organisations are investing in enhanced threat detection capabilities. He also highlighted the development of cybersecurity centres that bring together private sector organisations and law enforcement agencies, though he acknowledged that these solutions tend to be pragmatic and localised rather than comprehensive global arrangements.
Dowidar provided concrete examples of successful collaboration models, describing the UAE’s national cybersecurity council that brings together government and private sector stakeholders. He also highlighted the role of international industry bodies like the GSMA security center for the telecommunications industry, which facilitates threat information sharing across the sector.
Challenges in Collaboration
Despite the recognised need for enhanced collaboration, the panellists acknowledged several barriers to effective public-private partnerships. These include legal constraints around information sharing, concerns about liability in litigious societies, and the need to balance transparency with operational security requirements.
Trust-Based Security Architecture and Zero-Trust Implementation
Transition from Permission-Based to Trust-Based Models
The discussion explored the fundamental shift from permission-based to trust-based security architectures. Zatlyn explained this transition using a practical analogy: traditional security was like having one key to your house, but modern zero-trust architecture requires verification at every access point, similar to having multiple locks and verification systems throughout a building.
Miebach elaborated on the zero-trust approach, explaining that it requires verification at every access point using multiple data signals for authentication. He noted that modern defences utilising AI and multiple data sources can provide high-probability transaction validation, enabling organisations to make real-time decisions about the legitimacy of activities within their systems.
Practical Implementation Challenges
The panellists discussed practical challenges in implementing zero-trust architectures, particularly in organisations with legacy systems and established workflows. The transition requires not only technical changes but also cultural shifts in how organisations think about access control and verification.
AI Agent Security Framework
Audience Engagement on AI Agent Challenges
A significant portion of the discussion was devoted to addressing questions from Dave Treat, CTO of Pearson, who raised important concerns about AI agent security. Treat asked how to create AI agents that are “inherently suspicious and not easily fooled by the same tactics that fool humans,” highlighting the unique challenges of securing autonomous AI systems.
Treating AI Agents as Workforce Extensions
The panellists quickly reached consensus that AI agents should be treated as extensions of the existing workforce, with the same zero-trust principles applied to their activities. Zatlyn advocated for treating AI agents like employees within existing security frameworks, noting that “we should treat agents like we treat employees” with appropriate access controls and monitoring.
Guardian Agent Architecture
Dowidar introduced the concept of hierarchical guardian agents that monitor AI agent behaviour, drawing parallels to human call monitoring systems in customer service environments. He explained that just as human agents are monitored for quality and compliance, AI agents require similar oversight mechanisms to ensure they operate within acceptable parameters.
This approach recognises that AI agents, like human employees, may make mistakes or be compromised, requiring systematic monitoring and intervention capabilities.
Integration with Existing Payment Systems
Miebach suggested that existing payment security frameworks could be extended to protect agentic commerce transactions, viewing AI agents as additional entities within current ecosystems rather than requiring entirely new security approaches. This perspective reflects a pragmatic approach to AI security that builds upon proven methodologies rather than starting from scratch.
Global Standards for AI Governance
De Bolle highlighted the need for worldwide standards for AI agent monitoring and governance that are accepted globally. This requirement reflects the international nature of both AI development and cyber threats, necessitating coordinated approaches to ensure consistent security standards across different jurisdictions and organisations.
Supply Chain Vulnerabilities and Third-Party Risks
Interconnected System Risks
The discussion identified supply chain vulnerabilities as representing major risks in increasingly interconnected systems. Zatlyn emphasised that third-party vulnerabilities can compromise even well-protected organisations, as attackers often target the weakest links in complex supply chains to gain access to their ultimate targets.
Contractual Security Standards
As a solution to supply chain risks, Zatlyn suggested that large organisations should insist on cybersecurity standards in contracts with third-party suppliers. This approach would help raise the overall security posture across supply chains by requiring smaller suppliers to meet minimum security requirements as a condition of doing business with larger, better-protected organisations.
Crown Jewels Protection and Nth-Degree Assessment
Miebach introduced the concept of identifying and protecting organisational “crown jewels” with what he termed “nth-degree supply chain security assessment.” This approach recognises that whilst organisations cannot apply maximum security to every aspect of their operations, they must identify their most critical assets and ensure these receive the highest levels of protection, including comprehensive assessment of all supply chain components that could affect these critical systems.
Dowidar emphasised that companies must prioritise security assessment of supply chains as a business prerequisite, noting that critical infrastructure requires intelligent networks that can monitor and isolate unusual behaviour before it spreads throughout interconnected systems.
Leadership and Workforce Development Challenges
Executive-Level Engagement
A recurring theme throughout the discussion was the need for cybersecurity to receive greater attention at board and C-suite levels. Zatlyn emphasised that cybersecurity must be treated as a business topic rather than merely a technical issue, requiring executives to develop personal expertise rather than delegating entirely to technical teams.
This perspective reflects the recognition that cybersecurity decisions have strategic business implications that extend far beyond technical considerations. When cybersecurity is viewed only as a technical concern, organisations may fail to allocate appropriate resources or make necessary strategic adjustments to address evolving threats.
Workforce Shortage Crisis
Miebach highlighted a massive cybersecurity workforce shortage, noting that there are over 700,000 unfilled cybersecurity positions in the United States alone. This shortage represents a critical constraint on organisations’ ability to implement and maintain effective cybersecurity programmes.
The workforce challenge extends beyond simply hiring cybersecurity professionals to include training existing employees on incident response procedures. Miebach noted that many organisations have security measures in place but their workforces are not prepared to respond effectively when attacks occur, often freezing during ransomware attacks rather than following established procedures.
Educational and Training Reform
De Bolle emphasised the need for investment in digital literacy and critical thinking skills for society as a shared responsibility. This perspective recognises that cybersecurity is not solely the responsibility of cybersecurity professionals but requires a digitally literate population that can recognise and respond appropriately to cyber threats.
Dave Treat from the audience criticised current cybersecurity training methods as ineffective, advocating for embedding security learning into daily workflows rather than conducting separate training sessions. This approach would make cybersecurity awareness a natural part of employees’ regular activities rather than an additional burden that may be ignored or forgotten.
Infrastructure and Identity Solutions
Global Identity Systems
Miebach identified the development of better global identity systems as fundamental infrastructure needed across both private and public sectors. He described the current situation as a “smorgasbord” of divergent identity solutions across the world, with too much fragmentation creating vulnerabilities that can be exploited by attackers.
Dowidar provided specific examples of identity verification technologies, highlighting SIM card technology and location-based verification systems that combine telecommunications and financial data to provide robust identity confirmation. These technologies demonstrate practical approaches to solving identity verification challenges in a mobile-first world.
Critical Infrastructure Protection
Dowidar, speaking from his experience managing telecommunications infrastructure across 20 countries, emphasised the need for intelligent networks that can monitor and isolate unusual behaviour. This capability is particularly important for critical infrastructure, where attacks can have cascading effects across multiple systems and potentially affect national security.
The protection of critical infrastructure requires not only technical measures but also coordination between different sectors and jurisdictions, as these systems often span multiple countries and involve numerous stakeholders with different security capabilities and requirements.
Trust as an Enabler of Innovation
AI Adoption and Trust
Miebach made a particularly insightful observation about the relationship between cybersecurity and innovation, noting that “if people don’t trust AI, they will not use it.” He reframed cybersecurity from a defensive necessity to an enabler of innovation and economic growth, arguing that without trust in AI systems, their adoption will be limited.
This perspective shifts the cybersecurity conversation from cost centre to value enabler, making it a strategic business imperative rather than just a technical requirement. If organisations cannot demonstrate that their AI systems are secure and trustworthy, they will struggle to realise the potential benefits of these technologies.
Building Trusted Technology Layers
The discussion emphasised the need to build trusted layers around new technologies from the outset rather than attempting to add security as an afterthought. This approach requires collaboration between technology developers, cybersecurity professionals, and business leaders to ensure that security considerations are integrated into the design and deployment of new systems.
Panelists’ Key Recommendations for Leaders
In response to Saran’s final question about “one big idea or one big investment that leaders need to be making now,” each panelist provided specific actionable advice:
Catherine De Bolle emphasised the need for investment in digital literacy and critical thinking skills as a shared societal responsibility, recognising that cybersecurity requires an educated and aware population.
Michelle Zatlyn advocated for treating cybersecurity as a business topic requiring executive-level expertise, moving beyond delegation to technical teams to direct leadership engagement.
Michael Miebach highlighted the critical need to address the massive cybersecurity workforce shortage, particularly the 700,000+ unfilled positions in the United States, as a fundamental constraint on organisational security capabilities.
Hatem Dowidar stressed the importance of intelligent network infrastructure that can monitor and isolate threats before they spread, particularly for critical infrastructure protection.
Areas of Strong Consensus
Threat Evolution Recognition
All panellists demonstrated remarkable consensus on the fundamental evolution of cyber threats. They agreed that attacks are becoming more sophisticated, frequent, and dangerous, with AI serving as a significant accelerator. This shared understanding provides a foundation for coordinated responses and policy development.
Partnership Necessity
There was universal agreement that traditional approaches are inadequate and that effective cybersecurity requires unprecedented collaboration between law enforcement, government agencies, and private sector organisations. This consensus spans technical, organisational, and policy dimensions, indicating maturity in the field’s strategic thinking.
AI Agent Integration
Despite the novelty of AI agents as business tools, the panellists quickly reached consensus that these systems should be integrated into existing security frameworks rather than requiring entirely new approaches. This agreement suggests that the cybersecurity community is developing pragmatic approaches to emerging technologies.
Workforce Development Priority
All speakers recognised the critical need for better cybersecurity education and training, though they focused on different aspects of the solution. This consensus on the importance of human capital development reflects an understanding that technology alone cannot solve cybersecurity challenges.
Unresolved Challenges and Future Considerations
Geopolitical Complexities
Despite the consensus on many technical and operational issues, the discussion revealed several unresolved challenges. The weaponisation of cyberspace by legitimate state actors creates complex situations where traditional good-versus-evil narratives break down. How to maintain cybersecurity cooperation whilst navigating geopolitical tensions remains an open question.
Scaling Solutions
Whilst the panellists agreed on the need to protect smaller organisations in the “messy middle,” practical solutions for scaling enterprise-level security to small businesses remain elusive. The resource constraints and expertise gaps that affect smaller organisations cannot be easily addressed through the collaborative mechanisms that work for larger enterprises.
Training Effectiveness
Although there was consensus on the need for better cybersecurity training, the most effective methods for delivering this training remain unclear. Traditional approaches are widely recognised as ineffective, but alternative methods that embed security awareness into daily workflows are still being developed and tested.
Global Standardisation
The need for global standards in areas such as identity systems and AI agent governance is clear, but the mechanisms for developing and implementing such standards in a fragmented geopolitical environment remain challenging.
Conclusion
This World Economic Forum panel discussion revealed a cybersecurity community that has developed a sophisticated understanding of the challenges facing organisations in an increasingly connected and threatened digital environment. The high level of consensus amongst leaders from different sectors and regions suggests that there is a shared foundation for coordinated action.
The discussion moved beyond traditional cybersecurity talking points to address fundamental questions about the role of cybersecurity in enabling innovation, the need for new forms of public-private collaboration, and the systemic nature of modern cyber threats. The panellists demonstrated an understanding that cybersecurity is not merely a technical challenge but a comprehensive business and societal issue that requires coordinated responses across multiple domains.
The substantive audience engagement, particularly around AI agent security, demonstrated the practical relevance of the discussion and the community’s ability to quickly develop consensus around emerging challenges. The panellists’ specific recommendations for immediate action provide concrete guidance for leaders seeking to improve their organisations’ cybersecurity posture.
However, the discussion also highlighted significant unresolved challenges, particularly around scaling solutions to protect smaller organisations, developing effective training methods, and navigating the complex geopolitical dimensions of cybersecurity. These challenges will require continued collaboration and innovation to address effectively.
The overall tone of the discussion was urgent but constructive, with panellists demonstrating confidence that with proper investment, partnerships, and modern defences, organisations can effectively protect themselves against evolving threats. This optimism, combined with a realistic assessment of the challenges ahead, provides a foundation for the continued development of cybersecurity capabilities and collaborative mechanisms.
The discussion’s emphasis on trust as an enabler of innovation, the need for executive-level engagement with cybersecurity issues, and the importance of treating AI agents as extensions of existing workforces provides practical guidance for organisations seeking to improve their cybersecurity posture whilst embracing new technologies. These insights reflect a mature understanding of cybersecurity as a strategic business enabler rather than merely a defensive necessity.
Session transcript
to engage with this conversation through the hashtag WEF26. Do send in your thoughts as well. Now, we have a fantastic panel, which has Catherine De Bolle, Executive Director of Europol, and she’s going to be speaking on international partnerships and also from a criminal prism perspective, we will have Hatem Dowidar, Group Chief Executive Officer, e&, from the UAE, and he’s gonna bring in a different perspective from his vantage point.
Michael Miebach, Chief Executive Officer, MasterCard USA, and of course, part of the International Business Council. Michael is going to, MasterCard has been working on cyber resilience and cyber threats for a while, and we’re going to hear from you, Michael, the big picture. And of course, Michelle Zatlyn, Co-Founder and President of Cloudflare, someone who’s been at the forefront of keeping us all safe.
So this is the panel, and to just set the context, this panel is actually going to form on its point of departure, the convergence of real threats, physical threats, supply chain threats, digital threats, the geopolitical moment, the polarizations, the lack of international cooperation, and of course, the struggle for defining partnerships for the future that can keep up with technology and keep pace with technology.
There’s a global cyber security outlook report, please tune into that, it has some interesting findings, but most important question that I derive from that report is the kind of leadership that we need to respond to this moment, which once moves beyond the hard reality, then starts thinking about AI and other emergent technologies that will fuse into the questions of cyber security, will become an interesting board poser for the board-level officers, the C-suite officers.
So without further ado, let us set a baseline. Let us ask each of the panelists first, how is the threat changing? How has the world changed from a cyber resilience perspective?
And what are you in your jobs finding different or similar to what happened before? So let’s start with you. Great.
Well, thank you so much. And I think you covered so much, Samir, in your opening remarks and I’m excited to dig into all of that. And so some of the things that we’re seeing changing at Cloudflare is that bigger and more. So there are more cyber risks and cyber attacks and they’re larger and scarier.
And so just to give you an example, in 2025, we saw the record for a certain type of attack called a distributed denial of service attack, also known as a DDoS attack. The record was beat 25 times in 2025. So there was like a record beat and then it got beat another 24 times.
So that is bad. That is bad news. I think that we’ll get into it, but just I do think that some of the solutions today are getting a lot better.
So that’s the good news. But it is absolutely something that leaders have to stay top of mind. And then AI is accelerating the new types of attacks.
And so in addition to more and bigger, there’s a lot more new ones that are scary and so a lot more phishing. And so the other data point is AI bots that impersonate humans, we see up 1400% over the year. And those are very credible, very real.
And as leaders, it’s very scary. There’s a lot of impersonation happening. You know, before I turn to Catherine, let me ask you one more question.
How are the different sorts of enterprises responding to this new age? The big enterprises versus the smaller ones? So it’s interesting.
I think that there’s a dividing. As quickly the field is getting divided. There are some organizations, actually a lot of financial institutions, including MasterCard, who take cybersecurity very seriously.
When you’re dealing with money, you have to. You’ve had to deal with anyone dealing with money for a long time has taken cybersecurity very seriously. And so they have very modern defenses.
And so they’re actually very well protected. What I worry a lot about are some of the enterprises who haven’t adopted the modern solutions because the legacy solutions are falling over and not meeting the need. And so what happens is this often happens on a Friday night, a Saturday morning when the teams aren’t online and it becomes an emergency and a crisis in these organizations, and it’s very stressful. And so there’s a separation of the field, and so there’s a group of organizations who have modern defenses and are in good positions, but there’s kind of the messy middle where they haven’t quite adopted it for a bunch of reasons we can get into, and they are feeling the impact and that is worrisome.
Catherine, let me turn to you. How is the nature of cyber risk changing, especially in the geopolitical context, in the context that the physical and the virtual are fused and of course the world we live in today is far more exciting.
So we call it in fact that the DNA of crime is changing and the DNA for us is a digitalization online that is making, that is the new crime area we need to work on. It’s nurtured online and it’s accelerated by AI so all the crime areas we saw before we see them now but accelerated much more and the reach to regular people is much bigger. So when we were talking before about data, data it is something static, it’s something we own, we protect.
When we look at criminals now it’s a feature, it’s a weapon and how we describe the cycle of digital data it’s steal, deal and repeat. It’s really another way of working with data. If they have the data it’s an asset by itself, you get it, you can sell it, you can sell it again and it is not staying stable anymore.
So the steal, deal and repeat thing for us it’s very important. What we are confronted with is law enforcement, of course we still work on national level. We have a lot of police cooperation but I think what we need to do much more is align with private sector to see how we can make our system or a digital ecosystem safer for the future.
I’m going to come to that as a separate thread of conversation. But let me ask you another question.
How is the linkage between organized crime and cyber crime now playing up in your world? When I look at the period of Corona, the COVID-19 period, then we saw that organized crime groups, they hired in digital people. Now we see that organized crime group, they invest themselves to have the digital people in-house, to make their own digital safe environment and to make abuse of their digital environment.
And we also see that AI is massively used by organized crime groups because it facilitates the business model. You only need a computer. You need a bit of people that are technically schooled and you can reach a lot of people.
Where we saw in the past that the drugs cartels were the most important ones for destabilizing our economies and our rule of law. Now we predict that in the future it will be the digital crime. Frauds are much more easy.
You don’t need an infrastructure and you gain a lot of money and you reach a lot of people with that. So we see that everything is moving online and that is very worrying because we do not always have the right protection tools to prevent crime.
Therefore, I’m going to come back to you a little later on the cross-border partnerships and relationships we need to foster to respond to it. From your perspective, Hatem, how is this change in a geography? You’re in a geography which is perhaps a digital first geography, which is an exciting, dynamic, fast-growing economic unit, which is based on technology and adoption of technologies being the service hub and innovation hub.
How are you seeing this play out?
I think there’s definitely the same threats that we talked about, which is the threats on organizations and companies. But also now, there is the worry that with the increase of cyber threats on infrastructure, on some of the things like self-driving cars, as we’re getting now into a drone environment, so that cyber threat is going from just normal criminal behavior that will try to have a financial side to a very disruptive, almost weaponized cyber crime as well.
So we’ve seen also this coming from, let’s say, criminal organizations to state actors. And at the moment, I mean, in addition to our normal businesses in technology like FinTech and content and so on, we run critical infrastructure in 20 countries, so mobile networks and fiber networks and we see over that a huge increase.
So you know, Michelle just mentioned, you know, the increase of DDoS attacks 25 times. We see that. And it’s now important not only to protect organizations, sometimes there are whole nations that get that pressure on their networks, which is very, very disruptive to the ecosystem overall.
So this is one side that we see and we need to move as fast as these, let’s say, bad actors are moving to provide the protection. But on the other side, we have the great opportunity that we see coming with AI and also a lot of exposure coming from AI, because as more and more companies are implementing AI agents, that become another potential loophole where, again, the bad actors can come.
So as these agentic AI processes and agents are able to talk to systems within companies, we need to make sure that we create more of the zero trust systems to prevent the incursion of new threats coming from these new technologies.
So it’s a... As much as opportunity is coming now, we have to all be very, very careful. I don’t think it’s optional anymore whether to invest in cyber security or not. It’s become essential.
I want to ask you a specific question that I think is also coming from the surveys of large organizations. They find supply chain challenges, third-party vulnerabilities. It is the component integrations into your fiber networks and other networks that you manage as being one of the key determinants of secure systems, right?
Yes. How are you managing cyber resilience and cyber threats when you are dependent on so many external parties to service your big, large networks and businesses? So, again, as I said, the opportunity and the threat are there.
So, we’re using a lot of new tools. I mean, we cooperate with lots of partners. Cloudflare is one of them, but with a lot of other partners to make sure that also from a network perspective, from an infrastructure perspective, we are looking at any unusual behavior.
So, sometimes you need to isolate a certain customer to prevent a whole network or a whole nation from being under threat because of an attack on that customer until you can remove that threat. So, we need more intelligent networks. We need to continuously monitor for different behaviors.
And the same way that people are using AI capability or agents for hacking or for bad action, we also have agents that are looking at new behavior or different behavior and isolating it early on to be able to protect the network.
So, you are, in some sense, more cognizant of malicious hardware being embedded in your systems today.
Very much so. Okay. Michael, I want to take this conversation to a higher level.
I think there are a number of points raised right now. One, of course, is the digital divide. Big corporations are safer than smaller ones.
And I think Mastercard has been working on this, and I probably want a perspective on how you are onboarding many of your customers to a safer plane. But generally, from… from where you sit, and we heard that financial systems need, where there’s money, there needs to be safety. How are you assessing this new landscape where you have hardware and the digital sphere now deeply interconnected and in many ways mutually beneficial or harmful?
Yeah, it’s a great question.
So, underlining a lot of what was said here before. Headline for me is like, it’s systemic and cutting across the physical world, it’s cutting across the geopolitical world, it’s cutting across the societal world and the corporate world. So, these cyber threats are all there.
I think we are realizing the magnitude of the problem. We’re far away from having all of the answers. Hatem, you just laid out a lot of options there that certainly need to happen in the corporate space.
I think there’s another angle to this. We just raised how AI can help and defend. But if you take a step back and think about the promise of AI as a technology that can do so much for a path to prosperity, for driving growth and so forth.
If people don’t trust AI, they will not use it. So, this is not the defense side of this conversation, it’s the offense side of the conversation. So, if we don’t build in a trusted layer around these technologies, the use will not be there.
So, we have a strong partnership with Cloudflare and that’s exactly for that point. We say, this is kind of, cyber proof is a very big word, so I don’t wanna go there, but embedded security, we’re using all the threat intelligence there is and you as a consumer or as a small business, you can trust that.
And so, let’s talk about small business for a moment. We just talked large corporations. Where do the fraudsters go?
They go for the weakest link. And small business, largest employer in the world, and they are unprotected. And so, we feel really, for us as larger corporations and people who are focused solely on cyber security, we have to do a much better job in protecting that.
So, those are all things that come together to take this to a higher level, but I think we’re all alert in the fact that we even having this conversation is gonna take this forward. You know, Michael, I think I heard a conversation yesterday.
In fact, I moderated a session yesterday where on the barometer, cooperation barometer that was produced by McKinsey and WEF. One of the interesting outcomes was that even as collaboration is tapering off and some of the partnerships are seeing a steep fall, new forms of arrangements are coming up, new innovative systems, multilateral, sorry, mini-laterals or public-private partnerships, new relationships are emerging.
Are we seeing in the cyber threat domain some new kind of partnerships that are essential and that are emerging and that are actually responding to some of these threats?
So let me respond with just a slightly different angle to start with. So we see some geopolitical fragmentation, no question. We’re seeing a more focus on self-sufficiency and resilience in countries across the world.
But it’s very interesting. Wherever I travel, you bring the topic of cybersecurity on the table. Topics of sovereignty and so forth recede a little bit to the background and say, oh yeah, we should talk.
Because the hackers and scammers, they don’t care about borders. They’re not interested. So it’s all about partnership.
Now, there’s different variations on how much you partner and all of that. And here’s where, in a more specific answer to your question, Samir, the idea of kind of digital spheres that are secured where you find different kind of arrangements. I think that’s definitely true.
So Europol, there is a focus on international, yes, but there’s a focus on Europe. With that in mind, we put up a cybersecurity center in Europe to bring together the private sector, to bring together law enforcement and say you have the law enforcement authority, private sector has the innovation, can bring the latest technologies.
That’s a model. You go somewhere else, you have different kind of models, but the thinking is there. We need to find something.
Clearly, an “it covers everything” solution is a dream. That will not happen.
So, we got to be pragmatic. But it’s also very clear. Like this morning, I was in a conversation on stablecoins.
Yeah, it was all about excitement, all the things that stablecoins will solve. And I think there will be the answer to a lot of things, not everything. But it was also clear, hey, this technology will not deliver if there is a question on who’s behind the transaction.
How do we deal with fraud? What happens if something goes wrong? So, there was suddenly a conversation on a partnership where you have the crypto players and the stablecoin players and established organization and banks, we got to come together.
I think it’s still early days to say here’s five models emerging, but there’s enough to go with.
So, Catherine, let me turn to you. Europol, catering to Europe, not necessarily international. So, let me now ask you that question, that the cross-border nature of criminals, and we discussed some of that in your previous intervention. How are law enforcement agencies keeping up in this moment when politics is failing us?
So, how are institutions continuing to keep the train running? Yeah. When I look at Europe, the European Union and the partner countries, we have around 50 countries in our home, in the headquarters, working together.
There is really an understanding that we need to fight together to tackle crime. And that we also have a responsibility to share the knowledge we get out of the criminal activities, to share that with the private sector, so that you can develop tools to protect the ecosystem, the networks.
Traditional law enforcement activities are not acceptable anymore. It’s not enough for the future. So, we need to look at other ways of working.
And for me, this is, and for Europol, we invest a lot in working together, not only with, for instance, our national partners like the intelligence community, but also the private sector. That’s why we were really vocal on having an agreement from the political level to allow us to work together with the private sector, and we are setting up different projects worldwide with private sector.
For instance, we have this project Asset, where we put the countries together with cases of frauds, where we put all our experts together to do the crypto tracing and where we put the financial sector with us, also Mastercard, PayPal and so.
And there is a direct communication about the activities of criminals we see in the digital environment, so that private sector immediately can take actions too. So I think that is the future. I saw this in Singapore working very well already and I think also in Europe we need to work in that space.
But yes, we have laws, we have to convince people and we have to have this open mindset. But what is very much important for me is that out of the operational data, we take the lessons to share with the private sector so that you can, in fact, help us to make sure that the ecosystem is more secure and that people still believe and keep the trust in the ecosystem they use on a daily basis.
So I’m going to ask you a slightly, maybe a slightly provocative question. Yes. And it’s for all of us and maybe you might be best placed to respond to it, others might shy away from it.
So here is my question to you, Catherine. National governments and formal actors today are weaponizing cyberspace. In the last two to three years, we have seen a massive, overwhelming weaponization of the space by actors of all colors.
And let’s be honest, all of us have weaponized the space. How does this development, where now it is seen as a legitimate arena of contest, color the capabilities to keep businesses safe? Because now we are dealing in a real world, right?
So how does it influence your operations as an institution that is actually meant to keep us all safe when your armies and your governments use the same domain for conducting operations against adversaries?
And maybe, you know, I’m going to come to you as well because you would have seen this.
Yes, we see indeed the blurred lines between state actors, non-state actors and criminal groups. We see that state actors are using criminal groups for their own purposes to launch DDoS attacks and during the day they use the infrastructure of the state and during the night they launch the attacks for the state.
So for both there is something in, for the state they can hide after the criminals and for the criminals they can hide after the state and they do not have to make the investment because the infrastructure is already there.
Then when you look at our traditional system of policing it’s not enough that police forces are working on that, that’s why we need to cut the lines between and to reflect really on the future how will defence, police, intelligence services work together to tackle this, also together with the private sector and that’s where we are working on at the moment.
It takes time, it takes discussion, we need to respect the boundaries of the different agencies but if we do not put the information and the intelligence together to tackle that we will never win the battle and there is a readiness to discuss that and to work already together.
We did set up also some activities and some operations in that area and it’s working if we have clear understanding and if you can work in a trusted environment with trusted partners of course.
Do you ever have a conversation where you tell the governments can you keep away from this domain and stop making my life more difficult? Do you ever have to say that to them? Yes.
I mean don’t answer that.
I want to hear the answer don’t you? Yes, yeah. No, I mean Samir you bring up a good point where there are some very sophisticated bad actors out there and as an organization whether you’re a small organization or a large organization that’s scary because it feels like the adversary is very well funded and very sophisticated and that absolutely is happening.
We’ve seen in a lot of different ways. Catherine took us through some examples. We see that and I think that’s one of the and they are sophisticated and very well resourced.
We do see this especially the nation state attacks. The other part that actually hasn’t been brought up, and this is also very scary since COVID, is how many insider threat issues there are. There’s been some very well-documented cases from just last year where people are employed, but they’re really working for the Iranian government, and they’ve been employed by many organizations, many organizations in this room, and it took a long time to catch those people, and their identities.
It’s very sophisticated. So these things are happening, and I work in cybersecurity. When we first started to, I mean, we’re 15 years old, when we started to talk about cybersecurity, everyone said, you need to use more fear, uncertainty, and doubt to sell your services.
I’ve never been one to use fear, uncertainty, and doubt to sell my services. It’s more about, hey, let’s help protect and find the solution, but these things are scary. You have to take it seriously.
The good news is that even with these nation state advances, which are happening, if you’re an organization, small or large, there are good modern day defenses that will help you, and Cloudflare is one solution.
There are many others. It’s not just us, and the same resources they’re using to launch these attacks, modern day defenses are using the same things to help protect the organizations, and the name of the game is to have better defenses than the adversary, and it’s possible, and so this is back to your point about large networks, and the capacity, and so the modern day solutions have that, including ours, and we can just see how effective it is, and so I think that is the good news.
So it’s a very scary time, but if you’re an organization taking this seriously, you can protect yourself, and you can never say you’re 100% protected, because that word just never doesn’t exist in cyber, because you know that you have to stay ahead, but you can be doing all the right things, and be in a much better position than not, and so I think that’s the good news, and I hope that more entrepreneurs and more organizations keep to provide the solutions, so as these other threats emerge, which are scary, you say, well, at least there’s a solution, something I can do about it.
Yes, I’m going to get to Hatem here, and I want to just draw a little bit of a convergence here. I think she brings us back to the point on trust. Now, you know, when identity can be faked, you know, when the permission-led systems are over, the idea that you would give access through permissions is over, and you have to build a culture of trust within and outside the ecosystems you work in.
And I think I’m going to come back and ask you a little bit on that, that how do you create that trust-based ecosystem, but Hatem, first to you.
Okay, so I think there are some best practices to address this question, and I think…
Well, I thought you were going to tell me how do we stop nations from weaponizing cyberspace.
Yes, this is it. So this is it. I haven’t… I have something on the trust, which I will add later after Mike, but on this level, I think the best practice is to have a lot of sharing of information, and that can happen at two levels.
One is the national level, and the best practice is to have a national entity that coordinates between all the different… between the police, the intelligence, the network operators, and the big, let’s say, critical infrastructure companies.
Actually, for example, in our whole market at the UAE, there is a cybersecurity council that does exactly that. The gentleman who runs that was speaking in one of the sessions in the morning. So this is one level where we share information on a national level, and we have that in quite a few of our markets, but not everywhere.
And then the other one is sharing information, for example, on a police level, so on security level, or, for example, as a telecommunication network in the GSMA, which is our industry body, we have a security center where we share immediately when we see any new threats, so that people know that these threats are there and understand either that we have found a way to prevent it, or at least other people can help work and prevent it.
So this is on these two levels. So one is sharing internationally with like-minded organizations how to protect, and the other one is on a national level. So this is happening today, and is effective to a great extent.
And of course, having global partners that see also on a global scale, and they talk to their customers, including us, like Cloudflare, for example, saying, look, this is happening, be careful. And they send that to everyone. So, while the sophistication is increasing, also the defences are increasing.
Michael, lots to unpack. One, of course, the weaponization of the space by state actors. Those, the good guys, I’m talking about the good guys weaponizing the space as well.
And that’s a serious issue. But also the question of moving from permissions to trust. And how do you create that transition?
I just want to comment on a couple of things before we get there. The trust point you talked about, Catherine, when it comes to information sharing. You know, we live in litigious societies and sharing that you’ve been compromised is not everybody’s first thought.
So, you know, there are some complications in that. And it does really require to take a look at the legal environment to say, you know, this is good, it’s permitted. You’re not going to get in trouble with your shareholders and all these kind of things.
So, I think lowering that threshold to get more trust in information sharing is important. And I think to your point, yes, there is information sharing going on. It’s effective.
We’ve been leading in the U.S. across the whole financial sector for a while coordinating exactly that across sector. You know, you’re doing a cyber defence range and all these exercises.
The problem is if a participant is attacked and then shares, it’s already happening. So, speed is the problem. So, we’ve addressed that and said, OK, we’ve got to kind of get into the business of predicting.
So, I cannot just sit here and react. And even if it’s the best reaction, it’s too late. So, what can I do to pick up signals earlier?
So, we acquired a threat intelligence company to do exactly that, Recorded Future. And this is what we now do with our customers and partners and across the industry to basically say, hey, there is this activity. You should expect that there is a set of, you know, threat vectors that are emerging very, very quickly.
Please raise your defenses because nobody can outspend this problem. You cannot defend against everything. So, if it’s not intelligence led, you’re going to lose.
So we’ve got to be much more targeted. So I think this all adds up to a pretty good plan.
And Samir, your question was? My question was exactly what you just pointed to. But of course, within organizations for the insider, for the insider threat, as companies move from a permission-based architecture of the past where you actually had passwords to allow people entry to certain domains, now a trust-based architecture, how are big corporations like MasterCard thinking about?
Yeah. So the whole zero-trust approach obviously goes through you only get as far as you need all that.
I think most organizations, developed organizations would do that. When it comes to how we take these solutions and expose them in the digital economy for our customers and their customers, take banks, take businesses that bank with banks and so forth is get as many signals as possible.
So we just talked about bigger threats, but it comes down to other things. Could be identity. You raised identity earlier.
It could also be your location data. It’s many, many data sets that come together with a 99% probability score. This is a good transaction.
Let it happen. So more data, which requires organizations to have access to their data. So a lot of work has to happen to make the data available.
So if I sit on a lot of data, and I cannot use it and use it quickly, then it’s obviously a problem. A lot of people are organizing their data for a whole different reason. They want to make use of AI solutions.
So this is actually where the two topics come together very nicely. You can use the updated data infrastructure and lineage work and everything that you’re doing to also drive the defenses and say, I’m going to take 10 signals, and now I can say, this is good.
Let it go. OK. I’m going to open this up to all of you now, and you can come in and pose your questions to this wonderful panel.
But as you prepare your questions and thoughts, let me just put one. And I can see a hand there. We can get the mic here, please, if we can get a mic to the gentleman here.
To this gentleman here. But let me also just put a question out there for all of you, which I’ll come back to later, and just think about it: what is that one big idea or one big investment that leaders need to be making now to keep their organizations and the ecosystem safe?
And I’m just keeping out there and we’ll use it as a concluding thoughts from each of you as we move towards the last five minutes. But please go ahead, a quick introduction, and pose your question.
Dave Treat. I’m the chief technology officer for Pearson, the world’s largest learning company. I appreciate the human element that you’ve brought into this different piece. We know we need to do a better job at, you know, we have enough difficulty getting, we’re biologically suspicious as humans to, you know, and yet we still can’t get training to be done, right?
You know, the “pencils down, let me go somewhere else and take a 20 minutes course, then answer multiple choice questions” doesn’t work. So we’re focused on how do we embed those learnings into people’s lives.
But the question I want to raise, Hatem, you triggered, and Michael and Michelle, you reinforced it. As we think about applying agents within our environment, agents, again, unless you’ve messed with the weights of the models underneath, tend to want to please. And so the notion of how do we, how are we collectively sharing insights around how we’re creating and tuning these agents to be suspicious and to be able to not be fooled by the same ploys and tactics that humans are fooled with?
I’m just, I’m simultaneously motivated and terrified that we have enough difficulty getting the humans trained to be effective at preventing cyber attacks, now I’ve got to do it for humans and agents in the combination. I’d love, one, I’d love to work on it with anybody, but I’d love your perspectives on progress being made to get agents inherently tuned, or a guardian agent that’s embedded into the workflow in an agent-agent basis. Progress around how do we do...
I like this. I like the way he’s posed the question and implicated each one of you.
I think actually you you you touched on it. So the same way with human agents that you need to have a monitoring system. So with human agents, you know, remember many, many years ago, we started saying all calls are recorded for quality purposes.
So the same way that this is happening today in the way human agents are there, where you have a monitoring system to see how the agent is performing and what they do. We would need to create that also for AI agents. So we need to set up guardrails and having kind of guard agents that are in a separate system that look into how your AI agents are behaving and immediately flagging anything that is going out of the ordinary.
Because as you say, again, many of these agents are being programmed in plain language, and it’s very easy that the programming goes a little bit awkward if something goes out of context that lets the agent do something that they shouldn’t do.
So having these guardrails and having these guardian agents that overlook your AI agents is essential. We never could have relied 100 percent on a human agent to work if there is no supervision. And that will hold true.
So now we will have a hierarchical supervisory architecture for agents as well. But it’s much cheaper. It’s much cheaper.
I would add one of the things I would just add, because I think that you did a great job describing that is so this word zero trust has come up a little bit. And what that just means is it’s you have to prove who you are every single time you’re doing something. So instead of like if you get into the front door of your house, you can get it through the whole house.
Now it’s you get through the front door of the house, but then there’s a key for the drawer in your kitchen. And you have a different key for the vaults in your house. Anyhow, so that’s what zero trust means in a corporation.
And what’s interesting with agents is you need to think about it as an extension of your team. So you think about them as an extension of your employee base. So just like this idea, organizations are adopting zero trust for their employees so that if something happens, they can’t get very far.
The same thing will happen with agents. And so you’ll have the checks and balances, but then you’ll also have the other security systems that you can use. Now, your question wasn’t quite like that.
You were more about the LMs going into it, into the content. I think it’s interesting. We have a lot of these technologies where you don’t want any of your company data to be leaked.
So those are more like data loss prevention. The same things will be happening with the agent side, but then how do you train them in a way that makes it, and again, these are all solvable issues, and I’m excited for these conversations to come together and people will go solve the problems as they arise.
So you can work, you can be working with us. So now you’ve got your answer. Michael, you wanted to come in.
Yeah.
So it’s a great question, and you know, we sit here today and we talk about the answers. I will expect that the answers how to deal with keeping our world safe with a lot of agent, they will evolve, but there are some examples today, and in my view, a lot of our existing defenses, although they are imperfect, but they’re getting better as we have just spent 20 minutes talking about, they actually do work for agents.
So if you think about an agentic experience that touches our lives increasingly, and you know, it happens in companies, but where are we all exposed to that is in the context of agentic commerce. So you know, you’re going to go to your favorite chatbot, and you’re going to ask the chatbot for whatever you want to buy, and it gives you 10 recommendations, and you’re going to say check out. So suddenly, there’s somebody conducting a payment on your behalf.
So how do we keep that safe? That’s a very practical example to your question, what are we going to keep it safe the exact same way as every other payment? Because the same set of rules, they’re extended, is exactly Michelle, when you said, just think about another team member.
It’s just another payment entity in the existing ecosystem. So for now, that will serve us well for some time while we think where the world is going. I would argue agentic commerce is one of the use cases that touches our lives, AI use cases that will really touch our lives rather quickly, while the rest is being talked about here in Davos quite intensely, but it hasn’t reached us.
But that will, and we’ve got to keep it safe from day one. Otherwise, the digital economy and digital commerce will kind of lag.
Catherine, you want to come in?
Yes, I think the monitoring of this is extremely important and having standards worldwide that are accepted worldwide.
I just want to have a look behind me, if someone wants to come in and pose a question here. I just want to make sure that I’ve covered the room. Otherwise, as we move into the last five minutes, I really want to come back to that leadership question.
That AR, has cyber now really got the space at the boardrooms that it deserves and merits and necessitates? And two, what should be that big idea, big investment that companies and leaders should be making at this particular moment as we move into a whole brand new world? So, who wants to start?
Let me start with you. Okay, sure. Great.
Well, thank you. I think we can do more at the C-level and the board on the topic of cyber. What I see is some of the business leaders outsource it to their technical teams because it is a pretty technical topic.
But I do think it’s a business topic. And I do think CEOs need to have a point of view. And actually, I think Michael is an incredible example of a CEO of a large organization that has a point of view on it.
And so, I think there’s still room to grow there. Of course, we all love our security teams and our technical teams. But as a business leader, you can also understand the basics of this.
And you’re going to need to because it’s really important for both making sure that your revenue keeps flowing and minimizing risks. So, I think that’s just point one on that that hasn’t been brought up. And then just the big idea.
This panel is about supply chain. We touched on it a little bit. But in a more interconnected world, and we are absolutely more interconnected, that is a huge risk for organizations.
And you can do, especially if you are at a large organization, you actually can help raise the standards there. And what I mean by that is you can insist within your contracts with these third-party services saying, hey, what kind of security posture do you have? And insist that they meet the need.
And I do think that will raise all bars. Because right now, what’s happening is… there’s a lot of taking advantage of some of these third-party services that don’t have such strong security postures, and that’s how they’re getting into these other larger organizations that have very good security posture. And if we don’t solve that, it’s going to be hard to continue to push forward a lot of the interconnectedness work that we’ve been able to make happen the last five years, but we really have to solve that piece. And so that does concern me, and I think that there’s still work to be done there.
So in a climate change vocabulary we have to be now worried about the more tree vulnerability. A thousand percent, thank you. So Catherine.
I think it’s a responsibility from all of us private sector, public sector that we build more and more on the resilience of society, of children, digital literacy and then also the critical mindset of the people in the future who will use all these tools more than we do now.
So I think we need to make a big investment in that to have the training schemes and the schools up to date because we are not there yet. I think it’s also a responsibility to us.
So from a telecom perspective I think there are two sides. So one is building security into the connectivity. So observing what’s happening in a connection whether it’s for a single customer or a corporation and being able to immediately flag when something wrong seems to be happening.
So this is one side and then the other side I remind you of something although telecommunication is you know considered a little bit old technology we still have the SIM card whether it’s physical or it’s an eSIM but the identity associated with a phone number is still a very very strong way to protect people and businesses because it’s unique and it’s and it’s safe and now we work for example with as GSMA not us only in EAN but the whole industry for example with MasterCard that with the customer consent if they’re using their card we can check immediately if they are in the place where their card is supposed to be used or not, and flag if something is going wrong. So there is also an evolving technology by working together, telecommunication provider, the owners of the cyber crime prevention software, and of course financial institutions, other institutions, by working together we can protect people more.
And a very quick question, are you looking at the supply chains as a business prerequisite when you make decisions on procurement or partnerships?
Of course we are.
So that’s the response to your question. Michael?
Yeah, let me just add on that point. You know, what we’re finding as a company, what we’re finding with our customers, not everything matters the same way in your company. So you will have as a business the crown jewels, whatever it is in your business, you know, it is a lot.
So if you look at that and say, for that, I want to go to the nth degree of third-party dependency. So it’s not third-party dependency, it’s like tenth-party dependency. So you really have to do that.
You cannot do this for your whole company. But I think that is a really important part of what we should all do. I feel there’s a fundamental investment that needs to be made across the private sector and the public sector, and it should be a joint initiative, and that is truly building on what you just said, Hatem, is we need better identity.
We generally need better identity. And the kind of smorgasbord that we have on identity solutions across the world, like India has done a great job, there’s other models elsewhere, but the number of times I live in the United States, it’s your local driver’s licence.
Estonia. And, you know, there’s too much divergence there, and that is a big building block in terms of somebody is behind any activity. And if that’s a fraudulent activity, if you know who it is, at least that makes it a lot easier.
The final thing I do want to say is… the human aspect of it. You touched on capacity building.
So, you need a cyber workforce. In the U.S., we have 700,000 open cybersecurity jobs that are not filled. You know, that’s a problem.
And then, I don’t know the numbers from other countries, but they will be big. So, putting that capacity behind it, but it’s also in the company. So, yes, we have zero trust, and yes, we have the board focus, but what happens in an attack?
How do you avoid it? Everybody freezes and doesn’t know what to do in a ransomware attack. So, really, you know, training the workforce constantly on dealing with that.
On how do we respond to all sorts of situations. Really important. We are completely out of time, and we’ve had a fantastic conversation.
No need for a wrap-up. Just watch this again. Please join me in thanking the panelists for their wonderful answers.
Michelle Zatlyn
Speech speed
200 words per minute
Speech length
1568 words
Speech time
469 seconds
Cyber attacks are becoming bigger, more frequent, and more sophisticated with AI acceleration
Explanation
Zatlyn argues that cyber threats are escalating in both scale and frequency, with AI technology accelerating new types of attacks. She emphasizes that while attacks are getting worse, modern security solutions are also improving to counter these threats.
Evidence
In 2025, the record for DDoS attacks was beaten 25 times. AI bots that impersonate humans increased by 1400% over the year, creating very credible and scary impersonation attacks.
Major discussion point
Evolving Nature of Cyber Threats
Topics
Cybersecurity
Agreed with
– Catherine De Bolle
– Hatem Dowidar
– Michael Miebach
Agreed on
Cyber threats are escalating in scale, sophistication, and frequency
There’s a separation between organizations with modern defenses (like financial institutions) and those with legacy solutions
Explanation
Zatlyn describes a growing divide in cybersecurity preparedness where some organizations, particularly financial institutions, have adopted modern security measures and are well-protected, while others still rely on outdated legacy solutions. This creates a vulnerable ‘messy middle’ of organizations that haven’t upgraded their defenses.
Evidence
Financial institutions like MasterCard take cybersecurity very seriously because they deal with money and have modern defenses. Legacy solutions are falling over during off-hours like Friday nights and Saturday mornings when teams aren’t online, creating emergency situations.
Major discussion point
Digital Divide in Cybersecurity Preparedness
Topics
Cybersecurity
Agreed with
– Michael Miebach
Agreed on
There is a significant divide in cybersecurity preparedness between organizations
Nation-state attacks involve sophisticated, well-funded adversaries including insider threats
Explanation
Zatlyn highlights the serious threat posed by nation-state actors who are well-resourced and sophisticated, making them particularly dangerous for organizations of all sizes. She also points to the growing problem of insider threats, where employees are actually working for foreign governments.
Evidence
Since COVID, there have been well-documented cases of people employed by organizations who were actually working for the Iranian government, and it took a long time to catch these sophisticated insider threats.
Major discussion point
Convergence of Organized Crime and State Actors
Topics
Cybersecurity
Large organizations should insist on security standards in contracts with third-party services
Explanation
Zatlyn argues that supply chain vulnerabilities represent a major risk in our interconnected world, and large organizations have the power to raise security standards by demanding better cybersecurity postures from their third-party vendors. This approach can help protect the entire ecosystem by preventing attackers from using weaker third-party services as entry points.
Evidence
Attackers are taking advantage of third-party services that don’t have strong security postures to get into larger organizations that do have good security measures.
Major discussion point
Supply Chain Vulnerabilities
Topics
Cybersecurity
Cybersecurity needs greater attention at board and C-suite level as a business topic, not just technical issue
Explanation
Zatlyn contends that business leaders often outsource cybersecurity decisions to technical teams, but CEOs and boards need to develop their own understanding and point of view on cybersecurity. She argues this is fundamentally a business issue that affects revenue and risk management, not just a technical concern.
Evidence
She cites Michael Miebach as an example of a CEO of a large organization who has developed a strong point of view on cybersecurity.
Major discussion point
Leadership and Workforce Development
Topics
Cybersecurity
AI agents should be treated as extensions of employee base with same zero-trust principles applied
Explanation
Zatlyn suggests that organizations should approach AI agents with the same security mindset they use for human employees, implementing zero-trust architecture where agents must prove their identity and authorization for each action. This extends existing security frameworks to cover AI-driven processes.
Evidence
Zero-trust means having different keys for different areas – like needing separate keys for the front door, kitchen drawer, and vault in your house, rather than one key accessing everything.
Major discussion point
AI Agents and Security Challenges
Topics
Cybersecurity
Agreed with
– Hatem Dowidar
– Michael Miebach
– Audience
Agreed on
AI agents require similar security oversight as human employees
Catherine De Bolle
Speech speed
161 words per minute
Speech length
1107 words
Speech time
411 seconds
The DNA of crime is changing through digitalization, with criminals using ‘steal, deal and repeat’ approach to data
Explanation
De Bolle explains that criminal behavior has fundamentally transformed due to digitalization and AI acceleration, with criminals now treating data as a dynamic weapon rather than static information. The new criminal model involves stealing data, selling it multiple times, and repeating the process, making data an ongoing asset rather than a one-time target.
Evidence
Criminals now view data as a feature and weapon, following a ‘steal, deal and repeat’ cycle where data can be sold multiple times and doesn’t remain static.
Major discussion point
Evolving Nature of Cyber Threats
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Hatem Dowidar
– Michael Miebach
Agreed on
Cyber threats are escalating in scale, sophistication, and frequency
Organized crime groups are investing in in-house digital capabilities and using AI to facilitate their business models
Explanation
De Bolle describes the evolution of organized crime from hiring external digital experts during COVID-19 to now building internal digital capabilities. These groups are leveraging AI to scale their operations efficiently, requiring only computers and technically skilled personnel to reach large numbers of victims.
Evidence
During COVID-19, organized crime groups hired digital people externally, but now they invest in having digital experts in-house. AI facilitates their business model because you only need a computer and technically skilled people to reach many victims. Digital crime is predicted to become more destabilizing than drug cartels in the future.
Major discussion point
Convergence of Organized Crime and State Actors
Topics
Cybersecurity
There are blurred lines between state actors, non-state actors, and criminal groups working together
Explanation
De Bolle highlights the complex relationships where state actors use criminal groups for their purposes, such as launching DDoS attacks, while criminals use state infrastructure for their operations. This creates a symbiotic relationship where both parties can hide behind each other and share resources.
Evidence
State actors use criminal groups to launch DDoS attacks, with criminals using state infrastructure during the day and launching attacks for the state at night. Both can hide behind each other – states behind criminals and criminals behind states.
Major discussion point
Convergence of Organized Crime and State Actors
Topics
Cybersecurity
Traditional law enforcement activities are insufficient; collaboration with private sector is essential
Explanation
De Bolle argues that conventional policing methods cannot adequately address modern cyber threats, necessitating new approaches that involve partnerships with private sector organizations. Law enforcement agencies need to share intelligence and knowledge with private companies to develop better protective tools and secure digital ecosystems.
Evidence
Europol has agreements to work with private sector and has set up projects like Asset, where countries collaborate on fraud cases with crypto tracing experts and financial sector companies including MasterCard and PayPal for direct communication about criminal activities.
Major discussion point
Public-Private Partnership Solutions
Topics
Cybersecurity
Agreed with
– Hatem Dowidar
– Michael Miebach
Agreed on
Public-private partnerships are essential for effective cybersecurity
Information sharing between law enforcement and private sector enables immediate protective actions
Explanation
De Bolle emphasizes that sharing operational intelligence from criminal investigations with private sector partners allows companies to take immediate protective measures. This real-time information exchange helps secure the broader digital ecosystem and maintains public trust in digital services.
Evidence
Through projects like Asset, there is direct communication between law enforcement and private sector about criminal activities in the digital environment, allowing private companies to immediately take protective actions.
Major discussion point
Public-Private Partnership Solutions
Topics
Cybersecurity
Global standards for AI agent monitoring are essential for security
Explanation
De Bolle stresses the importance of establishing worldwide standards for monitoring AI agents to ensure consistent security practices across different jurisdictions and organizations.
Major discussion point
AI Agents and Security Challenges
Topics
Cybersecurity
Investment in digital literacy and critical thinking skills for society is a shared responsibility
Explanation
De Bolle argues that building societal resilience against cyber threats requires a collective effort from both private and public sectors to improve digital literacy and critical thinking skills. This includes updating training programs and educational curricula to prepare people for the digital tools they will increasingly use.
Evidence
Training schemes and schools need to be brought up to date because current digital literacy levels are insufficient for future needs.
Major discussion point
Leadership and Workforce Development
Topics
Cybersecurity
Agreed with
– Michael Miebach
– Audience
Agreed on
Investment in cybersecurity workforce and education is critical
Hatem Dowidar
Speech speed
158 words per minute
Speech length
1331 words
Speech time
502 seconds
Cyber threats are expanding from organizational attacks to weaponized infrastructure attacks by state actors
Explanation
Dowidar explains that cyber threats have evolved beyond traditional criminal activities targeting organizations to include weaponized attacks on critical infrastructure like self-driving cars and drone systems. These attacks are shifting from financially motivated crimes to disruptive, state-sponsored cyber warfare that can affect entire nations.
Evidence
EN runs critical infrastructure in 20 countries including mobile and fiber networks, and they see huge increases in attacks. Sometimes whole nations experience pressure on their networks, which is very disruptive to the entire ecosystem.
Major discussion point
Evolving Nature of Cyber Threats
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Catherine De Bolle
– Michael Miebach
Agreed on
Cyber threats are escalating in scale, sophistication, and frequency
Organizations must invest in cybersecurity as it’s no longer optional but essential
Explanation
Dowidar emphasizes that cybersecurity investment has become a fundamental business requirement rather than an optional expense, driven by the increasing sophistication and frequency of cyber threats. Companies must move as quickly as bad actors to provide adequate protection.
Major discussion point
Digital Divide in Cybersecurity Preparedness
Topics
Cybersecurity
National coordination entities and international industry bodies facilitate threat information sharing
Explanation
Dowidar describes a two-level approach to cybersecurity information sharing: national entities that coordinate between police, intelligence, network operators, and critical infrastructure companies, and international industry bodies that share threat intelligence globally. This coordinated approach helps organizations prepare for and defend against emerging threats.
Evidence
In the UAE, there’s a cybersecurity council that coordinates between different agencies. In telecommunications, the GSMA security center immediately shares new threats so organizations can learn prevention methods or get help from others.
Major discussion point
Public-Private Partnership Solutions
Topics
Cybersecurity
Agreed with
– Catherine De Bolle
– Michael Miebach
Agreed on
Public-private partnerships are essential for effective cybersecurity
Critical infrastructure requires intelligent networks that monitor and isolate unusual behavior
Explanation
Dowidar explains that protecting critical infrastructure requires advanced monitoring systems that can detect unusual network behavior and take immediate action, including isolating affected customers to prevent threats from spreading across entire networks or nations. This involves using AI-powered agents to identify and respond to threats in real-time.
Evidence
Sometimes they need to isolate a certain customer to prevent a whole network or nation from being under threat because of an attack on that customer. They use agents that look for new or different behavior and isolate it early to protect the network.
Major discussion point
Supply Chain Vulnerabilities
Topics
Cybersecurity
AI agents require supervisory architecture similar to human agent monitoring systems
Explanation
Dowidar argues that just as human agents require monitoring and supervision (like recorded calls for quality purposes), AI agents need similar oversight systems with guardrails and guardian agents. This supervisory architecture should monitor AI agent behavior and flag anything unusual, as AI agents programmed in plain language can easily go out of context.
Evidence
Many years ago, organizations started saying ‘all calls are recorded for quality purposes’ for human agents. The same monitoring approach is needed for AI agents, with guardian agents in separate systems overseeing AI agent behavior.
Major discussion point
AI Agents and Security Challenges
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Michael Miebach
– Audience
Agreed on
AI agents require similar security oversight as human employees
Michael Miebach
Speech speed
187 words per minute
Speech length
1925 words
Speech time
616 seconds
Cyber threats are systemic and cut across physical, geopolitical, societal and corporate worlds
Explanation
Miebach emphasizes that cyber threats are not isolated technical issues but systemic challenges that span multiple domains including physical infrastructure, geopolitical tensions, social structures, and corporate operations. He argues that while we’re beginning to understand the magnitude of the problem, we’re far from having comprehensive solutions.
Major discussion point
Evolving Nature of Cyber Threats
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Catherine De Bolle
– Hatem Dowidar
Agreed on
Cyber threats are escalating in scale, sophistication, and frequency
Small businesses are the weakest link and primary targets for fraudsters despite being the largest employers globally
Explanation
Miebach points out that fraudsters target the most vulnerable organizations, which are typically small businesses that lack adequate cybersecurity protection. Since small businesses represent the largest employment sector worldwide, their vulnerability creates a significant systemic risk that larger corporations and cybersecurity specialists need to address.
Evidence
Small businesses are the largest employer in the world and are unprotected, making them the target for fraudsters who go for the weakest link.
Major discussion point
Digital Divide in Cybersecurity Preparedness
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
Agreed on
There is a significant divide in cybersecurity preparedness between organizations
New partnership models are emerging despite geopolitical fragmentation, as cyber threats transcend borders
Explanation
Miebach observes that while there’s increasing geopolitical fragmentation and focus on self-sufficiency, cybersecurity creates a unique space for cooperation because cyber criminals don’t respect national borders. This has led to the emergence of new partnership models and digital security spheres with different arrangements for collaboration.
Evidence
Wherever he travels, when cybersecurity is discussed, topics of sovereignty recede to the background and people say they should collaborate. MasterCard has established a cybersecurity center in Europe bringing together private sector and law enforcement.
Major discussion point
Public-Private Partnership Solutions
Topics
Cybersecurity
Agreed with
– Catherine De Bolle
– Hatem Dowidar
Agreed on
Public-private partnerships are essential for effective cybersecurity
Zero-trust approach requires verification at every access point with multiple data signals for authentication
Explanation
Miebach explains that zero-trust architecture means users only get access to what they specifically need, and organizations must gather multiple data signals (identity, location, etc.) to create high-probability authentication scores. This approach requires organizations to make their data readily available and usable for quick decision-making.
Evidence
Zero-trust means you only get as far as you need. Multiple data signals including identity and location data combine to create 99% probability scores for transaction validation.
Major discussion point
Trust and Identity in Zero-Trust Architecture
Topics
Cybersecurity
Modern defenses using AI and multiple data sources can provide high-probability transaction validation
Explanation
Miebach describes how modern cybersecurity systems can analyze multiple data signals simultaneously to make rapid authentication decisions with high confidence levels. This requires organizations to organize their data infrastructure properly, which aligns with AI implementation efforts, creating synergies between cybersecurity and AI initiatives.
Evidence
Taking 10 signals together can provide 99% probability scores for transaction validation. Organizations working on AI solutions are also organizing their data infrastructure, which supports both AI and cybersecurity defenses.
Major discussion point
Trust and Identity in Zero-Trust Architecture
Topics
Cybersecurity
Existing payment security frameworks can be extended to protect agentic commerce transactions
Explanation
Miebach argues that as AI agents increasingly handle commerce transactions on behalf of users, the same security frameworks used for traditional payments can be adapted and extended to protect these agentic transactions. He views AI agents as additional payment entities within existing ecosystems rather than requiring entirely new security approaches.
Evidence
Agentic commerce example: users ask chatbots for purchase recommendations and say ‘check out,’ with agents conducting payments on their behalf. These can be secured using the same payment security rules extended to treat agents as team members.
Major discussion point
AI Agents and Security Challenges
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Hatem Dowidar
– Audience
Agreed on
AI agents require similar security oversight as human employees
Massive cybersecurity workforce shortage requires capacity building initiatives
Explanation
Miebach highlights the critical shortage of cybersecurity professionals, noting that the US alone has 700,000 unfilled cybersecurity positions. He emphasizes that this workforce development challenge extends beyond hiring to include training existing employees on how to respond effectively during cyber attacks to avoid panic and poor decision-making.
Evidence
The US has 700,000 open cybersecurity jobs that are not filled. Organizations need training on how to respond during ransomware attacks to prevent employees from freezing and not knowing what to do.
Major discussion point
Leadership and Workforce Development
Topics
Cybersecurity
Agreed with
– Catherine De Bolle
– Audience
Agreed on
Investment in cybersecurity workforce and education is critical
Better global identity systems are fundamental infrastructure needed across private and public sectors
Explanation
Miebach argues that improving identity verification systems globally is a critical investment that both private and public sectors should jointly undertake. He criticizes the current fragmented approach to identity solutions worldwide and suggests that better identity systems are essential building blocks for cybersecurity, as knowing who is behind any activity makes fraud detection much easier.
Evidence
Current identity solutions vary widely – India has done well, Estonia has good systems, but the US still relies on local driver’s licenses. This fragmentation creates problems for cybersecurity.
Major discussion point
Leadership and Workforce Development
Topics
Cybersecurity
Samir Saran
Speech speed
176 words per minute
Speech length
1671 words
Speech time
568 seconds
The weaponization of cyberspace by legitimate state actors complicates law enforcement efforts
Explanation
Saran raises the provocative point that national governments and formal state actors have increasingly weaponized cyberspace for legitimate military and intelligence operations, creating a complex environment where the same domain used for business and civilian activities is also used for state-sponsored cyber warfare. This blurs the lines between legitimate and illegitimate cyber activities.
Evidence
In the last two to three years, there has been massive, overwhelming weaponization of cyberspace by actors of all colors, with all nations having weaponized the space.
Major discussion point
Convergence of Organized Crime and State Actors
Topics
Cybersecurity
Organizations must transition from permission-based to trust-based security architectures
Explanation
Saran argues that traditional permission-based security systems (like password-protected access) are no longer adequate in an environment where identities can be easily faked. Organizations need to move toward trust-based architectures that continuously verify and validate user behavior and context rather than relying on static credentials.
Evidence
When identity can be faked and permission-led systems are over, organizations need to build a culture of trust within and outside their ecosystems.
Major discussion point
Trust and Identity in Zero-Trust Architecture
Topics
Cybersecurity
Audience
Speech speed
205 words per minute
Speech length
289 words
Speech time
84 seconds
AI agents need to be trained to be suspicious and not easily fooled like humans, requiring guardian agents for monitoring
Explanation
The audience member argues that AI agents, like humans, tend to want to please and can be fooled by the same tactics that compromise human security. They suggest the need for guardian agents embedded in workflows to monitor and prevent AI agents from being manipulated by malicious actors.
Evidence
AI agents tend to want to please unless you’ve modified the underlying model weights. There’s difficulty getting humans trained effectively to prevent cyber attacks, and now the same challenge exists for both humans and agents combined.
Major discussion point
AI Agents and Security Challenges
Topics
Cybersecurity
Agreed with
– Michelle Zatlyn
– Hatem Dowidar
– Michael Miebach
Agreed on
AI agents require similar security oversight as human employees
Current cybersecurity training methods are ineffective and need to be embedded into people’s daily workflows
Explanation
The speaker criticizes traditional cybersecurity training approaches that involve taking people away from their work for separate training sessions with multiple choice questions. They advocate for embedding security learning directly into people’s work processes to make it more effective and practical.
Evidence
The traditional ‘pencils down, go somewhere else and take a 20-minute course, then answer multiple-choice questions’ approach doesn’t work for cybersecurity training.
Major discussion point
Leadership and Workforce Development
Topics
Cybersecurity
Agreed with
– Catherine De Bolle
– Michael Miebach
Agreed on
Investment in cybersecurity workforce and education is critical
Agreements
Agreement points
Cyber threats are escalating in scale, sophistication, and frequency
Speakers
– Michelle Zatlyn
– Catherine De Bolle
– Hatem Dowidar
– Michael Miebach
Arguments
Cyber attacks are becoming bigger, more frequent, and more sophisticated with AI acceleration
The DNA of crime is changing through digitalization, with criminals using ‘steal, deal and repeat’ approach to data
Cyber threats are expanding from organizational attacks to weaponized infrastructure attacks by state actors
Cyber threats are systemic and cut across physical, geopolitical, societal and corporate worlds
Summary
All speakers agree that cyber threats have fundamentally evolved, becoming more sophisticated, frequent, and dangerous. They recognize AI as an accelerating factor and acknowledge that threats now span multiple domains beyond traditional cybercrime.
Topics
Cybersecurity
Public-private partnerships are essential for effective cybersecurity
Speakers
– Catherine De Bolle
– Hatem Dowidar
– Michael Miebach
Arguments
Traditional law enforcement activities are insufficient; collaboration with private sector is essential
National coordination entities and international industry bodies facilitate threat information sharing
New partnership models are emerging despite geopolitical fragmentation, as cyber threats transcend borders
Summary
There is strong consensus that traditional approaches are inadequate and that effective cybersecurity requires collaboration between law enforcement, government agencies, and private sector organizations through information sharing and coordinated responses.
Topics
Cybersecurity
AI agents require similar security oversight as human employees
Speakers
– Michelle Zatlyn
– Hatem Dowidar
– Michael Miebach
– Audience
Arguments
AI agents should be treated as extensions of the employee base, with the same zero-trust principles applied
AI agents require supervisory architecture similar to human agent monitoring systems
Existing payment security frameworks can be extended to protect agentic commerce transactions
AI agents need to be trained to be suspicious and not easily fooled like humans, requiring guardian agents for monitoring
Summary
All speakers agree that AI agents should be integrated into existing security frameworks with appropriate monitoring and oversight, treating them as extensions of the workforce rather than requiring entirely new security paradigms.
Topics
Cybersecurity
There is a significant divide in cybersecurity preparedness between organizations
Speakers
– Michelle Zatlyn
– Michael Miebach
Arguments
There’s a separation between organizations with modern defenses (like financial institutions) and those with legacy solutions
Small businesses are the weakest link and primary targets for fraudsters despite being the largest employers globally
Summary
Both speakers recognize a critical gap where well-resourced organizations (especially financial institutions) have strong defenses while smaller organizations remain vulnerable, creating systemic risks.
Topics
Cybersecurity
Investment in cybersecurity workforce and education is critical
Speakers
– Catherine De Bolle
– Michael Miebach
– Audience
Arguments
Investment in digital literacy and critical thinking skills for society is a shared responsibility
Massive cybersecurity workforce shortage requires capacity building initiatives
Current cybersecurity training methods are ineffective and need to be embedded into people’s daily workflows
Summary
There is consensus that current cybersecurity education and workforce development approaches are inadequate, requiring fundamental changes in how we train both cybersecurity professionals and general users.
Topics
Cybersecurity
Similar viewpoints
Both speakers recognize the convergence of state and criminal actors in cyberspace, where traditional distinctions between different types of threat actors are becoming increasingly blurred.
Speakers
– Catherine De Bolle
– Hatem Dowidar
Arguments
There are blurred lines between state actors, non-state actors, and criminal groups working together
Cyber threats are expanding from organizational attacks to weaponized infrastructure attacks by state actors
Topics
Cybersecurity
Both emphasize that cybersecurity must be elevated from a technical concern to a strategic business issue requiring executive leadership and sophisticated authentication approaches.
Speakers
– Michelle Zatlyn
– Michael Miebach
Arguments
Cybersecurity needs greater attention at board and C-suite level as a business topic, not just a technical issue
Zero-trust approach requires verification at every access point with multiple data signals for authentication
Topics
Cybersecurity
Both advocate for breaking down traditional barriers between law enforcement and private sector to enable real-time threat intelligence sharing and coordinated responses.
Speakers
– Catherine De Bolle
– Michael Miebach
Arguments
Information sharing between law enforcement and private sector enables immediate protective actions
New partnership models are emerging despite geopolitical fragmentation, as cyber threats transcend borders
Topics
Cybersecurity
Unexpected consensus
Cybersecurity transcends geopolitical boundaries and enables cooperation despite broader fragmentation
Speakers
– Michael Miebach
– Catherine De Bolle
– Hatem Dowidar
Arguments
New partnership models are emerging despite geopolitical fragmentation, as cyber threats transcend borders
Traditional law enforcement activities are insufficient; collaboration with private sector is essential
National coordination entities and international industry bodies facilitate threat information sharing
Explanation
Despite the panel’s acknowledgment of increasing geopolitical tensions and fragmentation, there was unexpected consensus that cybersecurity creates a unique space for international cooperation because cyber threats don’t respect national borders, leading to pragmatic collaboration even among otherwise competing nations.
Topics
Cybersecurity
AI agents can be secured using existing security frameworks rather than requiring entirely new approaches
Speakers
– Michelle Zatlyn
– Michael Miebach
– Hatem Dowidar
Arguments
AI agents should be treated as extensions of the employee base, with the same zero-trust principles applied
Existing payment security frameworks can be extended to protect agentic commerce transactions
AI agents require supervisory architecture similar to human agent monitoring systems
Explanation
Rather than viewing AI agents as requiring revolutionary new security approaches, there was unexpected consensus that existing security frameworks can be adapted and extended to cover AI agents, treating them as additional team members rather than fundamentally different entities.
Topics
Cybersecurity
Overall assessment
Summary
The panel demonstrated remarkably high consensus across all major cybersecurity challenges, from threat evolution to solution approaches. Key areas of agreement included the escalating nature of cyber threats, the necessity of public-private partnerships, the digital divide in preparedness, and the need for workforce development.
Consensus level
Very high consensus with no significant disagreements identified. This strong alignment suggests that cybersecurity professionals and leaders have developed a shared understanding of the challenges and necessary responses, which could facilitate coordinated action and policy development. The consensus spans technical, organizational, and policy dimensions, indicating maturity in the field’s strategic thinking.
Differences
Different viewpoints
Unexpected differences
Overall assessment
Summary
The discussion showed remarkable consensus among speakers on the fundamental challenges and solutions in cybersecurity, with no direct disagreements identified. All speakers acknowledged the evolving threat landscape, the need for public-private partnerships, and the importance of addressing AI agent security.
Disagreement level
Very low disagreement level. The speakers demonstrated strong alignment on core issues while offering complementary perspectives on implementation approaches. This high level of consensus suggests a mature understanding of cybersecurity challenges among industry leaders and law enforcement, though it may also indicate that more nuanced debates about trade-offs and priorities were not fully explored in this format. The lack of disagreement could be beneficial for coordinated action but might also suggest that some contentious issues around sovereignty, regulation, and resource allocation were not deeply examined.
Partial agreements
Takeaways
Key takeaways
Cyber threats are becoming exponentially more sophisticated, frequent, and dangerous, with AI acceleration enabling new attack vectors like AI bot impersonation (up 1400%) and record-breaking DDoS attacks
A dangerous digital divide exists where organizations with modern defenses (especially financial institutions) are well-protected, while small businesses and those with legacy systems remain highly vulnerable as the weakest links
The convergence of organized crime, state actors, and cyber criminals has created blurred lines of responsibility, with criminals using ‘steal, deal and repeat’ data strategies and state actors weaponizing cyberspace for legitimate operations
Traditional law enforcement approaches are insufficient – success requires unprecedented public-private partnerships with real-time information sharing and coordinated response capabilities
Organizations must transition from permission-based to zero-trust security architectures, treating AI agents as extensions of their workforce with the same security protocols
Supply chain vulnerabilities represent critical systemic risks that require contractual security standards and comprehensive third-party risk assessment
Cybersecurity must be elevated from a technical issue to a board-level business priority, with CEOs developing personal expertise rather than delegating entirely to technical teams
Building societal resilience through digital literacy, critical thinking skills, and better global identity systems is essential infrastructure for the digital economy
Resolutions and action items
Large organizations should insist on cybersecurity standards in contracts with third-party suppliers to raise overall security posture across supply chains
Companies must implement AI agent monitoring systems with guardian agents and supervisory architectures similar to human agent oversight
Investment is needed in cybersecurity workforce development to address the massive shortage (700,000+ open positions in the US alone)
Joint public-private initiatives should be established to develop better global identity systems as fundamental security infrastructure
Organizations should prioritize identifying and protecting their ‘crown jewels’ with nth-degree supply chain security assessment
Information sharing mechanisms between law enforcement and private sector should be expanded with legal protections to encourage participation
Training programs are needed for the workforce on incident response procedures to avoid freezing during ransomware attacks
Unresolved issues
How to effectively stop nation-states from weaponizing cyberspace while maintaining legitimate defensive capabilities
Balancing the need for information sharing with legal liability concerns in litigious societies
Developing global standards for AI agent security monitoring and governance
Addressing the fundamental tension between cybersecurity needs and geopolitical fragmentation
Scaling modern cybersecurity solutions to protect small businesses that cannot afford enterprise-level defenses
Creating effective training methods that go beyond traditional ‘pencils down’ cybersecurity education to embed learning in daily workflows
Establishing clear boundaries and coordination mechanisms between defense, police, and intelligence services in cyber operations
Suggested compromises
Pragmatic approach to partnerships – accepting that comprehensive global solutions are unrealistic, focus on regional ‘digital spheres’ with secured arrangements
Hybrid public-private coordination models where private sector provides innovation and technology while law enforcement provides authority and legal framework
Tiered security approach where organizations apply maximum security to critical assets (‘crown jewels’) while using standard protections for less critical systems
Extending existing security frameworks (like payment security) to new technologies (like agentic commerce) rather than building entirely new systems
Shared responsibility model where large organizations help raise security standards for smaller partners through contractual requirements and knowledge sharing
Thought provoking comments
We call it in fact that the DNA of crime is changing and the DNA for us is a digitalization online that is making, that is the new crime area we need to work on. It’s nurtured online and it’s accelerated by AI… When we look at criminals now it’s a feature, it’s a weapon and how we describe the cycle of digital data it’s steal, deal and repeat.
Speaker
Catherine De Bolle
Reason
This comment reframes cybercrime from a static threat to an evolving ecosystem with its own lifecycle. The ‘steal, deal and repeat’ framework provides a clear conceptual model for understanding how cybercriminals operate differently in the digital age, treating data as a renewable weapon rather than a one-time target.
Impact
This shifted the conversation from discussing individual cyber threats to understanding cybercrime as a systematic, evolving business model. It established the foundation for later discussions about the convergence of organized crime and cyber operations, and influenced how other panelists framed their responses about the changing nature of threats.
If people don’t trust AI, they will not use it. So, this is not the defense side of this conversation, it’s the offense side of the conversation… If we don’t build in a trusted layer around these technologies, the use will not be there.
Speaker
Michael Miebach
Reason
This comment fundamentally reframes cybersecurity from a defensive necessity to an enabler of innovation and economic growth. It connects cybersecurity directly to AI adoption and business value, making it a strategic business imperative rather than just a technical requirement.
Impact
This perspective shift elevated the entire discussion from technical threat management to strategic business enablement. It influenced subsequent conversations about small business protection and the need for embedded security solutions, and helped establish cybersecurity as a prerequisite for digital transformation rather than an afterthought.
National governments and formal actors today are weaponizing cyberspace… How does this development, where now it is seen as a legitimate arena of contest, color the capabilities to keep businesses safe? Because now we are dealing in a real world, right?
Speaker
Samir Saran
Reason
This provocative question directly addresses the elephant in the room – that legitimate state actors are contributing to the weaponization of cyberspace. It challenges the traditional good guys vs. bad guys narrative and forces the panel to confront the complexity of operating in a domain where allies and adversaries use similar tactics.
Impact
This question created the most tension and depth in the discussion, forcing panelists to acknowledge the blurred lines between legitimate and illegitimate cyber activities. Catherine’s response about ‘blurred lines between state actors, non-state actors and criminal groups’ became a pivotal moment that shaped the conversation toward more nuanced solutions involving multi-stakeholder cooperation.
There’s a separation of the field and so there’s a group of organizations who have modern defenses and are in good positions but there’s kind of the messy middle where they haven’t quite adopted it for a bunch of reasons… and that is worrisome.
Speaker
Michelle Zatlyn
Reason
This observation identifies a critical vulnerability in the global cybersecurity ecosystem – the digital divide in security capabilities. It moves beyond technical solutions to highlight systemic inequalities that create weak links affecting everyone’s security.
Impact
This comment introduced the theme of cybersecurity inequality that ran throughout the discussion. It influenced Michael’s later emphasis on protecting small businesses as the ‘weakest link’ and shaped conversations about supply chain vulnerabilities and the need for collective defense mechanisms.
We need better identity. We generally need better identity… the smorgasbord that we have on identity solutions across the world… there’s too much divergence there, and that is a big building block in terms of somebody is behind any activity.
Speaker
Michael Miebach
Reason
This comment identifies identity as the fundamental building block for cybersecurity, cutting across all other technical solutions. It connects cybersecurity to broader issues of digital governance and international cooperation, suggesting that fragmented identity systems are a core vulnerability.
Impact
This insight tied together multiple threads from the discussion – from insider threats to agent supervision to cross-border cooperation. It provided a unifying framework for understanding why many cybersecurity challenges persist and influenced the conversation toward systemic solutions rather than point fixes.
The same way that people are using AI capability or agents for hacking or for bad action, we also have agents that are looking at new behavior or different behavior and isolating it early on to be able to protect the network.
Speaker
Hatem Dowidar
Reason
This comment introduces the concept of an ‘AI arms race’ in cybersecurity, where both attackers and defenders are leveraging the same technologies. It suggests that the solution isn’t to limit AI but to ensure defensive AI capabilities evolve as quickly as offensive ones.
Impact
This perspective influenced the later detailed discussion about AI agent supervision and guardrails. It helped frame AI not as a threat to be contained but as a tool to be properly managed, leading to practical discussions about monitoring systems and zero-trust architectures for AI agents.
Overall assessment
These key comments fundamentally elevated the discussion from a technical cybersecurity briefing to a strategic conversation about the future of digital society. The most impactful insights reframed cybersecurity as an enabler of innovation rather than just a defensive necessity, acknowledged the complex reality of state actors weaponizing cyberspace, and identified systemic vulnerabilities like the cybersecurity digital divide and fragmented identity systems. The conversation evolved from discussing individual threats to understanding cybersecurity as an ecosystem challenge requiring new forms of public-private cooperation, better identity infrastructure, and recognition that defensive capabilities must evolve as quickly as offensive ones. The panelists’ willingness to engage with provocative questions about state weaponization and systemic inequalities created a more honest and nuanced discussion that moved beyond typical cybersecurity talking points to address the fundamental challenges of securing an interconnected digital world.
Follow-up questions
How can different sorts of enterprises (big vs. small) better respond to the new age of cyber threats, particularly addressing the ‘messy middle’ of organizations that haven’t adopted modern solutions?
Speaker
Michelle Zatlyn
Explanation
Zatlyn identified a concerning divide where some organizations have modern defenses while others in the ‘messy middle’ haven’t adopted modern solutions and are vulnerable to attacks, often becoming emergencies on weekends when teams aren’t online.
How can law enforcement agencies better align with the private sector to make digital ecosystems safer for the future?
Speaker
Catherine De Bolle
Explanation
De Bolle emphasized that traditional law enforcement activities are no longer sufficient and that there is a need to explore new ways of working together with the private sector to tackle evolving cyber crimes.
How should defense, police, and intelligence services work together to tackle the blurred lines between state actors, non-state actors, and criminal groups?
Speaker
Catherine De Bolle
Explanation
De Bolle noted the need to reflect on future collaboration models between different agencies while respecting boundaries, as traditional policing systems are insufficient for addressing sophisticated cyber threats involving multiple actor types.
How can organizations better manage cyber resilience when dependent on so many external parties for supply chain and third-party integrations?
Speaker
Samir Saran
Explanation
This addresses the critical vulnerability of supply chain security and third-party dependencies that organizations face, which was identified as a key challenge in maintaining secure systems.
What new forms of partnerships and arrangements are emerging in the cyber threat domain to respond to these challenges?
Speaker
Samir Saran
Explanation
Saran referenced emerging innovative systems like mini-laterals and public-private partnerships as potential solutions, seeking to understand what new collaborative models are developing in cybersecurity.
How can we create and tune AI agents to be inherently suspicious and not be fooled by the same tactics that fool humans?
Speaker
Dave Treat (Audience member)
Explanation
This addresses the critical challenge of securing AI agents in enterprise environments, particularly how to embed security awareness into AI systems and create guardian agents for monitoring.
How can we collectively share insights around creating guardian agents and establishing proper guardrails for AI agent supervision?
Speaker
Dave Treat (Audience member)
Explanation
This focuses on the need for industry collaboration in developing best practices for AI agent security and supervision, recognizing that this is a shared challenge requiring collective solutions.
How can we better address the human element in cybersecurity training, moving beyond traditional ‘pencils down’ training methods to embed learning into people’s daily lives?
Speaker
Dave Treat (Audience member)
Explanation
This addresses the fundamental challenge that current cybersecurity training methods are ineffective and there’s a need for more integrated, practical approaches to security awareness.
How can we develop worldwide standards for AI agent monitoring and governance that are accepted globally?
Speaker
Catherine De Bolle
Explanation
This addresses the need for international coordination and standardization in AI security practices, recognizing that cyber threats are global and require coordinated responses.
How can we build better identity solutions globally, moving beyond the current ‘smorgasbord’ of divergent identity systems?
Speaker
Michael Miebach
Explanation
Miebach identified the lack of consistent, robust identity solutions as a fundamental building block problem that needs joint public-private sector investment to solve.
How can we address the massive cybersecurity workforce shortage (700,000 open jobs in the US alone) and build necessary cyber capacity?
Speaker
Michael Miebach
Explanation
This addresses a critical resource constraint in cybersecurity defense capabilities, highlighting the need for workforce development and training programs.
How can we better prepare organizational workforces to respond effectively during actual cyber attacks, moving beyond just prevention to incident response training?
Speaker
Michael Miebach
Explanation
This addresses the gap between having security measures and actually knowing how to respond when attacks occur, particularly avoiding the tendency for people to freeze during ransomware attacks.
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.
Related event

World Economic Forum Annual Meeting 2026 at Davos
19 Jan 2026 08:00h - 23 Jan 2026 18:00h
Davos, Switzerland
