Head of cyber at CrowdStrike on emerging risks, identity exploitation, data leaks and AI wars
IN BRIEF
- “The lesson is that you need the visibility of the entire environment. You need to have a visibility of your own boundary, into vendors, partners, risk, or identity trust. You need to understand who all our partners are, what is a risk they carry.”
- “We need to have a zoom breach mindset. We need to be ready always to take a proactive action, and we need to think that way, that we are already breached, and take it from there to protect our organization.”
- “If you look at offensive security, AI won't eliminate the threat. If somebody is thinking ‘I'm going to use artificial intelligence or machine learning or even agentic AI, and I can be 100% secure,’ it is not going to happen.”
In this VISION by Protiviti interview, Protiviti Director Bernard Tan, who leads the technology consulting practice in Singapore, sits down with CrowdStrike Regional Head of Cybersecurity Services, Ajay Kumar. Kumar has more than 25 years of corporate experience working in cybersecurity, data privacy and AI, and serves as the Chair of Cyber SIG and board member for ISACA’s Singapore chapter. The two discuss the single biggest cyber risk people are still underestimating, new emerging threats, lessons to be learned from recent high-profile breaches and how CEOs can make cybersecurity a competitive advantage rather than a cost center, among other topics.
In this interview:
1:15 – The biggest underestimated cyber risk in 2025
2:30 – Lessons learned from cyber breaches
5:28 – Can cyber insurance protect organizations?
7:30 – Cybersecurity culture, advantage and tone from the top
12:00 – Emerging threats and AI wars in cyber
Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we're joined by CrowdStrike Regional Head of Cyber Security Services Asia, Ajay Kumar. Ajay has more than 25 years of corporate experience working in cybersecurity, data privacy, and AI. Aside from his corporate responsibility, Ajay serves as the Chair of Cyber SIG and Board of Director ISACA Singapore Chapters. Ajay also serves as the anchor of the DSCI Singapore Chapter, which unites the public and private sector with Singapore's cybersecurity community for awareness and advocacy. He will sit down today with my colleague, Protiviti Director Bernard Tan, who leads the technology consulting practice in Singapore. Bernard, I'll turn it over to you to begin.
Bernard Tan: Thanks, Joe. Thank you, Ajay, for joining me today.
Ajay Kumar: Thank you very much.
Tan: Let me jump into the questions right away. In 2025, right, what is the single biggest cybersecurity risk most people are still underestimating, in your opinion?
Kumar: Thank you so much, Bernard, for this question. This is a very interesting question, which we have been hearing a lot, actually, for the last several months. As you know, identity is the new perimeter, and that's where, actually, we have been seeing, we have been hearing from all the security leaders that the single biggest cyber risk organizations are underestimating in 2025 is the identity exploitation in the cloud. If you look at it, most of the security leaders did think that in terms of malware, or a DDoS, or a system attack, but actually attackers are taking advantage of the cloud environment. What they are doing is that they know the fastest way is through weak identity controls. They are not going to break anything. They're not going to break any system. Simply, they are going to log in and move laterally from there, and that is what we have been seeing in the SaaS or a multi-cloud environment. In multi-cloud environment, if you look at it, or in the digital world or AI-driven world, securing identity is actually securing the enterprise, and that's the biggest risk which we have been seeing in 2025.
Tan: Right. Totally. I agree, Ajay, with you. So, with the recent high-profile breaches, especially in the cloud, right, what lessons can we learn as a practitioner in this cybersecurity space?
Kumar: Yes, that's an interesting question, and the reason is that I've been part of several incident response and forensic investigations. We see, actually, a lot of learning, a lot of challenges, a lot of concerns there. What the learnings are, actually, for the security leaders is the key. They can actually understand what has happened previously or what has happened in another organization and can learn, actually, to protect their organization in the future. If you look at it, there are multiple learnings or lessons, which I can probably talk about here. One of the things which we have been seeing is, the attackers increasingly exploit identity, which I mentioned, or a supply chain, not just systems. It is not limited to the systems or endpoints. The lesson which we have been seeing right now is that you need the visibility of the entire environment. You need to have a visibility of your own boundary, into vendors, partners, risk, or identity trust. You need to understand who all our partners are, what is a risk they carry. We need to understand from that perspective. That is one lesson which generally we recommend.
Another one is the misconfiguration, sort of weak encryption in the cloud environment. This is something which we always talk about, that the security by default is not recommended. Secure defaults are not always secure, and that's the reason you look at it. The exploitation of the cloud environment is not the exploitation of the infrastructure of the cloud. The exploitation of the misconfigurations or the policy issues actually in your instance, if you are a customer, using the multi-cloud environment. This is another lesson which we have been seeing.
The third one which I can probably cover is that detections are delayed. By the time you get a detection, a lot of things are already done by threat actors. We need to have a zoom breach mindset. We need to be ready always to take a proactive action, and we need to think that way that we are already breached, and we take it from there to protect our organization.
Another lesson probably I can talk about is breaches impact, or a breach impact goes beyond the data leak. There is no more just a data leak impact because there is an operational or reputational risk for the organization as well, and that's the reason we need to look at it. How we can be resilient, how we can have a business continuity plan in place, and how we can have a proper crisis communication within the organization and outside the organization. I think these are the few lessons which we have been seeing in the recent high-profile breaches.
Tan: Right, Ajay. I know that your focus is really into cybersecurity insurance, and with these breaches and all this data leakage, right, how can cyber insurance protect organizations?
Kumar: I think from a cyber insurance perspective, if you look at the cyber insurance, the cyber insurance is to transfer the risk. That's the reason we always say that if you take a cyber insurance policy, then you are not only covered by the risk which you transfer, but actually you get a lot of support from cyber insurance carriers. For a moment, organizations can get support to have a breach coach. Organizations can get the benefit of having the external counsels who can advise at the right time whether you need to pay ransom or not, it is allowed or not, or there are regulatory issues. They can also advise on the data privacy implication on the organization. Not only that but they can bring actually their in-panel vendors who can perform forensic investigation the way they want, actually, with the speed and precision with the entire skilled team. I think cyber insurance is not just transferring the risk, but they cover a lot of things beyond that.
In fact, the biggest impact for the organization of any breach is the disruption. The cost of a disruption is killing even the cyber insurance carrier. What they do is that they bring the capability and capacity to reduce the business interruption, which can help organization to recover faster. I think there are multiple benefits to have a cyber insurance in place from my understanding perspective.
Tan: Yes, that's right. I think many organizations, many CEOs, cyber… CISOs you're talking to, right, are going into cyber insurance space. I know, Ajay, you speak to a lot of CEOs, CISOs, C-suites. What is the main key point that most of the CEOs can do to turn cybersecurity into a competitive advantage rather than a cost center itself?
Kumar: Yes, I mean, this is a great question where we say that the cybersecurity is everyone's responsibility and how we can convert the cybersecurity into competitive advantage in terms of a brand, is something which CEOs are more interested in. For a moment, if you reframe the entire security as trust infrastructure, because the trust and reputation is very important for any organization's brand. It's not just avoiding breaches. It's about building trust in the digital environment and experiences or digital transformation journey. That's the reason we always say that CEOs need to position cybersecurity as a foundation of customer confidence. They need to use cybersecurity to enable growth. They need to position that they trust the organization, and the customers can trust them because they are very cybersecurity savvy. That's where they actually build the confidence and reputation in the market. We always say that we need to look at how we can make a digital-first culture within the organization. Cybersecurity, in a nutshell, for the CEOs is not just a defense. It is a trust currency of any digital economy, and that's the reason companies that trust cybersecurity as a growth enabler will win customers, regulators, and the markets which we see it.
Tan: You mentioned about cybersecurity is everybody's responsibility. In organizations, right, how have you seen organizations build or create a culture that every employee feels responsible for cybersecurity hygiene? Yes, that's very important because we know that organizations have been doing education, awareness training, but have you seen real-life organizations that actually imbued cybersecurity culture into every employee in organizations?
Kumar: Absolutely. I mean, this is one of our recommendations whenever we engage on a very strategic advisory services with organizations. We always say that you need to create a culture of a shared cyber responsibility. It is not the responsibility of one person. It's lead from the top. And when I say lead from the top is that employees take cues from the leadership. When CEOs are talking about joint awareness program or any cyber hygiene, they listen, employees listen. Make cybersecurity part of a business conversation, not just IT update. It is not that you're going to have a town hall, and you're going to give update on IT initiatives within the organization. Make it very personal. What it means? It means that if any organization is impacted because of the cyber breach, it is going to impact employees as well. It is going to impact actually that employee's family as well. It is a reputation risk, it is a financial risk, and that's the reason it becomes the responsibility of everyone. It needs to be in the muscle memory of what we need to do, that we need to embed cybersecurity in each and everyday process. As I said, it should be natural that everybody needs to think about it.
Organizations, like CEOs or C-levels, also look that they should actually reward or recognize good behavior, what we call them cyber champions. Whoever is following the best practice actually, needs to be rewarded. Coming back to the bottom line of this question is, create a culture of a cyber hygiene—not just to scare people, scare employees, but making security very simple, personal, rewarding, and then actually show that every employee is a guardian of the customer trust. That is a reputational thing for every organization which they need to be proud of.
Tan: We cannot talk about cybersecurity without emerging threats. What do you see in the next 12 months, 18 months in terms of the emerging threats? For example, now we are talking AI-driven threats, attacks, supply chains compromise, as well as the upcoming quantum PQC. In your opinion, what do you see? What are the emerging threats in the next one year or one and a half years?
Kumar: Absolutely. I mean, this is the big concern for every security leader—what is going to come next? They're already facing the challenge and I can say it is not going to come next, it is now. If you just mentioned AI-driven attacks. AI driven attacks are at a scale. This sophisticated technology actually has not helped only defenders but has helped actually the attackers as well. Generative AI-powered phishing and social engineering is creating a lot of problems, and it looks like, that this is a legitimate communication, it not just started or initiated by any AI engine. And that's the reason we have been seeing deep fake videos, deep fake voice could undermine payment authorization or KYCs. That's actually a big concern for security leaders.
Another point which you mentioned, the supply chain. Absolutely. I mean, if you look at it, any supply chain, or a third-party vendor compromise, and you can see how attackers actually can infiltrate thousands of organizations by compromising one single vendor. That is a supply chain risk which we have been seeing. Another which I mentioned earlier, the cloud misconfiguration, the multi-cloud complexity. I mean, we have been seeing, the ideal case for any organization is to go multi-cloud, not too dependent on single cloud, and that's the reason, because of the multi-cloud SaaS ecosystem, the complexity is increasing, and because of that complexity, actually, we have been seeing a lot of misconfigurations and identity sprawler or a shadow IT actually issues in the environment. The cloud identity and access management weaknesses are another thing which we have been seeing.
Lastly, I can cover one more point, we call it a ransomware 2.0 double extortion. If a ransomware organization is attacked, it's no more just a pure ransomware. What the threat actors are doing before encrypting the system, they are exfiltrating the data. Data exfiltration has been sort of their strategy, and why? Because if you decide to rebuild and reimage your systems, they can actually leak that information or the data or sensory data or PII actually on the dark web, or they can even reach out to law enforcement agencies or regulators. We have seen in those cases where organizations are helpless because at one end, they can recover by rebuilding and reimaging, but on another end, they are carrying the risk of their data leak on dark web, and there could be implication from the regulators, from a data privacy perspective. I think these are a couple of the challenges which we’ll be seeing in next 12 to 18 months.
Tan: Right. Definitely, and I agree with you. AI is one of the up-and-coming emerging threats in the near future, if it's not happening now. Ajay, in your opinion, right, can offensive security AI outpace attackers’ AI? Because we are talking about a good AI and a bad AI and know that both the dark side and also the defensive side, are using AIs to manage the innovations in the attacks. Can offensive AI actually outpace the attackers’ AI?
Kumar: This is actually a debate we always do in a lot of discussions with security leaders or in the different events which are talking about AI and security. AI and cybersecurity are dual forces. Definitely, there are a lot of benefits to have AI as part of the cybersecurity strategy for defenders, but it is working for attackers as well, as you rightly mentioned. Attackers will always have the advantage of surprise. It's not that they are going to give a notification or intimation that we are going to attack. No, they always come with a surprise. But defenders can actually flip the script by using AI to scale resilience or anticipate any attack. We have seen those tools and technologies actually, or strategies where you can anticipate that, or even you can automate your response. Though it is going to benefit threat actors to use the sophistication of the technology, but actually defenders can take advantage of that as well.
Now, if you look at the offensive security, AI won't eliminate the threat. If somebody is thinking that I'm going to use artificial intelligence or machine learning or even the agentic AI, and I can be 100% secure, it is not going to happen. They cannot eliminate threat at all, but it can give defenders the speed, and that speed is needed by those defenders, and the foresight, to stay one step ahead. That is what is needed, but it needs to be paired with a human judgment, human-augmented strategy, and the strong governance—this is what we feel. As I said, in a nutshell, it benefits both sides, but I think defenders can take advantage of this technology to stay one step ahead if they actually use this in the right manner.
Tan: Thank you very much, Ajay. Thanks for your time today. I really enjoyed our conversations.
Kumar: Thank you very much, Bernard.
Tan: Joe, let me turn back over to you.
Kornik: Thanks, Bernard, and thanks, Ajay. Thank you for watching the VISION by Protiviti interview. On behalf of Bernard and Ajay, I'm Joe Kornik. We'll see you next time.
Ajay Kumar is Asia regional head, cybersecurity services, for CrowdStrike where he engages in crisis management at the senior executive level, advises security leadership on security maturity posture, and provides sensitive incident response engagements with deep insights into handling breach response and decisions. He has more than 25 years of corporate experience working in cybersecurity, data privacy and AI. In addition, Ajay serves as the Chair of Cyber SIG and as board member on ISACA Singapore chapter, which unites the public and private sector with Singapore’s cybersecurity community for awareness and advocacy.

Bernard Tan is a director at Protiviti Singapore with more than 25 years of experience in financial services and consulting, with proven expertise in IT, cybersecurity, digital banking, and operational and anti-money laundering (AML) audits. Bernard is an elected board director of the Singapore ISACA Chapter and has served as a panel judge for the Singapore Cybersecurity Awards. Additionally, he has been a speaker and moderator at various technology and cybersecurity conferences and was responsible for the APAC IT Audit and Data Analytics teams at Protiviti.
