Security expert Tom Vartanian: Amid all the chaos, boards need to refocus on cyber and AI

Security expert Tom Vartanian: Amid all the chaos, boards need to refocus on cyber and AI

Joe Kornik: Welcome to the VISION by Protiviti. Interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, where we focus on issues that will impact the C-suite and executive boardrooms worldwide. Today, I'm joined by Tom Vartanian, Executive Director of the Financial Technology and Cybersecurity Center. Tom's nearly 50-year career as an attorney, author, regulatory expert, CEO chairman and expert witness on financial regulation and technology makes him uniquely qualified to advise business leaders on economic uncertainty, geopolitical risk and ongoing cyber threats and AI, among the many challenges facing business leaders today. Tom, thanks so much for joining me. 

Tom Vartanian: Thanks, Joe. It's pleasure to be back.

Kornik: Thanks for coming back. Tom. So, where do we start? How about current events: economic uncertainty, tariffs, trade wars, so much facing business leaders and boards these days. What's your advice for managing through all the chaos? 

Vartanian: Yeah, that's a terrific question. I'll answer it, both as a lawyer who's advised boards and management on how to avoid liability, because that's obviously a baseline that everybody's concerned about, and then also as a business strategist, after 50 years of advising companies in doing what they're doing and staying out of trouble, but in also creating financial strategies that work. First thing, I think you have to try to figure out is what kind of economic environment we're in. I mean, there's a U-shaped one, there's a V-shaped one, or there's a straight-line economic distress period much as the depression represented. And so I think the first thing you have to ask yourself is, what's the nature of the chaos? And I think right now, I think you define the chaos as at least involving tariffs, changes in economic policy and changes in the federal bureaucracy, and those, I think, are roiling the markets in ways that we understand they did not anticipate—because if the markets did anticipate this, they wouldn't be moving the way they're moving. And so I think there's an enormous amount of uncertainty. 

I think one of the problems I see in running a business these days is the 180-degree swings we get when you go from Republican to Democrat and Democrat to Republican. That makes it almost impossible to run a business. You know, you can't tack left for four years and then tack right for four years. And that's a problem, I think, of the highest degree here. But it's not a pass for directors to say that policies are changing so quickly we don't know how to manage the company. It's not a pass for CEOs and executives to say, gee, it's hard to manage the company. That's just life. You got to be able to manage the company. So when I talk to management and boards of directors, what I've always emphasized is, to be able to sort of balance a number of things at the same time, or juggle more than three balls. And what that means is, you have to have a defensive strategy. The defensive strategy has to be, how do we make sure, if we get these unanticipated financial consequences, that we don't fail, that we don't have a tremendous downturn in our business, that we're not surprised by the fact that we have to move manufacturing from one country to another? You ought to have plans that at least defend against any of the possible, reasonable and worst-case scenarios happening. And if you haven't been doing that, it's a little late now, frankly. 

But what I always tell management and boards of directors is to have both a defensive and offensive strategy. The offensive strategy here is, obviously, in times like this, there's opportunities. There's always opportunities when the markets are forced downward so rapidly and in such a volatile fashion. There'll be opportunities and investments, in real estate, in mergers and acquisitions, and if you're if you're one of the companies that that's ready to take care of those, take advantage of those opportunities, you're going to be in as good a shape, I think, as you can possibly be. But again, there's a defensive strategy you have to articulate, and there's an offensive strategy.

Kornik: You know, companies, Tom, have relied on traditional risk management in times of distress. But this feels different. What messaging should the C-suite be communicating up to the board right now? 

Vartanian: Yeah, I don't know what traditional risk management is anymore. Things have changed so dramatically, and to the extent that you have not been able to anticipate what's going on, I think it really, really taxes your risk management. But it seems to me, what the C-suite wants to be communicating to the board is, we are on top of this, as much as we can possibly be, we are on top of this. We may have missed A, B and C, but with the rest, we're on top of it. And here's how we're on top of it, and here's what we're doing. And that means responding to the velocity of political swings, the velocity of economic swings, the velocity of technological swings, which I think we'll get to in a little bit, the velocity to globalism versus isolationism, and what that means in terms of what's happening throughout the world. But again, I think it's up to management to tell the board, communicate to the board, “We've identified the risks, we have accounted for those risks, or we are accounting for those risks in the following ways, and we've identified the opportunities, and here's where, how we're going to take advantage of those opportunities.” 

Kornik: How about the boards themselves? Where should the board be focused, and what steps should they be taking right now?

Vartanian: What I always tell boards of directors is, it's your job to ask the right questions. And in my mind, the right questions fall into three different categories these days. First, economic; second, cybersecurity; and thirdly, artificial intelligence. I think those are the three most pressing issues that boards of directors are going to have to confront. And the problem with some of this is, I think boards of directors are pretty familiar with the economy issues, the financial issues, these things. They know the glossary of terms, and they know accounting principles are important. I'm not so sure they're as up-to-date on cybersecurity and artificial intelligence. And I think those are the risks that can sneak up on companies and boards of directors, particularly given the fact now that the government seems to be pulling back in terms of what the Trump administration is doing on people, processes, overseeing cybersecurity and what's going on in the cyber world.

Kornik: Tom, you mentioned cyber and AI, so let's go there. That's where you spend the majority of your time these days. Amazing, right? How we've sort of stuck a pin in those two issues in 2025 with everything else going on, but they're still as important as ever, right? 

Vartanian: You know, after helping companies for 50 years, or at least now the last 30, get into get into cyberspace, do business online and offer new technological products—you know, I spent another three or four years researching my book, The Unhackable Internet—and putting together my experience with what I was researching and learning about, cybersecurity, artificial intelligence algorithms, large language models and the whole thing, I really began to scare myself in terms of what I saw in practice, which was a pretty understated approach to cybersecurity by most companies, and where that could lead in terms of cyber-attacks, intellectual theft and the like. And so I really believe that we are at a tipping point here in cyberspace. Because, look, if the Trump administration pulls back on some of those areas, I know what the watch words are, because the government has written about this for the last 20 years, and that is, let technology be technology, so we will be number one in the world. The problem with that is, there needs to be a balance. Because while there are enormous benefits to technology in everything from healthcare to traffic control, enormous benefits that will that will make the quality of life so much better for people, there are enormous detriments. 

I mean, if you just look at something like cryptocurrency, it is now financing the largest scale of crimes across the globe that we have ever seen, and the most heinous sorts of crimes, frankly. And so there's got to be a balance between the good and the bad. And I think that's the role the government has to play. The government can't really control cyberspace, because it doesn't belong to governments, right? If you look at 95% of cyberspace, it belongs to corporations and individuals. So those individuals have to be smart, those corporations have to be smart, and they can't sit there saying, gee, if the government lets this happen, it must be okay, because that's not the answer. If the government lets this happen, someone must be protecting me. They're not. If the government's letting this happen, this is safe. It's not safe. 

And so we started in 1969 with an internet that was handed off by ARPANET to four universities to help them trade information and research, and that is the internet that we've built everything on since 1969. It wasn't secure in 1969, and it isn't secure today. And what I typically say in the number of my speeches is, if we wanted to build a way for our adversaries to take maximum advantage of us, we would build the internet we have. You know, why are we swimming in the same cyber waters with Russia, North Korea, Iran, China? I mean, that just doesn't make any sense to me. And so that's a fundamental problem that's only getting larger, because experts will tell us that we're building invulnerabilities twice as fast as we're building the solutions. 

So where did all that lead? It leads with governments coming together to encourage businesses and individuals to look at cyberspace differently. There needs to be real authentication, there needs to be real forms of government, and there needs to be real enforcement. Until we get that, I think we're all in peril in terms of what we're doing online and who's looking at it and who's got access to it, and that's only getting worse now. Well, the benefits are getting better and the risks are getting worse because of artificial intelligence. 

That's another area where businesses, individuals and the government can't say, let's let it go on there by itself and do what it's going to do so we don't, we don't inhibit its growth. Because at some point AI, particularly when AI is coding AI—I mean, we're now talking about all the coding for AI, and everything software being done by AI. Look, at some point with the emergent capabilities and the generative capabilities that AI has, and to the extent it begins to think for itself, it's going to do what its programmers do in those situations. It's going to take care of itself, right? It's going to look at its own best interests. And we get to that point, and I think we've crossed the line we can't go back on.

So from the point of view of corporations looking at this, I would say you have to evaluate these two things from the risk point of view, not just the profit potential you get from these things, and understand that unless we put in some controls now at the corporate level and at the government level, we may lose control of artificial intelligence at some point. And that's not me saying that. That's the experts in the world.

Kornik: Well, thank you Tom. I appreciate the conversation, and thanks for the time today, as always, incredibly insightful. 

Vartanian: Thank you, Joe. 

Kornik: Thanks, Tom, and thank you for watching the VISION by Protiviti interview. On behalf of Tom Vartanian, I'm Joe Kornik. We'll see you next time you.