Silence in the Breach: Why Cybersecurity Is a Leadership Problem
https://www.techerati.com/news-hub/silence-in-the-breach-why-cybersecurity-is-a-leadership-problem/
Publish Date: 2026-03-20 11:19:00
Source Domain: www.techerati.com
At Tech Show London, former Chief Security Advisor at Microsoft Sarah Armstrong-Smith delivered a keynote that reframed one of cybersecurity’s most persistent assumptions.

Rather than centring on tooling, encryption, or perimeter defences, she examined leadership culture, psychological safety, and the structural conditions that allow risk to escalate. The issue, she suggested, is not employee carelessness. It is whether organisations are designed in ways that make silence the rational response.

She began by highlighting a phrase that is, in her words, “guaranteed to kind of wind me up”:

“The weakest link.”

For Armstrong-Smith, the idea that people are inherently the weakest link obscures deeper structural failings. Phishing simulations, repeat-offender policies, and internal jokes about uninformed and reckless users may be intended to increase vigilance, but they can also entrench a blame culture. At a time when attacks are becoming more sophisticated, simplistic narratives fail to address systemic vulnerabilities.

Shadow IT, Shadow AI and Structural Blind Spots

Armstrong-Smith reminded the audience that workarounds are not a new phenomenon.

“We’ve all always had Shadow IT.”

Employees adopt unsanctioned tools when official systems feel restrictive or slow. More recently, she noted, organisations are contending with “Shadow AI” – the informal use of AI tools outside established governance frameworks.

The underlying issue is visibility. If leadership teams do not understand how technology is actually being used – rather than how policy assumes it is used – then controls become misaligned from reality. The gap between assumed behaviour and operational behaviour creates exposure.

“What you think you’re protecting and what you’re actually protecting are two completely different things,” she said, illustrating the point with examples.

In this context, security failure is often less about technical capability and more about structural blind spots.

Apathy as Organisational Risk

Armstrong-Smith argued that the most consequential vulnerability is neither Shadow IT nor AI-enabled attack vectors. It is disengagement.

“The most dangerous thing in your organisation… is when we start to have apathy.”

She described employees who feel overlooked, undervalued or fearful of repercussions. When mistakes occur in such environments, they go unreported.

“Do you know what? I don’t care. I don’t care anymore.”

Silence allows risk to compound.

She also addressed insider threats, noting that they are not always accidental or naïve.

“30% of all inside threats are now super malicious users.”

In these cases, individuals understand organisational systems well enough to exploit them deliberately. Yet the conditions that allow such behaviour to persist often stem from cultural disengagement rather than technical weakness.

AI, Deepfakes and the Escalation of Social Engineering

The keynote also examined how AI is reshaping deception.

Phishing emails no longer rely on obvious grammatical errors. Deepfake technology can replicate voice and likeness with increasing precision. Attackers monitor social media and tailor language to specific individuals.

The distinction between human and machine deception is narrowing.

“How if the machine can’t tell the difference, how can a human?”

Armstrong-Smith questioned the fairness of expecting employees to detect deception that advanced detection systems struggle to identify. Despite this, when breaches occur, responsibility frequently returns to the individual rather than the system.

Cybersecurity as Enterprise Risk

A central theme of the keynote was the need to reposition cybersecurity within organisational governance.

“This is a business problem. So this is an Enterprise risk.”

While boards acknowledge cybersecurity in principle, she argued that it is still too often framed as a CIO concern rather than a strategic one. Risk reporting dashboards are frequently sanitised, shifting red indicators toward amber or green to avoid discomfort.

“I don’t actually care about the green… what I want is the red.”

Effective oversight requires confronting vulnerabilities directly. Backup systems that exist only on paper provide little resilience.

“Have you done your due diligence?”

Testing recovery processes and rehearsing worst-case scenarios are not optional exercises; they are structural safeguards.

Psychological Safety as a Security Control

Armstrong-Smith positioned psychological safety as a front-line defence.

When an employee clicks a malicious link or suspects compromise, rapid disclosure can significantly reduce impact.

“I should feel empowered to be able to say it without repercussion.”

Where fear of blame suppresses reporting, attackers gain time. The organisation loses visibility precisely when it needs it most.

Her conclusion centred on leadership behaviour rather than technology. Resilience depends on transparency, accountability and openness to uncomfortable truths. Threat actors will continue to innovate. AI will accelerate both attack and defence. Incidents will occur.

What organisations can control is how quickly people feel able to speak up.

In environments where silence persists, risk accumulates. In environments where psychological safety is embedded, disclosure becomes an early warning mechanism rather than a reputational threat.

Cybersecurity, in this framing, is not only a technical discipline. It is a function of how organisations lead, communicate and respond under pressure.