Navigating the endless sea of threats

Cyber security is a relentless race to keep pace with evolving threats, where staying ahead isn’t always possible. Advancing cyber maturity demands more than just reactive measures—it requires proactive strategies, cultural alignment, and a deep understanding of emerging risks.

I had an opportunity to share my thoughts on staying informed about threats, defining cyber maturity, and aligning security metrics with business goals with Corinium’s Maddie Abe ahead of my appearance as a speaker at the upcoming CISO Sydney next month.

Staying Ahead of Emerging Threats

“It begins with understanding your organisation’s threat profile and threat actors’ tactics, techniques, and procedures,” Zinatullin asserts when asked how he stays informed about cyber threats. “Threat intelligence feeds augment your detection and response capability.”

For Zinatullin, maintaining a proactive mindset is equally critical. “The team understands the impact of our work and our duty to safeguard critical services, data, and trust,” he says. Regular external tests and incident simulation exercises play a pivotal role in refining response strategies. “These exercises help us drill some common scenarios, including crisis communications,” he explains.

Another crucial aspect of staying prepared is collaboration. “One of the most important aspects of maintaining situational awareness is the community,” he highlights. “Ongoing collaboration with industry peers, government, and academic partners is key for building resilience.”

Defining Cyber Maturity

When it comes to cyber maturity, Zinatullin believes in a balanced approach. “A common way to measure maturity is to map your controls to an established framework like NIST Cyber Security Framework or the Essential Eight,” he says. However, he warns that a tailored approach may sometimes be more effective.

Zinatullin emphasises that maturity should focus on outcomes rather than checkboxes. “To advance maturity, focus on uplifting controls that result in the most cost-effective risk reduction,” he advises. He also stresses the importance of streamlining compliance efforts. “Although worded differently, controls from different frameworks often aim to achieve the same objective. Maintaining cross-framework control mapping can help streamline your compliance program.”

But compliance is only part of the journey. “An organisation can be compliant but still insecure,” Zinatullin points out. “Security leaders should go beyond compliance and actively manage risks, focusing on overall security posture and risk reduction.”

Aligning Security Metrics with Business Goals

The alignment of security metrics with organisational goals is another area where Zinatullin offers actionable advice. “Security leaders have access to amounts of data never seen before,” he says. “Antivirus software, firewalls, data loss prevention solutions—they all generate a staggering amount of alerts.”

The challenge lies in presenting this data meaningfully. “Do metrics tell a story to the Board?” Zinatullin asks. “10,000 ‘attacks’ blocked. What does this mean? More importantly, so what? Are we reporting on what is easily available rather than what actually matters to the business?”

He cautions against simply reporting on the number of attacks, alerts, or incidents. “You can indeed look backwards on the number of attacks, alerts, incidents and these can be useful in some contexts,” he says. “Some would argue this acts as a justification for the investment in security tools that have been implemented to detect these intrusions. But this runs the risk of overwhelming the business with numbers that may carry little meaning or relevance to their concerns.”

“If you must communicate technical details that correlate with the maturity of cyber capabilities, I recommend forward-looking metrics,” Zinatullin suggests. “For example, a number of systems with the latest patches applied, number of systems scanned for vulnerabilities, or the number of systems with multi-factor authentication enabled. These will change over a specified period and can demonstrate increased coverage, maturity, and trends. Measuring time between incident detection, response, and recovery, alongside other parameters, can be a useful proxy for cyber resilience.”
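One way to produce the forward-looking metrics described above, as an added illustration that is not from the interview or the author's own tooling: a short Python script over a constructed asset inventory and incident log (hostnames, periods and timestamps are all hypothetical) that reports control coverage per period with its change, plus median time from detection to response and from response to recovery.

```python
from datetime import datetime
from statistics import median

# Constructed (hypothetical) asset inventory for two reporting periods.
# Each row: hostname, fully_patched, mfa_enabled, vuln_scanned
INVENTORY = {
    "2024-Q3": [
        ("web-01", True, True, True), ("web-02", False, True, True),
        ("db-01", False, False, True), ("vpn-01", True, True, False),
        ("hr-01", False, False, False),
    ],
    "2024-Q4": [
        ("web-01", True, True, True), ("web-02", True, True, True),
        ("db-01", True, False, True), ("vpn-01", True, True, True),
        ("hr-01", False, True, True),
    ],
}

# Constructed incident log: id, detected, response started, recovered.
INCIDENTS = [
    ("INC-1", "2024-10-02T08:00", "2024-10-02T09:30", "2024-10-03T08:00"),
    ("INC-2", "2024-11-15T22:00", "2024-11-16T01:00", "2024-11-16T13:00"),
    ("INC-3", "2024-12-01T10:00", "2024-12-01T10:20", "2024-12-01T16:20"),
]

def coverage(rows, field):
    """Percentage of assets where the named control is in place."""
    idx = {"patched": 1, "mfa": 2, "scanned": 3}[field]
    return round(100.0 * sum(1 for r in rows if r[idx]) / len(rows), 1)

def coverage_trend(field, prev, curr):
    """Coverage in both periods and the change, so the report shows a direction."""
    a, b = coverage(INVENTORY[prev], field), coverage(INVENTORY[curr], field)
    return {"metric": field, "prev": a, "curr": b, "delta": round(b - a, 1)}

def _hours(start, end):
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600

def resilience_times(incidents):
    """Median hours detection->response start and response start->recovery."""
    respond = [_hours(d, r) for _, d, r, _ in incidents]
    recover = [_hours(r, c) for _, _, r, c in incidents]
    return {"median_detect_to_respond_h": median(respond),
            "median_respond_to_recover_h": median(recover)}

if __name__ == "__main__":
    for field in ("patched", "mfa", "scanned"):
        print(coverage_trend(field, "2024-Q3", "2024-Q4"))
    print(resilience_times(INCIDENTS))
```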

He adds that this approach can help businesses better define their risk appetite. “Does the Board want you to move faster, increase coverage, or shorten response times? If so, are they prepared to fund relevant initiatives or would they rather accept the associated risk?”

Zinatullin recommends ensuring that the ‘so what?’ question is always addressed. “Tailor your messaging to organisational objectives and business risks. If available, check the company’s annual report: there is usually a section on business risks, so it’s a good idea to align security risks to those in order to speak the same language.”

He concludes by emphasising how cyber security can contribute to broader business goals. “Cyber security can support launching new products and services, expanding to new markets, acquiring new entities, and reducing insurance premiums, among other things. Know what the business objectives are and align your security metrics to them to get buy-in and stay relevant.”

The bottom line, according to Zinatullin, is that KPIs and metrics should always be tied to business objectives and leadership expectations. “There is no one-size-fits-all approach to security metrics. They should be selected based on the organisational context and demonstrate the security function’s progress towards achieving the desired level of compliance, risk reduction, and business enablement.”

Key Lessons from Past Incidents

When reflecting on past security incidents, Zinatullin shares a critical lesson he learned about the importance of leadership and values in times of crisis. “Managing a significant security incident requires strategic leadership, resilience, and effective communication,” he states. “Crisis events like data breaches often create an atmosphere of chaos, with rapid changes and high tension. This is something I had to navigate through in one of my previous organisations.”

For Zinatullin, one of the most valuable lessons was the importance of maintaining a clear focus on the organisation’s values even in the midst of an incident. “Responding to a cyber incident requires modifying your work activities instantly and making decisions under extreme time pressure. A key lesson learned for me personally is that even in a crisis, it’s important to put your values at the centre of every decision you make.”

He continues, stressing the importance of leadership in refocusing teams during a crisis. “In the midst of an incident, it is easy for people to lose sight of the organisation’s overarching mission. Security leaders play a vital role in refocusing their teams, reminding them of the greater purpose they serve.”

Zinatullin also highlights the importance of empathy during a data breach. “A data breach affects not only the organisation but also the people whose information has been compromised. As a security leader, it is important to demonstrate empathy towards those affected, acknowledging their concerns and fears. Remind your stakeholders of the broader mission – to protect customers. Your steadfastness will show not only in your plans but also in your values.”

In terms of communication, Zinatullin underscores the need for transparency. “Communicate honestly, frequently, and transparently. Provide realistic interpretations of events, avoiding both overly optimistic and pessimistic viewpoints. By sharing what is known and acknowledging uncertainties, security leaders can maintain credibility and foster trust.”

Emerging Cyber Security Threats

As the cyber threat landscape evolves, Zinatullin points out several concerning trends. “Adversaries leveraging AI is a concerning trend,” he says. “Cybercriminals use AI to increase efficiency, speed up attacks, lower their costs, and mitigate the challenges of attracting skilled staff in an already constrained environment.”

Social engineering, according to Zinatullin, remains one of the most prevalent attack vectors. He notes the shift in how AI is changing the game: “Historically, crafting a believable phishing email required significant labour—days, sometimes weeks of research. Now, AI accelerates the process, allowing attackers to analyse large data sets, prioritise victims, and even adjust ransom demands based on a victim’s profile.”

The threat posed by AI-powered social engineering is becoming more sophisticated. “AI is used to create and tailor phishing emails and websites based on data profiles. Trust is built through long conversations with victims on social media using chatbots, which can impersonate people’s writing styles and interact over extended periods without human involvement.”

Zinatullin also highlights the alarming use of AI for deep fake videos and voice impersonations. “AI is making social engineering attacks much more dangerous. The ability to create convincing deep fake voice and video that can impersonate people you know significantly exceeds traditional deception techniques.”

Furthermore, AI enables attackers to stay more anonymous and distant from their victims, reducing the need for direct engagement. “Autonomous weapons, for instance, show how AI increases anonymity and psychological distance. Attackers are no longer required to pull the trigger and observe the impact of their actions.”

The Next Step in Cyber Maturity

Looking forward, Zinatullin sees AI playing a pivotal role in the future of cyber defence. “Just like adversaries leverage AI to improve effectiveness, we need to explore opportunities to better leverage AI for defence,” he states. “AI can support human decision-making, where people are aided by AI systems to combat cyber attacks more effectively.”

AI is already being used to predict new threats and malware based on existing patterns. “Machine learning techniques are being employed to monitor system and human activity to detect potential malicious deviations,” Zinatullin explains. “But there is much more potential—can AI help influence user behaviour towards safer choices, or help us develop better cyber threat prevention mechanisms?”

To realise this potential, Zinatullin advocates for a multidisciplinary approach. “We need a socio-technical approach to mitigating cyber threats. This should include technologists, psychologists, academia, and government partners working together to develop responsible and trustworthy AI solutions. These solutions must use data while maintaining personal privacy.”

He further stresses the importance of a people-centred approach to AI development. “Participatory co-design and a people-centred approach can help develop personalised and contextualised solutions to address ethical, legal, and social challenges—things that cannot be solved with AI automation alone.”
