Cyber stands at a critical point with the rise of agentic AI


Agentic AI has the potential to turn the tables on cybercriminals and give defenders their first real advantage since the arrival of the first firewalls, according to CyberArk’s Chief Trust Officer and Head of CYBR Unit, Omer Grossman.

“Agentic AI for security is at a firewall moment,” Grossman says. “It could be the first time since the advent of the firewall where defenders have an advantage. Agentic AI enables cybersecurity expertise to be democratised and give defenders an advantage over attackers.”

An evolved way to assess cyber risk

With the average cost of cyberattacks passing $4M in Australia, Grossman says we need to look at new ways to understand risk and to measure the potential cost of an attack. Those costs are multi-dimensional and span operational downtime, revenue at risk, regulatory exposure, and brand impact. Quantifying the risks means focussing on outcome-based metrics. And that demands an evolution from the traditional likelihood and impact-based risk assessment.

“Cyber Risk Quantification [CRQ] means using tools to carry out automated penetration tests continuously and assessing the impact of a successful penetration. This needs to be coupled with CTEM [Cyber Threat Exposure Management] which assesses the external threat and risk environment. This tells you what actions to prioritise based on a more mature, combined approach,” Grossman says.

These tools make it possible to quantify the impact of a potential risk in terms the C-suite and board can use to make decisions. And for boards making decisions on what cybersecurity projects should be approved, this level of quantification enables them to make better decisions based on the return on investment.

Engage with your board

For CISOs, developing a security-first mindset at board level takes time. Grossman says a big part of that is developing relationships with board members. That’s not a new concept but Grossman advocates a direct approach. He says CISOs should seek regular meetings with individual board members.

“Offer to meet them over lunch or for coffee. Then take the time to understand what level of knowledge they have so they can learn to ask the right questions. I’ve spoken with board members who are focussed strongly on the revenue side of the business. I talk to them about how a soccer team works. While there might be significant investment in goal-scoring strikers and mid-fielders, there needs to be a reliable goalkeeper to ensure defences are strong. And that also requires an investment.”

These discussions, Grossman says, enable the conversation to elevate to a platform and strategy discussion rather than a short-term tactical one that focusses on point solutions. And that makes it possible to talk about emerging threats and opportunities. It’s the building of those relationships and trust that becomes an enabler for conversations about agentic AI and the opportunities it brings.

It's critical, Grossman says, that CISOs elevate those conversations above the technical.

Cyber is business

“Today’s CISOs and CIOs must be business-people. To be trusted advisors, they must understand what the business needs and have empathy,” says Grossman. “When you’re asked for something, you need to find ways to not say ‘No’ but to come back with a way to solve problems in a responsible way that won't break the business.”

A good example of that is the rush towards using AI in business processes – particularly agentic AI. Grossman says we're shifting towards an agentic era where AI agents will not just augment the human but change the workflows. But those soon-to-arrive fleets of AI agents will open a new security challenge.

CyberArk’s research has found that the ratio of machine accounts to people is about 80:1 in the average organisation. And with more AI agents coming, that number is set to multiply. That makes having a robust identity and access strategy increasingly critical.

Grossman says, “I think about the tens of thousands or millions of AI agents around the corner. While APIs might expose capabilities, agents execute decisions and this shifts the control plane from simple validation to intent, scope and even privilege management. Identity and access management, and endpoint controls must extend to cover agentic identities. You need to be able to audit everything from a future compliance perspective.”

The speed and scale at which agentic AI will operate demands changes in how organisations approach governance. Monthly compliance reviews will no longer be adequate as automated systems will be working at machine speeds to carry out actions. Grossman suggests that guardian bots will be needed to identify potential anomalies and refer them to human operators for review.

“We’ll continue to need people but rather than having a human in the loop, we’ll have people overseeing processes and reacting to bots that notify them of actions or decisions that might fall outside acceptable norms,” he adds.

At the heart of the agentic AI revolution lies the need to ensure sufficient governance. At the foundation, identity and access management, deployed at scale to manage a fleet of thousands or millions of AI agents, will be key. CyberArk, Grossman says, stands ready to meet that challenge.

To learn more, please visit Securing Agentic AI: Identity as the Foundation of Defense

Copyright © iTnews.com.au . All rights reserved.