The Director’s Cut: AI Speeds Up Attacks, Not Patching

AI Speeds Up Attacks, Not Patching

Security teams are entering a period where AI can identify software weaknesses and accelerate exploit development faster than organizations can validate, prioritize, and remediate them. The practical effect is a shrinking time-to-exploit that turns routine weaknesses and configuration mistakes into business disruption and data loss.

Concerns are heightened by recent reporting that an advanced, unreleased Claude AI model could materially increase offensive capability, though current models already accelerate the speed, scale, and sophistication of attacks. As models improve, the time between a flaw becoming known and being exploited shrinks further, turning more routine weaknesses into time-critical business risks.

For boards, the central issue is asymmetry. Fixing vulnerabilities still requires change management, testing, uptime tradeoffs, and coordination across owners and vendors. Attackers, meanwhile, need only one exposed asset or one missed patch to create enterprise-wide consequences. In this environment, “patch faster” is an incomplete strategy, particularly if the architecture allows broad lateral movement once an initial foothold is achieved.

The governance implication is clear. Boards should push a first-principles approach that puts architecture ahead of algorithms. Security must still hold when AI finds the first crack, with controls that restrict lateral movement and remove implicit trust. That makes zero trust a strategic requirement, not a technical project, with continuous real-time verification of every identity and connection, including autonomous agents.

Questions Directors Should Ask Management

• What are our current median remediation times for critical vulnerabilities and misconfigurations, and what concrete changes will reduce them this quarter?
• Where we cannot patch quickly, what compensating controls do we use to prevent exploitation and contain impact, and how do we verify they are effective?
• If one endpoint or identity is compromised, what technical controls prevent lateral movement and limit the blast radius across core systems and sensitive data?

On the Radar

When Legitimate IT Tools Become the Weapon

Geopolitical conflict in the Middle East continues to raise the threat of opportunistic attacks from groups linked to or aligned with Iran. In a recent incident affecting medical technology company Stryker, attackers abused legitimate endpoint administration capabilities to issue wipe/delete-style commands to at least 80,000 endpoints, disrupting operations without the kind of malware footprint security software is optimized to detect.

If an adversary gains access to an administrator account, they can turn everyday device management tools and identity systems into a weapon and wipe large numbers of machines without ever installing the kind of malicious software many defenses are built to catch. Privileged identity hardening is the primary mitigation: accounts used for high-impact administrative actions (like mass device wipes) should be separated from normal day-to-day business use, and high-impact actions should require added safeguards such as a second approval and close monitoring to detect misuse quickly.

Question Directors Should Ask Management:

• If an attacker compromises an admin account, what prevents them from using our endpoint management tools to wipe systems at scale? How do we test those safeguards?

M&A Creates a Cyber “Window of Exposure”

Research from FTI Consulting shows cyber incidents around M&A routinely damage deal outcomes. More than two-thirds of organizations that experienced an incident say it negatively impacted the transaction, often reducing value, delaying or pausing closing, or impairing the ability to hit post-deal financial targets. Yet CISOs are frequently sidelined during diligence, and most organizations struggle with security integration after close, creating a predictable exposure point at exactly the moment sensitive data access and system connectivity expand.

Boards must resist the instinct to just connect the networks to move faster. A safer approach is identity-first, application-specific access, where users connect to approved applications, not the acquired network. This access should be delivered through a controlled path that can be monitored and adjusted centrally. Integration then happens in phases. Start with rapid discovery of required apps and users, keep environments segmented by default, and expand connectivity only when minimum security requirements are met. This lets the business move quickly without creating an open-ended pathway for a breach to spread.

Question Directors Should Ask Management:

• On Day 1, are we using a zero trust overlay to get users productive while containing acquired risk? By Day 2 and beyond, who owns the plan and timeline to expand and optimize that model to reduce technical debt and run-rate costs?

Supply Chain Risk in the Living Room and Server Room

A new FCC rule bans the import and sale of new foreign-made consumer routers, citing national security concerns. The agency points to supply chain compromise risk and the possibility of deliberately insecure devices that can be leveraged for espionage, disruption, and intellectual property theft. The FCC also cited recent state-backed campaigns that have exploited consumer routers at scale, using them as footholds to attack households and as infrastructure to support broader operations.

The scope of the action raises an important governance question. The rule targets new consumer routers, but it does not appear to cover enterprise routing gear. That gap matters because businesses also rely on routers, which are frequently targeted by ransomware groups because a single compromise can provide access to large parts of the network. If foreign supply chain risk is significant enough to justify a consumer ban, directors should ask what risk controls exist for enterprise-grade networking equipment, how procurement is managing country-of-origin and component risk, and whether segmentation and monitoring assumptions hold if an edge device is compromised.

Directors can check their home routers are secure by following this guidance from the Cybersecurity & Infrastructure Security Agency.

Question Directors Should Ask Management:

• If one of our routers is compromised, what can an attacker reach, how quickly can we detect and contain it, and are we treating routers as untrusted with zero trust controls?

***

Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan ([email protected]), VP Cybersecurity Advocacy at Zscaler, to learn more or to get a free hardcopy version of Cybersecurity: Seven Steps for Boards of Directors.