
TOP STORY
Jun 6, 2025
Discover how AI’s rapid advancements could deepen the digital divide, leaving organizations with weaker defenses at risk of devastating cyber threats.
How AI Might Drive A Digital Divide
Artificial intelligence brings immense opportunities for business efficiency and growth, but it also amplifies risks in ways that demand board-level attention.
The UK’s National Cyber Security Centre (NCSC) projects that over the coming years AI will bolster adversaries’ ability to identify system weaknesses, automate development tools to exploit those vulnerabilities, and craft sophisticated social engineering attacks to target users. Critical systems and supply chains, particularly those tied to operational technology and AI-enabled infrastructure, are at heightened risk of compromise.
Boards must ensure their organizations' defenses can adapt to this rapidly evolving landscape or risk operational, reputational, and legal consequences. A growing "digital divide" may emerge, where organizations with robust defenses keep pace, while others fall behind, creating tiered risks across industries. The divide is felt most acutely by smaller businesses, which often lack the technical capabilities and budgets to adapt.
Governance implications go beyond safeguarding AI-operated systems: directors must oversee how new AI risks could impact supply chains, partnerships, and the integrity of critical systems, while monitoring emerging attack vectors tied to AI, such as vulnerabilities in training data management or model design.
Questions For Management:
- How are we addressing AI’s dual role as a cybersecurity tool and a growing source of risk to critical systems?
- Does our recovery strategy account for AI-enabled threats, and how frequently is it rigorously tested?
- Are we benchmarking our cybersecurity strategies against competitors and supply chain peers to remain resilient across industries?
On The Radar:
Do Incident Response Plans Ensure Recovery Without Relying On Ransom Payments?
Paying ransoms rarely resolves cybersecurity breaches and often creates new risks. TechCrunch highlights the PowerSchool data breach, where hackers were paid to delete data, as an example of how ransom payments rarely ensure resolution. Several affected school districts report continued extortion attempts, underscoring the dangers of relying on criminal assurances.
Boards should address this risk proactively. Ransom payments set dangerous precedents and expose businesses to sustained financial, regulatory, and reputational threats. Prevention, not reaction, must drive recovery strategies, with an emphasis on securing systems, auditing third-party vendors, and establishing robust data backup protocols.
What Is Our Roadmap For Implementing Zero Trust, And How Will We Measure Its Impact On Resilience, Cost Efficiency, And Regulatory Compliance?
Geopolitical instability and the shift to hybrid work environments are reshaping the cyberthreat landscape, says Jay Chaudhry, CEO, founder and chairman of Zscaler. He argues that legacy network architectures built on static perimeters and outdated hardware no longer match today’s security needs. Chaudhry highlights Zero Trust as a strategic imperative that minimizes attack surfaces, enhances resilience, and reduces reliance on costly hardware-heavy models.
Zero Trust replaces outdated VPNs and firewalls with a framework that continuously validates identity, device posture, and risk signals before granting system access. This approach is vital for reducing risks tied to supply chain disruptions, insider threats, and escalating cyberattacks. Additionally, Zero Trust enhances operational efficiency by aligning security models with cloud-first business strategies, while offering indirect benefits such as lower insurance premiums due to reduced chances of breaches.
How Early Are CISOs Involved In Strategic Initiatives, And How Is Their Value Measured?
The 2025 EY Global Cybersecurity Leadership Insights Study found that cybersecurity contributes a median of $36 million, or 11%-20% of value, to each enterprise-wide initiative it supports. Early integration of cybersecurity, especially involving CISOs at the strategy design phase, proactively reduces risks and drives growth. However, only 13% of CISOs report being consulted early.
Organizations often underestimate cybersecurity as a value-creating function, with budgets declining from 1.1% to 0.6% of annual revenue over the last two years. This limits the ability of cybersecurity teams to fully protect against threats and capitalize on their potential as a growth enabler. Boards should reassess how funding decisions align with cybersecurity's role as a growth enabler and advocate for investments that allow CISOs to deliver both risk mitigation and business-value creation.
*****
Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan, VP Cybersecurity Advocacy at Zscaler (rsloan[@]zscaler.com), if you would like to learn more.