
What it takes to run modern security operations

When looking at the far reaches of the current threat landscape, we typically articulate change by highlighting the most active threat actors, their tactics and techniques, and the role shifting technology plays. However, when this information is applied to security strategy, resilience and operational maturity are the result.

In a recent Security Insider Conversation with Capgemini’s Vice President of Cloud and Infrastructure Services, Mona Ghadiri, the discussion moved quickly beyond novel techniques and into something more consequential: what it actually takes to run modern security operations at scale. Governance that produces proof, not paperwork. Security programs that reinforce good behavior instead of just flagging failures. And resilience that extends far beyond disaster recovery.

The takeaway for security leaders is straightforward: emerging technologies don’t change the fundamentals of security. They expose whether those fundamentals were strong to begin with.

1. The experimentation phase is over

Many organizations have spent the past year piloting new capabilities, testing agents, or proving ROI. That phase is ending. What follows is lifecycle management.

New capabilities, especially those deeply embedded into workflows, must be treated like any other production system. This means they are governed from the start, operationally owned, and continuously maintained. Innovation without operational discipline creates compounding risk. The real work begins after deployment.

Scroll to timestamp ~00:01:00 for more on this topic.

2. Governance is about proof, not compliance

Regulatory frameworks and standards establish a floor. They do not establish assurance. The harder question is: Can you prove what your systems are doing and detect when something deviates from expected behavior?

Doing so requires meaningful event logging, observability integrated into your SIEM and other monitoring platforms, and visibility across identity, LLM behavior, data access, and provider layers.

Scroll to timestamp ~00:03:00 for more on this topic.

3. Use the carrot, not the stick

Most security programs are built to detect failure. While that is the status quo, it does not scale adoption. If your engineers are conducting pre-prod testing, expanding identity best practices, and regularly validating their code, this should be recognized. Celebrating secure execution strengthens alignment between builders and defenders.

Scroll to timestamp ~00:06:30 for more on this topic. 

4. Making the right thing the easy thing

Self-policing rarely works when it depends on willpower. It works when the secure path is the path of least resistance. Developers rarely bypass controls intentionally.

They bypass them because they are cumbersome or not articulated well. Raising the cost of insecure behavior, without increasing friction for secure behavior, is a design challenge, not a compliance exercise.

Scroll to timestamp ~00:09:00 for more on this topic.

5. Risk accumulates over time

Not all cyber threats and risks are created equal, and they typically don’t appear overnight. Even incidents take time before the alarm bells go off. In most cases they build slowly: visibility erodes over time, and misconfigurations are incrementally exploited.

Although push does come to shove, security leaders need to communicate to the board and other stakeholders about becoming resilient rather than reacting in the moment.

Scroll to timestamp ~00:09:00 for more on this topic.

6. Resilience is not recovery

Resilience spans continuity, organizational strength, and of course recovery. Backups and disaster recovery plans matter. So do snapshots of detection logic, operational playbooks, and infrastructure configuration. Resilience isn’t a single capability, but rather the ability to endure disruption without losing control.

Scroll to timestamp ~00:14:00 for more on this topic.
