A new report shows that many large companies around the world do not have a top leader for cybersecurity. This leader is often called a Chief Information Security Officer, or CISO. Because they are missing this key person, these companies are facing much higher risks from digital attacks. The information comes from a study by a group called Heidrick & Struggles.

Companies at Risk

The report found that nearly one third of large global companies operate without a CISO. For these organizations, responsibility for security is often split among different managers who already have other full-time jobs. Without a single expert leader, it is very difficult for a company to create a strong and clear safety strategy. This structure leaves big businesses vulnerable to increasingly smart cybercriminals.

A Growing Problem

This problem is likely to get worse before it gets better. More and more devices are connecting to the internet every day, which creates even more paths for attackers to use. Criminals are also starting to use advanced technology, like artificial intelligence, to make their attacks more effective. Businesses that ignore the need for a dedicated security leader are taking a dangerous chance.

This shortage of security leaders proves that successful technology use must always start with professional leadership to manage the risks.

Technology leaders, often called CISOs, have a lot on their shoulders. A key part of their job is reviewing risks to keep their company safe. Microsoft shared a helpful guide with eight smart ways for these leaders to check on security risks and talk about them with others.

Making Reviews Work

These smart steps help technology leaders prepare better and speak clearly about risks. One major idea is to understand the language of business, not just computer language. Leaders should explain how a risk might stop work, cost money, or hurt the company's name. They also need to be ready before a review starts by studying the data and knowing what they will talk about.

Focus on Communication

Another essential point is to create trust. Technology leaders should meet regularly with different groups in the company, not just when there is a serious problem. Reviews should not be about pointing fingers at people who make mistakes. They should be about finding ways to improve and make the whole company safer together.

Using these simple yet powerful steps help technology leaders build a safer, more reliable future for everyone they serve.

Building security directly into a system from the start is much more effective than trying to add it later. This "secure by design" approach treats security as a fundamental part of engineering, similar to how a bridge is built to withstand physical weight. History shows that adding security tools to a finished product often fails to stop vulnerabilities from rising.

Artificial intelligence introduces new challenges because it often mixes data with instructions, making it hard to control. One practical way to manage these risks is to place "deterministic boxes" or strict guardrails around AI agents. These constraints use traditional software and identity management to limit what an AI can actually do, such as preventing it from deleting a database.

AI agents are becoming a new type of identity that does not fit perfectly as a human or a simple software workload. Organizations should give these agents their own unique identities to track their actions separately from the humans who control them. Relying on a foundation of zero trust—which focuses on identity and data security—is essential for managing these new technological risks.

Security firms Checkmarx and Bitwarden were recently singled out in a sophisticated supply-chain attack. Supply-chain attacks are dangerous because they do not attack a company directly. Instead, they sneak bad code into trusted software that the company uses every day. In this case, attackers placed malicious software packages on npm, a major registry where programmers get reusable pieces of code for building their applications.

A Trick with Names

The bad software packages were designed to look very real. They had names and code structure that seemed standard. The attack was specifically built to steal secrets from developers who work at security companies. By taking these secrets, the attackers hoped to access other parts of the network to steal information or cause more harm. Security experts at both Checkmarx and Bitwarden found the bad software very quickly and removed it before any damage was done, but the attack proves that no one is perfectly safe.

This targeted attack against security providers demonstrates the clever ways criminals attempt to break trust to compromise our essential computer systems.

Workers are quickly using artificial intelligence, often without any help from their companies. A new report found that 31 percent of workers who use AI at work have received zero training on how to use it properly. This is happening mostly with generative AI, which helps create new words or pictures, but can accidentally share secrets.

The Rise of Shadow AI

When people use tools without permission from the technology department, it is called shadow IT. Now, with many new AI tools, it is becoming shadow AI. Even though technology leaders know about the risks, many are still trying to figure out how to manage all these new tools correctly. The numbers from the survey by a group called the Ponemon Institute show that this problem is huge, as workers look for quick ways to get their jobs done.

Urgent Need for Oversight

This silent use of AI without guidance is dangerous. It puts companies at a major risk because private business information could easily be shared outside the company without anyone realizing. It is extremely clear that every business must create strong and easy to understand policies for using AI immediately.

The large medical technology company Medtronic officially confirmed that its computer systems were broken into. This confirmation came after a known group of hackers, who go by the name ShinyHunters, threatened to release stolen information unless a ransom was paid. The security incident happened when criminals found a way to use login details belonging to an outside person.

Stolen Records

The hacker group has already listed the data for sale, claiming they have nearly 400,000 sensitive records. These records could include confidential employee details. ShinyHunters is a well-known group that has famously broken into other very large corporations like Ticketmaster and Santander in the past. Medtronic immediately started investigating the breach with help from professional digital forensics experts and law enforcement to see exactly what went wrong.

Impact on Business

At this moment, Medtronic stated that the computer attack has not messed up their regular operations. No details have surfaced suggesting that patient medical devices themselves were affected by this hack. This event is extremely critical because medical data is highly valuable on the black market and can be utilized for serious identity theft or harmful blackmail schemes.

This serious data breach clearly demonstrates that even massive global companies are vulnerable if criminals can compromise a single trusted account.