Conversation with Leah Santos, CISO and Cyber Resilience Advisor
Q: Why are executives still the weakest cybersecurity link?
“CEOs and CFOs aren’t just busy—they’re under constant pressure. Hackers exploit that. One mistyped character in an email or a forgotten password can unlock the entire corporate vault. Studies show that 51% of organizations saw their executives targeted in 2025, up from 43% in 2023, and deepfake attacks rose from 34% to 41% in the same period.”
Q: But isn’t executive training well established? Where’s the gap?
“Training is targeted at junior staff, not leaders. Ironically, it’s senior executives who often skip social-engineering drills, thinking they’re beyond that. This exclusion creates a blind spot. And with almost 70% of execs believed to reuse compromised personal passwords, threats aren’t just digital—they’re behavioral.”
Q: What are the emerging threats executives need to know about?
“Attack methodologies are evolving fast:
- BEC and whaling attacks trick finance teams into approving fraudulent transactions.
- Deepfake voice cloning can impersonate executives in real time.
- AI-generated phishing and quishing campaigns are indistinguishable from real emails now.
- And CFOs? They’re being targeted with pinpoint spear phishing tied to financial deadlines.”
Q: What’s the right approach to defend executives effectively?
“Start with inclusion. Execs must be part of penetration and red-team testing, not exempt from it. Layered defenses include:
- Digital protection for personal devices and family accounts,
- Zero-trust validation—even if the request seems to come from the CEO,
- Budgeting for insider-risk and AI threat detection tools, plus physical protection measures.”
Q: What are the non-negotiable best practices for CISOs and IT leaders?
“Here’s a quick checklist:
- Include execs in phishing, vishing, and deepfake simulations.
- Run executive-tailored training on deepfakes, whaling, and social engineering.
- Enforce MFA and secure password management.
- Empower help desk staff to verify any unusual executive request.
- Monitor digital footprints and domain spoofing attempts.
- Allocate budget for executive resilience—digital, physical, and psychological.”
Q: Final takeaway — how can leaders turn risk into resilience?
“Inclusion, preparation, and constant vigilance. Treat the ‘C’ in C-suite not as a target, but as a frontline in your defense. When executives lead by example—training, testing, and digital hygiene—they don’t just reinforce cybersecurity—they embody it.”