Date: 2026-02-23

This Conversation with the Experts section is produced by the LA Times Studios team in conjunction with Miller Kaplan and VegaNext.

Corporate cybersecurity breaches continue to escalate, and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing, AI and other online innovations.

While tools to prevent breach incidents have become more sophisticated, so have the methods of hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security?

The LA Times Studios team has turned to two uniquely knowledgeable cybersecurity experts for their thoughts and insights about the threats businesses face in today’s digital world and what executives can do to safeguard the privacy of their organizations and employees as well as customers and other stakeholders.

Q: How has the rise of AI changed both cyberattacks and cyber defense strategies?

Pervez P. Delawalla, Founder & CEO, VegaNext: AI has fundamentally accelerated the arms race. Attackers now deploy machine learning for sophisticated phishing, deepfakes and automated vulnerability discovery. Threats that once required skilled hackers can be generated at scale. But defenders benefit, too: AI-powered detection identifies anomalies humans would miss, automates threat hunting and dramatically reduces response times. The key is integration – AI augments skilled analysts rather than replacing them. We’re embedding these capabilities throughout our VegaProtect platform, because static defenses can’t counter adaptive threats. Organizations that fail to adopt AI-driven security will increasingly find themselves outpaced.

Q: What role does leadership play in fostering a culture of cybersecurity, and what best practices would you recommend?

David Lam, Partner, CISSP, CPP, Miller Kaplan: Leadership is the most essential element of cybersecurity. Policies help define the expectations of your information security management program, but without leaders who reinforce their importance, model good practices and allocate the right resources, those policies are little more than good intentions. Once that foundation is in place, you can start aligning your efforts to an industry-standard framework. And you don’t have to tackle everything all at once – take it in manageable pieces that fit your organization’s size and risk profile, and you’ll be surprised at how quickly you can make progress.

Q: What role does employee training play, and how often should it be refreshed?

Delawalla: Your people are simultaneously your greatest vulnerability and strongest defense. Phishing remains the dominant attack vector, and no firewall stops a well-crafted social engineering attempt. Training must be continuous, not annual. I recommend quarterly refreshers with monthly micro-learning moments – simulated phishing tests, brief security updates and real-world breach case studies. Make it relevant and role-specific. Your finance team faces different threats than your developers. Culture matters too: Employees should feel comfortable reporting suspicious activity without fear. Security awareness isn’t a checkbox; it’s an ongoing conversation.

Q: Which cyber risks are executives most likely to underestimate or misunderstand entirely?

Lam: The most frequent “invisible” finding we see is vulnerability management. Many organizations assume software patches are applied automatically and consistently, and the simple truth is that they are not. In my 18 years of working in information security, I have yet to encounter an organization without a formal cybersecurity program that truly has patching under control. We uncover this with a simple vulnerability scan. Organizations can greatly reduce exposure, strengthen their security posture and avoid costly consequences. The first steps are easy: Get that vulnerability scan and make patching a priority.

Q: How should leadership teams prepare for a cyber incident before one happens?

Delawalla: Preparation separates organizations that recover from those that collapse. Every leadership team needs a tested incident response plan – not a dusty document, but a living playbook practiced through tabletop exercises. Know your communication chains: who contacts legal, insurers, customers, regulators? Establish relationships with forensic partners before you need them urgently. Ensure backups are immutable and recovery procedures verified. At VegaNext, we guide clients through these scenarios regularly, because the worst time to build your response capability is during an actual breach. Preparation isn’t paranoia – it’s leadership.

Q: How might quantum computing impact cybersecurity strategies in the next decade?

Delawalla: Quantum computing presents both existential risk and transformative opportunity. Current encryption standards – RSA, ECC – will eventually fall to quantum attacks, potentially exposing everything from financial transactions to state secrets. The threat isn’t immediate, but “harvest now, decrypt later” attacks mean sensitive data captured today could be compromised tomorrow. Organizations should begin transitioning to quantum-resistant cryptography now, following NIST’s post-quantum standards. Inventory your cryptographic dependencies, prioritize long-retention data and engage vendors on their quantum roadmaps. This isn’t science fiction – it’s strategic planning for inevitable technological evolution.

Q: What does “cyber resilience” mean in practical business terms, beyond basic security controls?

Lam: Cyber resilience means that you can recover from an attack. We demonstrate this quite often, leveraging a tabletop exercise, where we walk through the elements of an incident. For most of these, we are discussing ransomware, through which malicious actors keep companies from using their systems by encrypting their data and threatening to release that data to the public. What we often find is that 1) backups are not appropriately protected, making them susceptible to deletion or corruption by said bad actors, and 2) restoration processes are not being thoroughly tested. True cyber resilience requires solid architecture and regular testing to ensure recovery plans will work under real-world pressure.

Q: How can smaller or mid-sized businesses build strong security without enterprise-level budgets?

Delawalla: The misconception that robust security requires deep pockets holds many growing businesses back. The reality? Strategic partnerships matter more than massive budgets. Prioritize fundamentals: multi-factor authentication, endpoint protection, regular patching and employee awareness. Then consider managed security services that deliver enterprise-grade protection at predictable costs. At VegaNext, we’ve built our model around exactly this – giving SMBs access to 24/7 threat detection without requiring in-house SOC investments. Start where risk is highest, scale deliberately and treat security as operational infrastructure, not optional overhead.

Q: What are the most common mistakes businesses make when selecting cybersecurity vendors or tools?

Lam: One of the most common mistakes we see businesses make is prioritizing fancy tools over basic system hygiene. For many companies, a straightforward and cost-effective vulnerability scan provides far more value than an advanced log-correlation engine that can cost thousands of dollars per month. Without the basics, even the most sophisticated tools will fail to meaningfully reduce risk. Another frequent misstep is underutilizing technology already in place. For example, millions of businesses use Microsoft 365, yet don’t configure the security settings in accordance with the best practices that provide valuable protection.

Q: What best practices should companies adopt to secure sensitive customer and employee data?

Delawalla: Data protection demands layered discipline. Start with classification – you can’t protect what you haven’t identified. Implement least-privilege access, encrypt data at rest and in transit, and maintain rigorous access logging. Regular audits matter: Review who has access and why. Don’t overlook data minimization; collect only what’s necessary and retain it only as long as required. Ensure your vendors meet equivalent standards – supply chain vulnerabilities are increasingly exploited. Finally, prepare for breach notification requirements before incidents occur. Trust is hard-won and easily lost. Treat sensitive data accordingly.

Q: How should boards and senior leadership stay informed without becoming technical experts?

Lam: Boards and senior leadership should seek guidance from independent experts who can help them translate risk into business terms. Qualified experts should not profit from the tools that may be used or recommended – finding someone who has no interest in system spend is an important consideration. Additionally, ensuring that teams are properly certified and experienced, for example, with the CISSP certification, helps to ensure effective advice.

Q: How can businesses address the cybersecurity talent shortage?

Delawalla: The talent gap is real – and widening. Competing for scarce professionals with enterprise budgets isn’t viable for most organizations. Instead, think differently: Invest in training promising internal candidates, partner with universities and embrace diverse hiring pipelines. Most importantly, consider whether you need all capabilities in-house. Managed security partnerships extend your team with specialized expertise without the recruiting burden. At VegaNext, our 50+ certified experts effectively become extensions of our clients’ organizations. Focus your hiring on roles requiring deep institutional knowledge and leverage partners for scalable security operations.

