The AI Threat Boards Can’t Ignore


Ahead of CIISec LIVE 2025 we spoke with Jim Shook, Director of Dell’s Cybersecurity and Compliance Practice, about what keeps him up at night, resilience, regulation, AI, and future-proofing organisations.

With a background in the legal sector, Jim has worked in the cyber security, compliance and resilience functions of Dell for almost 20 years, transferring his skills in law to fighting cyber criminals. His global role and background offer a unique perspective, giving first-hand insight into the current state of the profession, common pitfalls and best practice.


The world’s cyber threat landscape seems to evolve daily. What’s one trend that keeps you up at night?

AI – but not for the reasons most other cybersecurity professionals worry about. Most of the conversation around AI in cybersecurity is centred on what threat actors are doing to improve their phishing and their campaigns, or the potential for rogue AI and poisoning attacks.

But a big danger is being missed. Organisations are spending so much money on building AI models and agents that are going to run significant parts of their business autonomously in the near future. But these aren’t being protected adequately. What happens if there’s a ransomware attack and the models are stolen or encrypted? It could be months before an LLM, for example, could be rebuilt, and an entire business segment could effectively be taken offline whilst these models or agents are restored. Not to mention the time, resources and budget needed to essentially duplicate work.

How should organisations be protecting their AI from cyber attacks?

There’s no magic involved here. If organisations are deploying infrastructure – whether in the cloud or on-prem – to build out and deploy AI, they’ll be spending a lot of time, resources and money on it. So, knowing who is responsible for ensuring AI and its supporting components are resilient is vital. This means understanding the security requirements for all the infrastructure components powering an AI model, from the source data feeding it for training, to the vector database supporting a RAG model, to the inputs and outputs for Large Language Models. Organisations also need the ability to get AI back up and running quickly if it’s destroyed or encrypted, which requires resilient backups.

These are all similar security measures organisations have for other elements of infrastructure, so the processes shouldn’t really be anything new for security professionals. But we’re not seeing it. Organisations are moving so fast with AI that security often falls by the wayside as cybersecurity professionals don’t want to slow their company down. Good governance around all those components isn’t always instilled, as R&D teams are being pushed to move as fast as they possibly can, with cybersecurity to be bolted on later – never a great plan.

Where are you seeing businesses get cyber resilience right, and what can others learn from them?

My practice works globally across all industries, which gives me a good vantage point to have a broad perspective on issues like risk, data sovereignty and regulations.

Typically, businesses doing well are those that have more at stake, and typically have more regulation enforced upon them. So financial services and banks are often at the top. Not that they’re perfect, but they have a lot of regulatory concerns, plus the staff and the budget to get things done. Risk is also recognised as being very high – attacks on these companies can cost tens of millions of dollars a day and impact economies.

At Dell, we talk about building cyber resilience as reducing the threat funnel through three phases. So doing things to make it harder for the threat actors to breach a company in the first place – shrinking the attack surface, hardening everything and aligning to zero trust principles. Then organisations need the ability to detect and respond, so threat actors can be stopped if they do get in. And then the third phase, having the ability to recover efficiently and within known timeframes.

This phased approach is in three simple parts: secure, detect, and recover. Cybersecurity professionals can’t focus on protecting everything and thinking they’re going to stop every threat actor every time. Cybersecurity has to work across all those parts.

And the other piece of the puzzle is recognising the importance of the business in this process of building resilience. When I started my practice, we talked to Chief Information Security Officers (CISOs), and they were out there trying to protect absolutely everything. You just can’t do that. The business has to inform the process of what’s most important and requires more focus.

I’ve been very impressed with the work the Bank of England’s done with the banks around impact tolerances, working from the services level down into the infrastructure. Banks established the key services they provide and then considered how long they can be offline if they are attacked. And finally, how to recover these services. This risk-based approach has enabled banks to really focus on securing the most critical areas first.

From Dell’s vantage point, what does the gold standard of resilience look like beyond technology?

This is nothing new, but culture has to be top-down and can’t just be words. Every company wants to build a cyber secure culture. But the tone must be set at the top to demonstrate that security is important. So, it’s not just saying, “hey, we’re going to be secure” or “we’re going to build a security culture” or “here’s some training”. It has to be demonstrated and supported.

Some organisations that I meet with are very big into physical safety and start meetings with a three-to-five-minute discussion about safety: “We’re in this room. Here are the exits. I’m the leader if something goes wrong”. And it’s not optional. That’s how you build a culture of safety.

But when it comes to cybersecurity, leadership in some organisations still think that their disaster recovery capabilities will protect them during a massive cyberattack. But if you talk to anybody working on their infrastructure, they know that’s not the case. Disaster recovery just isn’t designed for that, but the leaders don’t understand this because the culture doesn’t enable those in the know to surface these risks. So, budget isn’t allocated, and these risks get unknowingly assumed.

I’m not expecting boards or the C suite to be totally cyber literate – it’s just not what they do. So that’s where leadership comes in – creating the culture, delegating to those who have the knowledge and can help to create the culture of cybersecurity.

And building culture is a two-way process. Cybersecurity leaders also have to get better at communicating with leadership, the C-Suite and the board. It’s no use telling them how many alerts have been resolved. The board needs to know what the risks are, and what can be improved if budget is allocated. That’s not easy to do, but if cybersecurity professionals get senior leaders more engaged and involved, understanding increases.

Regulation is tightening worldwide – do you see it as a driver of resilience, or is compliance a burden?

I think compliance needs to be seen as a floor, not a ceiling. If organisations are using regulations as a goal or a benchmark, they’re probably taking on more risk than they realise. We hear about this ‘dark risk’ all the time, where companies aren’t aware of how much risk they truly have. So, regulation is useful at setting the minimum standard.

But regulation can also be a pain. A lot of companies I meet with are very good at governance, but then they have to actually show regulators, in detail, how they’re compliant on a regular basis. That takes a lot of time and resources.

I’m also seeing a lot of activity driven by ‘soft law’ – the standards and frameworks that organisations don’t have to comply with, but help to manage risk, like the NIST CSF. There’s nothing that says organisations have to achieve these standards, but if they’re looking to get cyber insurance or if they’re a publicly traded company, falling below these standards drives up risk. These soft laws give a little bit of a boost to that regulatory environment.

What’s your one piece of advice to boards looking to future-proof against cyber risk?

It’s hard to predict what the future will bring, but it’s likely that threat actors will stay ahead of us – especially on aspects like AI – and it’ll be hard to keep up. We’re at a place where the technology in cybersecurity is generally doing a good job, but organisations are still struggling to winnow down the threat funnel. For example, studies have shown that even with staff heavily trained against phishing, there’s still a 7 to 10% failure rate – so the odds are with the attackers, who can attempt to spoof thousands of people at once and improve their odds using AI. So, a mixture of first-rate tech and a greater emphasis on culture would be my advice.

So overall, a better security culture, where staff are trained, systems are penetration tested, compliance isn’t just seen as a tick box exercise, and the entire company realises that they have a role in security, gives organisations a chance to reduce the volume, severity and impact of attacks.
