Chris Inglis, former National Cyber Director and Deputy Director of the NSA, argues that the future of cybersecurity will be defined not by technological advancements but by the strategic decisions organizations make in deploying and managing those tools. Speaking to SC Media at the Hybrid Identity Protection Conference, Inglis outlined how intentional choices can either fortify or undermine an organization’s defenses.“The difference between a good future and a not-good future is fate—or at least that’s what many believe,” Inglis explained. “I fundamentally disagree. It’s based on the choices we make—how we assign duties, respond to challenges, and prepare for the unexpected.”(Note: Video above is Chris Inglis, former National Cyber Director, former Deputy Director of the National Security Agency interviewed by SC Media's Paul Wagenseil at the Semperis 2024 Hybrid Identity Protection (HIP) conference.)He pointed to the concerning trend of heightened cyberattacks during holidays, a time when many organizations reduce their security staffing. This assertion is supported by data from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), which reveal that holidays and weekends see a significant increase in ransomware incidents.For example, the 2021 Colonial Pipeline ransomware attack occurred just before Memorial Day weekend, highlighting the vulnerability of reduced staffing periods. Additionally, CISA notes that 72% of ransomware attacks happen during holidays and weekends, mirroring Inglis’s observation about attackers exploiting moments of perceived weakness.[For additional coverage of Semperis' 2024 Hybrid Identity Protection (HIP) conference see additional coverage: Semperis HIP conference Day One: Microsoft mea culpa, a call for cybersecurity coalitions and Semperis HIP conference Day Two: Ransomware, resilience and identity reckoning]Inglis emphasized that resilience stems from preparation beyond technical solutions. He underscored the importance of augmentation strategies, where organizations prepare to scale their defenses during crises by leveraging pre-arranged external resources or partnerships. “Organizations that think their resources are fixed—that they can only go to the dance with what they arrived with—often find themselves outmaneuvered,” Inglis said.While he acknowledged the value of tools like Active Directory and other technologies, Inglis cautioned against viewing them as standalone solutions. “You have to understand what you want them for and deploy them correctly,” he advised, stressing that technology must be part of a broader, strategic framework that anticipates both known and unknown threats.Reflecting on the broader security ecosystem, Inglis likened effective cybersecurity to the safety infrastructure of transportation systems, where manufacturers, road designers, and regulators share responsibility. He argued for a similar harmonized approach to cybersecurity, one where organizations work collectively to maintain agility and adaptability. “It’s about creating a system where every party has a role to play, and the sum is greater than its parts,” he said.Inglis’s points align with broader research, such as Gartner’s findings that emphasize the need for a well-defined cybersecurity strategy, and the Biden-Harris Administration’s National Cybersecurity Strategy, which prioritizes public-private collaboration to address systemic vulnerabilities.As Inglis sees it, the key to cybersecurity lies in recognizing and addressing human and doctrinal challenges as much as technical ones. “It’s not the fire raging across the prairie that will burn itself out,” he said. “We must stand in, act, and decide our future.”
Chris Inglis: We live in a period of great change—that’s probably an understatement. My keynote focuses on the strategic trends driving those changes. I’m exploring whether the "why" of digital infrastructure has changed, how our circumstances have evolved, and, most importantly, how our responsibilities have shifted. That last point is particularly interesting—our choices define our future.For example, a recent report revealed that 72% of cyberattacks on enterprises occur during holidays. It’s not because attackers suddenly have free time but because they know we often reduce staffing at those times. That’s a conscious choice. It might not be top of mind, but it’s a choice to withdraw strength when we should rise to meet potential threats.Q: How do you approach the role of choices in shaping cybersecurity outcomes?
Inglis: I use a hypothetical conversation between a CEO and a Chief Information Security Officer (CISO) to illustrate this. The CEO asks, “How are we doing in cybersecurity?” and the CISO nervously replies, “In one word? Bad.” The CEO presses for two words, and the response is, “Not good.”The reality is, the gap between a good and bad outcome isn’t fate—it’s the choices we make. It’s how we assign duties, prepare teams, and respond to threats. Cybersecurity is less about technology or expertise and more about doctrine. Choices about how we structure defenses often matter more than the tools themselves.Q: How should organizations prepare for unexpected crises?
Inglis: Organizations need augmentation strategies. They must know how to transition from “peace and tranquility” to “emergency crisis” mode. Those that prepare by arranging additional resources—whether legal, technical, or operational—are better equipped to weather crises.On the other hand, organizations that assume resources are fixed often struggle. Attackers can outmaneuver them by knowing their weaknesses better than they do. Successful organizations know their architecture better than any adversary. Even if attackers infiltrate, defenders must be agile and audacious in protecting their systems.Q: What role does collaboration play in cybersecurity resilience?
Inglis: Collaboration is crucial. Organizations need coalitions and partnerships to ensure robust defenses. When an adversary attacks, they must face not just one company but an entire team—technology, people, and systems working together. This approach flips the script: attackers have to beat everyone, not just a single entity.Q: What are your thoughts on regulations in cybersecurity?
Inglis: I’ve often leaned toward minimal regulation, believing in innovation and individual initiative. However, cybersecurity is different. Safety and resilience in cyberspace cannot be discretionary. For too long, innovation and market efficiency have taken precedence over safety.We need balanced regulations that harmonize responsibilities without stifling innovation. Think about the transportation sector—vehicle manufacturers, road designers, and regulators all contribute to safety. Similarly, cybersecurity should be a collective responsibility with systems built to navigate safely despite challenges.Q: How do you view the current state of cybersecurity threats?
Inglis: We’re living through a slow-motion crisis. Cyber threats are constant, but they’re diffuse—spread across time and space. It’s not one massive event, but countless smaller incidents. If we concentrated these failures into a single moment, we’d see the severity more clearly.The reliance on digital infrastructure demands immediate action. Organizations must invest in technology, expertise, and assigning clear roles and responsibilities. Identity systems like Active Directory are particularly vulnerable and need to be a central focus of defense efforts.Q: Any final thoughts?
Inglis: Cybersecurity is about making choices—not just during crises, but in the day-to-day operations that set the stage for resilience. Technology is important, but strategy, preparation, and collaboration are what truly determine whether we succeed.
Transcript of Interview Between SC Media and Chris Inglis
What follows is an edited transcript of Chris Inglis' remarks at the Hybrid Identity Protection Conference.Q: What is your keynote address about today?Chris Inglis: We live in a period of great change—that’s probably an understatement. My keynote focuses on the strategic trends driving those changes. I’m exploring whether the "why" of digital infrastructure has changed, how our circumstances have evolved, and, most importantly, how our responsibilities have shifted. That last point is particularly interesting—our choices define our future.For example, a recent report revealed that 72% of cyberattacks on enterprises occur during holidays. It’s not because attackers suddenly have free time but because they know we often reduce staffing at those times. That’s a conscious choice. It might not be top of mind, but it’s a choice to withdraw strength when we should rise to meet potential threats.Q: How do you approach the role of choices in shaping cybersecurity outcomes?
Inglis: I use a hypothetical conversation between a CEO and a Chief Information Security Officer (CISO) to illustrate this. The CEO asks, “How are we doing in cybersecurity?” and the CISO nervously replies, “In one word? Bad.” The CEO presses for two words, and the response is, “Not good.”The reality is, the gap between a good and bad outcome isn’t fate—it’s the choices we make. It’s how we assign duties, prepare teams, and respond to threats. Cybersecurity is less about technology or expertise and more about doctrine. Choices about how we structure defenses often matter more than the tools themselves.Q: How should organizations prepare for unexpected crises?
Inglis: Organizations need augmentation strategies. They must know how to transition from “peace and tranquility” to “emergency crisis” mode. Those that prepare by arranging additional resources—whether legal, technical, or operational—are better equipped to weather crises.On the other hand, organizations that assume resources are fixed often struggle. Attackers can outmaneuver them by knowing their weaknesses better than they do. Successful organizations know their architecture better than any adversary. Even if attackers infiltrate, defenders must be agile and audacious in protecting their systems.Q: What role does collaboration play in cybersecurity resilience?
Inglis: Collaboration is crucial. Organizations need coalitions and partnerships to ensure robust defenses. When an adversary attacks, they must face not just one company but an entire team—technology, people, and systems working together. This approach flips the script: attackers have to beat everyone, not just a single entity.Q: What are your thoughts on regulations in cybersecurity?
Inglis: I’ve often leaned toward minimal regulation, believing in innovation and individual initiative. However, cybersecurity is different. Safety and resilience in cyberspace cannot be discretionary. For too long, innovation and market efficiency have taken precedence over safety.We need balanced regulations that harmonize responsibilities without stifling innovation. Think about the transportation sector—vehicle manufacturers, road designers, and regulators all contribute to safety. Similarly, cybersecurity should be a collective responsibility with systems built to navigate safely despite challenges.Q: How do you view the current state of cybersecurity threats?
Inglis: We’re living through a slow-motion crisis. Cyber threats are constant, but they’re diffuse—spread across time and space. It’s not one massive event, but countless smaller incidents. If we concentrated these failures into a single moment, we’d see the severity more clearly.The reliance on digital infrastructure demands immediate action. Organizations must invest in technology, expertise, and assigning clear roles and responsibilities. Identity systems like Active Directory are particularly vulnerable and need to be a central focus of defense efforts.Q: Any final thoughts?
Inglis: Cybersecurity is about making choices—not just during crises, but in the day-to-day operations that set the stage for resilience. Technology is important, but strategy, preparation, and collaboration are what truly determine whether we succeed.
