Adrianus Warmenhoven, a veteran cybersecurity expert and NordVPN advisor, speaks with Global Finance about cybersecurity and how AI is raising the stakes for companies.
Global Finance: With AI advancing fast—enabling deep fakes and lowering barriers for attackers—and quantum computing threatening to break legacy cryptography, which do you see having the greater impact on cybersecurity?
Adrianus Warmenhoven: There are two completely different areas where they attack. Quantum computing is about the armor around the data; when it arrives, it will be like an atom bomb. But we’re not there yet. AI, on the other hand, is mostly about attacking people and processes.
In the short term, AI will have the biggest impact. It makes not only advanced attacks but also simple ones, like phishing, much easier. It’s horribly easy for me to tell an AI [tool] that I want to make a business, and my business is getting data off a computer. I can fabricate a story so that AI will help me.
Even if I don’t know anything about cyber criminality, AI can help me to build up a proper cybercriminal venture: suggesting tools, markets, and behavior. Anyone online who just has the moral inclination to be so, can become a cybercriminal.
Once quantum computing comes through, we’ll have another data leak problem. And that will be huge, because it can decrypt all the stored data that we have now, and things will happen there as well.
GF: What metrics or narratives resonate with senior executives, like CFOs, at the firms you’ve advised?
Warmenhoven: I’ve been [chief information security officer] at the largest Dutch-owned cybersecurity company, and in those discussions, one thing is obvious: If you do security well, nothing happens. It doesn’t feel nice to spend a lot of money to have nothing happen, but that’s what security is. Once you start playing around with AI, though, things start happening. That’s why so many executives are pushing AI into their tools.
Cybersecurity isn’t just an IT issue. One of the points that I keep trying to hammer on is that this is a societal issue. Every transaction, every interaction today is digital. That means small security lapses now have enormous consequences because everyone, everywhere, is online. Criminals exploit every angle: phishing, social engineering, gamification on websites, and even targeting low-wage staff with physical access, like USB drops. It’s not purely technical; it’s crime, now mostly cybercrime, but crime nonetheless.
At the executive level, leaders need to understand that the threats extend beyond IT. Supply chain vulnerabilities, human resources processes, and human behavior are all attack vectors. The North Korean hacker cases showed how attackers infiltrate companies by manipulating people, not just technology. Cybersecurity is critical because society has gone digital, but true security involves every aspect of the organization: people, processes, and systems. Everyone is trying to get their “spies” inside everywhere else. It’s like a Cold War thing.
GF: You’ve spoken about major breaches at companies like AT&T and Salesforce, and recently the European Space Agency reported two significant cyberattacks. What can C-suite executives and large corporations learn from these incidents?
Warmenhoven: A recent example is a PayPal leak of 140,000 banking credentials and email addresses. Even companies with strong security can be victims. The biggest issue today is business process outsourcing.
Take the Salesforce-Zendesk breach; an employee at a third-party provider caused data to leak. Outsourcing lowers costs, but increases risks we don’t control. Compliance often gives a false sense of security. Seeing an ISO certificate doesn’t mean the data is safe; criminals move faster than audits, and compliance alone isn’t your defense.
Companies rarely dig deeply into what third parties or their chains of providers are doing, and that complexity itself is a huge risk. It feels to me that nowadays, compliance, or GRC [governance, risk, and compliance], is more used as a Get Out of Jail Free card—or a cover-your-behind methodology—rather than actual security. A lot of businesses outsource it to their insurance company or say, “This is on the user: the third party.” It’s the blame game, but formalized.
GF: CrowdStrike just acquired SGNL. Does consolidation make a difference?
Warmenhoven: I’ve done a lot of cybersecurity mergers and acquisitions. It’s always like this train wreck; two companies crashing into each other. Both companies have smart people, both do security, but their processes differ. During a merger, responsibilities can become unclear, and that small window of confusion is exactly when criminals can exploit long-term vulnerabilities. Security isn’t just about technology, it’s about processes being correctly enacted.
I’ve seen too many times that when you do a merger, those processes go out of the window. There’s a small window of time where nobody has any idea who does what and when, and for a criminal, that’s the moment when you insert all those long-term attack methods and insert your people. I don’t think the guiding of M&A on the security level is being done well enough now. The financial part? Sure.
GF: Do you expect more consolidation in this space?
Warmenhoven: Absolutely. I saw the same thing happen when we were doing ISPs. In the 1990’s, everybody grew and then you got consolidation. As soon as something gets commoditized, the big players won’t stop. Cybersecurity is at the point where we start to commoditize it.
GF: Do you see the insurance industry as being an important partner for corporate leaders in this field?
Warmenhoven: I am a firm believer in cyber insurance. It has to be an essential of your risk strategy. Something will happen. And there’s no use in being ashamed about it. In fact, I see some companies doing that. For instance, Hiscox, an insurer that works together with cybersecurity companies, conducts a review for their clients and guides them on best practices, so that they’re able to get any situation in control. It makes sense. Obviously, if there’s nothing happening for an insurer, that’s a bonus point.
GF: If the insurance industry is not fully prepared to handle what’s coming in cybersecurity, should governments be more involved?
Warmenhoven: That’s a rather difficult question. Our government is responsible for a lot of our food safety, automobile safety laws: a lot of stuff in the physical domain. I think the government, independent of insurers, should be more involved in the digital domain.
GF: Do you see big differences across geographies when it comes to cybersecurity?
Warmenhoven: Geography and culture are a personal quest of mine. I try to connect with people all over the world to understand how they experience security. If you only look at top-performing cybersecurity companies, they all look the same: often US-style, cookie cutter organizations. But that doesn’t reflect how mid-sized or smaller businesses experience the internet.
A lot depends on how people connect and how much business they do online. In Asian app development, for example, you often use a framework that does 99% of the work, then add what you need. The downside is those frameworks ask for enormous permissions. That’s why the first version of Temu rang alarm bells. But it’s a normal development style there. You see something similar in parts of Africa: more all-in-one apps, because hardware is older and can’t run many applications at once.
Geographically, you also see differences in maturity. In highly digitized countries, people learn how to deal with threats as part of daily life. Lithuania is a good example; it ranked number one in national privacy tests in 2025, because everything is digital. Security isn’t separate from life; it’s ingrained. Where digital life still feels separate, security becomes harder.
GF: Do attitudes differ by industry? Are some sectors better prepared or investing more in cybersecurity than others?
Warmenhoven: Yes, some are much further behind. The operational technology (OT) sector is catching up fast. For a long time, OT wasn’t a target, because criminals couldn’t make money from it. Now, with nation state actors, the goal isn’t money, it’s disruption. That changes everything. Hospitals, electricity grids, water systems, buildings: suddenly all of it matters.
I spoke with someone responsible for Dutch government buildings, and the scale is enormous. Buildings are designed for 20 or 30 years, but now within that lifecycle, entirely new attack vectors appear. The same applies to shipping, navigation, even farming. Modern farms rely heavily on robotics, GPS, and automation. If that fails, food production fails. Almost every sector now must act. But OT must run much harder, because its equipment was built for decades-long returns, not constant cyber threats.
GF: AI is now autonomously generating cyberattacks. Does that effectively make attacks infinite?
Warmenhoven: We need to be careful here. AI isn’t doing James Bond–style attacks; large language models don’t work like that. Training AI on a zero day vulnerability would be more effort than just using the vulnerability itself.
But what AI does do is make previously unprofitable targets profitable. In the past, hacking required a lot of grunt work: research, reconnaissance, correlation. AI can now do that work at scale. It can find vulnerabilities, write simple payloads, and target poorly maintained systems much faster.
I haven’t seen AI independently create new zero days yet. What we’re seeing instead is volume. The attacks aren’t more sophisticated; they’re more accessible. AI raises the average attacker’s capability, not the ceiling. The best hackers are still better. But there will be many more attackers, and that’s the real shift.
