Ian C. Ballon, Andrew B. Serwin and Gene Yoo Share What Businesses Need to Know About Cybersecurity and Data Privacy in 2025

Cybersecurity & Data Privacy Business Advisory

The Cybersecurity and Data Privacy Roundtable is produced by the LA Times Studios team in conjunction with DLA Piper; Greenberg Traurig, LLP; and Resecurity, Inc.

Corporate cybersecurity breaches continue to escalate, and the threats (and fines) are growing as we become increasingly reliant on cloud-based computing, AI and other online innovations.

While tools to prevent breach incidents have become more sophisticated, so have the methods of hackers and cybercriminals. What actions can business owners take to protect their private data and that of their customers and employees? How can C-suiters and IT teams sleep better at night when there are so many mounting threats to our digital security?

The LA Times Studios team has turned to three uniquely knowledgeable cybersecurity experts for their thoughts and insights about the threats businesses face in today’s digital world and what executives can do to safeguard the privacy of their organizations, employees, customers and other stakeholders.

Q: How can businesses address the cybersecurity talent shortage?

Gene Yoo, Chief Executive Officer, Resecurity, Inc.: I believe that we have a shortage of cybersecurity professionals, not because there is a lack of candidates but a lack of maturity from the hiring managers. So many times, I’ve asked for a job requisition on a role, and it’s always littered with certificates, products and exotic requirements that don’t even align with the role. These “requirements” are something they can attain in their job function. The reality is that human resources uses them to weed out the right candidate when they are skills that I don’t believe are crucial. Additionally, there are so many internal resources at our IT partners, but we don’t give them the opportunity to be mentored to become great cybersecurity professionals. From a management perspective, we need to better educate our managers and identify candidates who can grow and learn. As far as I can remember, in close collaboration with my HR partners, I would request ALL resumes be sent to me directly, and I would spend time with my managers and go through them and discuss. We know what’s written and what we’re looking for, and we have a shortage because we’re also not investing our time to properly recruit candidates.

Ian C. Ballon, Shareholder; Co-Chair, Global Intellectual Property & Technology Practice Group, Greenberg Traurig, LLP: Outsourcing responsibility to outside law firms and/or fractional CISOs can help bridge the gap.

Q: What emerging cybersecurity threats should businesses prioritize in 2025 and beyond?

Andrew B. Serwin, Partner, Chair of Data Protection, Privacy and Security Practice, DLA Piper: We are seeing an ever-increasing number of attacks on the private sector. The use of automated attacks is increasing as the use of AI is increasing, and some of our near-peer/peer nation-state competitors are increasingly using AI to fuel attacks. We are also seeing an increase in insider threats that feed cyber attacks.

Ballon: While companies continue to face internal challenges (employee training, employee mistakes, vendor access, etc.), there are two external threats that present major challenges in 2025 and beyond. First, AI presents opportunities and challenges in 2025. Companies should use AI to test and monitor their security. But AI also is being used externally by threat actors to challenge those same systems. Second, the personnel turnover and dramatic changes in the early weeks of the new Trump Administration pose cybersecurity risks for private companies, which could grow over time this year. Mass firings of government employees at the FBI and DOJ and encouragement to all federal employees to retire immediately may mean federal resources to monitor, investigate and stop cybersecurity threats will be diminished. State actors and criminals will almost certainly seek to exploit this situation. In addition, aggressive actions taken against friends and foes and with respect to hot spots, such as Gaza, could result in increased cyber warfare by state actors.

Q: How can businesses accurately assess and manage supply chain risks in cybersecurity?

Yoo: The most important aspects of supply chain risk come down to two things. First, the inventory – there are too many sources of truth and not enough discipline to consolidate and manage your entire supply chain in its totality. This inventory should be reviewed and audited at least quarterly. This is a great starting point. The second important aspect is to correctly classify what the supply chain actually does. You need to better categorize what products or services are being rendered by them in order to classify them while identifying their risk. These two areas are the foundation for assessing and managing, but as our supply chain grows, we need to have a way (not a solution) to continuously monitor them for threats and risks to the organization. This is a process that requires many groups to work together from one source of truth.

Q: How are geopolitical events influencing cybersecurity risk management?

Serwin: Cyber and national security issues have become enmeshed in many ways, and that will only increase. We are seeing an increase in data balkanization which influences the cyber threat surface.

Ballon: Increased friction with other countries, along with trade sanctions and threats of territorial conquest, could increase cyber warfare by state actors and potentially non-state actors such as terrorist groups.

Q: How can executives ensure that cybersecurity strategies align with business goals?

Serwin: We believe cyber should be aligned with the fiduciary duties that directors and certain officers of companies owe the company. Typically, that means focusing on two core risks – resiliency and legal compliance. Cyber is a root cause that causes either or both of these risks.

Yoo: This is the first problem with expecting cybersecurity strategies to be aligned with business goals. If you think about the people, process, technology, policies, etc., there is so little room to “align” governance, control, compliance and security. Cybersecurity is in place to be a control mechanism for business, just like finance departments (as in what, why, and how you should spend money), and enable the flow of information through a technological ecosystem. Yes, we can improve efficiencies, reduce attack surfaces and get to X percent of compliance or frameworks, but in the end, be seen as almost completely irrelevant and misaligned to business. We need to stop asking this question, and businesses should be working closely with cybersecurity teams to understand how business executives can support cybersecurity.

Q: What common mistakes do businesses make during a cybersecurity breach, and how can they be avoided?

Ballon: The biggest mistake companies make is not planning ahead. When a security incident occurs, there are literally dozens of decisions that need to be made that determine how the markets (for public companies), consumers, regulators and class action lawyers perceive the situation. We help clients organize tabletop exercises with key decision-makers so that when an incident does occur everyone knows their role and the things they need to do in the first 24, 48 and 72 hours after an incident is uncovered. Messaging is very important. For example, a security breach is a legal term that triggers certain notifications and other legal obligations. Not every security incident amounts to a security breach. Yet, casual use of language can have legal consequences. Likewise, initial speculation about the cause of a security incident may be mistaken. In the dozens of security incidents that I have handled with or for clients, I have rarely seen an instance where what the company thought occurred in the first 24 hours after discovery of a security incident turned out to have actually been the cause of the breach (if any). Companies need to balance a desire to quickly alert customers and regulators with the need to gather evidence so that what is communicated externally in fact is accurate. A common mistake made by companies is to not properly lock down as privileged internal communications about a security incident in the first hours and days after a potential breach is discovered. Communications to third parties such as PR firms or among employees (other than lawyers) typically are not privileged and may prove embarrassing or harmful when produced in litigation and shown to a judge or jury – especially because (as noted) initial impressions about what happened often are wrong. 
For example, a stressed executive may seek to deflect responsibility or assign blame in text or Slack messages or emails that when presented in court appear to be definitive statements on the part of the company. Even when a lawyer is involved, the communication may not be deemed privileged. In-house counsel often performs both legal and business functions. Communications with in-house counsel that are deemed to concern business matters will not be protected. Likewise, communications with large numbers of employees (more than just those needed to seek or obtain legal advice) may be found to be unprotected. To encourage free discussion while a company tries to investigate and resolve a cybersecurity incident, it is best to involve outside litigation counsel who can rely upon additional protections beyond the traditional attorney-client privilege. It also is important for companies not otherwise subject to legal or regulatory obligations to produce written reports, to minimize unnecessary written communications where conjecture or speculation could later be misconstrued by the court or a jury. This may not be as easy as it sounds to do, which is why outside litigation counsel should be involved in discussions as soon as a breach occurs and in tabletop exercises preceding any breach.

Q: What are the key considerations for securing multi-cloud and hybrid environments?

Yoo: We are beyond the stages of greenfield and brownfield. There are continuous evolving costs, innovation and now artificial intelligence. Also, given the staffing shortage of knowledge experts or trying to be product agnostic, organizations must not think that they are in a box. I know we always talk about “thinking outside the box” in today’s world. This means that regardless of what cloud or vendor, the fundamental activity for securing the environment shouldn’t be unique. There are identities, networks, processing, storage, and on and on. The interface you use may be different from one vendor to another, but what you are trying to provision, set up and administer in its purity is the same thing. Meaning, regardless of vendor cloud A vs. B, access control framework, provisioning, hardening and monitoring practices are exactly the same. And stop buying another security solution. Instead, understand how you can maximize what’s available from the vendors.

Q: How should organizations balance investments in prevention, detection and response?

Serwin: Organizations need to balance investments in prevention, detection, response and recovery. While all reasonable steps should be taken to prevent and detect attacks, some may get through, and it is important to also invest in recovery.

Q: How might quantum computing impact cybersecurity strategies in the next decade?

Ballon: Quantum computing could make it easier for threat actors to decrypt encrypted communications that today are deemed secure. This means we will need to enhance current security methods, including potentially developing enhanced encryption capabilities.

Q: What are the best practices for assessing and managing third-party vendor risks?

Yoo: The first thing is to realize that third parties are single components of the overall supply chain. When we talk about third-party vendor risks, we have common practices such as conducting due diligence, collecting security standards and attestations, and ensuring adherence to contractual agreements. But this base activity is a single component to managing the overall vendor risks, not just about some security rating or score. The most important practice for assessing and managing this risk is to a) have a process for onboarding and b) have a method for continuous monitoring. From products, goods or services being rendered, you need to monitor continuously throughout the end of the contract or completion of the product/goods acquisition. It’s a process and not a technology.

Q: How can businesses ensure that cybersecurity policies are effectively communicated and enforced at all levels?

Ballon: There is no substitute for regular periodic training and periodic meetings. Tabletop exercises and frequent training and internal meetings can make a big difference. Lawyers, security professionals, IT and marketing executives should meet regularly if only to share information informally about legal changes and new products or software updates that could require adjustments to company practices and procedures.

Q: How can organizations ensure that their incident response plans remain effective amid evolving threats?

Yoo: Practice, practice and more practice. There are two parts to this. First is the testing of the effectiveness of the incident response plan. Generally speaking, to properly test, you have to get everyone involved and go through tabletop exercises. From top to bottom, everyone who needs to be involved needs to be in this exercise. This is the most critical part, and everyone involved needs to take these exercises seriously. This is not the time for socializing. In parallel, both the technology and security teams must get into the habit of reviewing all the playbooks and documentation – to make sure that what’s written down is exactly how it’ll be done. So, documentation, documentation and documentation. Second, as it relates to “evolving threats” – you need to have the right vendor that can provide actual intelligence as to what’s going on, who’s targeting you and if you have material risks or defects that need to be addressed. In order to reduce the evolving threat and its blast radius of the event, you need to have great patch management, vulnerability management and network segmentation.

Serwin: Review of plans is important, as is conducting exercises to test and realign the plan as needed.

Q: How can organizations build resilience against the increasingly sophisticated cyber threat landscape?

Yoo: Cyber warfare and sophisticated threats from low-level criminals to state-sponsored adversaries will grow exponentially. Beyond international politics and warfare, the vast majority of these actors’ or groups’ actions are profitable. Even more, these threats are not based on just money but also on individual beliefs, agendas, heroism, you name it...there’s a reason for it. Simply, given the current technological ecosystem and its constructs, if someone wants to disrupt, damage or destroy your environment, it’s not going to take a lot. So what do you do? You may have heard of cyber hygiene, third- or fourth-party risk management, zero trust, continuous monitoring, etc. All of these are important and help with building resilience – and having a good and tested incident response plan is the key to building resilience. You don’t know what your organization is capable of until you test your recovery and make sure everyone, from executives on down, is part of the process. With evolving geo-political and global events, you also need to look above the horizon (outside of your firewall), to make sure you have a great overwatch program. Meaning, beyond your firewall and beyond your walls, what do you see? While everyone is addressing “behind the firewall,” you need a better program to monitor outside of your firewalls.