Artificial Intelligence Will Not Save You: Why Many Companies Still Fail at Cybersecurity

Interview and reflections by Helena Hagan, based on a conversation with Touseef Gul, cybersecurity specialist and ethical hacker.

I recently had the opportunity to speak again with Touseef Gul, a cybersecurity specialist and ethical hacker who actively shares insights, analysis and reflections on digital risk, cyber threats and information security.

What struck me most during our conversation was not only the technical side of cybersecurity, but the way this topic reveals something much deeper: how companies think about risk. Or, in many cases, how they fail to think about it at all.

Today, many people assume that because artificial intelligence is evolving so quickly, we are automatically becoming safer. Tools are faster, systems are more advanced and automation seems able to manage complexity on our behalf.

But this perception can be dangerously misleading.

Touseef made one point very clear: technology evolves quickly, but the mindset of many companies does not evolve at the same speed. And it is precisely in this gap that many vulnerabilities are created.

Cybersecurity and Global Scenarios: Attacks Now Target Perception Too

One of the most interesting points that emerged from our discussion was the increasingly strong connection between cybersecurity and global events.

During periods of geopolitical tension, cyberattacks tend to increase significantly. Not randomly, but strategically.

Touseef explained that in recent conflicts, attackers have not focused only on infrastructures such as energy systems, financial institutions or government networks. They have also targeted people directly, using mass messages, fake alerts and phishing campaigns designed to generate panic.

Even when the information being spread was false, the psychological impact was very real.

This is where we can clearly see how cybersecurity has changed. It is no longer only about protecting systems. It is also about protecting perception, trust and social stability.

Why Small Companies Are Also at Risk

When I asked Touseef about private companies, his answer was very direct.

Many businesses still believe they are too small, too ordinary or too irrelevant to become a target. But this is no longer how cybercrime works.

Attackers often look for indirect access. They identify smaller companies connected to larger organizations and use them as entry points. This is what is commonly known as a supply chain attack.

In practical terms, this means that even if a company is not the main target, it can still become part of a much bigger problem.

A small supplier, a local partner, an external consultant or a minor technology provider can become the weak link in a much larger chain.

That is why cybersecurity cannot be treated as a problem only for banks, governments or multinational corporations. Today, every company that is connected to other systems, clients, partners or platforms is part of a wider digital ecosystem.

And every weak point matters.

The Biggest Problem Is Not Technical. It Is Cultural.

One of Touseef’s strongest observations was this: the main problem is not technical. It is cultural.

Many companies still treat cybersecurity as something secondary. Something to think about later. Something to deal with only after a problem has already happened.

Systems are not updated with enough attention. Security is not truly integrated into development processes. In many cases, there is not even a dedicated person responsible for cybersecurity in a serious and continuous way.

Companies invest in design, development, marketing, sales and operations. But too often they forget to invest in someone who is able to think like an attacker.

And this is a serious mistake.

Because attackers do not care about your internal excuses. They do not care if your company is small, if your team is busy, if your budget is limited or if cybersecurity is not your priority.

They only need one weak point.

Certifications Matter, But Real Experience Matters More

We also discussed how companies choose cybersecurity professionals.

Touseef challenged a very common assumption: the idea that certifications alone are enough.

Certifications can certainly have value. They show commitment, study and knowledge of specific frameworks or methodologies. But they are not enough on their own.

What really matters is field experience.

A strong cybersecurity professional should have dealt with real incidents, solved concrete problems, worked under pressure and faced complex situations where theory alone was not enough.

Cybersecurity is not only about knowing definitions. It is about making decisions when systems are under attack, when time is limited and when the consequences of a mistake can be serious.

This is why companies should not look only at certificates on a CV. They should also look at practical experience, critical thinking, problem-solving ability and the capacity to understand how attackers actually behave.

Artificial Intelligence Is Useful, But It Does Not Replace Human Judgment

Of course, another central topic in our conversation was artificial intelligence.

More and more companies are relying heavily on AI tools. Sometimes because they reduce costs. Sometimes because they seem easier to use. Sometimes because they give the impression that complex processes can finally be automated without too much human effort.

But this creates another misunderstanding.

AI is powerful, but it remains a tool.

It can speed up processes, analyze data, identify patterns and support decisions. But it cannot replace human judgment.

If we rely too heavily on artificial intelligence, we risk losing our ability to think critically. And this becomes a major problem when something goes wrong.

Systems can fail. Tools can be unavailable. Data can be manipulated. An external attack can compromise automation. A technical issue can block access to essential platforms.

At that point, the question becomes very simple:

Do we still know how to operate without it?

This is a question many companies should ask themselves honestly.

Because artificial intelligence can support security, but it cannot replace a security culture. It can help detect threats, but it cannot compensate for a lack of awareness, poor processes or weak decision-making.

Data Privacy: The Risk Is Also in Superficial Use of Technology

We also touched on another crucial topic: data privacy.

Today, more and more users share sensitive information with artificial intelligence tools, often without fully understanding the risks.

These systems may be designed with security in mind, but no technology is risk-free. There have already been cases where data was exposed, misused or handled improperly, even without malicious intent.

The real issue is not whether we should use technology. Avoiding it completely would be unrealistic and, in many cases, counterproductive.

The real issue is using technology with awareness.

Companies and individuals need to understand not only the benefits of AI tools, but also their limits. They need clear policies, internal rules and a basic culture of data protection.

Because the problem is often not the tool itself.

The problem is how carelessly the tool is used.

The Real Lesson: Cybersecurity Is a Mindset

If I had to summarize this conversation in one idea, it would be this:

Cybersecurity is not only about tools. It is about mindset.

And unfortunately, this mindset is still missing in many organizations.

As long as cybersecurity is seen as a secondary cost, something to deal with only when a problem appears, many companies will continue to expose themselves unnecessarily.

The truth is simple: artificial intelligence can help, but it will not save you on its own.

Without risk culture, attention, skills, awareness and critical thinking, no technology is enough.

Cybersecurity is not just an IT issue. It is a business issue, a cultural issue and, increasingly, a leadership issue.

Companies that understand this will be better prepared.

Those that do not will keep believing they are safe.

Until the day they discover they are not.