Securing people, partners & places: Building cyber resilience where it matters most

Content Type: Article
Written: October 3, 2025

Cybersecurity is no longer a narrow IT function. It’s a whole-business capability that blends people, process, and technology across offices, facilities, vehicles, devices, and third-party ecosystems. The perimeter has dissolved; work happens everywhere; vendors connect into core systems; payments move through unattended kiosks; and artificial intelligence is changing both how defenders detect threats and how attackers deceive.

In this first part of our two-part series, we explore how organizations can strengthen security today, with practical insight from leaders across security and compliance. Their perspectives converge on a few central truths: people are the new perimeter, incident response must be rehearsed not merely written, supplier ecosystems introduce risk that must be actively governed, and payment environments demand uncompromising discipline. The result is a playbook for securing the people, partners, and places that keep businesses running.

ABM Contributors:

  • Stacy Hughes, SVP & CISO
  • Robert Yager, VP, Deputy CISO
  • Margaret Kann, Senior Director, Business Security
  • Emi Kustal, Director, IT Risk & Compliance

Key Takeaways:

  • People are the perimeter. Culture, continuous awareness, and a normalize-the-pause mentality reduce social-engineering success.
  • Plans must be practiced. Response improves when roles, decisions, and recovery are rehearsed in realistic scenarios.
  • Suppliers extend your attack surface. Vet before you sign, contract what you expect, monitor continuously, and mentor strategically.
  • Payments demand discipline. In unattended environments, combine PCI rigor with boots-on-the-ground inspections and documented evidence.
  • Places are part of cyber. As facilities become connected, physical context belongs in the cybersecurity threat model.
  • Do the basics beautifully. Verification, documentation, and cross-functional decision-making turn minimums into maturity.

Cyber resilience isn’t a destination; it’s an operating posture. When organizations invest in people, practice the plan, and govern the partners and places that keep the business moving, they turn today’s risks into tomorrow’s advantages.


The big shifts: Human risk and AI—two sides of the same coin

Ask security leaders what has changed most, and two themes surface immediately:

1) The human element

Social engineering continues to drive a large share of successful intrusions. Attackers target individuals because it works—especially when employees are busy, helpful, and surrounded by communications channels that look legitimate at a glance. The most effective defenses aren’t only technical; they’re cultural. A security-first mindset, consistent awareness training, and a “pause-and-verify” reflex across the workforce do more to blunt modern attacks than any single tool.

2) Artificial intelligence

AI is transforming the landscape in both directions. On defense, organizations are using AI-powered analytics to spot unusual behavior and enrich threat intelligence. On offense, adversaries use the same advances to craft credible phishing, impersonate executives with synthetic voice and video, and adapt messages in real time. The lesson isn’t to fear AI, but to govern it, instrument it, and be transparent about how it’s used.

These shifts are universal, but industry context matters. An airline may extend connectivity onto aircraft, introducing distinct network boundaries and safety considerations. Education institutions often operate with constrained resources and have been frequent ransomware targets. Even in commercial environments, physical access remains part of the picture: who’s in the building after hours, what devices they connect to, and how services are delivered in spaces that weren’t originally designed for today’s connectivity needs.

Incident response: A plan you practice, not a binder on a shelf

Effective incident response is as much about coordination as it is about controls. Organizations should think beyond the document to the capabilities that make that document real:

  • Clear roles and decision rights. Security coordinates, but response requires cross-functional skill sets—IT, application teams, legal, communications, operations, and business leadership. Define the committee that makes materiality calls and regulatory disclosures; know how it’s convened; and pre-decide what data that committee needs to act quickly.
  • A communication plan. Map internal and external stakeholders in advance—executives, board, employees, clients, regulators, public relations—and articulate who says what, when, and on which channels.
  • A severity matrix. Agree on impact levels and the response posture that each level triggers. When seconds matter, arguing about definitions costs time.
  • Third-party muscle memory. Pre-contract a forensic incident-response firm and ensure your cyber insurer and outside counsel are coordinated. Many cyber events quickly intersect with regulators and law enforcement; independent expertise and attorney-client privilege can be decisive.
  • Recovery choreography. Treat restoration as a parallel workstream, not a sequel. Backups, alternate environments, and disaster-recovery runbooks should be ready to execute as soon as containment reaches “all clear.” If clients rely on an affected system, time to recovery is as reputational as it is technical.

Just as important as the plan is how you test it. Annual tabletop exercises satisfy auditors; they don’t necessarily prepare people. Mature programs layer three levels:

  1. Executive tabletops to rehearse decisions, disclosures, and tradeoffs.
  2. Technical tabletops to walk through detect-triage-contain-eradicate-recover.
  3. Mini tabletops inside individual business units, tuned to their reality—so front-line teams recognize an incident in their context and know whom to call.

Common blind spot: environment knowledge. When containment begins, responders ask: What does the environment look like? If network maps, connectivity diagrams, and system ownership are incomplete or outdated, closing doors is slow. Documentation isn’t a compliance chore; it’s a response accelerator.

People as the new perimeter: Culture turns risk into resilience

If the network perimeter once lived at the firewall, today it lives with the user. Identities, devices, and SaaS connections form the true boundary of the enterprise. That boundary is resilient when two things are true:

A security-first culture. People naturally want to help—and attackers exploit that instinct. Organizations that routinely talk about risk, celebrate “pause-and-verify” behavior, and invite questions before action convert good intentions into smarter actions. Proactive questions are a maturity signal: when employees pause to ask, “Is this okay?” the program is working.

Training that mirrors the real world. Annual slides won’t move the risk needle. What works: continuous, targeted awareness that reflects current threats. Phishing simulations designed from actual campaigns employees are receiving force pattern recognition in context. Metrics from those simulations guide the next training sprint, while repeat testing measures whether messages stick. The goal isn’t to “catch” employees; it’s to build the reflex to slow down, verify, and escalate.

Social engineering: Verification beats persuasion

Modern social engineering blends psychology and technology. Three patterns dominate:

  • Help-desk impersonation. Attackers phone or chat support, pose as an employee, and request a password reset or MFA update. If they succeed, they “walk in with a key” and may blend into normal activity for days.
  • Executive impersonation. A text says it’s the CEO: urgent, confidential, time-boxed. With AI voice or video, the pressure feels real.
  • Context-aware pretexting. Details harvested from public sources (org charts, out-of-office notices, recent events) make messages feel authentic.

The practical counter is verification. Require multi-step checks for identity changes and password resets. Consider manager-in-the-loop confirmation, and deliver reset credentials via a separate, pre-approved channel. Teach employees to cross-verify on another system—for example, DM the purported executive in a known collaboration tool rather than replying to a text. And most importantly, normalize the pause: if something feels urgent and secret, that’s a red flag worth checking.

Securing the supplier ecosystem: Vet, contract, monitor, mentor

Third parties often hold privileged access to systems, facilities, and data. That access is essential—and it’s a persistent risk. A resilient approach spans the full supplier lifecycle:

  • Pre-onboarding assessment. Evaluate security posture before a contract exists. Do they meet your minimum controls? Can they demonstrate how identities, devices, and data are protected? What do their incident processes and SLAs look like?
  • Contractual guardrails. Bake expectations into the agreement: security requirements, breach notification times, right to audit, data location and retention, vulnerability remediation timelines, and minimum insurance.
  • Ongoing monitoring. Trust is not a one-time decision. Use questionnaires, attestations, control evidence, and where appropriate, technical signals to ensure posture stays aligned. Periodically test incident-response expectations with joint exercises.
  • Targeted mentorship. In diverse supplier ecosystems, some partners won’t have enterprise-grade programs. Where the relationship is strategic, mentoring and enablement (templates, playbooks, shared training) help raise the floor without lowering your standards.

This blend of diligence and partnership turns supplier security from a checkbox into a capability that improves the whole ecosystem.

Payments in the real world: Compliance and vigilance in parking

Payment security offers a concrete window into how these principles come together. In managed parking environments across aviation, healthcare, and business & industry, a significant portion of transactions happen in unattended settings—kiosks, gates, and “scan-to-pay” signs. The operational realities here are instructive.

Compliance as table stakes. Processing hundreds of millions in card payments annually places operators into PCI DSS Level 1—the highest merchant tier. That means an independent annual assessment and proof that the environment meets stringent technical and process controls. It’s non-negotiable for banks and card brands.

Owning the stack. When acting as merchant of record, the operator is responsible for the secure build and operation of the payment environment: firewalls, endpoint protection, patching, and ensuring no end-of-life equipment lingers. Compliance evidence—vulnerability scans, anti-virus logs, skimming-inspection records—must be complete and retrievable.

The threats are physical and digital.

  • Skimming devices remain a prime risk. As more sites move unattended, criminals target kiosks to capture cards—unless operators inspect routinely and document those inspections.
  • QR code scams have surged. Fraudsters place stickers over legitimate codes, redirecting drivers to malicious payment pages. In one case at a major urban destination garage, postcards with a fake “overdue balance” and a QR code were placed on vehicles. Rapid detection, removal, and evidence sharing with law enforcement stopped the scheme within hours.

Documentation defends. Card issuers look for common point of purchase (CPP) patterns when cards are compromised. If a nearby restaurant suffers a breach, any garage whose patrons also parked there may face questions. Being able to prove through logs and scans that your environment was uncompromised is how you avoid being swept into someone else’s incident.
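To make the CPP idea concrete, here is an added illustration (not ABM's code or any issuer's actual method) of the kind of analysis an issuer runs: for each merchant, how many of the compromised cards transacted there, and how that compares with the merchant's share of all cards. The transactions, card tokens and merchant names are constructed for the example; a merchant that merely sees a lot of traffic (a garage next to a breached restaurant) scores high on raw overlap but near 1.0 on lift, which is exactly why its own logs and scans matter.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card: str       # tokenised card reference, never a raw PAN
    merchant: str
    day: int        # day index inside the review window


def cpp_candidates(txns, compromised, window=(0, 30), min_overlap=3):
    """Rank merchants as common-point-of-purchase candidates.

    coverage = share of compromised cards that transacted at the merchant
    baseline = share of all cards in the window that transacted there
    lift     = coverage / baseline; ~1.0 means "just a busy merchant"
    Returns (merchant, overlap, coverage, lift) sorted by lift, then overlap.
    """
    cards_at = defaultdict(set)
    all_cards = set()
    for t in txns:
        if window[0] <= t.day <= window[1]:
            cards_at[t.merchant].add(t.card)
            all_cards.add(t.card)
    comp = set(compromised) & all_cards
    if not comp:
        return []
    rows = []
    for merchant, cards in cards_at.items():
        overlap = len(cards & comp)
        if overlap < min_overlap:
            continue
        coverage = overlap / len(comp)
        baseline = len(cards) / len(all_cards)
        rows.append((merchant, overlap, round(coverage, 2),
                     round(coverage / baseline, 2)))
    rows.sort(key=lambda r: (-r[3], -r[1]))
    return rows


# Constructed sample: 12 cards; c01-c06 were reported compromised.
# Every card visited the grocery; the restaurant saw all six bad cards plus
# one good one; the garage saw four bad cards and four good ones.
SAMPLE_TXNS = (
    [Txn(f"c{i:02d}", "grocery", i) for i in range(1, 13)]
    + [Txn(f"c{i:02d}", "restaurant", 5) for i in range(1, 8)]
    + [Txn(f"c{i:02d}", "garage", 6) for i in (1, 2, 3, 4, 8, 9, 10, 11)]
)
COMPROMISED = [f"c{i:02d}" for i in range(1, 7)]

if __name__ == "__main__":
    for row in cpp_candidates(SAMPLE_TXNS, COMPROMISED):
        print(row)
```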

Vendor discipline reduces exposure. In specialized domains like parking, not every processor or device fits. Favor established partners with deep vertical integration and point-to-point encryption (P2PE)—shifting risk to the gateway and shrinking the scope of what you must defend. This isn’t conservatism for its own sake; it’s risk math: fewer moving parts, fewer surprises.

Cross-functional alignment matters here too, but it looks different. Security and operations must lead on gateway selection, device standards, and encryption methods; procurement supports rather than dictates. When the environment is specialized, security expertise—not generic purchasing preference—determines acceptable vendors.

Places still matter: Physical context in a digital threat model

Cybersecurity and physical security are converging. After-hours teams enter buildings with connected devices; IoT sensors track occupancy and cleanliness; EV chargers interact with networks; robotics and automation add new interfaces. The more we instrument places, the more those places belong in the cyber threat model.

Two implications follow:

  1. Identity, access, and asset hygiene must extend to the edge—contractor devices, kiosks, sensors, and building systems.
  2. Operational playbooks should anticipate blended incidents: a social-engineering call that unlocks a door; a compromised device at a kiosk; a facility outage triggered by both cyber and physical events.

This is not a call to centralize everything under one team. It’s a call to design shared situational awareness—so facilities, operations, and security see the same picture and can act together.

From minimums to maturity: What good looks like

Across these domains, mature programs share a few characteristics:

  • They’re documented and current. Network maps, data flows, system owners, vendor inventories, and AI use cases are knowable and known.
  • They practice together. Executive, technical, and business-unit tabletops build muscle memory before incidents occur.
  • They verify by default. Password resets, identity changes, wire instructions, and urgent executive requests trigger human-in-the-loop checks.
  • They measure and adapt. Simulation metrics drive the next training sprint; CPP inquiries refine inspection regimes; supplier reviews prompt targeted mentoring or tougher terms.
  • They decide with context. Security is a partner to the business, not a hall monitor. The best risk decisions happen when operations, legal, finance, and security solve tradeoffs together.

Most importantly, they make it easy to do the right thing. If the fastest path for an employee is also the secure one—pre-approved tools, quick channels to ask questions, crisp guidance when something looks off—risk drops because friction drops.

Practical actions you can start this quarter

If you need a short list to move from talk to traction, consider these steps:

  1. Run two tabletops: one executive, one technical. Capture decision gaps and update your severity matrix, comms plan, and SEC/contractual disclosure triggers.
  2. Stand up “mini tabletops” in two business units. Use their systems, their scenarios, their rosters.
  3. Harden help-desk flows for identity and credential changes. Add manager-in-the-loop steps and out-of-band confirmation.
  4. Tune your phishing program to mimic real campaigns your employees are actually seeing; use results to drive the next awareness topic.
  5. Refresh third-party onboarding with minimum control baselines, contractual language, and right-to-audit clauses. Identify five strategic suppliers for a joint security review.
  6. For payment environments: confirm PCI scope, inspection cadence (kiosk + QR), and evidence retention; validate encryption and gateway choices.
  7. Map the physical-digital edge: list IoT/OT systems in your facilities portfolio and assign owners, patch cycles, and monitoring responsibilities.

Each item is small enough to start now and big enough to reduce real risk.
