Podcast Summary: Cyber at the Top - Beyond Confidentiality: The New Priorities in Information Security

Podcast: RSAC
Host: RSAC
Guest: Bjorn Watney, Global CISO of Interpol
Date: March 5, 2026

Episode Overview

This episode explores the shifting priorities in information security, moving beyond the traditional focus on confidentiality to embrace the critical importance of integrity and availability. RSAC host interviews Bjorn Watney (Global CISO of Interpol) about how digitalization, OT/IT convergence, supply chain complexity, and emerging technologies have reshaped both the risk landscape and the CISO’s role. Listeners are guided through practical strategies, memorable stories, and actionable advice for balancing the three pillars of information security.

Key Discussion Points & Insights

The Changing Security Landscape

• Traditional Focus vs. Evolving Priorities
  • Historically, security was “almost always concerned with protecting confidentiality… but now there’s this growing importance of integrity and availability.” (A, 00:20)
• Drivers of Change
  • “The digitalization of society as a whole and the convergence between IT and OT are the two big elements in why this is changing.” (B, 02:53)
    • 20 years ago, internet outages were nuisances; now, disruptions affect critical infrastructure and even basic needs like buying food.
    • Example: Norway is almost 100% digital for payments; a system outage could stop people from buying essentials.

Risks Re-Defined: From Theft to Disruption

• Shift in Threats
  • “The last few years, we see… changing toward systemic disruption instead [of data theft]. Ransomware as a service… is now very popular.” (B, 05:29)
    • Modern attackers often use multi-level extortion (theft + denial of service).
    • OT/physical infrastructure as new threat vectors.
    • Supply chain attacks complicate risk further.

Balancing Confidentiality, Integrity, and Availability (CIA)

• Beyond Confidentiality-Only Classification

  • “We need to classify whether availability of a system outweighs the need for confidentiality or integrity, or vice versa.” (B, 08:56)
    • Not every system is best protected with confidentiality-first measures; in some cases, availability or integrity are more important.
    • Risk classification should include availability and integrity requirements, not just data sensitivity.

• Memorable Story:

  • “He might get ill while driving, paramedics can’t access his medical record due to confidentiality, so they administer a drug he’s allergic to... At least his data was kept confidential.” (B, 07:30)
    • [Dark humor, but underscores the need to rethink security priorities.]

Complexity and Measurement Challenges

• Visibility Difficulties
  • “Complexity… exploded into tiny, tiny bits and pieces that are now connected globally.” (B, 10:47)
    • Globalized supply chains and cloud adoption amplify difficulty in tracking all dependencies.
    • Misconfiguration (especially in the cloud) is still a leading cause of breaches, mostly due to human error.

Impact of AI & Automation

• Technological Enablers and New Risks
  • “These technologies… are enablers, but they do also come with some challenges.” (B, 12:58)
    • Cloud expands availability but introduces new dependencies.
    • Automation boosts policy enforcement but can magnify errors quickly.
    • “Agentic AI… it might actually do real damage. So it might pay out money, for example, to the wrong account. And that is a completely different threat.” (B, 13:26)
    • Caution: “Wear your seatbelt and do not speed.” (B, 14:29)

Building a Culture Around Integrity & Availability

• Raising Awareness

  • “Confidentiality has been the poster boy of information security… We need to look at security not as the barrier… but as a quality and resilience enabler.” (B, 15:34)
    • Calls for rebranding the CISO as a Chief Risk and Resilience Officer.
    • Security as business continuity, not just safeguarding secrets.

• Industry Examples

  • Maersk and Norsk Hydro — losses in the hundreds of millions after cyber-attacks halted core operations. Both saw their identity as non-IT companies erased by outages:
    • “Would they say they were an IT company? No… but if the IT systems are out, that whole thing stops.” (B, 17:14)

Evolving CISO Role & Organizational Value

• Skillset Shift
  • “When I started… it was either police or military. Now? Tech backgrounds… and a business education. Because a CISO needs to be focused on the business outcomes…” (B, 19:11)
    • The CISO as a key business leader, not just a technologist or gatekeeper of secrets.

Measuring Integrity & Availability

• Change in Metrics
  • “Start asking questions like: what happens if these data are wrong, or what happens if this system isn’t available?… Broaden the risk mindset.” (B, 21:00)
    • Move from prevention-only to resilience and recovery planning.
    • The test of readiness: Is your playbook rehearsed, or gathering dust?
    • “If that is just a paper tiger hidden in a drawer… you will be very sad when that first thing goes bad.” (B, 21:55)

Actionable Advice for Leaders

• Three Steps for Resilience
  • “Find your crown jewels, assume breach, and rehearse… It’s not enough to just do a tabletop and write a piece of paper. This needs to be tested.” (B, 22:38-23:59)
    • Identify your most critical services and products (“crown jewels”).
    • Build disruption-resilient processes and practice recovery scenarios.
    • “Because you can almost always recover from a data leakage. But if your system is taken offline, that’s harder.” (B, 23:56)

Notable Quotes & Memorable Moments

• On why the shift beyond confidentiality matters:
  • “If availability fails, for example, the entire business can come to a halt.” (A, 18:17)
• On preparing for disruption:
  • “Train, train, and practice. Train, train.” (A & B, 24:12)
• On changing the role of security:
  • “We need to look at security... as a quality and resilience enabler.” (B, 15:34)
• On the real cost of outages:
  • “Hundreds of millions in losses. What is more important: that some confidential data leaked or that your systems were able to restore and continue?” (B, 17:34)
• Action slogan:
  • “Find your crown jewels, assume breach, and how do we restore?... And train, train, train.” (A & B, 24:02-24:14)

Key Timestamps

• 00:20 – Why integrity and availability have caught up with confidentiality
• 02:53 – Digital dependencies, IT/OT convergence, and risk
• 05:29 – Ransomware, systemic disruption, and the evolving threat landscape
• 08:56 – System classification for CIA priorities
• 12:58 – Cloud, AI, automation: opportunities and risks for integrity & availability
• 15:34 – Changing security culture: resilience as a key value
• 17:14 – Business impact stories: Maersk and Norsk Hydro
• 19:11 – The modern CISO: business alignment
• 21:00 – New mindset: resilience and playbook rehearsals
• 22:38 – Practical advice: prioritize, plan, and practice for resilience
• 24:02 – Slogan for success: “Find your crown jewels, assume breach, and how do we restore?”

Summary Conclusion

This episode delivers a compelling argument for re-balancing information security to equally prioritize integrity and availability alongside confidentiality, emphasizing resilience, business outcomes, and human factors. Bjorn Watney’s experience, pragmatic advice, and vivid stories underscore the urgency for CISOs and organizations to adapt—starting with risk-based system classification, cultural change, embracing new enablers with caution, and relentless preparation for disruption. The actionable guidance and real-world anecdotes make this essential listening for anyone seeking to future-proof their security strategy.