What Are You Waiting For? Delaying Cyber Modernization Is Putting You at Risk

Tony Scott’s career spans some of the most consequential technology environments in the world — CIO roles at Disney, Microsoft, VMware, and ultimately the U.S. federal government under President Obama.  

Few leaders have seen more legacy systems collide with modern cyber realities.

In our conversation on The Segment: A Zero Trust Leadership Podcast, current Intrusion CEO Tony shared a message that every CIO and CISO needs to hear: transformation isn’t optional, and waiting for a breach or infrastructure failure to force change is a losing strategy.

“It’s like putting off a roof replacement,” he said. “The longer you wait, the more it costs.”

Tony believes that cyber leaders must see what’s coming, acknowledge what’s broken, and act now before a crisis makes the decision for them.  

Here’s what today’s leaders can learn from Tony’s approach to modernization, resilience, and people-first cybersecurity leadership.

Transformation starts with radical honesty

Every system, every piece of hardware, and every architectural decision has a shelf life. And Tony believes that too many organizations still rely on outdated structures and infrastructure.

“Nothing should go unexamined or unmanaged forever,” he said.

In Tony’s experience, CIOs must be ruthless about inventory.

• What’s still useful?
• What’s outdated?
• What’s a liability?

The habit of deferring upgrades — “we’ll handle it next quarter, next year, next administration” — is what guarantees crisis. The U.S. Office of Personnel Management (OPM) breach in 2015 was one such moment.  

Tony inherited an IT environment where basic cyber hygiene had been neglected for over a decade. MFA adoption sat at 50%, patching was inconsistent, and privileged access controls were all over the place.

He acted fast.

In just over two months, Tony’s team led a federal “cybersecurity sprint” that brought MFA adoption above 90%, reduced elevated privileges by two-thirds, and slashed unpatched vulnerabilities from hundreds of thousands to just a few hundred.

The change wasn’t about new tools. The team’s decisive leadership buy-in and urgency made the transformation possible.

Today’s cyber reality leaves no room for complacency

Tony has seen cybersecurity from both sides — as a CIO in the private and public sectors, and now as CEO of a cybersecurity company.  

His verdict? The old ways of doing cybersecurity just don’t work anymore.

For decades, the firewall defined the network perimeter. That era is over. Cloud, remote work, third-party risk, and always-on connectivity have blown up the perimeter model.

“Attackers can now easily get through the firewalls and other cyber tech companies have put in place,” he said.

Cybersecurity now requires continuous awareness and full visibility into how systems, users, and data interact across the entire enterprise.

Tony compares it to medical diagnostics: “If you really want to know what’s going on in your body, check your blood.” The same is true for your network. You need to understand how everything communicates to see the real risks.

AI could be the disruption that forces change if leaders let it

Tony sees AI as a potential solution, but it’s a double-edged sword. AI is a powerful driver of efficiency but also a wake-up call for outdated systems and siloed teams.

Too often, organizational structure dictates technology, not the other way around. Business units operate their own tech stacks, causing visibility gaps to multiply and friction to grow.

But AI might finally change that. Tony believes it gives us a real opportunity to unify processes and break down silos, only if leaders are willing to reimagine how their organizations work.

“We may, for the first time, have the ability to use technology to erase or undo some of the friction that often occurs in any business structure,” he said.

To do that, leaders need clarity — about where they are, where they’re going, and how to get there.

“It all starts with contextual sensitivity,” Tony said. “It’s hard to get anywhere if you don’t know where you’re at or where you’re trying to go.”

Resilience is more than recovery

Cyber resilience is a board-level priority. But Tony argues that many organizations misunderstand what resilience really means.

It’s not just about disaster recovery or backup plans. It’s about designing systems that stay operational even when things go wrong.

He points to recent major outages, including cloud service disruptions, manufacturing shutdowns, and critical infrastructure attacks, as reminders of how fragile our digital infrastructure still is.

To Tony, resilience means assuming failure will happen and making sure it doesn’t take your whole business down with it.

People still make the difference

Through all the technology shifts he’s seen in his career, Tony’s biggest takeaway hasn’t changed: cybersecurity still comes down to people.

“Hard problems attract people who want to solve them,” he said. “And cybersecurity is full of hard problems.”

The best leaders, he believes, know how to attract and empower the right teams. Especially as the threat landscape evolves, that clarity and trust in people becomes your greatest strength.

Modernize now before it’s too late

Tony has seen firsthand what happens when organizations delay modernization and how fast things can change when they stop waiting for permission to act.

The stakes are higher than ever. CISOs have a shrinking window to fix what’s outdated, build resilience into the core of their organizations, and lead with clarity before circumstances make the choice for them.

Don’t wait for a breach to validate your priorities. And don’t let a crisis define your leadership.

Act now while you still have the option to lead on your own terms.

Listen to the full episode of The Segment: A Zero Trust Leadership Podcast on Apple Podcasts, Spotify, or Unsere Website.