
Bengaluru, 19th September 2025: In a world where cyber threats evolve faster than regulations, automation reshapes the engineer’s toolkit, and business leaders must make high-stakes security decisions with incomplete information, the role of cybersecurity professionals has never been more demanding, or more influential. From switching between offensive “attacker thinking” and building defensive resilience, to balancing agility with compliance, the modern security leader wears many hats.

In this conversation with Mr. Marquis Fernandes, Director – India Business at Quantic India, Mr. C Sonaimani Ganesan, Associate Director – Information Security at FIS PSS, reflects on how today’s professionals must constantly shift gears between creativity and discipline. He shares why the human edge remains irreplaceable in an age of automation, how culture, not just technology, shapes resilience, and why reframing cybersecurity as a shared responsibility is essential. His insights reveal how AI, intuition, and leadership are transforming security from a defensive shield into a catalyst for trust and innovation.

Q. You’ve worked across cyber forensics, application security, and information warfare. How do you mentally switch between offense and defense modes in your role, and what mindset shift is most crucial for emerging security professionals?

When I am operating in offense, my mindset is that of an attacker, questioning, nimble and constantly testing for vulnerabilities that other people miss. I don’t merely look at surface-level misconfigurations; I also probe into subtle errors in logic, workflows, and assumptions of design that may be vulnerable. The offensive mindset feeds on determination, because the most effective breaches are often developed from stringing together a series of small findings that seem harmless individually. It is less about checklist compliance and more about imagination, considering the ways a system could be abused that the designers themselves couldn’t conceive of. This takes technical competence as well as the capacity to think like a stubborn opponent who defies conventional norms.

Defensive work requires a vastly different perspective. Rather than examining all possibilities, I work to determine what is most likely, through use of threat models and risk tolerance. Defensive thinking is risk-oriented. I aim to create resilience, enhance detection, and prepare for containment when something goes wrong. I implement layered security that would minimize the blast radius of any breach. That is, it involves creating monitoring, redundancy and response playbooks so incidents are caught and dealt with swiftly. For upcoming professionals, the most important skill is learning how to intentionally shift gears: when to allow curiosity to guide probing examination, and when to use disciplined thinking to defend what is most important.

Q. With increasing automation in vulnerability assessment tools, what areas do you believe still require the irreplaceable human touch?

Automation in the context of vulnerability assessment plays a crucial role as it introduces scalability, consistency and speed across massive infrastructures. Tools are capable of scanning thousands of systems in a matter of minutes. They flag common misconfigurations, outdated libraries, and known CVEs (Common Vulnerabilities and Exposures). All this, while ensuring no errors due to fatigue or human biases. They are especially great at ensuring no obvious issues slip through and at meeting compliance requirements. The one drawback that is observed in a lot of these tools is that they are limited by what they’re programmed to do. They work by finding known patterns and signatures. While this is good for many common use-cases, they fail to detect any complex attack patterns or new emerging threats. They are also not able to understand the business context, which is crucial when prioritizing remediation efforts in real-life cases.

These are the places wherein the human element becomes irreplaceable. For example, skilled testers can look at a set of low-severity findings and logically conclude that it may be a part of a higher-severity threat, which automation would completely miss and overlook. The human element also includes things like creativity, intuition and an experienced understanding of how systems work in relation to business processes, a combination of which helps understand the true risk rather than just the technical severity of the vulnerability. A scanner may flag a vulnerability as a medium-level threat but a human can see how, given the context and the workflow, it could lead to major issues, like a large-scale data leak. In a world wherein attackers innovate, pivot and think creatively, automation cannot replicate the skills needed to understand, analyze and tackle an attack by said attackers.

Q. As someone who has worked independently on high-pressure security projects from concept to implementation, how do you ensure balance between agility and compliance?

Balancing compliance and agility begins with treating compliance as a baseline standard instead of an obstacle. Organizations very often see regulations as checkboxes to be ticked at the completion of a project, which results in friction and holdup. My strategy is to fold in lightweight security controls right from the outset of a project so that they are fully immersed in the workflow. This allows developers and engineers to move fast while still meeting necessary standards. By addressing issues early instead of late, we avoid the “last-minute scramble” that hinders innovation and angers teams. Compliance, then, becomes a quality enabler, not a chokepoint.

Another critical factor is how documentation and audit readiness are managed. Rather than maintaining inflexible compliance reports that hinder change, I maintain records in a modular and dynamic manner such that they grow in tandem with the project. This keeps evidence of compliance current without introducing undue overhead. By tying security to business objectives, I establish a harmony where agility and compliance are mutually reinforcing rather than adversarial. Teams stay quick and innovative, but regulators and stakeholders continue to believe that risks are managed. Practically, this balance keeps organizations bold in their innovation while ensuring trust and accountability.

Q. What’s one thing you wish more people understood about cybersecurity, especially outside the tech world?

One of the greatest myths is that security is only a technical problem managed by experts. The truth is, security is highly interlinked with behavior and culture. The majority of breaches don’t start with advanced zero-day attacks. They initiate with poor passwords, phishing clicks, or a person carelessly disclosing data they shouldn’t. Attackers tend to take advantage of trust and human behavior more than technology. If more individuals grasped that everyday little actions, such as turning on MFA, patching software, and being careful online, are equally effective as firewalls or encryption, the overall security posture of organizations would be significantly enhanced.

Cybersecurity is a collective responsibility, not just something that is left for the IT or the security teams to do. All employees, partners, and even customers have a share in keeping data and systems secure. When others outside of tech view security as something that is within the scope of their job description, and not as an added responsibility, the risks really fall off dramatically. For instance, a watchful employee who flags a questionable email can stop an entire breach. It is the shift in thinking from “security is someone else’s responsibility” to “security is everyone’s responsibility” that actually makes us resilient against today’s threats.

Q. Which non-tech skill do you secretly wish you were a pro at?

If I had to pick one, it would have to be negotiation and influence. In security, technical superiority is no guarantee of adoption; what usually counts more is the skill to bring together different stakeholders, articulate the risk in business terms, and influence the decision-makers to take action. Security teams often encounter resistance because their advice is perceived as holding things up or increasing expenses. Being a good negotiator is about being able to manage conflicting demands, promote trust, and frame security not as a barrier but as a promoter of business objectives.

Influence comes down to how you communicate, how well you understand others, and how you present your ideas. The power to describe a complicated risk in a manner that will connect with executives, developers, or other non-technical personnel is enormous. A timely, well-framed discussion can hold off opposition and gain approval for vital security projects. This ability is particularly important in critical environments where time and collaboration are in short supply. Basically, technical skill puts you on the table; influence gets your ideas on the agenda, accepted, and executed.

Q. How do you think AI will change the day-to-day life of engineers?

AI is already changing engineering by automating repetitive and time-wasting work. Code generation, automated testing, scanning for vulnerabilities, and even routine troubleshooting are all getting done quicker and more efficiently with the support of AI. This change implies that engineers will do fewer routine fixes and spend more time on innovative thinking, problem-solving, and designing. Rather than digging through logs manually or debugging line by line, they’ll be able to leverage AI insights to find the root cause. AI will be the intelligent assistant in many ways such as speeding up workflows, minimizing human error, and enabling teams to deliver much quicker.

But in this shift, the engineer’s role also shifts. It will no longer be a matter of memorizing syntax or adhering to strict procedures, but one of knowing how to ask the right questions, verify AI results, and exercise critical thinking. Engineers will have to master how to push AI, identify its blind spots, and make sure automation does not introduce hidden dangers. The most valuable engineers will be those who can integrate technical skill with judgement, imagination, and supervision. Briefly, AI won’t substitute engineers, but will rewrite their job, magnifying their impact if they know how to use it reliably.

Q. What skills and mindset do you think are non-negotiable for today’s leaders to succeed?

In the modern world, flexibility is an essential quality. Leaders are confronted with perpetual uncertainty, whether it is sudden technological changes, worldwide disruptions, or changing customer requirements. They need to be capable of shifting approaches without losing their way. No less critical is empathy, the capacity to understand and relate to individuals within various groups and cultures. Empathetic leaders create trust, which equates to more effective cooperation and greater resilience in times of adversity. Decision-making based on incomplete information is another key characteristic; waiting for ultimate clarity generally means losing the window of opportunity.

In addition to these competencies, the appropriate mindset is equally important. Today’s leaders have to adopt a habit of continuous learning, since yesterday’s solution may already be yesterday’s news. They have to provide spaces where risk-taking is OK, errors are accepted as opportunities to learn, and creativity is facilitated. Empowering teams, rather than trying to control everything, builds agility and responsibility. Simply put, today’s leaders are not successful because they know everything, but because they inspire confidence, empower their people, and navigate organizations effectively through change.

Cybersecurity has moved far beyond the shadows; it now stands at the forefront as a driver of trust, innovation, and resilience. The path ahead belongs to professionals who can adopt the mindset of attackers yet serve as protectors, who harness automation while valuing the irreplaceable power of human judgment, and who combine technical expertise with influence, empathy, and continuous growth. From supporting teams through fatigue, to blending agility with compliance, to using AI as a force multiplier, one message is clear: cybersecurity is shaped as much by people and culture as by technology. And within that harmony lies the true strength to safeguard the future.
