"I think a fundamental piece is truly identifying risk, and I think one thing for us is not just taking that generic off the shelf risk, but really taking the items we see, putting a business context to it and technical severity. What's the tailored risk? What type of data is present in these solutions?" — Jeremy Koppen
Jeremy Koppen on tailored risk, identity controls and governance
Jeremy Koppen, who joined Equifax in 2025 as executive vice president and CISO, used the company's post‑breach investments to frame what he called a practical path forward: identify risk with business context, harden identity controls and discipline governance. After its 2017 breach, Equifax invested $1.5 billion in technology, hired new staff and improved governance to prevent future attacks, moves Koppen cited while urging organizations to move past “generic off the shelf” risk ratings to tailored, data‑specific assessments.
Koppen’s career background was noted in the discussion: before Equifax, he served as managing director at Mandiant, where he led cyber engagements for Fortune 500 firms and advised boards and government leaders on advanced threats and resilience. In the panel, he emphasized that pairing business context with technical severity produces a clearer picture of which assets and identities demand the highest protection.
Christiaan Beek: attackers prefer access, defenders miss early compromise
Christiaan Beek, senior director of threat analytics at Rapid7, summarized current attacker behavior plainly: intrusion is often secondary to access. “I think honestly, threat actors are getting so smart, they use the default vulnerabilities that are out there or valid accounts and we are still lacking to see if a password or an account has been compromised to actually catch it in the early days,” Beek said.
Beek, who leads strategic research at Rapid7 and brings more than 20 years of experience in cybersecurity research, threat intelligence and data science, argued that exploitation of identities and valid accounts has made identity systems the primary attack surface. His framing focuses defenders on earlier detection of compromised credentials rather than solely on stopping technical intrusions after they occur.
Visibility gaps across cloud, supply chains and AI‑driven systems
The panel identified a recurring operational fault line: visibility and control frequently lag behind rapidly evolving environments. The briefing noted that cyber breaches rarely begin with the unknown — misconfigurations, unpatched systems and stolen credentials continue to open the door to attackers — and that as organizations deepen their reliance on cloud services and expand AI‑driven systems, those gaps can widen.
Panelists linked the rising complexity of cloud and supply‑chain ecosystems to a reduced ability to see and govern where sensitive data and privileged identities reside. That loss of visibility makes the early detection Beek described more difficult and increases reliance on the identity controls and tailored risk assessments that Koppen advocated.
Episode 2 of Anatomy of a Breach: incident response in focus
The discussion was part of ISMG’s three‑part “Anatomy of a Breach” series; Episode 2 centered on incident response. Koppen and Beek joined Anna Delaney, ISMG’s executive director of productions, and Tom Field, ISMG’s senior vice president of editorial, to examine practical steps and organizational changes tied to readiness and response, including:
- Why identity systems have become the primary attack surface;
- How visibility gaps across cloud and supply chains persist;
- How governance and risk context drive stronger readiness.
What this means for technologists, affected enterprises, and adversaries
Technologists and security teams should prioritize identity detection and tailored risk scoring: Koppen’s call for business‑contextualized risk, paired with Beek’s focus on catching credential compromise early, points to investments in identity telemetry and response playbooks rather than generic inventory lists.
Affected enterprises and procurement leaders can look to Equifax’s example of remediation investment — $1.5 billion, staffing increases and governance changes — as an indication that large‑scale remediation often requires sustained funding and structural change, not one‑off fixes.
Adversaries and threat actors, the panel warns, will continue to favor valid accounts and default vulnerabilities; defenders’ inability to detect compromised passwords or accounts “in the early days” remains a strategic advantage attackers exploit.
For organizations preparing for the next inevitable incident, the synthesis from the panel is clear: increase visibility where identities touch data, tailor risk to business impact, and build governance that sustains detection and response. Whether those three levers can keep pace with cloud complexity and AI‑driven expansion is the practical question Koppen and Beek left on the table.




