
“NIS2 directive is a mature recognition of the value digitalisation brings to our lives” – Jens Monrad, Mandiant

CNME Editor Mark Forker managed to secure an exclusive interview with cybersecurity expert Jens Monrad, Head of Mandiant Intelligence for EMEA, in an effort to dig a little deeper into some of the key findings that emerged from its comprehensive Cybersecurity Forecast 2025, as we enter the ‘second phase’ of AI in action in the global cybersecurity landscape.

Jens Monrad, Head of Mandiant Intelligence for EMEA.

Jens Monrad has spent almost 30 years in the cybersecurity industry, and has enjoyed a decorated and distinguished career to date.

Monrad is the Head of Mandiant Intelligence for the EMEA region after joining the company in 2021.

Monrad has held a number of notable executive positions during his career, and has worked with cybersecurity leaders such as FireEye and Cisco Systems.

In September 2022, Mandiant was acquired by Google Cloud for $5.4bn – and the cybersecurity company had established itself as a real leader when it came to deep threat intelligence.

Despite the acquisition, Mandiant was allowed to maintain its brand and now operates under the umbrella of Google Cloud.

CNME was afforded the opportunity to sit down with Monrad before the end of 2024, to take a deep dive into Google Cloud’s Cybersecurity Forecast 2025.

Sunil Potti, General Manager of Google Cloud Security said that 2025 would be the first year where we would see the second phase of AI in action when it comes to security.

That’s where our conversation began, and as Monrad pointed out the challenge now is how security leaders use the progress that has been made in relation to summarisation and start applying that into automated rulesets.

“In order to go into detail on what the second phase of AI is going to entail, I think it’s a good idea to look at the first phase of AI. Essentially, the first phase of AI was all about summarisation and finding ways of really utilising these LLMs to transform the way we work. For example, a threat report containing 500 pages can now be summarised into 1-page using AI tools and LLMs. When we examine the second phase of AI, there’s the realisation that we can use it to summarise things, but how can we use AI to actually apply what is contained in these reports in a more automated fashion? In the current climate, when analysts read reports, they take the technical parts of it and translate it into a ruleset, and they then build that ruleset and test it within their respective security controls. However, imagine you could say give me all the rules that are compatible with my security controls, and apply them in my environment immediately based on the report. That is a gamechanger, and what this ultimately empowers enterprises to do is build that link between summarisation capabilities into automation and orchestration,” said Monrad.

Monrad pointed out that the report robustly stresses the benefits this will yield for the cybersecurity ecosystem, although he did acknowledge that initially it will be highly likely that there will be a lot of false positives.

“We also mentioned in the report that we believe there will be so many benefits from this process, even though there may initially be a lot of false positives. We also stress in the report that we are still a firm believer that all of this does require human oversight in what we do with AI, and how we apply it. That being said, when you weigh in the time efficiency of building out these rules and applying automation where you can using AI then it’s a no-brainer in all reality. We often talk about how we can reduce toil and remove some of the repetitive and mundane tasks that we have to do anyway, and we can do this by using AI,” said Monrad.

Analysts are known to be quite anal (pardon the pun) when it comes to the way they extract knowledge from reports, and have their own unique way of working.

Will AI help or hinder them?

“Look, there is a learning curve with all of this, and there’s no doubt about that, but we have to embrace change. If you speak to Tier 1 analysts then they’ll tell you that a lot of what they do in the Security Operations Centre involves a lot of repetitive tasks, and in these types of scenarios you can actually give them time back by using AI. It’s evident that by leveraging AI it is going to be more valuable for both the organisation and the analyst to address security challenges that are not repetitive, and not have to perform the same mundane task that needs to be completed every single day. It is going to empower cybersecurity professionals to do more,” said Monrad.

Google Cloud’s Cybersecurity Forecast 2025 doesn’t pull any punches, and doesn’t sugar coat the fact that malicious actors will continue to adopt AI-based tools for attacks.

The following quote from the report paints a stark picture.

“As AI capabilities become more widely available throughout 2025, enterprises will increasingly struggle to defend themselves against these more frequent and effective compromises.” 

When asked what advice Monrad would give enterprises looking to bolster their cyber hygiene, his answer was simple: establish best practices in terms of how you respond to an attack, and do it now.

“I honestly do think that organisations need to foster a culture where they engage in a lot of practices, or for a want of a better word fire drills to ensure there is a level of preparedness from top to bottom. It’s not something that we have overemphasised, or covered very deeply in our forecast report, but when it comes to compromises that we do see, especially in the cloud, a lot of the issues arise from misconfigurations. We also see a problem when we respond to incidents in terms of a real lack of processes and procedures from organisations, which inevitably causes major delays in terms of responding to cyberattacks. It is so important that organisations establish best practices in order to be able to effectively respond to a breach,” said Monrad.

Monrad also advocated for enterprises to implement SIEM solutions to help them scale and centralise their information.

“Enterprises need to look at solutions that they can adopt, or implement that enhance their ability to respond to incidents. Can we implement SIEM solutions that will help us understand and scale our operations in a way in which we can actually centralise information? Can we improve on security orchestration? Can we automate on certain things when it comes to a response scenario? These are the types of questions that organisations have to ask themselves in order to really become cyber resilient. We also really have to do a better job when it comes to handling who has access to our information, how do we validate and authenticate users, do we still rely on username and passwords? Businesses need to move to a passkey, security key, or multifactor authentication to make their organisations more secure,” said Monrad.

There has been a lot written about how these new open-source AI models can be used as a new form of cyberattack, but as Monrad points out, nobody has the advantage in that regard, citing that everyone was on the same ‘learning curve’.

“When it comes to AI from an adversary perspective, we need to be cognisant of the fact that both the good guys and the bad guys are on the same learning curve, nobody has the upper hand at this point in time. Let’s be frank, these adversaries are still being successful in compromising victims through phishing emails using stolen credentials, so the appetite from them in terms of learning more about AI from an adversary perspective is still very much in its infancy. There is a high cost in terms of learning it, and given the fact that they can still monetise unauthorised access via phishing emails, then they may opt against investing the time and money needed to learn about AI, but it will come at some stage, there is no doubt about that,” said Monrad.

The new NIS2 directive has been designed to significantly reshape cybersecurity practices across EMEA in 2025.

Many independent analysts believe that many enterprises across the EMEA region may find difficulty in complying with this new directive.

However, Monrad believes the fact that the NIS2 has more scope is a good thing and thinks the fact that enterprises are being compelled to comply will accelerate better practices across the board.

“NIS2 obviously has a much wider scope than the initial NIS directive, and whilst it is covering more industries and organisations, I also think it is a much more mature recognition of the value of digitalisation in our day-to-day life. A good example of that is the fact that NIS2 is also looking into what is critical for society and the economy, energy, transport, healthcare and public infrastructure are all areas that NIS2 is focusing heavily on. I think due to the expanded scope of the NIS2 directive, then there is that added layer of complexity with much stricter requirements for organisations. It is evident that organisations need to invest in people, processes and technologies to achieve a certain degree of compliance and naturally that is going to put stress on some organisations,” said Monrad.

Monrad firmly believes that the new directive will deliver an uplift in terms of cybersecurity posture across the EMEA region.

“Some organisations will be asking how they can find these people, how can they retain them, and how can they provide education for them to ensure they are well trained and informed on new things emerging within the cybersecurity ecosystem? However, I do think that there is a major upside in the fact that it will enhance resilience, it undoubtedly drives an uplift in cybersecurity posture across the EMEA region because it will force organisations to get into line and mature themselves,” said Monrad.

The Cybersecurity Forecast 2025 also regretfully highlighted that geopolitical tensions in Ukraine and the Middle East, which look unlikely to be resolved anytime soon, are going to ‘drive’ threat activity in 2025.

CNME asked Monrad what governments and large organisations need to do in order to mitigate or prevent these types of cyberattacks.

“In 2016, NATO made an announcement that back then didn’t really resonate very loudly if truth be told, when they said they were recognising cybercrime as a theatre for potential war and conflict. I think everything that we see in the cyberspace does contain some sort of geopolitical flavour to it. I think you have to look at it from an adversary perspective because there are certain benefits from attacking countries and organisations in the cyberspace domain as opposed to sending in troops on the ground. There is less risk and there is also a cost saving element attached to it also. Organisations today really do need to have a better grasp on what is happening geopolitically because we do see that it comes in different flavours within the cyber domain. You see countless examples in the ongoing war between Ukraine and Russia, when EU countries, or NATO members lend their support to one side of the conflict there is a response in the cyber domain, either through DDoS attacks and so on, or something else,” said Monrad.

Monrad concluded a brilliant interview by stressing the need for organisations to really invest time and energy into being more well versed and informed on geopolitical issues globally.

“The geopolitical agenda in today’s climate will have a very big focus in cybersecurity, because we are so dependent on digital solutions, and as a society we are now so digitalised, so when these attacks happen then they can cause so much disruption. If you want to send a message, or really disrupt a country then there is a very cheap entry way to do it via cyberattacks. We are still trying to determine what the appropriate response is from a defence perspective to cyberattacks. As a cybersecurity community we are still trying to figure that out and navigate that challenge, so this is something that we will unfortunately continue to see and it will require organisations to be much more informed on geopolitical affairs on a global scale,” said Monrad.

 

 

 
