Jul 08 2026
Security

Q&A: Why Security Readiness Matters More Than Security Coverage in the AI Era

CDW’s Nik Alleyne explains why detection, response and adaptability matter more than simply adding security tools.

Organizations are facing growing pressure to prove that their cybersecurity programs can do more than satisfy compliance checklists. We sat down with Nik Alleyne, the head of managed services security for CDW, to discuss why many companies still lack confidence in their security posture despite years of investment, how AI is reshaping both threats and defenses, and why measurable detection and response capabilities are becoming the true indicators of security readiness.

BIZTECH: Organizations have invested heavily in security tools yet still lack confidence in their security posture. Why?

That lack of confidence stems from the hype that surrounds the technologies they invested in. Some technology companies promise to stop breaches rather than to reduce the chances of a breach or the number of breaches. Every new security provider promises to stop the next major attack. Then there are those who claim their solution would have stopped it. This cycle continues. Organizations have to ensure they’re looking at security primarily from a risk-based perspective. Once that is understood, they can then figure out which tools best mitigate that risk, without getting emotionally attached to the technology.

Click the banner below to learn how to start building security confidence. 


BIZTECH: What’s the difference between having security “coverage” and having real security readiness?

Security readiness starts with a mindset. It is the organization looking at security from a risk-based perspective. Every organization knows it needs to consider risk as part of its operations, whether that is financial risk, reputational risk or some other risk. Security readiness must be seen from this perspective. Based on its risk appetite and risk tolerance, that will then influence how effective its security readiness is.

Having coverage suggests that the organization is more inclined to meet compliance requirements from the perspective of some framework, so they can conclude, “We have coverage of XYZ.” And that’s great. However, when something deviates from these frameworks, is your security program designed to adapt quickly to this new threat?

Security readiness is about being able to not only adapt but also evolve to the ever-changing security landscape. Security readiness rather than coverage becomes even more critical in the world of Anthropic’s Mythos and other AI-based tools and threats. 

EXPLORE: Identity and access management solutions protect endpoints.

BIZTECH: Many teams are flooded with alerts, dashboards and threat data. What can they do about alert fatigue?

Alert fatigue is real. The problem, as new security technologies come online, is that they all promise to reduce alert fatigue, when in fact they contribute more to it.

The assumption today is that AI will help us to solve alert fatigue. I think it will. However, at the same time, while AI may help us to address the alert fatigue problem, we may be bringing on a new problem. The assumption is there should always be a human in the loop for “certain” AI decisions.  What does that mean in the context of an evolving threat landscape?

The other issue, while we move from the traditional Tier-1 role to more of an AI governor role, are the Tier 1 folks now going to just click “accept” or “approved” on whatever the AI produces? If this happens, we no longer have an alert fatigue problem but now greater automation bias. Our Tier 1 now trusts the automation workflow because the AI says so.  

Nik Alleyne, CDW
Alert fatigue is real. The problem, as new security technologies come online, is that they all promise to reduce alert fatigue, when in fact they contribute more to it."

Nik Alleyne Head of Managed Services Security, CDW

BIZTECH: Why do detection and response capabilities matter more today than simply adding more preventive controls?

The ability to detect, which is measured by your mean time to detect, your ability to respond, measured by your mean time to respond, as well as your ability to contain, measured by your mean time to contain, are more critical today than they have ever been. The primary reason for this is the speed with which threat actors can increase the scope of their attacks. Using machine learning and AI tools, threat actors can execute their attacks with speed. This means we have to be able to detect, respond and contain with similar speed.

Add the complexity of the impact of tools such as Mythos and their ability to not only detect vulnerabilities but to create exploits for those vulnerabilities, and the situation has become more perilous. The risk of running any technology based on software — which is almost everything today — means you must figure out at the time of design or via the procurement process how to ensure security is the No. 1 priority.

At the early stage, the enterprise can make the decision on how to address the risk. Should the risk be avoided? Should it be accepted? Should the risk be transferred? It is more likely that the risk is going to be mitigated via technical controls. Those technical controls will ultimately aid the prevention. However, when prevention fails, at least there will be a clear understanding of how to detect, respond and contain. 

BIZTECH: What are the most common signs that an organization’s security program looks mature on paper but is weaker in practice?

To determine how effective and robust an organization’s security program is, the organization does not have to look far. One question that organizations can is ask is, “How measurable is my security program?” The good part is your security program can, in many cases be measured quantitively rather than being subjective and speculative.

Here are eight keys things the organization can consider:

1. Vulnerabilities identified. Every software has vulnerabilities, whether intentional or accidental. For example, Mythos Preview found a 27-year-old vulnerability in OpenBSD, which is known to be one of the most secure operating systems. The fact that it was not found yesterday does not mean it will not be found tomorrow. In fact, we should expect that it will be found tomorrow. Another clear example is Mozilla using Mythos to uncover 271 bugs in Firefox 150.

2. Vulnerabilities remediated. Now that we know we cannot escape the world of vulnerabilities, and that more of them will be identified even faster, how do we remediate them faster? This is going to be a major challenge. Think about Microsoft Patch Tuesday, which is once a month. Even with patches being released once a month, organizations have a difficult time patching. Can you imagine what will happen now in the world of Mythos and other such tools, where vulnerabilities and will be identified with greater speed, but application of those patches will be take longer?

RELATED: Why businesses are drowning in too many cybersecurity tools.

3. Threats prevented. Threat actors are always targeting your infrastructure. Do you have visibility into those attacks? If you have visibility via your security platforms, kudos. This gives you numbers you can measure: “We had 10 attacks that targeted the organization via malware, 12 via phishing, five via business email compromise,” etc.

4. Threat detected. We know that even though we have firewalls, proxies, endpoint detection and response, extended detection and response, managed detection and response, e-mail filtering, and all of these preventive technologies, organizations are still being compromised. These threats are also coming through different vectors. For example, the FBI reports that for 2025, business email compromise resulted in more than $3 billion in losses, data breaches cost just over $400 million, and phishing/spoofing just over $200 million. There is a serious economic impact to your business if you are unable to prevent or even detect these threats. There is also the impact to business reputation, etc.

5. Mean time to detect. Now that we know we must detect the threats, how quickly are you doing so? Is a mean time to detect of 24 hours fast enough for your organization, or are you expecting detection within an hour? This obviously can be sooner, depending on the security and threat detection tools you have deployed, as well as the SLAs you have defined with your managed security service provider (MSSP) or MDR provider. Outside of the tools or MDR provider, you must depend on some level of threat hunting to proactively detect these threats. One can argue, if we provide an agentic AI solution with the right the data and ask it to analyze the activity, it may find things faster than a human. This is true. However, does the AI have the appropriate context?

6. Mean time to respond. So you detected a threat. What do you do next? Do you leave it there, or do you try to address it immediately? One hopes the objective is to deal with it immediately. However, personal experience tells me this is not always the case, as there are usually competing priorities.

7. Mean time to contain. Once you have identified the threat, even if you cannot fully act on it, you should at least try to contain it. You can always remediate later if you have competing priorities.

8. Lessons learned from those past incidents. The only way to truly ensure your security readiness, as we spoke about above, is to ensure your security program evolves. This evolution can come through your own experience or, more important, what is happening in other sectors or to other companies in your vertical.

Click the banner below to learn why cyber resilience is essential to enterprise success.


BIZTECH: How are staffing shortages and skills gaps affecting security confidence in 2026?

The staff shortage issue, like alert fatigue, is real. With the advent of AI and its role within the security workspace, the need for higher-level skills becomes more important as the Tier 1 security analyst role evolves. This is now the real challenge. Previously, we could take a Tier 1 and train them up to take on more advanced roles. However, if we are leveraging AI to take over the Tier 1 role, how do we then develop those people to take on more advanced roles when they never did the grunt work? This is the real challenge as we look to the future.

READ MORE: Learn how to take your endpoint security to the next level.

BIZTECH: What role can MDR play in turning security investments into measurable outcomes?

MDR plays a significant role in helping organizations address the risks as organizations evolve. Make no mistake, MDR (or any service from an MSSP) is not a silver bullet. For this to work well, the entity leveraging the MDR provider must be an active participant and not a spectator in the relationship. For the organization to be security-ready, it must take feedback from the MDR provider and implement that feedback with some level of urgency. Similarly, it must provide the MDR provider feedback so that it can also evolve its program. This symbiosis ensures neither partner becomes stale or stagnant.

The MDR provider’s role is to help the organization and its security program. One of the biggest and first overall benefit is cost. It is much more cost-effective to work with an MDR provider such as CDW, rather than to stand-up an in-house SOC.

More important, the MDR provider can look across its client’s landscape and provide suggestions for your improvement as it improves those clients. Best practices can be shared, and critical threat intelligence data can be shared. These are all things that are done by default with CDW managed security services.

MSSP/MDR providers allow the organizations to interact at different levels. There can be daily, weekly and or monthly meetings with the security team for tactical and operational tasks. At the same time, there can be quarterly business reviews at the senior level to help drive the strategic initiatives of the organization’s security program.

valentinrussanov/Getty Images
Close

New Research from CDW on Workplace Friction

Learn how IT leaders are working to build a frictionless enterprise.