Why an Emboldened Iran Should Worry Every CISO

An emboldened Iran should concern every CISO, not only those in the Middle East. When Tehran or its proxies feel strategically cornered or politically validated, cyber becomes an attractive tool of statecraft: deniable, scalable, relatively cheap and capable of delivering psychological, economic and operational impact well beyond the immediate theatre of conflict. Recent reporting from Palo Alto Unit 42 has again pointed to elevated risk from Iran-linked cyber activity, including destructive attacks, phishing at scale and targeting of critical infrastructure and of organisations seen as aligned with geopolitical adversaries.

The important point is that Iranian cyber operations have long shown a willingness to cross the line from espionage into disruption and destruction. That matters because destructive cyberattacks are not really about data theft or even ransom; they are about breaking trust, slowing response, degrading operations and forcing the victim to operate in fog and friction. The same report from Unit 42 also highlighted a renewed risk of wiper activity tied to Iran, while earlier public reporting has also documented Iranian state actors conducting destructive operations against government targets.

I say that with some first-hand perspective. I was directly involved in incident response during an Iranian attack that crippled a major Gulf energy company. What stayed with me was not just the scale of the destruction, but the operational confusion it created: systems gone, visibility degraded, trust in technology badly shaken and every recovery decision suddenly carrying strategic weight. That is the real significance of an emboldened Iran in cyberspace. The risk is not merely more alerts, more scanning or more nuisance activity. The risk is more organisations around the world finding themselves on the receiving end of attacks designed to destroy, disorient and delay, whether or not they support the current conflict.

For defenders, the lesson is simple. If geopolitical tensions continue to rise, organisations should assume that destructive tradecraft may once again be used well beyond the immediate conflict zone by highly skilled adversaries, especially against critical infrastructure, supply chain partners and brands with symbolic or strategic value.

The question is no longer whether Iran-linked actors can do this; history has already shown they can. The question is whether potential targets have built the resilience needed to investigate, contain, remediate and recover to a trusted state when they do.
