Senthil Muthu is a global cybersecurity strategist, | Cybersecurity Executive | CISO | Cybersecurity Researcher | Founder.

I remember the day my mentor drew a triangle on a whiteboard. Three edges. Three words: confidentiality, integrity, availability.

"Master these," he said, "and you will understand cybersecurity."

He was right. For the world that existed then.

Twenty-five years later, having led cybersecurity across four continents for some of the world's most critical industrial operations, I can say that the triangle has not disappeared. But it has been fundamentally transformed by operational realities that no whiteboard ever captured.

This is the story of that transformation, told through the shape of security itself.

The Triangle: Where Every Cyber Professional Begins

The CIA Triad is elegant in its simplicity. Protect data from unauthorized access. Ensure it has not been tampered with. Keep systems available when needed.

For enterprise IT environments, this model is both necessary and sufficient. Standards like ISO 27001 and China's GB/T 22080, and regulations like SOX, HIPAA and PCI DSS, all trace their security requirements back to these three pillars.

When I began my career, the triangle was the entire universe.

It was the right model. For that world.

The First Evolution: How OT Changed The Priorities

The most significant shift came when I began working with operational technology environments.

In traditional IT, confidentiality often receives the greatest attention. In a refinery, chemical plant, liquefied natural gas (LNG) facility or power generation site, the priorities invert entirely.

Availability comes first. If an email server goes down, operations are disrupted. If a safety system or industrial process becomes unavailable, the consequences can be catastrophic. Production stops. Safety is compromised. Environmental incidents occur.

Integrity remains essential because inaccurate process data leads to dangerous operational decisions.

Confidentiality remains important, but is no longer the primary driver.

Frameworks like IEC 62443, the international standard for industrial automation and control systems security, codify exactly this priority inversion, placing process continuity and operational safety above data confidentiality.

Same triangle. Entirely different priorities.

The Second Evolution: When Safety Entered The Equation

As industrial environments became increasingly connected and organizations adopted frameworks such as ISA/IEC 62443, the NIST Cybersecurity Framework and CISA guidance for critical infrastructure protection, another realization emerged: Cybersecurity was no longer solely about protecting information. It was about protecting people, operations, communities and the environment.

The triangle became a square: safety joined availability, integrity and confidentiality.

The question was no longer only "what data is at risk?" It was "what physical consequence could this attack enable?"

The Pentagon: Where We Stand Today

Now consider the AI era. Autonomous systems. Large language models in industrial environments. Supply chain attacks targeting model integrity. Adversarial inputs manipulating AI behavior at scale.

Neither the triangle, the inverted triangle, nor the square is sufficient anymore.

The model has evolved into a pentagon with five interconnected priorities.

1. Safety

The sanctity of human life remains the master priority. In AI-augmented OT environments, this now includes AI safety: ensuring autonomous systems do not endanger people through adversarial manipulation, hallucination or model drift.

Chemical manufacturing operators across the European Union are subject to the EU NIS2 Directive, which mandates security measures for critical infrastructure and explicitly includes the chemical sector. Safety is no longer purely an engineering concern. It is a regulatory and cybersecurity obligation.

2. Resilience

This is a deliberate evolution beyond availability. Availability asks, is the system on? Resilience asks, can the system absorb a blow and keep functioning? These are not the same question. IEC 62443's zone-and-conduit model and NIST CSF 2.0's respond and recover functions operationalize resilience as a structured discipline. Uptime without resilience is an illusion.

3. Regulatory Compliance

Compliance has become a structural priority. Organizations I have worked with simultaneously navigate regulatory requirements such as EU NIS2, SOX, HIPAA, MTSA and IRDAI cybersecurity mandates, while aligning with frameworks and standards including NIST CSF 2.0, IEC 62443, China's GB/T 22080, PCI DSS and Australia's Essential Eight across multiple geographies.

Noncompliance is no longer merely a legal risk. It is an operational, reputational and existential risk.

4. Integrity

In the AI era, integrity extends beyond data to model integrity. A poisoned training dataset, a backdoored model weight or a manipulated AI output in a clinical or industrial context carries consequences that overshadow a corrupted database record. NIST CSF 2.0 incorporates supply chain integrity under its "identify" function. Integrity must be monitored across the entire AI and ML life cycle.

5. Confidentiality

Still essential. Still foundational. But now it's the fifth edge, not the first. In the environments where I have operated, a breach of confidentiality rarely carries the immediate life-safety consequences of a failure in resilience, integrity or safety. The lesson of the pentagon is not that confidentiality matters less. It is that context determines priority.

Remove any one of these five elements, and organizational resilience weakens. Together, they form the modern cybersecurity pentagon.

A Final Reflection

The CIA Triad remains one of the most important concepts ever introduced to our profession. It provided the foundation upon which everything was built. But cybersecurity evolves because the world evolves.

The frameworks we rely on today are not bureaucratic constraints. They are the codified lessons of industries that learned security priorities the hard way.

The triangle taught me how to think about information security. The pentagon taught me how to think about organizational resilience.

In a world where digital systems power every aspect of society, resilience may be the most important security objective of all.

The triangle was the beginning. The pentagon is where we are. And the next shape is already forming.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
From Triangle To Pentagon: The Expanding Scope Of Cybersecurity Leadership










