Benny Czarny created OPSWAT more than 20 years ago, to develop a common language for security applications. Today, the business is best known for its “firewall of data” approach to detecting and removing malware.

In the first of an occasional series of interviews with founders, we speak to Czarny about his journey as an entrepreneur and as a business leader in cybersecurity. And we discuss his new book, Cybersecurity Upside Down.

These include credentials, API keys, AI tokens and MCP configuration files.

And AI is making the problem worse, with AI-assisted commits adding to this "secrets sprawl".

Unless developers control how they manage secrets in their code, we are leaving the door open to malicious actors. And the growth of non-human identities (NHIs) only makes it worse.

Our guest is Dwayne McDaniel, principal developer advocate at GitGuardian, which recently published their research into secrets sprawl.

In this episide, editor Stephen Pritchard caught up with Ameet Jugnauth, president of ISACA's London Chapter at their recent conference.

They discuss building resilience, why we have reached a tipping point in boards' understanding of cyber risk and why, despite a growing threat landscape, Jugnauth's outlook for the industry is positive.

What lessons can you learn?

And why is resilience moving up the cybersecurity agenda?

In this special episode, we speak to Edwin Moraal, CISO at Dutch public safety body Veiligheidsregio Noord- en Oost-Gelderland (VNOG), about his experiences. And he's joined by Tim Pfaelzer, Veeam GM for EMEA, whose team helped with the recovery.

However prepared you think you are, there are always lessons to learn.

But how close is "Q Day", and is a cryptographically relevant quantum computer a realistic prospect?

Is it something malicious actors will be able to obtain, and if so, how would they use it and what threat does that pose to confidentiality of our files, as well as our communications?

Our guest today is Moona Ederveen, an author, speaker and consultant who has been studying the impact of quantum computing on security.

Here, she discusses the scale of the threat, the steps organisations need to take to mitigate it, and why cybersecurity teams need to act with urgency.

Listeners can also access the Post-Quantum Preparedness Framework mentions in the episode here.

Security teams are better at detecting and blocking DDoS attacks than they were. But malicious actors have not stood still.

They are now using complex, multi-vector attacks rather than relying on volume alone; they are using AI to design attacks, and compromised IoT devices to launch them, according to research from NETSCOUT.

In this episode, we look at how DDoS is evolving, and what CISOs can do to reduce their impact.

Our guest is Darren Anstee, CTO for security at NETSCOUT.

Our guest is Mike Baker, vice president and global chief information officer at DXC Technology.

Above all, he says, the CISO's role is to build a resilient team.

Interview by Stephen Pritchard.

In this Insights Interview, we discuss developments in the threat landscape with Haider Pasha, CSO for EMEA at Palo Alto Networks, following the company’s recent Ignite event in London.

As he describes it, Europe faces its own pressures, as malicious actors exploit differences between countries, their policies and even cultures.

But security leaders in Europe, and elsewhere, also face challenges from AI, quantum computing, and a fragmented and increasingly complex regulatory landscape.

So how do security teams close those gaps?

Interview by Stephen Pritchard.

Security teams now have access to multiple sources of information on threats and threat actors. These come from industry, from law enforcement, and even their own networks and SOCs.

But how effective is it against an ever-changing roster of adversaries? And how do CISOs become informed consumers of intelligence?

We invited Rafe Pilling, director of threat intelligence at Sophos, to discuss how threat intelligence has developed, in the context of some of the recent attacks and threat groups.

In this CISO Interview, we speak to Kim Larsen, CISO at Keepit, a service provider specialising in protecting data for SaaS applications.

With a career spanning policing, government and the private sector, he has witnessed the growing influence of geopolitics on cybersecurity. And he suggests both businesses and public sector bodies need to think about not just where their data are, but how to guarantee access to their technology if the worst does happen.

Interview by Stephen Pritchard

We go through the results of the research, and what it might mean for cybersecurity professionals at all points in their careers, with ISC2's COO, Casey Marks.

Interview by Stephen Pritchard

We discuss the key findings of his team's 2026 Security Navigator report, how AI is tipping the balance of power in favour of malicious actors, and why resilience and agility should be on the CISO's agenda for this year.

Cyber defence is often a highly pressured working environment. And it can be lonely too. But if teams are unable to function at their best, attackers will exploit this.

In the second of our two episodes on cyber resilience, we look at its human side.

Our guests are Rebecca Taylor, threat intelligence knowledge manager and human intelligence researcher at Sophos, and Amelia Hewitt director of cyber consulting at Principle Defence. They're also known as the Cyber Agony Aunts.

They discuss steps organisations, and individuals, can take to improve their resilience with Stephen Pritchard.

Increasingly, it is less about defence and more about resilience.

Organisations have to be able to withstand and recover from an attack. It's no longer about preventing breaches: the sheer volume of cyberattacks means that is no longer possible.

Instead, security teams and boards should assume an attack will happen, prepare keep the organisation operating during an incident, and aim to recover as quickly as possible.

Our guest is James Blake, VP of global cyber resilency strategy and consulting services at Cohesity.

He argues that this means integrating  business continuity and disaster recovery with cybersecurity. And organisations should rehearse for cyber incidents, training staff to operate under what can be extreme pressure.

A good playbook, Blake suggests, is not enough.

Interview by Stephen Pritchard.

Businesses continue to face cybercrime and state-sponsored attacks, especially ransomware.

AI is proving to be a double-edged sword, helping both defenders and malicious actors.

And there are the ongoing issues of skills, recruitment and retention.

How, then, do cybersecurity professionals navigate their way through all these challanges? And what should they prioritise for 2026?

For this episode, we're pleased to welcome back Chris Dimitriadis, chief global strategy officer at ISACA.

Interview by Stephen Pritchard

And as the conflict approaches its fourth year, there is little sign of that changing.

Strikes against infrastructure, though, are only part of the picture. Since Russia’s full-scale invasion, and even before, Ukraine’s defenders have waged an equally intense, but less visible, cyber war.

What lessons can we draw from Ukraine’s experience?

And how can states and businesses protect their critical national infrastructure during war and conflict? And how do the public and private sector deal with the prospect of both kinetic and cyber threats?

We discuss this with Mihoko Matsubara, author, associate fellow at the International Institute of Strategic Studies and chief cybersecurity strategist at NTT Corporation.

But how do these programmes operate, and how do CISOs ensure that they are run ethically? What are the risks of inviting researchers to hack your organisation? How do bug bounties stack up against other methods of security testing?

And what are the benefits to security researchers themselves, as the programmes cannot work without hackers?

We cover the pros and cons of bug bounties with Ottilia Westerlund, hacker engagement manager at bug bounty platform Intigriti, and herself a former software engineer and published security researcher.

DDoS attacks continue to grow in their frequency and volume. And increasingly, they’re aligned to geopolitical events.

A driver is sites offering “DDoS for hire”. The groups behind these sites even offer DDoS as a service attacks for free. But cybercrime groups are making use of AI too.

This is leading to what researchers at NETSCOUT describe as a “digital battlefield", with DDoS attacks overwhelming underprepared defenders.

Our guest is Richard Hummel, director of threat intelligence at NETSCOUT.

And why have initiatives to close the skills gap made relatively little impact?

In this episode, our guests Thom Langford, of Rapid7, and Lee Munson, of the ISF, discuss career changes, hiring practices, certifications and what needs to change with editor Stephen Pritchard

What, then, can leaders in the sector do to bolster their defences, especially when budgets are under pressure?

Our guest is Joe Rooke, director of risk insights at Recorded Future’s Insikt Group.

Both CVEs and CVSS are core security tools. But, our guest this week argues, they are often misused. In a worst case scenario, they add little to effective defence, and can divert security teams from the real threats.

Tod Beardsley is VP of security research at runZero, is on the board of the CVE Project, and is a former official at CISA.

But as an industry, we focus far more on technical security measures, than on the human element.

Human risk management sets out to change this. Its proponents aruge that by measuring what people do on networks and systems, we create a much clearer picture of risk.

In fact, they say, the risks posed by people should be on the business' risk register.

And it's only with that picture that we can implement the controls, and measures such as security awareness and training. But human risk management goes far beyond anti-phishing campaigns.

Our guest is Ashley Rose, co-founder and CEO of Living Security.

With a background in both marketing and psychology, she’s setting out to help organisations move away from focusing on devices, and to a human-centric view of security.

And, unlike conventional software, large language models are non-deterministic. The same inputs can produce different results.

This makes it hard to secure AI systems, and to assure their users that they are secure.

There is already growing evidence that malicious actors are using AI to find vulnerabilities, carry out reconnaissance, and fine-tune their attacks.

But the risks posed by AI systems themselves could be even greater.

Our guest this week has set out to secure AI, by developing red team testing methods that take into account both the nature of AI, and the unique risks it poses.

Peter Garraghan is professor at Lancaster University, and founder and CEO at Mindgard.

Interview by Stephen Pritchard

APIs, online devices and service calls now dominate internet traffic, and access requests.

And this is only set to increase, with the rise of AI and AI agents.

Could we even see "robot wars" as AI agents take on AI defenders?

A lack of visibility, and a lack of control over machine identities is not just putting systems and networks at risk.

It is changing the whole concept of identity.

Now, it's no longer a question of who has access to our systems and data, but what. And the consequences for cybersecurity are far reaching.

Our guest is Art Gilliland, CEO at Delinea. Interview by Stephen Pritchard

It's not possible to stop every attack or prevent every breach. So CISOs need to link the likelihood and impact of an incident to the damage it does to the organisation.

But do security teams understand business risk? And do business leaders fully appreciate the threat from cyber attacks?

Our guest is Richard Seiersen, chief risk technology officer at Qualys, as well as a researcher, author, entrepreneur and former CISO.

Perhaps not. But a new book from the Information Security Group at Royal Holloway, University of London, sets out to act as a primer on cybersecurity.

The target audience is both those setting out on a career in the sector, or general readers who want to understand the core principles of cybersecurity.

The book is called Cyber Security Foundations: Fundamentals, Technology and Society, published by Kogan Page. In this episode, we ask three of it authors how it came into being, and how a written text can keep pace with a fast-changing security landscape.

This year's report is the 18th and tracks over 20,000 incidents and 12,000 breaches.

What changes are we seeing, and what can CISOs learn from the data?

Our guest is Ashish Khanna, who runs the security solutions and consulting practice at Verizon Business. Interview by Stephen Pritchard

What are the reasons for its success, and why does cyber play an important part in Northern Ireland's post-industrial future? And why should CISOs look there for a source of talent?

Our guest is Simon Whittaker, chair of the steering committee for NI Cyber, and CEO of Vertical Structure, now part of Instil.

Elastic describes itself as a “search AI company”, and is very much at the forefront of modernising enterprise technology.

A host of businesses use Elastic's tools behind the scenes to manage their data, for security and, of course, for AI.

As CISO, Mandy Andress has the dual responsibilities of keeping Elastic secure, and advising customers on security.

In this CISO interview, we hear about her route into cybersecurity and the pressures of dealing with the increasing intensity, or velocity of cyber attacks.

And we discuss why CISOs need to be more aware than ever of their role in providing security not just within their own organisations but across national infrastructure, and the wider economy.

The Council, which is funded by the Government's Department for Science, Innovation and Technology, acts as an umbrella body for a range of professional bodies in cybersecurity.

It is the organisation behind chartered status for cybersecurity professionals, sets standards and publishes an ethics code, and acts as a voice of the industry: quite a broad mission for an organisation that is only a few years old.

The Council is, though, very well placed to assess the health of the cybersecurity industry across the UK. And, as Dr Natanson says, it faces a number of challenges, including recruitment, retention, diversity, and ensuring organisations understand what they need from their cybersecurity teams.

But what, exactly, does pouring the perfect pint of Guinness have to do with a successful career in cyber?

Interview by Stephen Pritchard

A well-known industry figure and speaker on cybersecurity, James runs the family consultancy firm Bores. He's also an author, book publisher, cyber skills trainer and volunteer.

In this Insights Interview, he shares his forthright -- and sometimes controversial -- views on the way forward for cybersecurity, with editor Stephen Pritchard.

Does cybersecurity blame the victim? What is the relationship between trust and security? And why is investment in security sometimes a bad thing?

One survey suggests that as many as one in four senior cybersecurity leaders plans to leave the profession.

The causes include growing responsibilities, increasingly severe threats and ever-greater regulatory burdens.

The result is stress and burn out, with CISOs constantly fighting fires. As one of our guests says, CISOs suffer from an "invisibility of success".

So what can we do? The first step is to recognise the problem; the second is to help CISOs build both organisational and individual resilience.

Our guests are Darren Williams, founder and CEO of BlackFog, which commissioned the research, and Peter Coroneos, founder of mental health not for profit Cybermindz.

Sometimes, the answer is "to the limit".

In this episode we look at stress testing in cybersecurity. Putting systems under pressure is the only true way to check that they will work, as intended, during a cyber attack.

But how does stress testing differ from pentesting and cyber exercises? How far is too far, and how do security teams capture the right lessons from the testing process?

Our guests are Chris McKean, solutions specialist at NetApp, and Simon Edwards, founder and CEO at SE Labs.

The reasons are clear enough: ransomware damages reputations, as well as the balance sheet. in the worst case scenario, a business might never recover from an attack.

And ransomware itself is becoming more sophisticated, and so more dangerous. Groups have moved on from simple phishing and RDP attacks to exploiting zero days. And they are as likely to threaten to release confidential information, as they are to encrypt it.

As our guest suggests, ransomware has moved from an attack on availability to an attack on confidentiality.

When it comes to advising on the ransomware threat, few are better placed than Raj Samani. Senior vice president and and chief scientist at Rapid7, Raj is also chief innovation officer at the Cloud Security Alliance, a special adviser at the European Cybercrime Centre and a co-founder of No More Ransom.

Here he discusses the changing ransomware threat, and how organisations should act when they are attacked, with Stephen Pritchard.

A cyber attack is inevitably a highly stressful situation for everyone involved. But planning and exercising goes a long way to at least manage that stress.

Our guest for this episode is Dan Potter, senior director for resilience and cyber drills at Immersive Labs. He also has over 15 years' experience working in resilience in the financial services sector.

As he says, no playbook or incident response plan will be fully effective, unless the business takes the time to test it - and learn the lessons from the exercises they run.

In an in-depth interview, he discusses threats -- from nation states to business email compromise -- security awareness and culture, and the challenges of ensuring security to a highly distributed business with 26,000 people and over 1000 sites that operates around the clock.

How does a CISO gain the confidence, and support, of colleagues from baristas and chefs to general managers and finance teams?

How can a security team operate internationally and keep headcounts low?

And how can cybersecurity leaders ensure security does not become a blocker?

Interview by Stephen Pritchard

But their make up, and their goals, have changed.

Hacktivism is no longer about "hacker" or counter culture or protest. Instead, it appears increasingly aligned with political objectives.

And some of today's  groups at the very least aligned to, if not sponsored, by nation states.

Perhaps hacktivism is no longer the right term. Researchers are now talking about groups that set out to undermine trust in both the online and physical worlds, and carry out what some security researchers call “cognitive warfare”.

As part of its 2025 Security Navigator report Orange Cyberdefense tracked one hacktivist group in detail. Our guest is their head of security research. In this episode, he tells editor Stephen Pritchard what his team have discovered, from watching one particular group, and a renewed interest in hacktivism more broadly.

But there’s also plenty who argue that AI offers a chance to improve security. Certainly there are plenty of vendors promoting AI-enhanced versions of their products, promising to react faster, and pick up more threats.

Which side, though, will win out? And should cybersecurity professionals fear AI, or see it as an ally?

Our guest this week is Jon France, CISO at ISC Two. On the back of the organisation’s recent Cybersecurity Workforce Study, he discusses AI, good and bad, with editor Stephen Pritchard.

And does workplace stress in the industry threaten security?

Stress and burnout among cyber teams are now a real worry for CISOs. And our guest for this episode argues that they should be a concern for boards too.

Stressed-out operators underperform and make mistakes. Burned out staff are more likely to leave, forcing firms to spend more on hiring and training replacements.

So how should employers spot the signs of stress? And what can we do as individuals to avoid burn out?

Our guest is Katie Maycock, of GYST Wellbeing.

The growth of online espionage, the potential for attacks by state actors, and governments turning a blind eye to cybercrime are all increasing risk.

At the same time, our growing dependency on connectivity, in government, in critical infrastructure and for day to day business, makes cyberspace an attractive target.

But it's not always been this way. In the early days of information and IT security, nation state threats were rare.

But, as Steve Durbin, CEO of the Information Security Forum points out, a lot has changed over the last few decades, and especially in the last few years.

In this Insights Interview editor Stephen Pritchard asks whether we are now more at risk than ever, if the current level of cyber threats could spill over into a more overt conflict and whether organisations have the resources to operate in a more dangerous world.

And there is no doubt that they can now be very convincing, to the point where they can deceive the human eye.

But are deepfakes just a bit of fun, or do they pose real security risks? Do the dangers lie in manipulating public opinion through fake news, or can deepfakes be used to breach security systems.

Our guest, Dr Andrew Newell, academic researcher and chief scientific officer at iProov, argues that both are happening. Security teams need to take steps to block deepfakes from compromising identity systems, but we all need to guard against their wider influence.

Interview by Stephen Pritchard

The SaaS revolution has certainly brought benefits to businesses.

But are SaaS applications secure and robust enough? Supporters of SaaS argue that their applications are actually safer and more resilient than locally-run IT.

However, Cloud vendors, including SaaS companies, rely on the shared responsibility model. In simple terms, they look after the infrastructure, but the customer is responsible for their data.

This can leave organisations with real problems, if their data is inaccessible, or even deleted.

This could be down to human error, malicious actions, such as a ransomware attack, or even a SaaS provider failure.

Our guest today is Simon Taylor, Founder and CEO of HYCU. He believes that SaaS users need to take more control of their data, even when it's in a SaaS application.

It's also pretty fragmented – at least when it comes to vendors. Europe -- even more so than the US -- is now ready for market consolidation.

Some of that is being driven by acquisitions by the large technology firms, as they look to broaden their cybersecurity offerings.

But firms, and their investors, are looking for scale.

And CISOs are looking for simplicity and greater security. Could vendor consolidation achieve this? And what is the role of cybersecurity "platforms" as the industry changes shape?

Our guest is Mark Smith, of advisory firm Houlihan Lokey.

Interview by Stephen Pritchard.

So what can CISOs do, to deliver training and security awareness in a way that is effective, and engaging?

Over the last few episodes we've discussed both the psychology, and human factors, around cybersecurity. To finish the series, in this programme we will look at experiential learning, or learning by doing.

Our guest is Amy Stokes-Waters. She delivers exactly that, by running escape rooms for organisations who want to improve security awareness, but want to move away from slide-heavy courses, and checkbox compliance. She's also written a paper on experiential learning in cybersecurity.

But does it work? She discusses cyber escape rooms, learning theory, and the pros and cons of measurement with editor Stephen Pritchard.

In this, the second of our short series exploring the links between human behaviour and security, we look at the emerging field of human risk management.

The statistics are quite frightening: 90 per cent of security breaches involve human error or social engineering.

But how do we, at a business level, categorise those risks? If we don’t understand the risks, we can’t reduce them.

A better understanding of where the risks are – and which behaviours are risky – makes it easier to design counter measures, such as training.

Our guests this week are Lev Lesokhin and Charlotte Jupp, of OutThink – an firm that’s pioneering human risk management.

We discuss what human risk management involves, and how security teams can make use of it, without crossing privacy boundaries.

Research suggests that the overwhelming majority of cyber breaches start with human error or poor practice. But despite investments in security training and security awareness, we still make mistakes.

Over the next three episodes, we will examine some of the human factors around cybersecurity, including human risk management, and how we change behaviour.

We'll start the series by looking at the psychology of cybersecurity, as well as how to measure change.

Our guest is Dr Thea Mannix, a neuroscientist and head of research at Praxis Security Labs

Even data specialists have been surprised by the rapid take up of generative AI and its benefits. But do we have the measure in place to guard against the potential security risks it brings?

It is not just malicious hackers who make AI tools such as chatbots a risk. Even something as simple as pasting information into a generative AI tool can cause problems. And he argues that we need to apply security's zero trust approach to AI too.

Interview by Stephen Pritchard

And whether it’s transport, logistics, healthcare, the banking system, manufacturing – even food production – industrial and operational systems are what keeps it all running.

Those systems are now being targeted by malicious actors. Both state-sponsored and criminal groups are looking closely at operational technology and industrial systems.

Recent research suggests that many, if not most, of the groups attacking critical national infrastructure are linked to national intelligence agencies. And that raises some difficult questions about how both businesses, and their governments, should respond.

Our guest is Mark Magpie Graham, technical director for threat intelligence at Dragos, who carried out the research.

But could more transparency and information sharing help defend against ransomware?

If more organisations disclosed attacks, we would have a clearer picture of the problem and be able to respond more quicky to new techniques or attack vectors.

That's the argument put forward by this week's guest.

Sabeen Malik is vice president of global government affairs and public policy at Rapid7. She has put together a ransomware disclosure framework, based around the "3 Cs" of capabilities, context, and collective action.

She tells Stephen Pritchard how it works, and why it could help.

Since then, there's been a debate on what cyber war means and what can be done to prevent it.

Some experts even suggest cyber war is already happening, even if it is mostly in the shadows.

For Peter Kestner, the rise of cyber attacks and an increasingly volatile geopolitical situation were just two of the reasons to examine cyber warfare in more detail.

Peter is both a keen student of history, and a cybersecurity professional with over 25 years' experience in consulting in the sector.

He decided to combine the two interests, and the result is his new book, "The Art of Cyber Warfare".

Peter believes that by looking into conflicts in the past, we can learn valuable lessons about how warfare, and especially cyber warfare, might develop. But history can also teach us how to improve our defences, against adversaries who are as comfortable attacking civilian as government or military targets.

• Please note this episode contains some stronger than usual language.

Indeed, constant change and the need to adapt is always a feature of cybersecurity.

And that’s why our guest this week lists curiosity as one of the key attributes for a cybersecurity career.

Mani Nagothu is field CISO at SentinelOne. Before that she headed up IT security for an energy company. That followed a career as a consultant.

But she didn’t start out in cybersecurity, but as an engineer. And the CISO’s role itself is becoming less technical, and more business focused, she says.

In this episode Mani talks to Stephen Pritchard about her career so far, what it takes to be successful as a CISO, and why greater diversity is the key to strengthening our security teams, and so our defences.  

Worldwide, there are close to 3.5 million vacancies in the industry. The problem seems to be worsening, not least because we are all doing more business online.

And moves to recruit and retain more staff, as well as to widen the talent pool, take time.

In the immediate term this leaves CISOs with gaps to fill. One option is outsourcing. Another is to use “on demand” cyber specialists. But how do these options work with building larger and more effective in-house teams?

Do they go hand in hand, or are the two measures likely to conflict?

In the second of the second of our three part series looking at the evolution of the CISO role, we speak to Victoria Parker, advisory professional services manager at Orange CyberDefense.

We discuss how external experts can help organisations secure their environments now - but how CISOs still need to invest in their own teams, and that critical talent pipeline.

IT and data security are increasingly important. But so too are physical security and resilience.

The chief business security officer, though, is a fairly new addition to the security team.

Over the next three episodes of the Security Insights podcast, we’ll look at the changing role of the CISO, the role interim or outsourced security professionals can play in plugging the skills gap.

We’ll cover the role of interim and virtual CISOs, and whether outsourcing parts of security can make up for a growing skills gap.

But first, we ask Anaïs Beaucousin, Chief Business Security Officer at ADP International, about her role, the threats and risks she manages, and what is needed to make the most of a broader security team.

But regulators and law makers are increasingly concerned about the money being paid out to ransomware groups -- often, it is used to fund further crime.

Should paying ransoms be banned? Would a ban improve security, or make matters worse? And what steps can organisations take, to cut the risk of falling victim to a ransomware attack in the first place?

Our guest this week is Ian Thornton Trump, CISO at Cyjax. He believes that calls to ban ransomware are misplaced; a ban gives firms fewer options when it comes to responding to an attack. And fines for paying ransoms is further punishing victims of cybercrime.

He discusses the development of ransomware, why it is so dangerous, and how to counter it with Stephen Pritchard.

Cloud operators, at least the larger ones, now have robust security in place. But that security is there, first and foremost, to protect their business. The "shared responsibility model" means that users are responsible for their data and applications.

The problem, as our guest this week identifies, is that senior managers fail to understand that point, and expect the cloud to fix everything.

It won't, and as Jennifer Cox, member of the global engineering team at Tenable, and director for Ireland of Women in Cybersecurity, warns "it always makes me a bit nervous when people think that something is foolproof".

In this episode, we speak to https://www.linkedin.com/in/johncapps/ at VIDA Digital Identify, and Ev Kontsevoy, CEO of infrastructure access firm Teleport.

They argue that relying on "secrets" and data to prove identity no longer guarantees security. Alternatives, including zero trust, hold out a lot of promise. But moving to zero trust needs the whole organisation behind it -- it's as much about culture as technology.

And are we seeing a shift from attacks based on data and ransomware, towards disruption.

In this episode, we welcome back a previous guest, Trevor Dearing.

Trevor is Director of Critical Infrastructure at Illumio.

Trevor’s work is increasingly focused on resilience, and helping organisations to survive and recover from attacks.

We discuss how organisations in the CNI space need to improve their ability to react to, and survive, a cyber attack.

After all, a failure to do so could cause widespread economic and social disruption.

DORA sets out to improve cybersecurity — or ICT risk management — across the EU’s financial services sector.

The Act covers both regulated firms and what the EU terms “critical third parties” in their supply chains. In fact managing third party risk is a big part of DORA, along with measures such as improved resilience testing, incident management plans, and strict reporting requirements.

Our guest is DORA expert and director of consulting firm SECFORCE Rodrigo Marcos.

But how will this operate, and will another code of practice -- alongside a host of existing laws and industry regulations -- help organisations be more secure?

We discuss this with our guest Amanda Finch, CEO of the Chartered Institute of Information Security.

Listeners can find out more about the proposed Code of Practice and the consultation on the UK Government's cyber security site.

In this episode, we look at why vulnerabilities have seen a steady uptick over the last few years, how identifying and securing vital web applications is essential to enterprise security, and why a fixation on technical CVEs does little to boost defences.

Plus, why both security pros and reporters like a pie analogy.

Our guest is Alex Kreilein, vice president for product security at Qualys. Interview by Stephen Pritchard.

Listeners can also view the Qualys research on the firm's blog.

In our first episode for Series 5, Security Insights is joined again by Chris Dimitriadis, Chief Global Strategy Officer at ISACA.

He explains why AI both poses risks, and offers benefits, why the cyber skills shortage is not going away, and how cybersecurity's voice needs to be heard by the board.

Interview by Stephen Pritchard.

Our special guest is the CEO of the Chartered Institute of Information Security (CIISec), Amanda Finch.

But there is more to cybercrime than ransomware, and the drivers behind online crime are varied too. And the scale of the problem means that few, if any, organisations can tackle it alone.

Our guest this week is security expert, chief scientist at Rapid 7 and Europol EC3 adviser Raj Samani. He talks to Stephen Pritchard about why cybercrime is far more than an IT security issue, and why a range of responses will be needed to reduce the threat.

Organisations need to act now, if they are they are to secure their data and their operations, argue this week's guests.

Ramy Shelbaya is CEO and co-founder of Quantum Dice. That’s a business spun out of Oxford university’s quantum optics lab –  and which is now using quantum mechanics to create a self-certifying quantum random number generator.

And Axel Poschmann is a cybersecurity expert with a background in both the industry and academia. Currently, he works at PQShield, another business with links to Oxford, and which specialises in quantum-resistant cryptography.

We asked them to explain why quantum threatens security, and what CISOs can do about it.

Interviews by Stephen Pritchard

The Act will apply to hardware and software. The idea is to make it easier to update devices, and to fix any vulnerabilities.

Why, then, has a group of cyber security professionals written an open letter to the European Commission asking them to change a key part of the proposed rules?

Experts are concerned that, by requiring organisations to disclose vulnerabilities within 24 hours, the Act could increase, rather than reduce, risks.

Our guest today is Christine Bejerasco, CISO at WithSecure and one of the signatories of the letter.

We asked her to set out the background to the Act, and why so many security professionals fear it could have unintended consequences.

Interview by Stephen Pritchard

And this matters, because open source is now the building block of almost all enterprise software, web applications, and even the code that runs consumer technology.

But open source can be secure. It just needs developers, and the organisation they work for, to think about security throughout the software lifecycle.

With guest Brian Fox, CTO and co-founder at Sonatype.

Both the private and public sectors need more skilled security professionals, as more operations go online. And there is only so much the education system, or training within the business, can do to solve the problem.

So do we need to rethink how cybersecurity operates? Perhaps it is time for the industry to undergo its own digital transformation, and look at automation to take the load off human professionals.

Our guest is Marie Wilcox, board director at the Chartered Institute of Information Security and also security evangelist at Panaseer.

None the less, organisations are not doing enough to ensure that they can continue to operate during a cyber attack, and recover from it.

And the latest UK Government Cyber Security Breaches survey goes further, suggesting that not only are organisations failing to invest in cyber security, but in some cases, are going backwards. They are paying less attention to the basic "cyber hygiene" measures that can help prevent breaches in the first place.

Our guest this week is Prof. Steven Furnell, professor of cyber security at Nottingham University,a senior member of the IEEE, and one of the researchers for the Cyber Security Breaches survey. 

In this episode he discusses the pressures that could be prompting organisations to cut back on security, comparisons between cyber and "physical" crime, the need for awareness and resilience and what we need to do in a world where cyber attacks are now endemic.

Interview by Stephen Pritchard

And attacks are spreading to smaller health care outfits, such as ambulance services, suppliers to the health care system, and the pharmaceutical industry.

Much of this is being driven by ransomware, but we are also seeing more complex attacks.

How can healthcare organisations protect themselves?

Our guest is Trevor Dearing, Director of Critical Infrastructure at Illumio, who reports that a growing percentage of his work now involves the health sector.

In this episode we speak to Prof Richard Benham, a UK Government adviser on cyber security, the first professor in cyber security management, Patron of The National Museum of Computing at Bletchley Park, and non-executive director at Emerge Digital.

He believes that, in some ways, a cyber war has already started. He speaks to editor Stephen Pritchard about the reasons why, and sets out what organisations can do to protect their digital assets and infrastructure.

Or have they?

There is growing evidence that data breaches and attacks, such as ransomware, are exploiting gaps in cloud security.

All too often, this is because security measures have not been deployed, or cloud resources are misconfigured.

And bad actors can exploit those gaps, possibly within just minutes.

Research by vendor Qualys, for their Totalcloud Security Research Insights report, found that in some cases, close to two thirds of cloud instances were misconfigured, and half of internet facing assets were not patched.

In his episode, Paul Baird, Qualys’ EMEA CTSO, discusses the findings – and explores what might be behind them – with editor Stephen Pritchard.

A lot of the ways we identified and trusted the people, and organisations in the physical world are not easy to replicate online.

And, as well as removing the human traits that help us to establish trust – from eye contact or a handshake, to a tone of voice – it's becoming harder to identify if another person is who they say they are. In fact, it's now hard to be sure if they are a person at all.

Digital trust is one answer. And our guest this week is an expert in the field. Rolf von Roessing is one of the lead authors of ISACA's digital trust framework. And, as he explains to Stephen Pritchard, understanding digital trust will be ever more important to any organisation that operates in the digital world.

But improvements in computing power and AI, as well as more powerful sensors, have opened up entirely new fields, such as remote surveillance.

Are we comfortable with systems that can pick out a face from a crowd?

And how do we feel about artificial intelligence making decisions about those images, such as whether someone’s actions look suspicious?

Our guest is one of the leading experts on these issues. Tony Porter was formerly the UK Surveillance Camera Commissioner, and a former senior police officer. He’s now the chief privacy officer at Corsight – a developer of facial recognition software.

He argues that surveillance, biometrics and even AI will make us more secure – but only if we can secure the technology itself.

Interview by Stephen Pritchard

When John Stenton took over as head of IT at housing provider Thrive Homes, he admits technology was a "bit of a mess". And a lot needed to be done, both to review security and to reassure the board.

Thrive Homes is fairly typical of the type of mid-sized organisation that didn't see itself as being in the cyber front line. But, as Stenton explains, any organisation can be a target especially when they are handling seven-figure property transactions.

Here, he talks about his decision to bring in an outside consultancy, the work they did, and the impact this had on Thrive's security capabilities. And we are also joined by Kerry Jones from that partner, DigitalXRAID, where she is head of compliance and information security.

Interview by Stephen Pritchard

And with CISOs' growing emphasis on resilience in the face of cyber attacks, perhaps it is time to look at the human factors involved in combatting and recovering from an incident.

How can we help our teams make the right decisions, and cope under pressure?

In this episode, we look at an investigation into workforce resilience, carried out by Osterman Research for Immersive Labs. Our guest is Immersive Labs' VP of Cyber, Max Vetter.

These include the Cyber Resilience Act, and DORA.

DORA -- or the Digital Operational Resilience Act -- looks to improve overall ICT resilience in the financial services sector. But as our guests this week point out, its impact is likely to be felt by other sectors too.

The Cyber Resilience Act is more broadly based, and sets out baseline security requirements for both hardware and software or, as the text states, anything with a digital element.

Security Insights editor Stephen Pritchard discusses the background to the new laws, and what they mean for business with CREST EU council chair, Rodrigo Marcos Alvarez, and Dominik Samociuk, of Future Processing and the Silesian University of Technology, Poland.

CREST is a non profit organisation focused on building standards in cyber. This includes accreditation of companies and certification of individual cybersecurity professionals.

The cybersecurity sector faces a number of challenges: professionalisation, improving diversity, dealing with a stubborn skills shortage and the potential, and potential threats, of AI.

So how does the industry — and the organisations it serves — move from what Johnson describes as a “market failure” to a collaborative world based on a network of trust?

And how can cybersecurity professionals harness technology to do more?

Interview by Stephen Pritchard

According to research by analysts Forrester, nation state attacks are becoming both more frequent, and more severe. And attackers have widened both their objectives, and their methods.

But can organisations, especially in the private sector, defend themselves against these attacks? Forrester has put together a model setting out one way to do just that.

Our guest is Allie Mellen, senior analyst covering cybersecurity at Forrester, and lead author on the research, which is summarised here.

A growing number of significant security breaches have been caused by vulnerabilities in the software supply chain.

But should we now start to look beyond just software, and look at data too?

Jon Geater thinks we should. The keynote speaker at this year’s CRESTCon Europe, Jon is co-founder at RKVST and co-chair if the IETF’s supply chain integrity, transparency and trust working group.

Here, he discusses with editor Stephen Pritchard how we need to go beyond just software bills of materials and start to look at documents and data too, if we are to prevent disruption to the business.

This poses dilemmas for operators of critical infrastructure.  Devices and applications developed to run on standalone infrastructure, often with specialist operating systems, are not designed to work safely online.

How, then, can organisations operating critical national infrastructure, protect their systems from cyber attack and still benefit from connectivity to the outside world, as well as the economies of off the shelf technology?

Our guests today are both experts in protecting health care systems.

Jonathan Langer is COO Claroty Medigate, which focuses on securing the Internet of Things in health care.

And Adam Zoller is cyber security lead for Providence, a system of compassionate healthcare providers on the west coast of the United States.

They joined editor Stephen Pritchard to discuss why attackers target CNI and health care technology, where the weak spots lie, and how organisations can improve their security without disrupting vital business operations.

But that's not all it does. The organisation is involved in standards as well as developing developing tools for secure and software development and driving areas such as digital trust.

That puts ISACA in a very good position to take the pulse of the cybersecurity industry. Our guest for this episode is Chris Dimitriadis, who is their Chief Strategy Officer.

In a wide ranging interview, he discusses the growth of nation state threats and cybercrime, the industry’s focus on ransomware, and how organisations need to pay more attention to response and recovery from a cyber attack. We also cover the need for better collaboration between firms, and government to counter cyber threats.

And, of course, we look at industry’s on-going skills crisis.

And increasingly, these attacks are either targeting commercial organisations, to gather intelligence, steal intellectual property or simply for political or diplomatic leverage.

Even if there is no specific hostile intent, businesses and public sector bodies risk being caught in the spill over from attacks aimed elsewhere.

Can organisations defend themselves against an attacker with the resources of a nation state behind them? And how does the nation-state threat rank against other risks?

Our guest this week is Rafe Pilling, principal security researcher at Secureworks’ counter threat unit. He is also a specialist in nation state attacks, with a focus on Iran and the Middle East.

In this episode he breaks down the modus operandi of attacks originating from, and targeting, that region. But, he suggests, there are defensive measures organisations can take that will protect against both nation state attacks and other threats, such as ransomware.

Interview by Stephen Pritchard

But is the industry itself at least partially to blame?

From recruitment processes to training, development and retention, and a lack of diversity, there is certainly work to be done. And with no let up in cyber threats, and a growing demand for skilled staff, this needs to be tackled with urgency.

Our guests this week are setting out to do that. Sally Walker is a former director of cybersecurity at GCHQ. She is now neurodiversity champion at WithYouWithMe, a social impact company looking to change the way we hire staff across the technology industry. And she is joined by former police officer Jim Fox, now a security consultant at Capita.

With financial pressures, rising inflation, the continuing aftermath of the pandemic and the ongoing challenge of recruiting skilled people – especially for technical roles – it would be understandable, if privacy had slipped down the agenda.

Our guest this week, though, argues that it is wrong to overlook privacy concerns and data protection.

Camilla Winlo is head of data privacy at Gemserv. She points to new legislation, the need to use data to create competitive advantage and even the growth of AI as reasons to pay attention to data privacy.

So should it still be a board level concern?

But GPT-3 and generative AI can be misused, and could make it easier to carry out cybercrime or create fake news. Although ChatGPT has safeguards built in, the tools to create natural language text are becoming cheaper.

Security researchers at Finnish firm WithSecure put this to the test, in an EU supported project. They used a range of scenarios to see how "prompt engineering" could be misused, and how we can guard against it.

Our guest is WithSecure's intelligence researcher, Andy Patel. The full research report is also available for download.

The challenge for IT directors and cybersecurity leaders, though, is that teams, technologies and practices exist in their own silos. This makes it harder for a business to defend itself, and harder for it to recover if defences are breached.

Our guest this week is Elizabeth Green. She is European advisory and cyber leader at Dell Technologies. Her background is in data and data protection – joining Dell when it acquired storage vendor EMC – so she has a deep understanding of both the need to protect data, as well as the need to link data protection and recovery.

She is also an advocate for greater diversity in cybersecurity and the wider tech industry – without that diversity, organisations will always be more vulnerable than they should be.

But how true is that? Organisations face both increasing threats and increasing regulatory burdens. And often, CISOs and other business leaders lack a true picture of good practice.

This has prompted security researchers at Panaseer to develop a series of real-world security benchmarks.

The research came up with 18 steps, that look more deeply at security standards and controls. The paper also sheds light on why some organisations still fail to carry out basic cyber hygiene measures, and how businesses can improve.

We asked the report’s author, Charlotte Jupp, to explain the ideas behind the research.

National infrastructure is under attack from both nation state actors, and from ransomware gangs and other crime groups.

And, as the war in Ukraine has shown, energy and power generation is especially vulnerable. Are we set to see more politically motivated cyber attacks, and are we likely to see more use of cyber warfare, alone or in combination with conventional military tactics?

Our guest this week is Jon Moran, a law enforcement veteran and former incident response consultant. He is now technical director at Tufin, where he is a close watcher of CNI and the risks it faces.

We look at Log4J, ransomware and "wiper" malware; the geopolitical situation and how the war in Ukraine is impacting cyber security, and the ongoing challenge of the industry's skills shortage.

And we review CISOs' priorities for the coming year, changes in both the threat environment and the regulatory landscape, and discuss security teams will need to handle ever more complex relationships as they look to protect supply chains.

Our guests are Sue Milton, of ISACA, and ISC(2)'s Jon France. Interviews by Stephen Pritchard.

And the conflict has, inevitably, brought an increase in cyber attacks against both Ukraine and its supporters.

That those attacks have not done more damage, or achieved a higher profile, is largely down to the defensive capabilities both of Ukraine and NATO.

But increasingly Russia is trying to combine cyber with physical attacks on critical infrastructure in Ukraine. How can states defend themselves against these blended attacks, and new vectors such as wiper malware? And what can NATO, and other countries, learn from Ukraine's experience?

Our guest this week is Lauri Almann. He was working at Estonia's Ministry of Defence when his country came under cyber attack in 2007. He is now co-founder and chairman of CybExer, a company that runs cyber attack simulations for NATO and other governments, as well as industry.

Here, he analyses what we have seen so far in Ukraine, and what it means for cybersecurity in the West.

As security teams have improved their defences, especially around email, so the attackers have adapted too. They are using fake web apps, blog posts and even exploiting the way search engines operate, to spread malware.

In this episode we speak to Ray Canzanese, the director of Netskope’s Threat Labs and the organisation behind the research. He explains the new attack vectors, and how we can counter them, to Stephen Pritchard.

And although take up has been fastest among consumers, businesses and the public sector are looking to 5G as well, as it offers a boost in both performance and flexibility.

Applications include the internet of things, logistics and transportation, as well as telemedicine and public safety.

But 5G could also come with a significant security impact. It offers a greater attack surface, and organisations will need to adapt if they are going to run most, perhaps all, of their business processes outside the conventional perimeter.

This week’s guest — Nathan Howe, VP of emerging technology and 5G at cloud security company Zscaler — sets out some of the risks associated with 5G, and how organisations can put it to use without compromising security.

Expanding the pool of potential talent is a key to this.

Until recently, though, little attention was paid to neurodiversity, and the idea that neurodivergent candidates -- including people with ADHD and autism -- can be highly effective cyber specialists. 

But neurodivergent people face challenges entering into the workforce. Often, very bright and talented people face long-term unemployment, as conventional recruitment and career pathways are not adapted to their needs.

In this episode, we hear from two business leaders who are trying to change this. Rob Demain is CEO and founder of e2e-assure, and Emma Philpott is CEO of IASME.

We asked them about the work they have being doing with neurodivergent applicants, and employees, and the results they have seen,

Could it be that we need a new approach to security?

Our guest this week is Jason Hart, CTO, EMEA at Rapid7. He argues that the problem is that we are spending money, but are not making security part of the culture, or central to how we do business.

In this episode, we look at whether a new approach could both make organisations safer, and produce a return on investment from all that spending.

Security firm NETSCOUT runs one of the largest monitoring projects for DDoS attacks. They have, for example, seen falls globally in DDoS activity, but an increase in the EMEA region.

Deterring and prosecuting those behind the attacks is as hard as ever, argues Richard Hummel, ASERT Threat Intelligence Lead, at NETSCOUT.

But, he says, there are steps organisations can take to counter the threat, and to keep critical online services working.

But convincing consumers, and firms, to use stronger passwords remains a struggle

Steven Furnell is a senior member of the IEEE, and professor of cybersecurity at the University of Nottingham.

For the last 15 years, he has been tracking the password policies of leading web and ecommerce sites.  Do they, for example, allow weak or easy to guess passwords?

And how easy do they make it for users to pick stronger passwords, or to use alternatives such as multi-factor authentication?

The answers have implications, not just for security online, but for the way we use passwords in business too.

Interview by Stephen Pritchard

Cyber threats have risen steadily over the last few years, and the move to digital business has created its own security challenges.

But at the same time, conventional risks have not gone away. Only recently we've seen wildfires and floods. And we are still feeling the after effects of the global pandemic.

How does an organisation balance physical threats and cyber risks, against the need to become more efficient and to grow? And how do we measure the risks we have to accept? Our guests this week are Pauline Losson, director of cyber operations, and Todd Carroll, CISO, at CybelAngel.

Interview by Stephen Pritchard

Over the last few episodes on Security Insights, we’ve looked more deeply at the skills skills shortage. But is the problem as much down to matching candidates to roles, as it is finding the right people?

And are organisations failing to do enough to develop the staff they do recruit, and so ensuring they stay?

In week's episode, our guest Michael Smith, field CTO at Neustar Security Services, argues that the issue goes beyond skills alone. And firms need to invest more in security, and in their staff, to keep up with the move to digital business.

Interview by Stephen Pritchard

In this week's episode, VMWare's senior security advocate, Karen Worstell, argues that we might need to go back as far as early years education. Then, of course, we need to maintain and develop that interest, as a young person moves through education and on to their career.

And there's also more industry can do, from developing people at the starts of their careers to improving the levels of built-in security in any connected device, she says.

Our guest this week is Tia Hopkins. Based in New York, she is field CTO and chief cyber risk strategist at eSentire.

In addition, Hopkins teaches cyber security, is working on her PhD, and is CEO of Empow(H)er Cybersecurity, which mentors women of colour in the cyber security industry.

How, then, do we encourage more people to join the cyber security world. Should we, as Hopkins says, hire for aptitude, rather than experience? And how do we look beyond the CV?

Interview by Stephen Pritchard