Episodes

Thursday Oct 30, 2025
Ukraine, cyberwar and CNI
Critical infrastructure is on the front line of the war in Ukraine.
And as the conflict approaches its fourth year, there is little sign of that changing.
Strikes against infrastructure, though, are only part of the picture. Since Russia’s full-scale invasion, and even before, Ukraine’s defenders have waged an equally intense, but less visible, cyber war.
What lessons can we draw from Ukraine’s experience?
And how can states and businesses protect their critical national infrastructure during war and conflict? And how do the public and private sector deal with the prospect of both kinetic and cyber threats?
We discuss this with Mihoko Matsubara, author, associate fellow at the International Institute of Strategic Studies and chief cybersecurity strategist at NTT Corporation.

Thursday Oct 16, 2025
Bug bounties: risks and rewards
A growing number of organisations now offer "bug bounties", paying hackers or security researchers rewards for finding vulnerabilities.
But how do these programmes operate, and how do CISOs ensure that they are run ethically? What are the risks of inviting researchers to hack your organisation? How do bug bounties stack up against other methods of security testing?
And what are the benefits to security researchers themselves, as the programmes cannot work without hackers?
We cover the pros and cons of bug bounties with Ottilia Westerlund, hacker engagement manager at bug bounty platform Intigriti, and herself a former software engineer and published security researcher.

Thursday Oct 02, 2025
DDoS, geopolitics and AI
DDoS – or distributed denial of service attacks – remain a serious source of disruption across the internet.
DDoS attacks continue to grow in their frequency and volume. And increasingly, they’re aligned to geopolitical events.
One driver is sites offering “DDoS for hire”. The groups behind these sites even offer DDoS-as-a-service attacks for free. But cybercrime groups are making use of AI too.
This is leading to what researchers at NETSCOUT describe as a “digital battlefield”, with DDoS attacks overwhelming underprepared defenders.
Our guest is Richard Hummel, director of threat intelligence at NETSCOUT.

Thursday Sep 18, 2025
Cyber skills: a crisis of our own making?
Is cybersecurity's skills crisis one of its own making?
And why have initiatives to close the skills gap made relatively little impact?
In this episode, our guests Thom Langford, of Rapid7, and Lee Munson, of the ISF, discuss career changes, hiring practices, certifications and what needs to change with editor Stephen Pritchard.

Thursday Sep 04, 2025
Defending education: countering the cyber threat
Education is increasingly in the crosshairs for malicious actors. Along with other public sector bodies, schools, colleges and universities are being targeted for the information they hold, as well as for extortion and ransom.
What, then, can leaders in the sector do to bolster their defences, especially when budgets are under pressure?
Our guest is Joe Rooke, director of risk insights at Recorded Future’s Insikt Group.

Thursday Aug 21, 2025
Vulnerabilities, CVEs and the attack surface
In this episode, we discuss whether vulnerability scores are still a viable tool when it comes to measuring cyber threats.
Both CVEs and CVSS are core security tools. But, our guest this week argues, they are often misused. In a worst case scenario, they add little to effective defence, and can divert security teams from the real threats.
Tod Beardsley is VP of security research at runZero, is on the board of the CVE Project, and is a former official at CISA.

Thursday Aug 07, 2025
Human risk factors: cybersecurity's weak spot
More than three quarters of security breaches result from human behaviour.
But as an industry, we focus far more on technical security measures than on the human element.
Human risk management sets out to change this. Its proponents argue that by measuring what people do on networks and systems, we create a much clearer picture of risk.
In fact, they say, the risks posed by people should be on the business' risk register.
And it's only with that picture that we can implement the controls, and measures such as security awareness and training. But human risk management goes far beyond anti-phishing campaigns.
Our guest is Ashley Rose, co-founder and CEO of Living Security.
With a background in both marketing and psychology, she’s setting out to help organisations move away from focusing on devices, and to a human-centric view of security.

Thursday Jul 24, 2025
AI, Testing and Red Teaming, with Peter Garraghan
Artificial intelligence is often described as a "black box". We can see what we put in, and what comes out. But not how the model comes to its results.
And, unlike conventional software, large language models are non-deterministic. The same inputs can produce different results.
This makes it hard to secure AI systems, and to assure their users that they are secure.
There is already growing evidence that malicious actors are using AI to find vulnerabilities, carry out reconnaissance, and fine-tune their attacks.
But the risks posed by AI systems themselves could be even greater.
Our guest this week has set out to secure AI, by developing red team testing methods that take into account both the nature of AI, and the unique risks it poses.
Peter Garraghan is professor at Lancaster University, and founder and CEO at Mindgard.
Interview by Stephen Pritchard

Thursday Jul 03, 2025
Non-human identities: the rise of the machines
Non-human identities now vastly outnumber human actors on the internet, perhaps by as many as 50 to one.
APIs, online devices and service calls now dominate internet traffic, and access requests.
And this is only set to increase, with the rise of AI and AI agents.
Could we even see "robot wars" as AI agents take on AI defenders?
A lack of visibility, and a lack of control over machine identities is not just putting systems and networks at risk.
It is changing the whole concept of identity.
Now, it's no longer a question of who has access to our systems and data, but what. And the consequences for cybersecurity are far reaching.
Our guest is Art Gilliland, CEO at Delinea. Interview by Stephen Pritchard.

Thursday Jun 19, 2025
Balancing risk and security: Rich Seiersen
Managing cybersecurity is increasingly about managing risk.
It's not possible to stop every attack or prevent every breach. So CISOs need to link the likelihood and impact of an incident to the damage it does to the organisation.
But do security teams understand business risk? And do business leaders fully appreciate the threat from cyber attacks?
Our guest is Richard Seiersen, chief risk technology officer at Qualys, as well as a researcher, author, entrepreneur and former CISO.

