Episodes

Thursday Dec 18, 2025
Resilience in cyber: an agony aunt's view
Cybersecurity is about building resilient organisations. But this is impossible without resilient people.
Cyber defence is often a highly pressured working environment. And it can be lonely too. But if teams are unable to function at their best, attackers will exploit this.
In the second of our two episodes on cyber resilience, we look at its human side.
Our guests are Rebecca Taylor, threat intelligence knowledge manager and human intelligence researcher at Sophos, and Amelia Hewitt, director of cyber consulting at Principle Defence. They're also known as the Cyber Agony Aunts.
They discuss steps organisations, and individuals, can take to improve their resilience with Stephen Pritchard.

Wednesday Nov 26, 2025
Calm under fire: the importance of cyber resilience
Cybersecurity is changing its focus.
Increasingly, it is less about defence and more about resilience.
Organisations have to be able to withstand and recover from an attack. It's no longer about preventing breaches: the sheer volume of cyberattacks means that is no longer possible.
Instead, security teams and boards should assume an attack will happen, prepare to keep the organisation operating during an incident, and aim to recover as quickly as possible.
Our guest is James Blake, VP of global cyber resiliency strategy and consulting services at Cohesity.
He argues that this means integrating business continuity and disaster recovery with cybersecurity. And organisations should rehearse for cyber incidents, training staff to operate under what can be extreme pressure.
A good playbook, Blake suggests, is not enough.
Interview by Stephen Pritchard.

Thursday Nov 13, 2025
Insights Interview: Chris Dimitriadis, ISACA
This year has not been easy for cybersecurity teams.
Businesses continue to face cybercrime and state-sponsored attacks, especially ransomware.
AI is proving to be a double-edged sword, helping both defenders and malicious actors.
And there are the ongoing issues of skills, recruitment and retention.
How, then, do cybersecurity professionals navigate their way through all these challenges? And what should they prioritise for 2026?
For this episode, we're pleased to welcome back Chris Dimitriadis, chief global strategy officer at ISACA.
Interview by Stephen Pritchard.

Thursday Oct 30, 2025
Ukraine, cyberwar and CNI
Critical infrastructure is on the front line of the war in Ukraine.
And as the conflict approaches its fourth year, there is little sign of that changing.
Strikes against infrastructure, though, are only part of the picture. Since Russia’s full-scale invasion, and even before, Ukraine’s defenders have waged an equally intense, but less visible, cyber war.
What lessons can we draw from Ukraine’s experience?
And how can states and businesses protect their critical national infrastructure during war and conflict? And how do the public and private sector deal with the prospect of both kinetic and cyber threats?
We discuss this with Mihoko Matsubara, author, associate fellow at the International Institute of Strategic Studies and chief cybersecurity strategist at NTT Corporation.

Thursday Oct 16, 2025
Bug bounties: risks and rewards
A growing number of organisations now offer "bug bounties", paying hackers or security researchers rewards for finding vulnerabilities.
But how do these programmes operate, and how do CISOs ensure that they are run ethically? What are the risks of inviting researchers to hack your organisation? How do bug bounties stack up against other methods of security testing?
And what are the benefits to security researchers themselves, as the programmes cannot work without hackers?
We cover the pros and cons of bug bounties with Ottilia Westerlund, hacker engagement manager at bug bounty platform Intigriti, and herself a former software engineer and published security researcher.

Thursday Oct 02, 2025
DDoS, geopolitics and AI
DDoS – or distributed denial of service attacks – remain a serious source of disruption across the internet.
DDoS attacks continue to grow in their frequency and volume. And increasingly, they’re aligned to geopolitical events.
One driver is sites offering “DDoS for hire”. The groups behind these sites even offer DDoS-as-a-service attacks for free. But cybercrime groups are making use of AI too.
This is leading to what researchers at NETSCOUT describe as a “digital battlefield”, with DDoS attacks overwhelming underprepared defenders.
Our guest is Richard Hummel, director of threat intelligence at NETSCOUT.

Thursday Sep 18, 2025
Cyber skills: a crisis of our own making?
Is cybersecurity's skills crisis one of its own making?
And why have initiatives to close the skills gap made relatively little impact?
In this episode, our guests Thom Langford, of Rapid7, and Lee Munson, of the ISF, discuss career changes, hiring practices, certifications and what needs to change with editor Stephen Pritchard.

Thursday Sep 04, 2025
Defending education: countering the cyber threat
Education is increasingly in the crosshairs for malicious actors. Along with other public sector bodies, schools, colleges and universities are being targeted for the information they hold, as well as for extortion and ransom.
What, then, can leaders in the sector do to bolster their defences, especially when budgets are under pressure?
Our guest is Joe Rooke, director of risk insights at Recorded Future’s Insikt Group.

Thursday Aug 21, 2025
Vulnerabilities, CVEs and the attack surface
In this episode, we discuss whether vulnerability scores are still a viable tool when it comes to measuring cyber threats.
Both CVEs and CVSS are core security tools. But, our guest this week argues, they are often misused. In a worst case scenario, they add little to effective defence, and can divert security teams from the real threats.
Tod Beardsley is VP of security research at runZero, is on the board of the CVE Project, and is a former official at CISA.

Thursday Aug 07, 2025
Human risk factors: cybersecurity's weak spot
More than three quarters of security breaches result from human behaviour.
But as an industry, we focus far more on technical security measures than on the human element.
Human risk management sets out to change this. Its proponents argue that by measuring what people do on networks and systems, we create a much clearer picture of risk.
In fact, they say, the risks posed by people should be on the business' risk register.
And it's only with that picture that we can implement the controls, and measures such as security awareness and training. But human risk management goes far beyond anti-phishing campaigns.
Our guest is Ashley Rose, co-founder and CEO of Living Security.
With a background in both marketing and psychology, she’s setting out to help organisations move away from focusing on devices, and to a human-centric view of security.

