Adam Myers
Hello and welcome to our podcast: Tales from the CyberLab. My name is Adam Myers, I’m joined today by Stuart Coulson. Thank you for joining us Stuart.
You’re from HiddenText and we’re going to be discussing today around cyber leadership as a CISO. Just a quick introduction for any frequent subscribers: I’m a new host, but I’m the Sales Director at CyberLab and I’ve worked in technology and cyber security for around 14 years, and I’m going to be bringing you all the latest guests in the space of technology and cyber security. But Stuart, just tell us a little bit about what you do and your role please.
Stuart Coulson
Yeah, so I’m Stuart Coulson, Director/Owner of HiddenText, which is my own consultancy. I am also the (this fits on the business card in little tiny letters): Cyber Ecosystem Project Manager for the University of Manchester, essentially making Manchester home of cyber. I wish they’d just put that on the business card. It would’ve fit a lot easier. But yeah, that fantastic question of how long have you been in cyber? It’s always a tough one. I turned 50 last year and so yeah, I’ve been in for a long time. My first ever job was on a Windows 3.11 machine with a 56K dial-up. For those who dunno what that is, go look up a floppy disc. But yeah, I’ve seen and done most of what we have in the industry, which is good. It means that when you sit down in a leadership position, you know the pain that’s going on on the actual floor.
Adam Myers
I think that’s going to be relevant for today, isn’t it? Understanding the challenges that probably leaders are facing and cyber crime is on the rise and what can they do to prevent things from happening. So I guess the first topic leads on nicely is why business leaders need to rethink cyber security. So the question I’ve got is why is cyber no longer just an IT issue and how can CISOs help business leaders truly understand their role in cyber resilience?
Stuart Coulson
So it is an interesting topic. It’s one I’m really passionate about because I think I’ve long seen from the other side as well. Cyber’s lived in an ivory tower, hand-grenaded out policies. “Thou shalt do” or “thou shalt not do”. And it has always been seen as this almost kind of an angry place in the business that where all good ideas go to die because you’re not allowed to do that because, well, we have to do this on a firewall and then there’s this and there’s a million excuses get thrown out. So cyber’s always been the blocker, whereas where I prefer to see is cyber security is an enabler and it sounds very cliche to say that, but the practical side of it. So in my last role where as a Deputy CISO, the first thing we led was comms. So rather than the security awareness, long-term passwords, we read it, we started with awareness of security. So this is the security function, this is what we do, this is what we don’t do. So we were very clear in understanding “that’s an IT issue, this is a cyber issue”. It then meant that when people had problems or whether they wanted some advice, they were going speaking to Dave and Rachel and the whole team we had, the names were there that people could relate to. It also meant that instead of going dumb people inside where they’ve stopped me from doing this, it’s a bit harder to say when it is “Adam”. It’s a little bit harder to have a go at someone because they actually have a name. So leading by and having the personalities in there and also humanising cyber. We live behind every letter on a Scrabble board and we’ve gone way beyond XDR/MDR. Now we’re way into the crazy stuff now because we’ve got AI, we can throw all the actual AI XDR, let’s have that one out there. And because of that it takes what we actually do out the equation. I find that quite challenging actually because we do a lot of good stuff and we really do fight hard on the coalface and we don’t see that recognition enough.
So let’s explain things in the human terms. It’s no longer an XDR, it’s the thing that protects your laptop. Let’s take away the jargon speak and we’ve known this for years, we just don’t do it. So for anyone who’s looking as an aspiring CISO or if you’re in a senior leadership team and things aren’t working, strip it right way back. What is it you do? We’re here to protect the business. We’re here to protect the data and speaking those business words, forget the cyber language. It’s not an interesting language.
Adam Myers
It’s simplifying it in a way as well. And also I do think that we’re…cyber security is just as much about enablement and functionality. It’s not all about bunkering everything down and locking things away.
Stuart Coulson
A hundred percent.
Adam Myers
And I think that mindset shift, like you said, is something that a business can hopefully learn from. We’ve gone through that process ourselves. So I guess, yeah, the CISO must translate threats into business language and I guess challenges and how we overcome them and take that to the board in that method as well.
Stuart Coulson
I think if you take the recent example for those who are watching this in the future, Marks & Spencer have been hit very recently by a criminal collective and let’s be clear with the language hacker and criminal. So the criminal collective has hit Marks & Spencer’s and it’s a live incident right now, but what’s the point in calling scary spider? What does that mean to anybody? What you want to say is that a team of teenagers have been able to dupe human beings to click a link and that has caused this. Everyone now understands that we’re all going to go, oh, poor person who had to click the link, they’re all right because immediately we would move into defensive. That’s human to human. But if it’s scary, spiders maliciously sending a phishing email which caused the cross that everyone’s bored, no one’s listening to you. And when you talk to the rest of the business about this, well if I’m speaking in that language, we’ll go fix it then! You are the one who has to deal with Scary Spider – we don’t deal with that, that’s somebody else’s problem. And I think that’s again, is part of this leadership function. It’s our job in the top trait to speak to the rest of the business in their terms. If you want a really interesting thought process on this one, have a look in your own organisations, you’ve probably got Azure sat there. So you’ve got out there, you’ve got your tenants for a SharePoint, you’ve got a OneDrive, you’ve probably got someone out there that’s also using Dropbox, someone out there’s also probably sync and someone else is using iCloud because they’ve got an iPhone through work and the first thing we do in cyber is must lock all these down. You’re only allowed to use SharePoint. The question I would ask is, well, will that work on an iPhone? Do they know how to use that? Are we educating people on these things? So rather than hand grenades out the policy, no, we only use this single vendor, go and speak to the business. Go, why do you use Dropbox?
Oh, well it works with this. Our software it integrates directly in, it doesn’t work with OneDrive. Go, good point, keep using it.
Adam Myers
And that shadow IT formed out of those processes where people need functionality to work and operate. But just going back a little bit around the cyber awareness piece, we actually do a live hack, which I think translates that message really well. So our pen test team essentially create online content to try and make that easy to understand because I think we are at risk of just overcomplicating something. We work in the industry, we’re familiar with certain language, but as that education piece around a business, I think the live hack is a really good way just to translate how we bypass MFA, how QR codes are now sort of on the rise in car parks for example and Application Authentication and stuff like that is on the rise. So again, we’re trying to do a little bit of that. So I think it’s really good that you’ve actually mentioned that.
Stuart Coulson
I’ll give you a shout right now. It’s a good one. I’ve seen it. I saw it recently. Yeah. What I like is that you’re demonstrating it to, I think it was at DTX (event) the last, sorry. Yeah, DTX, the last saw it. The audience are techies. Well that doesn’t necessarily mean they speak your techie language. Their specialism may not be in our field, they may be a backend developer, they still need to know the same story in the message. So yeah, it was a good live hack actually – well done.
Adam Myers
We’ve got a few coming up. So check out Secure Tour. Nice plug there, thank you Stuart.
So what does great cyber leadership look like? So I’ll open this question to you. What for you is good cyber leadership in an organisation?
Stuart Coulson
When the business comes back to you, that would be your first indicator that you’re getting things right. So in other words, we’re communicating in a way outwards, which means that we are no longer seen as the threat. In our world, we talk about cyber security and threats and threat actors. We can be our own threat actor in the business. If we are always blocking, then no one will come to us with the problems. So when people come to us early stage, we’re thinking of doing this, what do you think now you know that you work, you’ve basically got the business on your side. So I’d say from a leadership perspective, if you are communicating their language and they’re now coming to you, you’re on the starting point. I would say the second piece of that is when people can name your team, and that’s something which I’ve been stood here, watching your own team working, you get to know the characters in the team and we all work with individuals. So I may prefer to speak to Claudia rather than to Danny because Claudia happens to have an accent closer from my hometown. So I’ll go to Claudia instead of Danny. But now we’ve opened a pathway there. So when someone gets a phishing email they’ll go, “Hey Claudia, I’ve got an email, could you just look it out for us?” “No problem.” And that’s it. You’ve now opened that doorway rather than, I dunno if it’s a phishing email or not, I’ll just leave it and it gets ignored. So I think from a leadership perspective, your team should be as visible as you are to the board, but the team should be as visible out to the rest of the organisation.
Adam Myers
I think we were talking just beforehand around sort of communicating without scare tactics as well. And I think you touched on this quite well, so I dunno if you want to just expand on that, but I thought it was quite interesting.
Stuart Coulson
Oh – isn’t it so scary having cyber security, “the hackers are here”, “they’re going to come to take over the world”, “worse than AI.” We’re going to, and then it’s just taking a credit card details and assume breach. We have all this rhetoric and yet none of it helps. We’ve been saying it for decades really the start is in 1969, the first password was set. So it’s been our problem since 1969 and we’re still talking about it now. So I want to see a shift now whereby we don’t talk in these fear, uncertainty and doubt and actually just dare I say, take the fluffy bits out and go and speak back in the one-on-ones. What does this actually translate us? For example, if you’ve got a ransomware attack, only a small portion of business knows what that means. They’ve got a big red screen and it’s saying you are doomed unless you paid me a million pound that’s written in that user speech, not in a techie speech yet. We go and try and solve it by saying to the organisation, everyone go home. We’re dealing with a cyber security incident with a ransomware with a threat actor called and it’s like, what does any of that mean? And actually our language is quite scary. Even our threat actor names sound scary. Why don’t we just call it we think it’s this nation state. We think we’re not sure at least one can go home and go, oh, it was Manchester that tried to attack me today.
Adam Myers
One of our partners is really good at that. So Vicarius, they just again, a patch management solution, automated patch management – and they actually kind of create them into cartoon characters! But I think it’s a really good piece just to communicate how we can actually simplify things. And I remember them a lot more from just the way they give them a superhero outfit or if it’s the other way around a baddy outfit. So I do think, yeah, you’re onto something there I think in terms of that educational piece as well. So just around embedding cyber into your organisation, I think this is something that’s good. So what does it mean to embed cyber into an organization’s DNA and why does this matter?
Stuart Coulson
For everyone out there: shift left. We’re already aware of that one and for those who don’t know what that means: if you’ve got a project and you draw it on a Gantt chart, the very left hand consideration is always we’ve got the resource, we’ve got the time, we’re going to do agile and waterfall and et cetera. There should be security consideration at the beginning. So to embed it in a project is one thing, but you are almost forcing the issue. You want the project manager to say, “okay, so we’re doing this, we’re doing that, okay.” In the cyber security team you want that to be part of the natural pattern, not a forced discussion. So to do that, you need to have as a culture is the piece that we’re leaning into here. So we want project managers, product owners, we want these people to understand the value of security being here rather than later on when you realise you’ve got to unwind everything, stick it in the middle and then put it back in. I argue the case that security isn’t a bolt-on. It isn’t something you stick on the outside of something, it’s actually in the fundamental, it’s in the core of something, security development lifecycle, SDLC, it’s in the embedding in the code. It’s not something you add later. So all of this, it’s a security wrapper. Wrong language, it’s not a bolt-on. This is a core thing. So you don’t want to build, if you’re making a burger, you don’t want to get to the end and go, oh, I forgot the onions!
Adam Myers
Best bit!
Stuart Coulson
You can’t unwind and add onions and then put it all back together again – and this is exactly what we’ve got the problem with. So let’s try and get the conversation the early as possible, but make the organisation be asking us about cyber security consideration.
Adam Myers
Yeah, that’s good. And I think it’s getting teams talking, isn’t it? I see when we talked to a lot of clients, “oh you’ve got to go and talk to that team or go and talk to that team.” And I think if we use the burger analogy, it is kind of bringing all those layers together to create a great burger. I won’t plug any burger companies at this time. But yeah, I think you’re right. I think simplifying that is definitely something that’s good. You mentioned a little bit earlier about startups is maybe they bolt on a bit too late. Do you think that should be part of their, because what I see is a startup is probably one of the biggest risks if they get it wrong because it could be sadly that business could go bust fairly quickly if they don’t take cyber security seriously. So I know there’s ways that we can do that in different opex models. So keeping costs more in a monthly way of doing things. Do you see that especially in startups that need to consider security?
Stuart Coulson
A hundred percent. So I deal with cyber startups as my day job, so I’m doing a lot of mentoring with them and the cyber security startups as well when they’re bootstrapped and that means they’re paying with, do I pay the mortgage or do I put money into my business when they’re at that level, can you spend £5,000 on a security product? The answer is no. So they’d rather spend that on dev to try and get the product built to then make a million pounds, then buy the security products to then put it around the business. By which point it’s generally too late for some of these startups here. It really is. It’s too late. We’ve seen some really good startups be attacked because what we’re working is interested when you were dealing with cyber security startups, it’s even more so we’ve got an organisation based at the hub I work at, they’re doing a large behavioural model. They’re working at how you move different to me and use that as an authentication piece. Imagine cyber security they’re going to need! Because if someone can crack how they’re doing that, all of a sudden when that technology gets embedded into government into the NHS, you can fake people up.
Adam Myers
Yeah, it is a really good game actually at Dish. I know you’ve been part of Manchester Digital Dish and whatnot and it was around, it was a little game of when you should do your cyber awareness training and all these little things and we made it quite easy to understand and I think one of the biggest risks was not having a plan or an incident response plan and these things don’t really have a huge cost sometimes it is not always cost that stops that. So I think it’s just having that ability just to maybe get some plans in place early doors understand it. It’s not always, like you said, the multimillion pound tools to defend you. Sometimes it’s just the basics that people don’t consider do. They can think it’s maybe not for them.
Stuart Coulson
I like if you ever set a business up, I mean the this morning, was it 16 minutes to set a business up now. So in that 16 minutes I’ve now got a limited trading business. I’d like that information pack that arrives that says, have you got an accountant? Have you got cyber insurance? Are you looking at cyber essentials? Here’s your 25 documents that are basically the basics and fundamentals. Why don’t we have that? I mean that should be something we can already knock out there. We already know what this stuff is. Do you have a password manager? Step one, get a password manager. This guidance is there. We need startups to be doing it on day one and whether you’re doing a cyber security startup or a burger startup, this burger analogy’s going to go around this.
Adam Myers
I do like burgers so we’ve gone on a bit of a tangent!
Stuart Coulson
Awesome. But or if you’re making chess, chess piece, it doesn’t really matter. You should still have that consideration on day one of your business if you looked at it at least then you go, it’s in the back of your mind and when you get the budget point, you go, right, okay, I can afford that now. We are quite lucky and spoiled. I suppose that Microsoft’s done a really good job of putting security into their products full stop. That does come with that. You lose sight of it then. Well, it’s already taken care of – no, there’s a lot more to be done on top. And you’re right, the policies, procedures, simple stuff, the free stuff, people should be doing that on day one, a hundred percent.
Adam Myers
We were actually in a bit of an incentive at the moment around Cyber Essentials and trying to get more smaller organisations being using Cyber Essentials and we were kind of building that into endpoint protection and almost covering the cost there. So it’s just something listening maybe reach out to some of the team because there’s things we can do to get you on that journey and you might be working to things like ISO9001 or ISO27001 or Cyber Essentials Plus, those compliance regulations that you’re trying to follow. We can help you on that journey from a cost and budget perspective.
Stuart Coulson
I’m a really big fan of Cyber Essentials! I know gets a really bad rap, but I think it’s superb. If you are a large enterprise, super large enterprise, like a household name, can you prove you can do cyber essentials? I’m going to guess some of them are going to say no, they can get ISO27001 because it’s on this scope here, but could the entire operation prove they can do the basics? Generally, no. And that’s kind of scary. Maybe that’s why people at M&S have got hit is because there’s something missing in the fundamentals.
Adam Myers
Right? We lead onto topic number 4. So what should leaders know about insider threats and how can they better manage the human side of cyber?
Stuart Coulson
Wow. Yeah. In terms of threats, a really tough conversation because I basically have to sit as a CISO of a company and go, “you could be my criminal”. And that’s really hard because it then creates suspicion around an organisation. I see it slightly differently. I think that insider threat is something you need to be aware of, you need to plan for and you have to be aware of who in your organisation are likely to become an insider over time.
So for example, if there’s a restructure within an organisation, your disgruntled and employee level can become that insider threat. I also think there is a huge layer in there and times probing this several times over is the accidental insider threat. They only clicked a link by accident. They didn’t mean to. It was in a hurry. It clicked. Oh, I think I just clicked a link. These things happen. There’s an incident that happened recently where I saw an email, literally the drag and drop of the email addresses went one box up and they went to CC not BCC – 417 email addresses. It’s a cyber security incident in our world. To them it was literally three millimetres on a screen and it was so easy to do.
But yeah, I think the insider threat is a really interesting problem because for most organisations, when you hit a certain threshold, you don’t know all of your employees. When you’re small, you can name everyone in that office right now, but when you suddenly get a hundred people, can you name a hundred people’s names? Do you know who they are? Do you know their backgrounds? Do you know who’s having a good day, a bad day? Who’s got a gambling addiction? Who’s the person who’s got the outside personal problems that may drive them? I’m going to steal something from Jenny Radcliffe because I think something which helps when you think about the, it’s a good acronym, it’s Money, Ideology, Coercion and Ego (MICE). Generally, that’s what an attacker is going to come at you with. One of those four is their motive.
If you then look at your organisation, I’m going to look at our cameraman behind the screen. Hello. If we take this chap here, what would his be? So he probably wants a new camera. So now got money as an objective, maybe ideology, maybe doesn’t want to do video podcasts, just want to do audio podcasts, fed fulfilment. So there’s another one in there, coercion. Maybe the chap said next to him is going, no, no, no, let’s not do podcasts. Let’s do something else. And then there’s also the ego is like I was the guy that wrecked the podcast. I’m talking very simply in this. When you scale that up to nation state size, they can supplant someone in your organisation. And I do suspect we have got them already in the UK infrastructure here and critical national infrastructure that are sat there. Nation state threat actors sat on our networks right now doing the day job, probably doing a good job as well. But they are insider threat. They are using it because of a coercion factor that if you don’t, then your family may be in trouble. They’re doing ideology: I stand for my nation state and all that kind of stuff. Maybe doing it as an ego saying, if I can help my nation state therefore, or they’re being paid to do it. And it’s kind of scary as so how do you find it is the hard part.
Adam Myers
I think linking back to the pre episode for those that were maybe listening on a Forcepoint, we had another Stuart on discussing around insider threat and how we can risk and profile people and risk score people when they start doing things at say 3:00 AM accessing files they shouldn’t be. But those tools do come at a cost. But I think for larger organisations, insider threat is real and it’s definitely something that enterprise and public sector space that should consider definitely looking at. Yeah. But yeah. Is there anything else that you think around motivation or I think we’re going to lead onto a bit of hacktivism potentially.
Stuart Coulson
Yeah, let’s leave that one for a moment. Just on that one there you said about the enterprises. Can I just remind people that if you’re a small organisation who has interesting data, you are also a target. Let’s not discount the small GP who’s got everyone’s medical records for where we are here in the northwest, that’s a lot of data on hold. Schools have huge amount of data on children which can then indicate parents, which then can indicate a lot of others. If you picture, let’s just use in the UK as an example, you’ve got Cheltenham. If you’ve got all the grammar schools in Cheltenham get compromised, their parents highly likely they’re going to be working in a certain building in the Cheltenham area or related services. You’ve now got that as a layer, but schools don’t have multimillion pound budgets to protect themselves. So smaller organisations for me who’ve got juicy data and it’s opportunity to define whether you’ve got juicy data or not. That’s something to be aware of.
Adam Myers
And just your experience from working at Manchester University, I guess education and syllabuses and what we’re teaching and that becomes a bit of hot topic around nation state attacks and trying to gain access to what we’re educating universities and on that is a big risk, isn’t it? And what can be done, I guess in terms of how we go about approaching that because all our interest isn’t it, to try and keep that information secure.
Stuart Coulson
Yeah, the syllabus in the UK, it’s defined by each university uniquely. So everyone writes their own. There’s no one cyber security course that we all deliver. Everyone does their own different flavours of it. University of Manchester, very different actually. Talking about this earlier, that our cyber security is based in the humanities department. It’s not a cyber security in a technical discipline, it’s a humanities discipline. Of course that’s going to get the eyes of the world because that’s misinformation and disinformation. That’s how people are pushing messages at the moment. So if you can break our syllabus and you can maybe change from the content of it, it gets taught differently. What we’re quite adept at is we’ve got specialists who are working in that field. They’ll know when things have changed on the slide deck, but that still doesn’t stop us having people in the audience in the university. And this goes for all universities, not just University of Manchester. We’re training them up. We are training up our threat actors and that’s been known for years because we do it as a nation, we do it as well. But yeah, it’s a fascinating topic. This is one, you can go down a rabbit hole just on this one topic alone.
Adam Myers
Maybe for a future podcast, but no, but good. So hacktivism, AI and what’s next for the boardroom? So what trends should business leaders keep an eye on and how can they prepare for what’s next?
Stuart Coulson
So this is where we reach for the crystal ball and we wonder what’s coming up next. Yeah, I think let’s start with hacktivism. At the moment, the world geopolitical system, it is wrecked. We all know it. You don’t even have to turn the news on to have the discussion about it. With that comes people who go back to our MICE from before ideology. They’re going to be pro, pro or against. And so those people are going to come with a motive to attack and that’s where we’ve now got a problem. We are starting to see the hacktivist groups who they may not be nation state attackers. They’re doing it off their own back. We’ve seen this with the Ukraine, Russian War. There are small groups of people in the UK and in Spain or in France who are acting on behalf of Ukraine to attack Russian infrastructure. They’re just doing it because it’s the hacktivist thing to do. We’re kind of lucky that anonymous as an outfit, they calm down a lot of their action. They’re still there, they’re just in the background. But I do expect probably the next two years we’re going to see a very big resurgence come forward, especially as we’ve see more wars happening because with that brings the hackers. It’s a simple way for you to get involved in somebody else’s conflict, rather safely from the comfort of your own nice country.
I think that’s definitely one that we need to be aware of. So if you are in a service in an organisation whose products relate to those countries or to those services, definitely put your guards up, start being aware of your messaging. And if someone comes back at you with negative messaging, just be aware that could be a hacktivist group that’s now starting to profile you. Secondly, we have to say AI. It appears that if you don’t say AI, the tech industry disappears at the moment. So AI, it’s like saying Alan Turing in Manchester. The word Manchester disappears. AI is not going to go away. The question is how we’re going to work with it. I use AI extensively. It’s a brilliant tool, it’s helping me a lot with ‘the third voice’. So we have our own internal monologues of how we think, but what about the other voice of reason out there. The other one is just sheer creativity. I need to write sometimes I don’t know, a starting point knowing what I’m putting into these systems and where that is. Then using the data on is the most critical conversation a business should be having right now. If you use ChatGPT, who else is reading what you type into it? And it’s okay if you’re cognizant here because we’re in security, but if Dave in accounts is just put in, “Hey, I’ve got an invoice that’s coming from this supplier. I’m not quite sure if this value looks right. Does that look a ballpark number?” Who have you just told? And I think that’s something which not enough businesses are thinking about at the moment, what’s happening to our data.
Adam Myers
It probably goes into what you’re actually feeding it though, because you might be putting sensitive company information into these tools and you’re not really policing it or there’s no policy behind it. And I think as it’s become this sort of new technology to some extent that’s happening I think more than we think, isn’t it? And that’s a risk.
Stuart Coulson
We’ve got cyber security tool with AI. But does anyone know what’s happening with that data when it goes into there? I mean, if you were to be a nation state, let’s play the bad guy right now. We are now a bad guy country, we’re going really bad guy country we’re really bad. They said bigly bad. Don’t put that in the edit. We’ve got a nation state attacker. So we’ve now got a military that’s creating cyber security companies. So they’re all there and those tools are being implanted everywhere. All you have to do is literally walk into the boardroom as a nation state leader and say, give us some of this data now as an endpoint user. We’re using this technology, it’s securing our business, it’s going through an AI tool and look at all this extra stuff. Guess what? Your data’s going straight into a foreign state government. Not enough people think like that. Think like a criminal. Literally think like a criminal. If you can’t hire someone who can think like a criminal for you, stick it on the tabletop exercise. What happens if our data gets leaked to this country here because someone’s using an AI tool that we don’t know where the data goes to – you saw it with DeepSeek.
Adam Myers
So I guess it probably leads into a little bit around data loss prevention tools. I guess that’s probably where I see, you mentioned the email and BCC and somebody in, and it could be you’re putting the same thing into an AI tool. It needs to probably link, doesn’t it you DLP solution in with AI policies and whatnot. I think it’s just even easier by accident to leak something without really understanding what you’re doing, I guess.
Stuart Coulson
That comes back to the unintentional insider threat that we’ve talked about before. The person who’s using these tools because they’re struggling their job, they haven’t got the right training, whatever reasons they’re using the tools around them, which are publicly available and free, and so they become the unintentional leak. Yeah, it’s really interesting. Looking at the shows now, I’m looking forward to InfoSec this year. I’m looking for the DLP AI solution. I want to see the DLP solution that targets very specifically who’s putting into which LLM, what data. I’d be really interested to see if there’s anyone out there doing it. I’ve not seen anything on the market space, but I think that’s one of the big tools that will become something of importance in the future.
Adam Myers
And how it sort of integrates API driven data into that model. I think that could be the next big technology shift. I think I know Forcepoint will touch upon that a little bit in the previous episode, so I think watch this space. But yeah, it’s definitely going to be good. So that concludes our podcast. Stuart, thank you so much, that was one of the most interesting podcasts I’ve been a part of. Is there anything you want to say before we maybe conclude things?
Stuart Coulson
I think the wrap up for me is if you’re looking at cyber security for your own business, don’t be scared about it. Ask for help. Don’t wait until you’ve got an incident to then go and get the list of names of people going who to phone up. Get ’em today. Speak to someone like yourself. Speak to maybe not our cameraman, but speak to someone. (You might be insider threat) – but yeah, let’s get the list of names. Then when you have an incident, you know who to phone. You’ve got the names already. You’ve got a relationship with them to say, Hey Adam, look, we may be under attack here. Help. It makes the conversation quicker, easier, and you’ll get your resolution quicker. Definitely sit that in day one. If you’re an established business and you’ve got your cyber security, everything’s hunky-dory, change your messaging. Start talking to the board in their terms. For me, that would be the two critical things. And as you mature as a small organisation into a bigger organisation, don’t lose that language patterns. Keep speaking human. Adam, I’ve got a problem, not I’ve got an XDR problem because it’s just speaking English because quicker. And I say as you get mature into the enterprise layer when you’re in that big business, keep that up. Keep public internally within your business to who’s the what you’re doing, why you’re doing it. The three think Simon Skinner could be proud of this one. What is it you do as a business? Who do you do it for? Why do you do it? If you think about that as a cyber security function, we’re here to protect data at rest and in transit, who do it for every internal, all of our customers, all of our supply chain. Why do we do it? Because we care. It is our job function to care about data and to get all the other employees around us to care about data team. Yeah, that’s my wrap up.
Adam Myers
Thank you, Stuart. That was an amazing episode. As I said, join us at our Secure Tour. We’ve got three locations in Manchester, Edinburgh, and Belfast. But yeah, thanks for listening to our episode of Tales from the CyberLab. We’ll be back next month with a brand new episode.
But for now, Stay Secure.