The Security Strategist

EM360Tech

212 episodes

  • The Security Strategist

    Speed vs. Privacy: Navigating Digital Threats in Modern Counter Terrorism

    2026/04/01 | 23 mins.
    There is a moment in every investigation where time becomes the deciding factor.
    Not capability, not intent, but time. In modern counter-terrorism, that moment arrives faster than ever because the evidence is no longer waiting to be found. It already exists, scattered across devices, platforms, and networks, growing silently in volume.
    The question is no longer whether the data is there. It’s whether it can be understood quickly enough to matter.
    In this episode of Security Strategist, EM360Tech host Trisha Pillay and Chris Johnson, CEO of Cyacomb, explore how digital evidence is reshaping counter-terrorism and why the real challenge isn’t access to information, but the ability to act on it without crossing the line into overreach.
    Why Digital Evidence Is Reshaping Counter-Terrorism
    Digital evidence has become central to modern counter-terrorism investigations. From mobile devices and encrypted messaging platforms to online communities, nearly every case now involves large-scale digital analysis. The challenge is not access, it’s volume and complexity.
    A single device can hold vast amounts of data, and across thousands of investigations, this creates significant backlogs. Investigators must sift through irrelevant, fragmented, and often encrypted information to identify credible threats.
    At the same time, the threat landscape is changing drastically. Terrorist networks are more decentralised, digitally enabled, and adaptive in how they communicate. This forces law enforcement to rethink how investigations are conducted, shifting toward digital forensics, data analysis, and real-time intelligence gathering. As Johnson highlights, the ability to deal with data quickly is not new, but the scale of the problem has changed dramatically.
    Managing Data, Risk and Operational Pressure
    Speed sits at the centre of modern counter-terrorism operations, where even minor delays in analysing digital evidence can result in missed warning signs or postponed intervention. Yet increasing that speed is far from straightforward. Investigators must contend with vast volumes of data spread across multiple devices, alongside a growing diversity of formats and platforms that complicate analysis.
    Layered on top of this are manual processes that slow case progression and persistent operational backlogs that delay access to critical insights. The result is a bottleneck in which time-sensitive intelligence risks being lost in a sea of noise. In response, organisations are turning to advanced digital forensics tools and automation to streamline workflows, prioritise relevant data, and reduce the burden of manual investigation. However, efficiency alone does not solve the problem. Accelerating processes without robust controls introduces new risks, particularly when handling sensitive personal data, where speed must be carefully balanced with accuracy, oversight, and compliance.
    Privacy and Security with AI in Digital Investigations
    Artificial intelligence is becoming an increasingly significant tool in digital forensics and counter-terrorism investigations, largely due to its ability to process data at scale, identify patterns, and rapidly surface relevant insights. This capability enables faster identification of high-risk material, more informed decision-making during investigations, and a reduced dependence on manual data review, which has traditionally been time-consuming and resource-intensive.
    However, the integration of AI into law enforcement also introduces important ethical and legal challenges that cannot be overlooked. Counter-terrorism operations must remain firmly within established frameworks that safeguard privacy and civil liberties, as failing to do so risks undermining public trust in both the technology and the institutions that deploy it. In response, privacy-assured AI and specialist investigative tools are emerging, designed to minimise exposure to irrelevant personal data, concentrate only on content linked to potential threats, and support transparent, compliant investigative processes. As Johnson notes, while AI has a clear and valuable role in modern law enforcement, its effectiveness ultimately depends on the responsibility and governance with which it is implemented.
    The Future of Counter-Terrorism
    The next phase of counter-terrorism will be defined by the ability to turn data into actionable intelligence quickly and responsibly.
    This means:
    Reducing investigative backlogs;
    Integrating AI into core workflows;
    Improving collaboration across systems and teams;
    Embedding privacy into the design of investigative technologies.

    Digital evidence will only continue to grow. The organisations that succeed will be those that can navigate the intersection of speed, scale, and privacy without compromising any one of them. In modern counter-terrorism, advantage is no longer just about access to information; it’s about how effectively you can act on it.
    Takeaways
    Digital evidence and data volumes in investigations
    Evolving threat landscape and global tensions
    Privacy, civil liberties, and ethical considerations
    Operational efficiency and technological innovations
    Future trends in law enforcement technology

    Chapters
    00:00 The Evolving Role of Digital Evidence in Counter-Terrorism
    07:10 Challenges in Analysing Digital Evidence
    13:02 Balancing Privacy and Security in Investigations
    20:09 Future of Counter-Terrorism and Technology
  • The Security Strategist

    Democratising Cybercrime: How AI is Changing Enterprise Security

    2026/03/31 | 22 mins.
    AI isn’t introducing entirely new cyber threats, but it is changing how easily they can be executed, and by whom. In this episode of Security Strategist, EM360Tech host Trisha Pillay speaks with Darren Anstee, Chief Technology Officer for Security at NETSCOUT, about how conversational AI is lowering the barrier to entry for cyberattacks.
    Drawing on real-world telemetry from thousands of enterprises and service providers, Anstee outlines how the threat landscape is shifting not through new attack types, but through scale, speed, and accessibility. At the centre of that shift are two forces, in his words, simplification and automation.
    How AI is Changing Cyber Attacks
    From a Distributed Denial-of-Service (DDoS) perspective, Anstee says, “AI isn’t creating fundamentally new attack vectors. Instead, it’s making existing ones easier to execute”. Historically, launching a sophisticated attack required time, expertise, and intent. Attackers would need to scan a target, identify vulnerabilities, select the right attack vectors, and continuously adapt based on how defences responded. That process demanded both technical knowledge and active decision-making. Now, much of that can be abstracted away.
    As a result, conversational interfaces are increasingly being integrated into attack tools, allowing users to issue simple, natural language instructions. Behind the scenes, those tools can run reconnaissance, analyse results, select attack methods, and even adapt in real time if defences respond. As Anstee puts it, “the whole need for there being any knowledge in the seat has gone away.” The result is not necessarily more advanced attackers, but more attackers capable of attempting advanced techniques.
    The Democratisation of Cyber Attacks
    This shift has direct implications for enterprise risk. As sophisticated capabilities become more accessible, the volume and distribution of attacks change. Organisations that were previously unlikely targets are now within scope, not because they are high-value, but because they are reachable.
    Anstee points to a growing trend: attackers moving beyond heavily defended primary targets and focusing on secondary organisations within the digital supply chain. Suppliers, service providers, and partners often present a weaker entry point, while still offering indirect access to larger ecosystems. In practical terms, this expands the attack surface.
    It also exposes a gap in how many organisations think about risk. Dependencies are not always fully mapped, and the resilience of third-party services is often assumed rather than verified. When those dependencies fail, be it through DDoS disruption or another incident, the impact can cascade quickly. What’s changing is not just who gets targeted, but how risk propagates across interconnected systems. This shift is being accelerated by automation.
    Automation and Efficiency in Cybercrime
    Automation is what turns accessibility into scale. The steps involved in launching an attack (reconnaissance, analysis, execution, and adaptation) can be structured as decision trees. AI systems can follow those paths quickly and consistently, removing the need for manual intervention at each stage. This has two consequences. First, it increases the frequency of attacks. More actors can launch them, and they can do so with less effort. Second, it compresses response time. Attacks can adapt dynamically, forcing defenders to react faster and with greater precision.
    For many organisations, this exposes a mismatch between perceived and actual readiness. As Anstee notes, having defensive tools in place is not the same as knowing how they perform under real conditions. Firewalls and baseline protections may handle simple attacks, but they are often insufficient against multi-vector, adaptive threats. This is where his emphasis on certainty becomes critical.
    Confidence based on vendor claims or assumed coverage is not enough. Organisations need real visibility into how their defences behave in practice, across environments, and under pressure. Without that, decision-making is based on assumptions rather than evidence. In a landscape shaped by automation, that gap becomes harder to sustain.
    For more information, visit netscout.com
    Takeaways
    AI is simplifying and automating cyber attacks, making them accessible to a broader range of attackers
    Enterprises must reassess their risk management strategies
    The cost of cybersecurity is likely to rise as organisations enhance their defences
    AI's impact on cyber attack sophistication
    Democratisation of attack capabilities
    Automation in attack execution
    Supply chain vulnerabilities and third-party risks
    Certainty vs. confidence in cybersecurity decision-making

    Chapters
    00:00 Introduction to Cybersecurity and AI
    02:28 The Evolving Threat Landscape
    06:36 Automation and Cost Implications of AI in Cybercrime
    11:20 AI's Role in Existing and New Attack Vectors
    13:36 Understanding Supply Chain Risks
    17:25 The Importance of Certainty Over Confidence
    20:33 Strategic Actions for C-Suite Leaders
  • The Security Strategist

    Cyber Resilience in Microsoft 365: What Security Leaders Must Know

    2026/03/30 | 29 mins.
    Many organisations assume that moving to the cloud means much of their security posture is handled automatically. But that assumption can create blind spots. In the latest episode of the Security Strategist Podcast, Trisha Pillay from EM360Tech speaks with Rob Edmondson, Senior Director of Product Marketing at CoreView, about cyber resilience in Microsoft 365 environments and what tenant hardening means in practice.
    As organisations rely more heavily on Microsoft 365 for collaboration, identity management, and device control, understanding how the environment is configured becomes increasingly important for security teams.
    Microsoft 365 Has Grown Beyond Its Original Scope
    When Microsoft first introduced Microsoft 365 as Office 365, it primarily focused on email and productivity tools. Security strategies often revolved around protecting inboxes and ensuring that business data was backed up. According to Edmondson, that model no longer reflects how the platform is used today. Microsoft 365 now includes a wide range of services that support identity management, device management, compliance, and collaboration. Many of these services sit at the centre of daily business operations.
    This shift means that security risks are no longer limited to email or file storage. Identity platforms, collaboration tools, and endpoint management capabilities all operate within the same tenant. If critical settings are misconfigured, the impact can extend across multiple systems at once. For security leaders, the challenge is recognising that the platform has evolved into something far more complex than many organisations initially planned for.
    Why Visibility Into Configurations Is Still Limited
    One of the main themes in the discussion is visibility. Edmondson explains that many organisations simply do not have a clear view of how configurations change within their Microsoft 365 tenants.
    Attackers often exploit these blind spots. If they gain access to an environment, they may modify configurations that allow them to regain access later. Because some of these changes are subtle, they may go unnoticed for long periods. However, not all configuration drift comes from attackers. Administrative errors or platform updates can also change settings in ways that affect security or operations.
    This is why documentation still plays a role. Edmondson suggests that even basic records of key configurations can help organisations understand their environment and recover faster during incidents. While documenting every setting in a large tenant may not always be practical, identifying and tracking the most critical configurations can provide a starting point for stronger oversight.
    Reducing Privilege and Strengthening Tenant Resilience
    Another concern discussed in the episode is the issue of excessive privileges. Many administrator roles in Microsoft 365 grant access across an entire tenant, which can increase risk if those accounts are compromised. Edmondson argues that reducing standing privileges should be a priority. Instead of granting broad permissions by default, organisations should consider limiting administrative access to only what is necessary.
    Tenant hardening plays an important role here. By tightening configuration controls and carefully managing privileges, organisations can reduce the likelihood that a single compromised account leads to a wider security incident.
    The goal is not simply to add more security controls, but to build a clearer understanding of how the tenant operates and how it could be restored if something goes wrong. The full conversation on the Security Strategist Podcast explores these challenges in greater depth, including configuration visibility, tenant recovery scenarios, and the practical steps security teams can take to improve resilience in Microsoft 365 environments.
    If you would like to find out more, visit coreview.com
    Chapters
    00:00 Introduction to Cyber Resilience in Microsoft 365
    01:01 Guest Introduction: Rob Edmondson and His Role at CoreView
    02:17 Why Confidence in Microsoft 365 Security Falls Short
    04:24 The Expanding Scope of Microsoft 365 Services
    05:27 Visibility Challenges in Microsoft 365 Security
    07:20 Bridging the Gap: Improving Visibility and Configuration Management
    11:05 Risks of Configuration Drift and Tenant Hardening
    16:23 Importance of Configuration Backup in Cyber Resilience
    21:28 Overprivileged Accounts and Tenant Security Risks
    26:04 Balancing Security and Innovation with AI and Automation
    28:37 Tips for Decision Makers
    Takeaways
    Microsoft 365 now covers identity, device, compliance, and collaboration tools.
    Security risks extend far beyond just email and file storage.
    Limited visibility into configuration changes creates blind spots.
    Excessive administrative privileges increase the potential impact of a compromise.
    Strengthening configurations and planning for recovery helps organisations respond more quickly.
  • The Security Strategist

    Why Do Most Cyber Breaches Stem from System Failures, Not Human Error?

    2026/03/24 | 19 mins.
    Podcast: The Security Strategist
    Host: Richard Stiennon, Chief Research Analyst at IT-Harvest
    Guest: Michael Kennedy, Ostra Security Founder
    For leaders in enterprise technology, the pressure to show measurable cybersecurity outcomes has never been greater. Boards are asking tougher questions, attackers are moving faster, and conventional security awareness metrics aren’t telling the whole story.
    In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, is joined by Ostra Security Founder Michael Kennedy, who pointed out a growing gap in how enterprises measure success. Despite years of investment in phishing training and user awareness, breaches keep happening—not because employees are failing on a large scale, but because enterprise systems aren’t designed to handle inevitable mistakes.
    For CIOs, CISOs, and CTOs, this signals a major transition toward outcome-based security.
    Why Traditional Security Awareness Metrics Fall Short
    Phishing simulations, reduced click rates, and increased reporting are often seen as proof of a strong cybersecurity strategy. The metrics are easy to track, too.
    However, as Kennedy notes, they provide limited insight into actual risk reduction. Even the most effective awareness programs leave some room for error. In reality, attackers only need one successful attempt to gain access. “If one gets through, that’s enough,” Kennedy suggests, highlighting a truth most security leaders understand but find difficult to measure.
    What these metrics don’t capture is the downstream impact of that failure.
    Two identical phishing attacks can lead to vastly different results depending on the enterprise security setup. In one situation, the threat is neutralised quickly. In another, it escalates into lateral movement, credential theft, or ransomware deployment. For enterprise settings, this gap reveals a basic problem – user-focused metrics assess behaviour.
    What Does Outcome-Based Cybersecurity Look Like?
    The more effective approach, Kennedy argues, is to frame cybersecurity around engineering outcomes instead of user behaviour.
    This means evaluating how well systems perform during attacks—not how well users avoid making mistakes.
    The key markers of a strong enterprise cybersecurity strategy include how quickly threats are detected, how effectively security teams respond, and how well incidents are contained before they spread. These operational metrics give a clearer view of real-world readiness.
    This shift lines up with the growing adoption of zero trust architectures, extended detection and response (XDR), and AI-driven security operations. All these frameworks focus on containment, visibility, and fast responses rather than the unrealistic goal of perfect user behaviour.
    It also changes how breaches are examined. High-profile incidents are often simplified to stories about weak passwords or phishing clicks, while the more vital question—why controls failed to limit the impact—gets overlooked.
    For enterprise buyers and decision-makers, this can lead to misaligned investments, over-prioritising awareness training while underfunding detection engineering, identity controls, and network segmentation.
    Why is it Necessary to Create a No-Blame Culture?
    While the focus shifts away from blaming users, Kennedy emphasises that people still play a vital role in enterprise cybersecurity—just not in the way many enterprises think.
    In enterprise environments where employees fear blame, reporting delays are common. Suspicious emails go unreported, incidents remain unnoticed longer, and response times increase.
    In contrast, organisations that create a no-blame security culture see users acting as an extension of their detection capabilities. Employees who feel safe reporting anomalies can identify threats earlier, often before automated systems escalate them.
    This cultural change has measurable operational benefits. Faster reporting reduces dwell time, limits damage, and improves overall incident response effectiveness.
    Some enterprises are formalising this approach through internal collaboration platforms, enabling real-time threat sharing across teams. In doing so, they turn their workforce into a distributed security layer—one that complements, rather than replaces, technical controls.
    The enterprises that succeed in this next phase of cybersecurity maturity will be those that move beyond the “human error” narrative and embrace a truly outcome-based approach to security engineering.
    Because in modern enterprise environments, the question is no longer who clicked—it’s how well the system absorbed the impact.
    Key Takeaways
    Cybersecurity failures are system design issues—not user mistakes.
    Click-rate metrics are misleading.
    Real success is measured by containment speed and impact reduction.
    Strong security culture encourages users to report threats without fear of blame.
    Engineering outcomes (like detection speed and blast radius control) matter more than user behaviour metrics.
    AI is reshaping both attacks and defence, making faster, smarter response capabilities essential.

    Chapters
    00:00 Introduction to Cybersecurity's Human Element
    03:15 Reevaluating User Responsibility in Cybersecurity
    06:44 Creating a Culture of Reporting
    09:25 Measuring Security Outcomes Beyond Click Rates
    12:05 The Role of AI in Cybersecurity
    15:06 Adapting to Evolving Threats
    17:44 Key Takeaways for Decision Makers

    For more information, please visit em360tech.com and ostrasecurity.com.
  • The Security Strategist

    Are Security Teams Wasting Resources on 99% of Vulnerabilities That Don’t Matter?

    2026/03/20 | 18 mins.
    Podcast: The Security Strategist
    Host: Richard Stiennon, Chief Research Analyst at IT-Harvest
    Guest: Nathan Rollings, CISO at Zafran
    The cybersecurity enterprise space has been transforming for years, going beyond traditional vulnerability management. According to Nathan Rollings, CISO at Zafran, the next shift is already underway in the B2B Enterprise technology space. It is being driven by automation, AI, and a deeper understanding of context within enterprise environments.
    Rollings sat down with host Richard Stiennon, Chief Research Analyst at IT-Harvest, on The Security Strategist podcast to talk about the need for security teams to move beyond dashboards and risk scores to something more operational: agentic exposure management.
    “Attackers are already using automation and AI,” Stiennon says to Rollings during the podcast. “Meanwhile, most defenders are still focused on risk scores, dashboards, and ticket backlogs.”
    Rollings believes the real opportunity lies in allowing intelligent systems to analyse exposure continuously and act on it.
    The Discourse to Agentic Exposure
    Exposure management often appears as a new discipline, but Rollings believes its roots are much older.
    “If you were to look at a vulnerability management maturity model five or 10 years ago, the characteristics of the most mature programs aligned with what we consider continuous threat exposure management today,” he said.
    Traditional vulnerability management focused heavily on scanning and prioritising flaws. Continuous threat exposure management (CTEM) builds on that by adding context such as internet reachability, compensating controls, and real-time telemetry from security tools.
    Agentic exposure management goes a step further, where autonomous systems help drive the processes themselves. “When we look back at the early days of vulnerability management, we did much of this manually,” Rollings said. “Then we moved toward automated processes. Now, we are moving toward autonomous.”
    Instead of security teams manually distributing vulnerability reports or setting rigid rules for ownership and remediation, AI agents can interpret available telemetry and handle those workflows dynamically. Over time, those same systems may even take remediation actions on their own.
    The challenge is trust, according to Zafran’s CISO. “Enterprises must trust that the actions taken by these systems are safe and effective within their environments.”
    Anthropic’s AI announcement sends industry ripples
    The podcast also covered a recent announcement from Anthropic regarding AI-driven code security. This move quickly sparked debate about how generative AI might reshape vulnerability management.
    Stiennon suggested the technology could disrupt parts of the market focused on application security. However, Rollings believes its impact on exposure management will be more limited. “Code analysis is incredibly powerful,” he said. “But it’s very much a shift-left capability.”
    Exposure management operates on the opposite side of the lifecycle. It focuses on production environments, where context decides whether a vulnerability is actually exploitable.
    “A good exposure management platform considers your defence-in-depth strategy,” Rollings explained. “That means tens of integrations across an organisation to understand the residual risk of specific exposures.”
    Runtime behaviour, network paths to the internet, endpoint protection policies, and segmentation controls all influence whether a vulnerability is a real risk. Analysing source code alone cannot provide that operational picture.
    Why context matters more than another risk score
    For many security teams, vulnerability prioritisation still relies heavily on numerical risk scoring. Rollings argues that this approach often misses the bigger picture. “You’re spending so much money on these security tools,” he said. “The real question is, what is the return? What is the business value?”
    Understanding the effectiveness of existing controls, such as intrusion prevention systems, endpoint detection, or micro-segmentation, can dramatically change how vulnerabilities are prioritised.
    Research cited by Rollings suggests that only around one in 50k vulnerabilities is truly exploitable in a given environment once contextual factors are taken into account. “That means organisations spend enormous effort remediating vulnerabilities that may never actually be reachable,” he added.
    Agentic systems that correlate telemetry across security tools could narrow that focus significantly. This would allow teams to prioritise the small subset of exposures that really matter.
    “Security teams were so focused on detection, assessment, and ticketing that they didn’t have time to dig deeper,” Rollings tells Stiennon. “Agentic capabilities free them to concentrate on the things that truly make a difference.”
    Key Takeaways
    Exposure management prioritises vulnerabilities using real-world context, not just CVSS scores.
    Agentic AI can analyse exposures and automate remediation workflows.
    Security context—controls, network paths, and runtime data—determines real exploitability.
    Only about 1 in 50,000 vulnerabilities are truly exploitable in most environments.
    AI-secured code won’t remove runtime risk in live infrastructure.

    Chapters
    00:00 Introduction to Cybersecurity Challenges
    03:19 The Evolution of Exposure Management
    07:31 Impact of AI on Vulnerability Management
    11:34 Contextual Understanding in Exposure Management
    15:37 Efficiency and Cost-Effectiveness in Security Teams
    18:08 Key Takeaways for Security Practitioners

    For more information, please visit em360tech.com and www.zafran.io.

About The Security Strategist

With cyber attacks more common than ever before and each attack becoming increasingly sophisticated, security teams need to be one step ahead of cybercrime at all times. “The Security Strategist” podcast delves into the depths of the cybercriminal underworld, revealing practical strategies to keep you one step ahead. We dissect the latest trends and threats in cybersecurity, providing insights and expert-backed solutions to protect your organisation effectively. Tune into this cybersecurity podcast as we dissect major threats, explore emerging trends, and share proven prevention strategies to fortify your defences.