The Security Strategist

In an environment where cyber threats evolve faster than regulation, UK organisations are being asked to defend themselves with rules written for a different era. That tension sits at the centre of a recent episode of the Security Strategist, where host Trisha Pillay speaks with William Wright, Chief Executive Officer of Closed Door Security and Scotland’s first accredited (chartered) hacker. Their conversation moves beyond headlines and funding announcements to examine why, despite growing awareness and investment, both public and private sector organisations in the UK continue to be compromised.
The Biggest Cybersecurity Challenges Facing UK Organisations
As Wright explains, cybersecurity cannot be understood purely from policy documents or tooling dashboards. It has to be understood from the attacker’s point of view. From where he stands today, the UK cybersecurity landscape is marked by a growing gap between how organisations believe they are protected and how exposed they actually are.
One of the most persistent misconceptions Wright highlights is the belief that buying cybersecurity tools automatically makes an organisation secure. Too many businesses, he argues, rely on poorly implemented services or procure technology they don’t fully understand.
The result is a false sense of confidence. Organisations assume they are protected, but still fall victim to ransomware, business email compromise, and financial fraud. Often, the tools they’ve invested in are never properly tested, validated, or tuned to their environment.
Awareness is another issue. Despite constant media coverage of cyber attacks, cybersecurity is still not consistently treated as a board-level risk. When it remains a technical afterthought rather than an operational priority, organisations struggle to respond effectively when incidents occur.
Wright also challenges the idea of a simple “skills gap.” While much of the discussion focuses on a lack of junior talent, he argues the real problem sits at the top. Too many cybersecurity decisions are being made by individuals without deep, hands-on experience, particularly in senior or policy-shaping roles. This lack of expertise leads to misaligned strategies, both in organisations and in government.
The UK Government’s Cyber Action Plan
The UK government’s £210 million cyber action plan is, in Wright’s view, a welcome signal but not a solution. Any investment in cybersecurity is positive, yet the plan largely reflects practices the private sector has been using for years.
This creates a familiar pattern as the private sector absorbs the damage, while the public sector learns from it later. Economically, Wright argues, this approach is flawed. When businesses are repeatedly compromised, the impact extends far beyond individual organisations.
Legislation is another weak point. Cyber threats evolve daily, but laws move slowly. The Computer Misuse Act, for example, has not been meaningfully updated in over a decade. In a world of cloud computing, automation, and AI-driven attacks, this leaves the UK operating with outdated guardrails.
What Government Can Learn From Offensive Security
As the CEO of an offensive security firm,...

Cybersecurity often feels like a battle of technologies—firewalls, AI, monitoring tools, but at its core, it’s human. People are both the first line of defence and, more often than not, the most vulnerable point. On a recent episode of Security Strategist, Richard Stiennon spoke with Nicole Jiang-Gibson, Chief Executive Officer of Fable Security, about why traditional training doesn’t work and how understanding human behaviour can fundamentally change an organisation’s security posture.
Humans are the Weakest Link
Nicole’s journey in cybersecurity began long before Fable. She was an early member at Abnormal Security, where she helped build email security solutions. That experience exposed a recurring truth, and that was even the best technical safeguards can be undone by human error.
“Human error is really the number one cause at the beginning of cybersecurity incidents,” Nicole explains. “Phishing attacks are the number-one starting point—one click, one misstep, and suddenly the consequences are massive.”
She recalls the MGM Resorts breach as a turning point: an IT help desk employee took a phone call from someone impersonating an Okta admin, leading to a major security lapse. “Even with strong email defences, people were exposed in ways technology couldn’t prevent. That’s when I realised that this was a human problem we needed to solve.”
Seeing Security Through the Attacker’s Eyes
Fable Security’s approach is rooted in understanding both the employee and attacker behaviour. Nicole describes it almost like a conversation at both sides of the table.
“Looking at security from the attacker’s perspective changes how organisations design interventions,” she says. Employees often don’t even realise which actions put them at risk. By understanding predictable behaviours, we can build targeted, timely interventions instead of generic training modules that people forget.”
The company leverages data to identify risky behaviours and reinforce safe ones. Richard notes that this can turn the math of phishing attacks in an organisation’s favour, reducing the likelihood of a click from 40 per cent to 2 per cent, for example, meaning attackers have to try 50 times to succeed once.
Reinforcement Not Punishment
One of the major differences in Fable’s approach is how they treat learning. Traditional phishing simulations can leave employees feeling tricked or shamed. Fable focuses on reinforcement and repetition, creating a culture where security is part of everyday decision-making.
“We empower organisations with data to understand how employees behave and then help them stay one step ahead of attacks,” Nicole explains. “It’s not just about preventing business loss, it’s about protecting culture, brand, and employee safety.”
By shifting the focus from blame to understanding and from generic training to targeted behavioural interventions, organisations can finally address the human factor in cybersecurity with the seriousness and nuance it deserves.
For more information, visit fablesecurity.com
Takeaways
Cybersecurity is not just about technology; it's about people.
Traditional training often fails to change behaviour effectively.
Human errors are the leading cause of...

In an era where enterprise data sprawls across cloud platforms, collaboration tools, and SaaS environments, CISOs are under constant pressure to reduce risk without becoming the department that slows everything down. That tension sits at the heart of a recent episode of the Security Strategist, where host Jonathan Care speaks with Ariel Zamir, founder and CEO of Ray Security, about what pragmatic, modern data security actually looks like.
Their conversation cuts through the noise around cybersecurity tools and frameworks and focuses instead on how CISOs can think differently about enterprise data, risk management, and control.
Understanding Enterprise Data Risk Starts With Reality
One of the most grounded points Zamir makes is also the simplest, and that is, most enterprise data is not being used. At any given time, around 98 per cent of enterprise data sits dormant. From a data security perspective, that should immediately raise questions. Why is data that no one needs today exposed in the same way as data actively driving the business?
For CISOs, this reframes the challenge. Instead of trying to secure all data equally, the priority becomes understanding which data is actually accessed, by whom, and when. This shift matters because risk does not come from volume alone, but from unnecessary exposure. Dormant data with overly broad access control is often invisible to the business, yet highly visible to attackers.
By grounding cybersecurity decisions in how data is really used, security teams can reduce enterprise data risk without introducing friction for employees who are simply trying to do their jobs.
Permission Hygiene, Access Control, and Dynamic Security
A recurring theme in the discussion is permission hygiene. Over time, access rights accumulate. People change roles, projects end, contractors leave, but permissions rarely get cleaned up. The result is an expanding attack surface that no amount of policy documentation can realistically govern.
Zamir argues that improving permission hygiene and access monitoring should come before heavy data classification initiatives. Tightening access control, understanding access patterns, and removing unnecessary permissions can dramatically reduce risk with relatively low operational impact.
Crucially, this does not mean locking everything down. Dynamic controls play a key role here. Instead of blocking access by default, organisations can monitor for unusual behaviour and respond in context. Alerts, step-up verification, or temporary restrictions allow security teams to manage risk while preserving user experience. From a business perspective, this approach aligns far better with how work actually happens.
This is also where agentic AI and agentless monitoring enter the picture. As autonomous systems increasingly access data on behalf of users, traditional identity-based controls struggle to keep up. Agentless approaches help close coverage gaps without requiring intrusive deployments, while agentic AI introduces new questions about accountability and oversight that CISOs can no longer ignore.
Just-in-Time Classification and the Legal Implications of Automation
Traditional data classification has long been treated as a foundational security activity, but the podcast challenges that assumption. Classifying vast amounts of dormant data upfront is expensive, slow, and often disconnected from real risk. Instead, Zamir advocates for just-in-time classification, applying context only when data is accessed.
This approach supports more effective risk management while easing the burden on security teams. It also aligns...

When code is no longer written solely by humans, the way we think about application security has to change. In a recent episode of the Security Strategist podcast, host Richard Stiennon sits down with Gadi Bashvitz, CEO of Bright Security, to talk about the challenges and opportunities of securing applications in an AI-driven world. Their conversation reveals a reality many organisations are only beginning to face, and that is vulnerabilities are multiplying faster than ever, and traditional security tools aren’t keeping up.
Rethinking Application Security for a New Reality
Since 2018, Bright Security has been helping organisations secure their applications and APIs. Gadi Bashvitz shares that the company’s journey has always been about anticipating challenges before they become crises.
“And that’s what we did from 2019 to 2024—signed up some of the world’s largest financial institutions and insurance companies, so very proud of that customer base,” he explains.
But in 2024, everything changed. Customers started raising concerns about AI-assisted coding. Bashvitz recalls:
“Some of those customers came to us and said, ‘Houston, we’ve got a problem. We’re starting to adopt AI-assisted coding.’ We’ve gone from a world where a developer generates 100 per cent of code and 100 per cent of vulnerabilities, to one where that developer is now generating 200 per cent of code and 600 per cent of vulnerabilities. That AI-generated code is three times more prone to vulnerabilities.”
This shift exposes a fundamental truth, and that is that AI is reshaping software development, but not always in ways organisations are ready to manage. What was once a controlled DevOps process is now a rapid, high-volume environment where oversight can easily slip.
The Hidden Risks of AI-Generated Code
The impact is real and immediate. Marketing teams, product managers, and developers alike are generating code faster than ever, but without the traditional checks and balances. Bashvitz highlights that AI models are trained on open-source code, often without security in mind. This means vulnerabilities multiply at a rate that can overwhelm static tools or conventional security processes.
Organisations are feeling the pressure daily, realising that if they don’t adapt, AI-generated vulnerabilities could outpace their ability to detect and mitigate risks.
Embedding Security Into Every Step of Development
So how can enterprises regain control? Bashvitz is clear: it’s not too late, but action must be deliberate.
“At some point, there will be a few very, very significant hacks that will take us back,” he warns. “The key is to embed dynamic security measures directly into the development lifecycle. That’s how you catch vulnerabilities, even when code is being generated at an unprecedented scale.”
Dynamic Application Security Testing (DAST) is one approach Bright Security has championed. Unlike traditional static tools, dynamic testing integrates into code repositories and runs throughout the development pipeline, from unit tests to production deployment. This approach doesn’t just mitigate risk—it empowers teams to continue innovating without being paralysed by fear of vulnerabilities. The goal is to create a balance where AI-driven productivity and robust security coexist.
For more information, visit https://brightsec.com
Takeaways
Bright Security was...

As firms increasingly adopt autonomous AI, a key assumption in cybersecurity seems to be disappearing – data security can be understood through static maps.
In the recent episode of The Security Strategist Podcast, Abhi Sharma, Co-Founder and CEO of Relyance, speaks to Host Richard Stiennon, Chief Research Analyst at IT-Harvest.
Sharma tells Stiennon that most security tools are still built for a world before AI. In that world, data stays still long enough to be scanned, categorised, and managed. AI changes this model.
“We’re in the middle of a tectonic shift,” Sharma said. “For the first time, software behaviour is not just defined by the instructions you give it, but by the data in and around it.”
In modern AI systems, data is no longer just an asset. It becomes an instruction. The quality, frequency, distribution, and even the absence of data directly influence how models and agents function. This reality makes traditional security models dangerously incomplete.
“People are very good at answering what data they have and where it’s stored,” Sharma explained. “But they can’t answer how it got there or what happened along the way.” He argues that this missing context is where AI risk now resides.
Agentic AI Turns Data Movement Into Real Security Risk
The issue becomes critical with agentic and autonomous AI workflows. Here, decision-making is not based on fixed code but on a large language model operating in real-time.
“In these systems, your control logic is an LLM,” Sharma said. “It’s a black box.”
To complete tasks, AI agents must access tools, look at past decisions, copy production data, and dynamically manage infrastructure. In doing so, they create what Sharma calls ephemeral infrastructure—temporary environments that may exist for minutes and disappear without a trace.
For example, an agent working to improve cloud costs might create a high-performance database cluster, copy sensitive logs into a staging area, analyse them, and shut everything down in under 20 minutes.
“But in that process,” Sharma warned, “a default Terraform script might leave four S3 buckets open to the internet.” Traditional security scans, which often run every 24 hours, would never catch this.
“You don’t even know this little circus happened while you were asleep,” he said. “But it created a new risk.”
This is why Sharma believes that breaches in the AI era are no longer failures of data at rest but failures of data flow. Attackers don’t target identities or tools in isolation; they target outcomes—especially the theft or destruction of data. Those outcomes occur through movement over time.
Data Journey Solution for Responsible AI
Despite the widespread use of DSPM, DLP, IAM, AI gateways, and governance platforms, Sharma sees the same pattern in the Fortune 500: security incidents continue not because the tools lack usefulness, but because they operate in silos.
“All of the real business impact,” he said, “comes down to flow.”
Relyance’s solution is what Sharma calls data journeys—a unified, time-aware view of how data moves across identities, tools, infrastructure, and persistent assets. “If you can consistently reason across all of those layers,” Sharma said, “you finally have a chance to protect data and enable safe, responsible AI.”
Looking ahead to 2026 and beyond, he predicts security, governance, and compliance will merge around this shared visibility. Organisations will move away from simple audits toward infrastructure that...