The Security Strategist

Podcast: The Security Strategist
Host: Richard Stiennon, Chief Research Analyst at IT-Harvest
Guest: Nathan Rollings, CISO at Zafran
The cybersecurity enterprise space has been transforming for years, going beyond traditional vulnerability management. According to Nathan Rollings, CISO at Zafran, the next shift is already underway in the B2B Enterprise technology space. It is being driven by automation, AI, and a deeper understanding of context within enterprise environments.
Rollings sat down with host Richard Stiennon, also the Chief Research Analyst at IT-Harvest on The Security Strategist podcast to talk about the need for security teams to move beyond dashboards and risk scores to something more operational–agentic exposure management.
“Attackers are already using automation and AI,” Stiennon says to Rollings during the podcast. “Meanwhile, most defenders are still focused on risk scores, dashboards, and ticket backlogs.”
Rollings believes the real opportunity lies in allowing intelligent systems to analyse exposure continuously and act on it.
The Discourse to Agentic Exposure
Exposure management often appears as a new discipline, but Rollings believes its roots are much older.
“If you were to look at a vulnerability management maturity model five or 10 years ago, the characteristics of the most mature programs aligned with what we consider continuous threat exposure management today,” he said.
Traditional vulnerability management focused heavily on scanning and prioritising flaws. Continuous threat exposure management (CTEM) builds on that by adding context such as internet reachability, compensating controls, and real-time telemetry from security tools.
Agentic exposure management goes a step further, where autonomous systems help drive the processes themselves. “When we look back at the early days of vulnerability management, we did much of this manually,” Rollings said. “Then we moved toward automated processes. Now, we are moving toward autonomous.”
Instead of security teams manually distributing vulnerability reports or setting rigid rules for ownership and remediation, AI agents can interpret available telemetry and handle those workflows dynamically. Over time, those same systems may even take remediation actions on their own.
The challenge is trust, according to Zafran’s CISO. “Enterprises must trust that the actions taken by these systems are safe and effective within their environments.”
Anthropic’s AI announcement sends industry ripples
The podcast also covered a recent announcement from Anthropic regarding AI-driven code security. This move quickly sparked debate about how generative AI might reshape vulnerability management.
Stiennon suggested the technology could disrupt parts of the market focused on application security. However, Rollings believes its impact on exposure management will be more limited. “Code analysis is incredibly powerful,” he said. “But it’s very much a shift-left capability."
Exposure management operates on the opposite side of the lifecycle. It focuses on production environments, where context decides whether a vulnerability is actually exploitable.
“A good exposure management platform considers your defence-in-depth strategy,” Rollings explained. “That means tens of integrations across an organisation to understand the residual risk of specific exposures.”
Runtime behaviour, network paths to the internet, endpoint protection policies, and segmentation controls all influence whether a vulnerability is a real risk. Analysing source code alone cannot provide that operational picture.
Why context matters more than another risk score
For many security teams, vulnerability prioritisation still relies heavily on numerical risk scoring. Rollings argues that this approach often misses the bigger picture. “You’re spending so much money on these security tools,” he said. “The real question is, what is the return? What is the business value?”
Understanding the effectiveness of existing controls, such as intrusion prevention systems, endpoint detection, or micro-segmentation, can dramatically change how vulnerabilities are prioritised.
Research cited by Rollings suggests that only around one in 50k vulnerabilities is truly exploitable in a given environment once contextual factors are taken into account. “That means organisations spend enormous effort remediating vulnerabilities that may never actually be reachable,” he added.
Agentic systems that correlate telemetry across security tools could narrow that focus significantly. This would allow teams to prioritise the small subset of exposures that really matter.
“Security teams were so focused on detection, assessment, and ticketing that they didn’t have time to dig deeper,” Rollings tells Stiennon. “Agentic capabilities free them to concentrate on the things that truly make a difference.”
Key Takeaways
Exposure management prioritises vulnerabilities using real-world context, not just CVSS scores.
Agentic AI can analyse exposures and automate remediation workflows.
Security context—controls, network paths, and runtime data—determines real exploitability.
Only about 1 in 50,000 vulnerabilities are truly exploitable in most environments.
AI-secured code won’t remove runtime risk in live infrastructure.

Chapters
00:00 Introduction to Cybersecurity Challenges
03:19 The Evolution of Exposure Management
07:31 Impact of AI on Vulnerability Management
11:34 Contextual Understanding in Exposure Management
15:37 Efficiency and Cost-Effectiveness in Security Teams
18:08 Key Takeaways for Security Practitioners

For more information, please visit em360tech.com and www.zafran.io.
Follow:
EM360Tech YouTube: @enterprisemanagement360
EM360Tech LinkedIn: @EM360Tech
EM360Tech X: @EM360Tech
Zafran LinkedIn: Zafran Security
Zafran X: @Zafran_io
#AgenticAI #ExposureManagement #VulnerabilityManagement #CTEM #Cybersecurity #CISO #SecurityStrategist #RichardStiennon #NathanRollings #Zafran

Podcast series: The Security Strategist
Guest: Sam Woodcock, Senior Director of Solutions Architecture at 11:11 Systems
Host: Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360Tech
In the recent episode of The Security Strategist podcast, host Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360Tech, spoke with Sam Woodcock, Senior Director of Solutions Architecture at 11:11 Systems. They discussed what he sees as one of the biggest issues in cybersecurity today: the gap between confidence and ability.
Their conversation, based on findings from the company’s latest global survey, revealed a troubling fact. While 81 per cent of IT leaders believe they are ready to recover from a cyberattack, many have already faced serious incidents, sometimes more than once a year.
Woodcock pointed out that this confidence can be misleading. “If you think about your cyber recovery planning, it often looks strong on paper,” he said. “That can create a false sense of security because cyber recovery is very complex.”
Analyst Read: Forensic Recovery Is Central to Cyber Resilience
Cyber Recovery is Not Fixed
Woodcock explained that many organisations confuse documented plans with actual readiness. Cyber recovery is not fixed; it must change with the infrastructure, applications, and threats.
“Change is the only constant in this industry,” he noted. “Things are shifting daily and weekly. What you had in place today can quickly become outdated.”
Testing often suffers from time and budget constraints. Many companies test just once a year, if at all. Woodcock advises that quarterly testing should be the minimum.
“You’d rather find those issues now instead of during a real ransomware incident.”
The costs of misplaced confidence are high, such as prolonged downtime, growing financial losses, regulatory fines, and damage to reputation. Some survey participants reported recovery times of one to two weeks, while others took over a month.
The more alarming truth is the risk of getting reinfected. “Enterprises might recover from the first outage and then be hit again,” Woodcock warned. “That extends the recovery time and increases the risk and damage.”
How Modern Attackers Hack?
One of the most revealing points from the discussion was how modern attackers operate once they gain access. A common way in is through VPN flaws and social engineering.
“One of the first things they will do is examine existing documentation within your organisation to understand your recovery strategy,” Woodcock tells Dua. “They’ll look at your company’s cyber incident recovery planning document.”
Attackers often target backup systems directly to wipe out recovery options before launching ransomware.
In one case, Woodcock mentioned, a company’s local backup systems were compromised. Luckily, they had maintained immutable cloud backups, allowing them to recover even after the primary backup environment was breached.
In other cases, entire primary environments were taken offline, forcing organisations to switch to secondary, isolated environments.
“You need a safe, trusted, clean space to recover your environment,” he said. “That way, you can understand how the attack happened and be confident that your recovery is clean.”
The idea of the "clean room," or an isolated recovery environment, has become crucial to modern cyber resilience strategies.
AI vs. AI: A Weapon & a Defence
The conversation also addressed artificial intelligence (AI), both as a weapon and a defence. Woodcock noted that cybercriminals are already using AI to refine phishing campaigns, increase attack frequency, and add complexity to evade detection.
“They’re using AI to potentially improve the language in social engineering attacks or to raise the frequency of attacks,” he said.
However, defenders are also making progress. 11:11 Systems collaborates with technology partners like Veeam, Cohesity, and Zerto, all of whom invest heavily in AI for spotting anomalies and providing real-time threat visibility.
These tools can help organisations identify when an attack began and find the last known clean recovery point. “It helps them make quicker decisions,” Woodcock added. “They can make better choices by using AI to find the right recovery point.”
However, he also cautioned against thinking that technology alone will solve the problem. “Technology by itself isn’t enough. It always comes down to the maturity level and expertise within the business.”
Looking forward, Woodcock does not expect ransomware sophistication to slow down. Enterprises now face double extortion tactics—not just encrypted data but also threats of public exposure.
“It’s not just ransomware encrypting data,” he said. “There’s also this evolving threat of being told that data will be made public.”
In an era where attackers study your recovery plan before you implement it, resilience is about proof, not just documentation.
Takeaways
81% of IT leaders are overconfident in their recovery abilities.
Cyber recovery is complex and requires a robust plan.
Regular testing is essential for effective cyber recovery.
Organisations often overlook recovery strategies in favour of prevention.
AI is being used by cybercriminals to enhance attacks.
The frequency of cyber attacks is increasing.
Understanding application dependencies is crucial for recovery.
A clean recovery environment is necessary to avoid reinfection.
Decision-making during incidents can be time-consuming and impact recovery.
Building a strong security culture is vital for organisations.

Chapters
00:00 Introduction to Cyber Resilience
01:46 Understanding the Cyber Recovery Gap
07:17 Overconfidence in Cybersecurity
12:37 The Importance of Testing in Cyber Recovery
13:37 Multi-layered Approach to Cyber Recovery
17:17 Real-world Cyber Attack Examples
20:19 AI and the Future of Cybersecurity
24:00 Emerging Threats in Cybersecurity
26:31 Key Takeaways for IT Leaders

For more information, please visit em360tech.com and

Podcast series: The Security Strategist
Guest: Chip Witt, Principal Security Analyst at Radware
Host: Richard Stiennon, Chief Analyst Researcher at IT-Harvest
When attackers target modern enterprises, they don’t break in; they log in. This insight came from the recent episode of The Security Strategist Podcast, where host Richard Stiennon, a cybersecurity analyst and Chief Analyst Researcher at IT-Harvest, speaks to Chip Witt, Principal Security Analyst at Radware.
The conversation spotlights a critical issue faced by most enterprises – defending APIs as if they are just infrastructure while attackers exploit them as part of the business logic. That gap represents the real risk.
What’s the Core Misunderstanding with APIs?
As per Witt, enterprise teams often view APIs as technical plumbing instead of business products. Security programs focus on endpoints and authentication, believing that a locked front door means the house is safe.
However, the true risk lies deeper — in authorisation logic, identity sprawl, and how applications change over time. Modern development methods lead to constant API drift. New routes appear, fields change, and versions multiply. In many organisations, security leaders cannot confidently state which APIs are live in production. The uncertainty to many is theoretical, but in reality, it’s an operational risk.
Also Watch: How Do You Stop an Encrypted DDoS Attack? How to Overcome HTTPS Challenges
How are Enterprises Shifting Towards Intent-Aware Protection?
As enterprises speed up their use of serverless architectures, microservices, and AI-driven applications, API sprawl intensifies. With sprawl, the security model cannot remain unchanged while the application structure evolves.
According to Witt, the future of API security must be intent-aware. Protection should assess whether a sequence of calls makes sense within its context for the user, system, or resource initiating them. Simply confirming identity is not enough; security also needs to validate behaviour.
Zero trust principles have reshaped strategies for networks and identities. APIs now require similar scrutiny—not just at the perimeter, but within the workflow itself.
APIs are no longer just back-end connectors; instead, they are now the visible surface of the enterprise. The most concerning attacks are not brute-force attempts. Most distressing attacks, in fact, are authenticated actions carried out with malicious intent.
Organisations that continuously track their APIs, enforce strict authorisation, and identify workflow misuse in real time can significantly reduce their risk of breaches. More importantly, they can align security with the business pace. In today’s digital economy, APIs are the product.
Takeaways
APIs are your primary business attack surface, not back-end infrastructure.
Most damaging API attacks use valid credentials and exploit weak authorisation.
Visibility gaps and API drift quietly expand your exposure over time.
Machine-to-machine identities often carry excessive, unmonitored privileges.
Runtime, intent-aware detection is now essential to stopping business logic abuse.

Chapters
00:00 Introduction to API Security
02:04 Understanding API Misconceptions
04:49 Current API Threat Landscape
06:43 Business Logic Abuse in APIs
09:11 Challenges in API Security
12:03 Runtime Protection and Intent Detection
13:40 Key Takeaways for IT Decision Makers

For more information, please visit em360tech.com and radware.com
Follow: @EM360Tech on YouTube, LinkedIn and X
Radware YT: @radware
Radware LinkedIn: https://www.linkedin.com/company/radware/
Radware X: @radware
#APISecurity #BusinessLogicAbuse #AuthenticatedAttacks #RuntimeProtection #IntentAwareSecurity #Radware #Cybersecurity2026 #OWASP #BusinessLogic #ZeroTrust #TechPodcast #EnterpriseSecurity #IntentAwareProtection #TheSecurityStrategist #Cybersecurity

In an era where enterprise data sprawls across cloud platforms, collaboration tools, and SaaS environments, CISOs are under constant pressure to reduce risk without becoming the department that slows everything down. That tension sits at the heart of a recent episode of the Security Strategist, where host Jonathan Care speaks with Ariel Zamir, founder and CEO of Ray Security, about what pragmatic, modern data security actually looks like.
Their conversation cuts through the noise around cybersecurity tools and frameworks and focuses instead on how CISOs can think differently about enterprise data, risk management, and control.
Understanding Enterprise Data Risk Starts With Reality
One of the most grounded points Zamir makes is also the simplest, and that is, most enterprise data is not being used. At any given time, around 98 per cent of enterprise data sits dormant. From a data security perspective, that should immediately raise questions. Why is data that no one needs today exposed in the same way as data actively driving the business?
For CISOs, this reframes the challenge. Instead of trying to secure all data equally, the priority becomes understanding which data is actually accessed, by whom, and when. This shift matters because risk does not come from volume alone, but from unnecessary exposure. Dormant data with overly broad access control is often invisible to the business, yet highly visible to attackers.
By grounding cybersecurity decisions in how data is really used, security teams can reduce enterprise data risk without introducing friction for employees who are simply trying to do their jobs.
Permission Hygiene, Access Control, and Dynamic Security
A recurring theme in the discussion is permission hygiene. Over time, access rights accumulate. People change roles, projects end, contractors leave, but permissions rarely get cleaned up. The result is an expanding attack surface that no amount of policy documentation can realistically govern.
Zamir argues that improving permission hygiene and access monitoring should come before heavy data classification initiatives. Tightening access control, understanding access patterns, and removing unnecessary permissions can dramatically reduce risk with relatively low operational impact.
Crucially, this does not mean locking everything down. Dynamic controls play a key role here. Instead of blocking access by default, organisations can monitor for unusual behaviour and respond in context. Alerts, step-up verification, or temporary restrictions allow security teams to manage risk while preserving user experience. From a business perspective, this approach aligns far better with how work actually happens.
This is also where agentic AI and agentless monitoring enter the picture. As autonomous systems increasingly access data on behalf of users, traditional identity-based controls struggle to keep up. Agentless approaches help close coverage gaps without requiring intrusive deployments, while agentic AI introduces new questions about accountability and oversight that CISOs can no longer ignore.
Just-in-Time Classification and the Legal Implications of Automation
Traditional data classification has long been treated as a foundational security activity, but the podcast challenges that assumption. Classifying vast amounts of dormant data upfront is expensive, slow, and often disconnected from real risk. Instead, Zamir advocates for just-in-time classification, applying context only when data is accessed.
This approach supports more effective risk management while easing the burden on security teams. It also aligns better with regulatory expectations, where proportionality and intent increasingly matter.
However, automation and agentic AI introduce legal implications that CISOs must consider when developing their strategies. When autonomous agents access, move, or transform data, organisations need clarity on responsibility, auditability, and compliance. Dynamic controls and temporal insights into data access are not just technical safeguards; they are essential for demonstrating governance in an environment where human and machine actions intersect.
Taken together, the conversation highlights a more measured path forward. By focusing on how enterprise data is actually used, improving permission hygiene, and applying controls dynamically, CISOs can enhance data security without slowing down the business. It is less about adding more tools and more about making smarter, context-aware decisions in a landscape where risk is shaped by time, access, and intent.
For more information on this, visit: https://raysecurity.io/
Takeaways
Around 98 per cent of enterprise data sits idle, creating hidden security risks.
Focusing on data dormancy helps prioritise protection and reduce exposure.
Permission hygiene and dynamic controls reduce risk without slowing business workflows.
Just-in-time classification cuts overhead by securing data only when accessed.
Agentless monitoring and oversight of agentic AI improve coverage and accountability.
Legal and governance frameworks must evolve to handle autonomous data access.

Chapters
00:00 Introduction to Cybersecurity Challenges
01:38 Understanding Data Dormancy and Its Implications
05:10 Focusing on Critical Data for Security
08:21 The Importance of Permission Hygiene
10:53 Just-in-Time Classification for Data Security
12:28 Dynamic Controls for Business Needs
16:43 Agentless Monitoring and Coverage Gaps
19:32 Integrating Logs and APIs for Security
21:34 Future Trends in Cybersecurity

In an environment where cyber threats evolve faster than regulation, UK organisations are being asked to defend themselves with rules written for a different era. That tension sits at the centre of a recent episode of the Security Strategist, where host Trisha Pillay speaks with William Wright, Chief Executive Officer of Closed Door Security and Scotland’s first accredited (chartered) hacker. Their conversation moves beyond headlines and funding announcements to examine why, despite growing awareness and investment, both public and private sector organisations in the UK continue to be compromised.
The Biggest Cybersecurity Challenges Facing UK Organisations
As Wright explains, cybersecurity cannot be understood purely from policy documents or tooling dashboards. It has to be understood from the attacker’s point of view. From where he stands today, the UK cybersecurity landscape is marked by a growing gap between how organisations believe they are protected and how exposed they actually are.
One of the most persistent misconceptions Wright highlights is the belief that buying cybersecurity tools automatically makes an organisation secure. Too many businesses, he argues, rely on poorly implemented services or procure technology they don’t fully understand.
The result is a false sense of confidence. Organisations assume they are protected, but still fall victim to ransomware, business email compromise, and financial fraud. Often, the tools they’ve invested in are never properly tested, validated, or tuned to their environment.
Awareness is another issue. Despite constant media coverage of cyber attacks, cybersecurity is still not consistently treated as a board-level risk. When it remains a technical afterthought rather than an operational priority, organisations struggle to respond effectively when incidents occur.
Wright also challenges the idea of a simple “skills gap.” While much of the discussion focuses on a lack of junior talent, he argues the real problem sits at the top. Too many cybersecurity decisions are being made by individuals without deep, hands-on experience, particularly in senior or policy-shaping roles. This lack of expertise leads to misaligned strategies, both in organisations and in government.
The UK Government’s Cyber Action Plan
The UK government’s £210 million cyber action plan is, in Wright’s view, a welcome signal but not a solution. Any investment in cybersecurity is positive, yet the plan largely reflects practices the private sector has been using for years.
This creates a familiar pattern as the private sector absorbs the damage, while the public sector learns from it later. Economically, Wright argues, this approach is flawed. When businesses are repeatedly compromised, the impact extends far beyond individual organisations.
Legislation is another weak point. Cyber threats evolve daily, but laws move slowly. The Computer Misuse Act, for example, has not been meaningfully updated in over a decade. In a world of cloud computing, automation, and AI-driven attacks, this leaves the UK operating with outdated guardrails.
What Government Can Learn From Offensive Security
As the CEO of an offensive security firm, Wright sees the same pattern repeatedly that organisations are compromised using relatively unsophisticated methods. These are not advanced, state-of-the-art attacks. They are basic weaknesses that remain unaddressed. The problem, he suggests, is that policymakers are often advised by people who have never actively attacked real systems. This disconnect shows up in legislation and regulation that look sound on paper but fail in practice.
Other governments have taken a different approach. Bug bounty programmes, for example, allow ethical hackers to test government infrastructure and responsibly disclose vulnerabilities. These programmes force transparency and accountability. Despite this, the UK has been slow to adopt similar models.
Where Cyber Resilience Efforts Should Focus Next
Beyond legislation, Wright points to funding and enforcement as critical gaps. Many public sector organisations know where their risks are, but lack the budget to fix them. Meanwhile, regulatory bodies often lack the authority to enforce remediation.
Without both funding and enforcement, reports identifying serious vulnerabilities are filed away rather than acted upon. This cycle repeats until an attack forces emergency investment, which is often too late.
Emerging Threats Organisations Must Prepare For
Looking ahead, Wright identifies two major areas of concern. The first is the use of AI in cyber attacks. AI is not replacing attackers, but it is dramatically accelerating them. Tasks that once took hours can now be completed in minutes, shrinking the window for detection and response.
The second is technology supply chain risk. Attacks on widely used software tools can give attackers access to thousands of organisations at once. Past incidents involving widely trusted vendors show how devastating these compromises can be, particularly when they go unnoticed for long periods.
Despite the scale of the challenge, Wright’s advice is grounded and practical. Multi-factor authentication is non-negotiable. Organisations without MFA are, in his words, “sailing blind.”
He also urges businesses to validate their security investments. Spending heavily on defence while allocating minimal budget to testing is self-defeating. Security tools do not work perfectly out of the box, and penetration testing must go beyond surface-level assessments. Finally, Wright stresses the importance of depth. Black-box testing alone is not enough. Organisations need to assume breach scenarios and test how attackers move inside their environments, particularly through identity-based attacks such as phishing.
Takeaways
Cybersecurity is frequently mistaken for deploying tools, rather than managing risk.
Cyber risk must be treated as a board-level responsibility, not a technical afterthought.
The real cybersecurity skills gap exists at senior and decision-making levels.
Cyber legislation is largely reactive and struggles to keep pace with modern threats.
Bug bounty programmes can help governments identify weaknesses before attackers do.
Offensive security insight strengthens defensive strategy and decision-making.
Legacy systems can be secured when risks are properly understood and addressed.
AI is accelerating the scale and speed of cyber attacks, not replacing attackers.
Security investments must be validated through continuous testing and assurance.
Multi-factor authentication is a foundational requirement for modern cyber resilience.

Chapters
00:00 Introduction to Cybersecurity Landscape
02:56 William Wright's Journey in Cybersecurity
05:56 Current Cybersecurity Challenges in the UK
08:53 Evaluating the UK Government's Cyber Action Plan
12:03 The Impact of Legislation on Cybersecurity
15:01 Lessons from Offensive Security for Government
16:55 Notable Cybersecurity Breaches and Their Impacts
19:59 Future Focus: Improving Cyber Resilience
24:01 Emerging Cyber Threats: AI and Supply Chain Risks
27:48 Practical Advice for Organisations
31:05 Conclusion and Key Takeaways