Security Insights
securityinsights
100 episodes
4 days ago
A podcast that takes a deeper look at today’s most important issues in cyber security, and beyond.
Technology
All content for Security Insights is the property of securityinsights and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/100)
Security Insights
Ukraine, cyberwar and CNI
Critical infrastructure is on the front line of the war in Ukraine. And as the conflict approaches its fourth year, there is little sign of that changing. Strikes against infrastructure, though, are only part of the picture. Since Russia’s full-scale invasion, and even before, Ukraine’s defenders have waged an equally intense, but less visible, cyber war. What lessons can we draw from Ukraine’s experience? And how can states and businesses protect their critical national infrastructure during war and conflict? And how do the public and private sector deal with the prospect of both kinetic and cyber threats? We discuss this with Mihoko Matsubara, author, associate fellow at the International Institute of Strategic Studies and chief cybersecurity strategist at NTT Corporation.
4 days ago
29 minutes

Security Insights
Bug bounties: risks and rewards
A growing number of organisations now offer "bug bounties", paying hackers or security researchers rewards for finding vulnerabilities. But how do these programmes operate, and how do CISOs ensure that they are run ethically? What are the risks of inviting researchers to hack your organisation? How do bug bounties stack up against other methods of security testing? And what are the benefits to security researchers themselves, as the programmes cannot work without hackers? We cover the pros and cons of bug bounties with Ottilia Westerlund, hacker engagement manager at bug bounty platform Intigriti, and herself a former software engineer and published security researcher.
2 weeks ago
29 minutes

Security Insights
DDoS, geopolitics and AI
DDoS – or distributed denial of service attacks – remain a serious source of disruption across the internet. DDoS attacks continue to grow in their frequency and volume. And increasingly, they’re aligned to geopolitical events. One driver is sites offering “DDoS for hire”. The groups behind these sites even offer DDoS-as-a-service attacks for free. But cybercrime groups are making use of AI too. This is leading to what researchers at NETSCOUT describe as a “digital battlefield”, with DDoS attacks overwhelming underprepared defenders. Our guest is Richard Hummel, director of threat intelligence at NETSCOUT.
1 month ago
29 minutes

Security Insights
Cyber skills: a crisis of our own making?
Is cybersecurity's skills crisis one of its own making? And why have initiatives to close the skills gap made relatively little impact? In this episode, our guests Thom Langford, of Rapid7, and Lee Munson, of the ISF, discuss career changes, hiring practices, certifications and what needs to change with editor Stephen Pritchard.
1 month ago
29 minutes

Security Insights
Defending education: countering the cyber threat
Education is increasingly in the crosshairs for malicious actors. Along with other public sector bodies, schools, colleges and universities are being targeted for the information they hold, as well as for extortion and ransom. What, then, can leaders in the sector do to bolster their defences, especially when budgets are under pressure? Our guest is Joe Rooke, director of risk insights at Recorded Future’s Insikt Group.
1 month ago
29 minutes

Security Insights
Vulnerabilities, CVEs and the attack surface
In this episode, we discuss whether vulnerability scores are still a viable tool when it comes to measuring cyber threats. Both CVEs and CVSS are core security tools. But, our guest this week argues, they are often misused. In a worst case scenario, they add little to effective defence, and can divert security teams from the real threats. Tod Beardsley is VP of security research at runZero, is on the board of the CVE Project, and is a former official at CISA.
2 months ago
31 minutes 7 seconds

Security Insights
Human risk factors: cybersecurity's weak spot
More than three quarters of security breaches result from human behaviour. But as an industry, we focus far more on technical security measures than on the human element. Human risk management sets out to change this. Its proponents argue that by measuring what people do on networks and systems, we create a much clearer picture of risk. In fact, they say, the risks posed by people should be on the business' risk register. And it's only with that picture that we can implement the controls, and measures such as security awareness and training. But human risk management goes far beyond anti-phishing campaigns. Our guest is Ashley Rose, co-founder and CEO of Living Security. With a background in both marketing and psychology, she’s setting out to help organisations move away from focusing on devices, and to a human-centric view of security.
2 months ago
29 minutes 55 seconds

Security Insights
AI, Testing and Red Teaming, with Peter Garraghan
Artificial intelligence is often described as a "black box". We can see what we put in, and what comes out. But not how the model comes to its results. And, unlike conventional software, large language models are non-deterministic. The same inputs can produce different results. This makes it hard to secure AI systems, and to assure their users that they are secure. There is already growing evidence that malicious actors are using AI to find vulnerabilities, carry out reconnaissance, and fine-tune their attacks. But the risks posed by AI systems themselves could be even greater. Our guest this week has set out to secure AI, by developing red team testing methods that take into account both the nature of AI, and the unique risks it poses. Peter Garraghan is professor at Lancaster University, and founder and CEO at Mindgard. Interview by Stephen Pritchard
3 months ago
29 minutes 55 seconds

Security Insights
Non-human identities: the rise of the machines
Non-human identities now vastly outnumber human actors on the internet, perhaps by as many as 50 to one. APIs, online devices and service calls now dominate internet traffic, and access requests. And this is only set to increase, with the rise of AI and AI agents. Could we even see "robot wars" as AI agents take on AI defenders? A lack of visibility, and a lack of control over machine identities is not just putting systems and networks at risk. It is changing the whole concept of identity. Now, it's no longer a question of who has access to our systems and data, but what. And the consequences for cybersecurity are far reaching. Our guest is Art Gilliland, CEO at Delinea. Interview by Stephen Pritchard
4 months ago
29 minutes 20 seconds

Security Insights
Balancing risk and security: Rich Seiersen
Managing cybersecurity is increasingly about managing risk. It's not possible to stop every attack or prevent every breach. So CISOs need to link the likelihood and impact of an incident to the damage it does to the organisation. But do security teams understand business risk? And do business leaders fully appreciate the threat from cyber attacks? Our guest is Richard Seiersen, chief risk technology officer at Qualys, as well as a researcher, author, entrepreneur and former CISO.
4 months ago
29 minutes 55 seconds

Security Insights
Cyber Security Foundations: security by the book
Can a book hold the answers to our cybersecurity challenges? Perhaps not. But a new book from the Information Security Group at Royal Holloway, University of London, sets out to act as a primer on cybersecurity. The target audience is both those setting out on a career in the sector, and general readers who want to understand the core principles of cybersecurity. The book is called Cyber Security Foundations: Fundamentals, Technology and Society, published by Kogan Page. In this episode, we ask three of its authors how it came into being, and how a written text can keep pace with a fast-changing security landscape.
5 months ago
35 minutes 25 seconds

Security Insights
Verizon's DBIR: tracking security threats
Verizon's Data Breach Investigations Report is one of the longest-running research studies in the industry. This year's report is the 18th and tracks over 20,000 incidents and 12,000 breaches. What changes are we seeing, and what can CISOs learn from the data? Our guest is Ashish Khanna, who runs the security solutions and consulting practice at Verizon Business. Interview by Stephen Pritchard
5 months ago
29 minutes 55 seconds

Security Insights
Beyond the Titanic: Cybersecurity in Northern Ireland
In this episode, we look at the growth of the cybersecurity industry in Northern Ireland. What are the reasons for its success, and why does cyber play an important part in Northern Ireland's post-industrial future? And why should CISOs look there for a source of talent? Our guest is Simon Whittaker, chair of the steering committee for NI Cyber, and CEO of Vertical Structure, now part of Instil.
5 months ago
29 minutes 55 seconds

Security Insights
CISO Interview: Mandy Andress, Elastic
Our guest this week is Mandy Andress, CISO at Elastic. Elastic describes itself as a “search AI company”, and is very much at the forefront of modernising enterprise technology. A host of businesses use Elastic's tools behind the scenes to manage their data, for security and, of course, for AI. As CISO, Mandy Andress has the dual responsibilities of keeping Elastic secure, and advising customers on security. In this CISO interview, we hear about her route into cybersecurity and the pressures of dealing with the increasing intensity, or velocity, of cyber attacks. And we discuss why CISOs need to be more aware than ever of their role in providing security not just within their own organisations but across national infrastructure, and the wider economy.
6 months ago
29 minutes 35 seconds

Security Insights
Insights Interview: Claudia Natanson, UK Cyber Security Council
Dr Claudia Natanson is CEO at the UK Cyber Security Council. The Council, which is funded by the Government's Department for Science, Innovation and Technology, acts as an umbrella body for a range of professional bodies in cybersecurity. It is the organisation behind chartered status for cybersecurity professionals, sets standards and publishes an ethics code, and acts as a voice of the industry: quite a broad mission for an organisation that is only a few years old. The Council is, though, very well placed to assess the health of the cybersecurity industry across the UK. And, as Dr Natanson says, it faces a number of challenges, including recruitment, retention, diversity, and ensuring organisations understand what they need from their cybersecurity teams. But what, exactly, does pouring the perfect pint of Guinness have to do with a successful career in cyber? Interview by Stephen Pritchard
6 months ago
29 minutes 55 seconds

Security Insights
Episode 125: Insights Interview, with James Bore
Our guest for the 125th episode of Security Insights is James Bore. A well-known industry figure and speaker on cybersecurity, James runs the family consultancy firm Bores. He's also an author, book publisher, cyber skills trainer and volunteer. In this Insights Interview, he shares his forthright -- and sometimes controversial -- views on the way forward for cybersecurity, with editor Stephen Pritchard. Does cybersecurity blame the victim? What is the relationship between trust and security? And why is investment in security sometimes a bad thing?  
7 months ago
29 minutes 55 seconds

Security Insights
Why CISOs quit: cyber's leadership crisis
Are CISOs leaving the industry in droves? One survey suggests that as many as one in four senior cybersecurity leaders plans to leave the profession. The causes include growing responsibilities, increasingly severe threats and ever-greater regulatory burdens. The result is stress and burn out, with CISOs constantly fighting fires. As one of our guests says, CISOs suffer from an "invisibility of success". So what can we do? The first step is to recognise the problem; the second is to help CISOs build both organisational and individual resilience. Our guests are Darren Williams, founder and CEO of BlackFog, which commissioned the research, and Peter Coroneos, founder of mental health not for profit Cybermindz.
7 months ago
29 minutes 55 seconds

Security Insights
Stress testing cyber defences
How far should you push security tests? Sometimes, the answer is "to the limit". In this episode we look at stress testing in cybersecurity. Putting systems under pressure is the only true way to check that they will work, as intended, during a cyber attack. But how does stress testing differ from pentesting and cyber exercises? How far is too far, and how do security teams capture the right lessons from the testing process? Our guests are Chris McKean, solutions specialist at NetApp, and Simon Edwards, founder and CEO at SE Labs.
8 months ago
29 minutes 55 seconds

Security Insights
Fighting Ransomware, with Raj Samani
Ransomware remains one of the greatest cyber threats to organisations. Certainly, it is the threat at the top of most boards' agendas. The reasons are clear enough: ransomware damages reputations, as well as the balance sheet. In the worst case scenario, a business might never recover from an attack. And ransomware itself is becoming more sophisticated, and so more dangerous. Groups have moved on from simple phishing and RDP attacks to exploiting zero days. And they are as likely to threaten to release confidential information, as they are to encrypt it. As our guest suggests, ransomware has moved from an attack on availability to an attack on confidentiality. When it comes to advising on the ransomware threat, few are better placed than Raj Samani. Senior vice president and chief scientist at Rapid7, Raj is also chief innovation officer at the Cloud Security Alliance, a special adviser at the European Cybercrime Centre and a co-founder of No More Ransom. Here he discusses the changing ransomware threat, and how organisations should act when they are attacked, with Stephen Pritchard.
8 months ago
32 minutes 35 seconds

Security Insights
The eye of the storm: dealing with a cyber crisis
What happens when a cyber attack hits? What is it like to be in the eye of the storm, and how can security teams prepare? A cyber attack is inevitably a highly stressful situation for everyone involved. But planning and exercising go a long way to at least manage that stress. Our guest for this episode is Dan Potter, senior director for resilience and cyber drills at Immersive Labs. He also has over 15 years' experience working in resilience in the financial services sector. As he says, no playbook or incident response plan will be fully effective, unless the business takes the time to test it - and learn the lessons from the exercises they run.
9 months ago
29 minutes 55 seconds
