The Security Strategist

Walk the floor of any security conference, and you'll hear the same story that AI is transforming threat detection, closing the vulnerability gap, and redefining cyber defence. But the data suggests security professionals aren't buying into the hype as much as vendors might expect.According to Oliver Spence, CEO of Cybaverse and a former Royal Marine, the cybersecurity industry has a marketing problem, and that problem is making organisations less secure. In this episode of the Security Strategist Podcast, Spencer sits down with Trisha Pillay to examine where security leaders are being misled, why buzzwords are replacing meaningful outcomes, and what organisations should be focusing on instead.Why AI Falls ShortResearch conducted with security professionals at Infosec Security found that 87 per cent of respondents believe AI increases risk rather than mitigates it. Six in ten said their organisation didn't have the resources to manage the threats AI introduces. These aren't the numbers of an industry confidently embracing a new era. They're the numbers of a sector that's been oversold.Spence puts it plainly: "There's a lot of money from VCs being pumped into cybersecurity, and cybersecurity does marketing extremely well. Which means people end up buying tools. And quite often, tools are purchased, and they barely make it out of the onboarding phase." The hype, in other words, is moving faster than reality, and security leaders are paying the price.What the Mythos Release Actually Taught UsTo understand where AI hype collides hardest with security reality, look at what happened with Mythos. The frontier AI model was made available to a limited group of organisations through Anthropic's Project Glasswing initially around 12 companies, including Microsoft and CrowdStrike, and later expanded to more security businesses. The intent was to test and validate a security-focused AI capability at the highest level.Within 24 to 48 hours of Fable's release, the security solution built on Mythos was being released, and someone had already found a prompt that bypassed its controls. Shortly after, the US government restricted access to the model for organisations outside the United States.For Spence, the lesson isn't that AI is useless. It's that the hype around AI security outpaces what even the best-resourced organisations can actually control."If the top security companies in the world, dedicated to testing and securing these AI frameworks, still haven't been able to secure it, how does a smaller mid-market business take on that security challenge?"His answer cuts against the grain of most vendor messaging that nothing about AI development, including Mythos, has actually changed what organisations should be doing. "If you look at the NCSC's top ten steps, it's all about fundamentals. And if you have those right, you will still be secure from AI-driven attacks." That's not a comfortable message for vendors selling AI-native security platforms, but it's the one the data supports.Where Security Leaders Are Getting It WrongThe most common mistake Spence sees is organisations acquiring tools in response to fear rather than strategy. AI marketing is particularly effective at generating that fear, which is exactly why the cycle keeps repeating."There's a culture that a product is just going to do everything for you and save your bacon in a time of issues. The magic fairy dust of: buy this product and it solves all your problems."The result is tool sprawl at a scale most boards don't realise. The average mid-market company runs between 30 and 40 security products. Enterprise organisations frequently exceed 80 or 90. And yet breaches persist. Operational complexity grows. Security teams burn out managing tools rather than managing threats.Six in ten security professionals surveyed said AI hype was pushing them to fixate on the volume of vulnerabilities rather than how to manage them. That's a direct consequence of marketing designed to create urgency, and it's causing leaders to make reactive purchasing decisions instead of strategic ones.The fix isn't complicated, but it requires discipline: define the outcome you need to achieve before you look at a single product. "What is the outcome that we need to achieve as a business? Make sure you have those written down. Then look at which tool maps to solving those outcomes." Tool mapping, not tool accumulation, is what an effective security strategy looks like.The Vulnerability Volume TrapOne of the clearest examples of hype distorting reality is how organisations are handling vulnerability management or failing to. AI has made vulnerability discovery faster and more accessible, both for defenders and attackers. The next wave of AI-enabled attacks, beyond the phishing use cases that became widespread first, is exploitation at scale. AI scanning infrastructure for gaps faster than human teams can identify and close them. That's a real threat but the response many organisations have is to treat every vulnerability finding as equally urgent, which is where the hype machine takes over.Spence gives a concrete example: a vulnerability scanner might flag four instances of an outdated version of Chrome as four separate critical findings. Teams see four criticals. Boards panic. In reality, there's one action update Chrome. The noise generated by poorly configured tools inflates urgency and slows down the teams trying to respond."People can get so overwhelmed and go, there's so much to do here, it's going to be impossible. But it's about putting a system and structure in place to deal with it. It doesn't matter whether it's one vulnerability or a thousand; it's the same process."A healthcare client Spence worked with had a board furious at the IT team over the volume of critical vulnerabilities appearing in reports. The team hadn't done anything wrong. They'd simply never run structured vulnerability management before, so when they started, everything surfaced at once. The fix wasn't faster patching, it was building a process: identify assets, prioritise by actual business risk, remediate in order, track progress. Once the board understood they were closing gaps rather than chasing an impossible zero, the relationship between leadership and the security team stabilised.Patch management isn't a solved problem. For businesses running tens of thousands of endpoints with hundreds of applications across their estate, keeping up with remediation at scale is genuinely hard. AI-driven discovery doesn't solve that it amplifies the pressure if there's no management system underneath it.How to Evaluate AI Security Claims Given the pace of AI development and the volume of vendor claims, security leaders need a practical filter. Spence's is straightforward with his sentiments like does this address a specific outcome your organisation has already identified as a gap?Not "does this solve the broad threat category of AI-driven attacks." Not "does this give us AI-powered detection." But specifically, does this map to something we know we need to fix in our environment?The same filter applies to internal AI adoption. Two questions should come before anything else: what business risk are you accepting by giving AI agents access to your data, and is that access read-only, or can the agent execute actions? The risk profile of those two scenarios is dramatically different, and most organisations haven't explicitly defined which one they're operating under.What Security Leaders Should Do DifferentlyThe practical takeaways from Spence's position are less about new tools and more about clearer thinking:Lead with outcomes, not products. Define what your organisation needs to achieve before engaging with any vendor. Map tools to outcomes, not the other way around.Treat vulnerability volume as noise, not signal. Build a prioritisation and remediation process. A thousand vulnerabilities managed systematically is less dangerous than ten vulnerabilities with no process behind them.Ask the data access question first. Before any AI deployment, define what it can access and whether it can act on that access. That decision shapes your entire risk profile.Consolidate rather than accumulate. The industry is moving toward fewer, better-integrated tools for good reason. Thirty security products that no one fully configures is not a security strategy.Stay on the fundamentals. AI hasn't invalidated the NCSC's core steps. If anything, AI-driven threats make...

AI isn’t introducing entirely new cyber threats, but it is changing how easily they can be executed, and by whom. In this episode of Security Strategist, EM360Tech host Trisha Pillay speaks with Darren Anstee, Chief Technology Officer for Security at NETSCOUT, about how conversational AI is lowering the barrier to entry for cyberattacks. Drawing on real-world telemetry from thousands of enterprises and service providers, Anstee outlines how the threat landscape is shifting not through new attack types, but through scale, speed, and accessibility. At the centre of that shift are two forces, in his words, simplification and automation.How AI is Changing Cyber AttacksFrom a Distributed Denial-of-Service (DDoS) perspective, Anstee says, “AI isn’t creating fundamentally new attack vectors. Instead, it’s making existing ones easier to execute”. Historically, launching a sophisticated attack required time, expertise, and intent. Attackers would need to scan a target, identify vulnerabilities, select the right attack vectors, and continuously adapt based on how defences responded. That process demanded both technical knowledge and active decision-making. Now, much of that can be abstracted away.As a result, conversational interfaces are increasingly being integrated into attack tools, allowing users to issue simple, natural language instructions. Behind the scenes, those tools can run reconnaissance, analyse results, select attack methods, and even adapt in real time if defences respond. As Anstee puts it, “the whole need for there being any knowledge in the seat has gone away.” The result is not necessarily more advanced attackers, but more attackers capable of attempting advanced techniques.The Democratisation of Cyber AttacksThis shift has direct implications for enterprise risk. As sophisticated capabilities become more accessible, the volume and distribution of attacks change. Organisations that were previously unlikely targets are now within scope, not because they are high-value, but because they are reachable.Anstee points to a growing trend, and that is attackers moving beyond heavily defended primary targets and focusing on secondary organisations within the digital supply chain. Suppliers, service providers, and partners often present a weaker entry point, while still offering indirect access to larger ecosystems. In practical terms, this expands the attack surface.It also exposes a gap in how many organisations think about risk. Dependencies are not always fully mapped, and the resilience of third-party services is often assumed rather than verified. When those dependencies fail, be it through DDoS disruption or another incident, the impact can cascade quickly. What’s changing is not just who gets targeted, but how risk propagates across interconnected systems. This shift is being accelerated by automation.Automation and Efficiency in CybercrimeAutomation is what turns accessibility into scale. The steps involved in launching an attack, reconnaissance, analysis, execution, and adaptation, can be structured as decision trees. AI systems can follow those paths quickly and consistently, removing the need for manual intervention at each stage. This has two consequences. First, it increases the frequency of attacks. More actors can launch them, and they can do so with less effort. Second, it compresses response time. Attacks can adapt dynamically, forcing defenders to react faster and with greater precision.For many organisations, this exposes a mismatch between perceived and actual readiness. As Anstee notes, having defensive tools in place is not the same as knowing how they perform under real conditions. Firewalls and baseline protections may handle simple attacks, but they are often insufficient against multi-vector, adaptive threats. This is where his emphasis on certainty becomes critical.Confidence—based on vendor claims or assumed coverage is not enough. Organisations need real visibility into how their defences behave in practice, across environments, and under pressure. Without that, decision-making is based on assumptions rather than evidence. In a landscape shaped by automation, that gap becomes harder to sustain.For more information, visit netscout.comTakeawaysAI is simplifying and automating cyber attacks, making them accessible to a broader range of attackersEnterprises must reassess their risk management strategies The cost of cybersecurity is likely to rise as organisations enhance their defencesAI's impact on cyber attack sophisticationDemocratisation of attack capabilitiesAutomation in attack executionSupply chain vulnerabilities and third-party risksCertainty vs. confidence in cybersecurity decision-making Chapters00:00 Introduction to Cybersecurity and AI02:28 The Evolving Threat Landscape06:36 Automation and Cost Implications of AI in Cybercrime11:20 AI's Role in Existing and New Attack Vectors13:36 Understanding Supply Chain Risks17:25 The Importance of Certainty Over Confidence20:33 Strategic Actions for C-Suite Leaders

Podcast: The Security StrategistHost: Richard Stiennon, Chief Research Analyst at IT-HarvestGuest: Michael Kennedy, Ostra Security FounderFor leaders in enterprise technology, the pressure to show measurable cybersecurity outcomes has never been greater. Boards are asking tougher questions, attackers are moving faster, and conventional security awareness metrics aren’t telling the whole story.In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, is joined by Ostra Security Founder Michael Kennedy, who pointed out a growing gap in how enterprises measure success. Despite years of investment in phishing training and user awareness, breaches keep happening—not because employees are failing on a large scale, but because enterprise systems aren’t designed to handle inevitable mistakes.For CIOs, CISOs, and CTOs, this signals a major transition toward outcome-based security.Why Traditional Security Awareness Metrics Fall ShortPhishing simulations, reduced click rates, and increased reporting are often seen as proof of a strong cybersecurity strategy. The metrics are easy to track, too.However, as Kennedy notes, they provide limited insight into actual risk reduction. Even the most effective awareness programs leave some room for error. In reality, attackers only need one successful attempt to gain access. “If one gets through, that’s enough,” Kennedy suggests, highlighting a truth most security leaders understand but find difficult to measure.What these metrics don’t capture is the downstream impact of that failure.Two identical phishing attacks can lead to vastly different results depending on the enterprise security setup. In one situation, the threat is neutralised quickly. In another, it escalates into lateral movement, credential theft, or ransomware deployment. For enterprise settings, this gap reveals a basic problem – user-focused metrics assess behaviour.What Outcome-Based Cybersecurity Looks Like?The more effective approach, Kennedy argues, is to frame cybersecurity around engineering outcomes instead of user behaviour.This means evaluating how well systems perform during attacks—not how well users avoid making mistakes.The key markers of a strong enterprise cybersecurity strategy include how quickly threats are detected, how effectively security teams respond, and how well incidents are contained before they spread. These operational metrics give a clearer view of real-world readiness.This shift lines up with the growing adoption of zero trust architectures, extended detection and response (XDR), and AI-driven security operations. All these frameworks focus on containment, visibility, and fast responses rather than the unrealistic goal of perfect user behaviour.It also changes how breaches are examined. High-profile incidents are often simplified to stories about weak passwords or phishing clicks, while the more vital question—why controls failed to limit the impact—gets overlooked.For enterprise buyers and decision-makers, this can lead to misaligned investments, over-prioritising awareness training while underfunding detection engineering, identity controls, and network segmentation.Why is it Necessary to Create a No-Blame Culture?While the focus shifts away from blaming users, Kennedy emphasises that people still play a vital role in enterprise cybersecurity—just not in the way many enterprises think.In enterprise environments where employees fear blame, reporting delays are common. Suspicious emails go unreported, incidents remain unnoticed longer, and response times increase.In contrast, organisations that create a no-blame security culture see users acting as an extension of their detection capabilities. Employees who feel safe reporting anomalies can identify threats earlier, often before automated systems escalate them.This cultural change has measurable operational benefits. Faster reporting reduces dwell time, limits damage, and improves overall incident response effectiveness.Some enterprises are formalising this approach through internal collaboration platforms, enabling real-time threat sharing across teams. In doing so, they turn their workforce into a distributed security layer—one that complements, rather than replaces, technical controls.The enterprises that succeed in this next phase of cybersecurity maturity will be those that move beyond the “human error” narrative and embrace a truly outcome-based approach to security engineering.Because in modern enterprise environments, the question is no longer who clicked—it’s how well the system absorbed the impact.Key TakeawaysCybersecurity failures are system design issues—not user mistakes.Click-rate metrics are misleadingReal success is measured by containment speed and impact reduction.Strong security culture encourages users to report threats without fear of blame.Engineering outcomes (like detection speed and blast radius control) matter more than user behaviour metrics.AI is reshaping both attacks and defence, making faster, smarter response capabilities essential.Chapters00:00 Introduction to Cybersecurity's Human Element03:15 Reevaluating User Responsibility in Cybersecurity06:44 Creating a Culture of Reporting09:25 Measuring Security Outcomes Beyond Click Rates12:05 The Role of AI in Cybersecurity15:06 Adapting to Evolving Threats17:44 Key Takeaways for Decision MakersFor more information, please visit em360tech.com and ostrasecurity.com.Follow: EM360Tech YouTube: @enterprisemanagement360EM360Tech LinkedIn: @EM360TechEM360Tech X: @EM360TechOstra LinkedIn: Ostra SecurityOstra X: @ostra_securityOstra YouTube: @OstraCybersecurity#Cybersecurity #CISO #EnterpriseSecurity #OutcomeBasedSecurity #SecurityMetrics #Phishing #ZeroTrust #AIinSecurity #NoBlameCulture #SecurityStrategist #OstraSecurity

Podcast series: The Security StrategistGuest: Sam Woodcock, Senior Director of Solutions Architecture at 11:11 SystemsHost: Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360TechIn the recent episode of The Security Strategist podcast, host Shubhangi Dua, Podcast Producer and B2B Tech Journalist at EM360Tech, spoke with Sam Woodcock, Senior Director of Solutions Architecture at 11:11 Systems. They discussed what he sees as one of the biggest issues in cybersecurity today: the gap between confidence and ability.Their conversation, based on findings from the company’s latest global survey, revealed a troubling fact. While 81 per cent of IT leaders believe they are ready to recover from a cyberattack, many have already faced serious incidents, sometimes more than once a year.Woodcock pointed out that this confidence can be misleading. “If you think about your cyber recovery planning, it often looks strong on paper,” he said. “That can create a false sense of security because cyber recovery is very complex.”Analyst Read: Forensic Recovery Is Central to Cyber Resilience Cyber Recovery is Not FixedWoodcock explained that many organisations confuse documented plans with actual readiness. Cyber recovery is not fixed; it must change with the infrastructure, applications, and threats.“Change is the only constant in this industry,” he noted. “Things are shifting daily and weekly. What you had in place today can quickly become outdated.”Testing often suffers from time and budget constraints. Many companies test just once a year, if at all. Woodcock advises that quarterly testing should be the minimum.“You’d rather find those issues now instead of during a real ransomware incident.”The costs of misplaced confidence are high, such as prolonged downtime, growing financial losses, regulatory fines, and damage to reputation. Some survey participants reported recovery times of one to two weeks, while others took over a month.The more alarming truth is the risk of getting reinfected. “Enterprises might recover from the first outage and then be hit again,” Woodcock warned. “That extends the recovery time and increases the risk and damage.”How Modern Attackers Hack?One of the most revealing points from the discussion was how modern attackers operate once they gain access. A common way in is through VPN flaws and social engineering. “One of the first things they will do is examine existing documentation within your organisation to understand your recovery strategy,” Woodcock tells Dua. “They’ll look at your company’s cyber incident recovery planning document.”Attackers often target backup systems directly to wipe out recovery options before launching ransomware.In one case, Woodcock mentioned, a company’s local backup systems were compromised. Luckily, they had maintained immutable cloud backups, allowing them to recover even after the primary backup environment was breached.In other cases, entire primary environments were taken offline, forcing organisations to switch to secondary, isolated environments.“You need a safe, trusted, clean space to recover your environment,” he said. “That way, you can understand how the attack happened and be confident that your recovery is clean.”The idea of the "clean room," or an isolated recovery environment, has become crucial to modern cyber resilience strategies.AI vs. AI: A Weapon &amp; a DefenceThe conversation also addressed artificial intelligence (AI), both as a weapon and a defence. Woodcock noted that cybercriminals are already using AI to refine phishing campaigns, increase attack frequency, and add complexity to evade detection.“They’re using AI to potentially improve the language in social engineering attacks or to raise the frequency of attacks,” he said.However, defenders are also making progress. 11:11 Systems collaborates with technology partners like Veeam, Cohesity, and Zerto, all of whom invest heavily in AI for spotting anomalies and providing real-time threat visibility.These tools can help organisations identify when an attack began and find the last known clean recovery point. “It helps them make quicker decisions,” Woodcock added. “They can make better choices by using AI to find the right recovery point.”However, he also cautioned against thinking that technology alone will solve the problem. “Technology by itself isn’t enough. It always comes down to the maturity level and expertise within the business.”Looking forward, Woodcock does not expect ransomware sophistication to slow down. Enterprises now face double extortion tactics—not just encrypted data but also threats of public exposure.“It’s not just ransomware encrypting data,” he said. “There’s also this evolving threat of being told that data will be made public.”In an era where attackers study your recovery plan before you implement it, resilience is about proof, not just documentation.Takeaways81% of IT leaders are overconfident in their recovery abilities.Cyber recovery is complex and requires a robust plan.Regular testing is essential for effective cyber recovery.Organisations often overlook recovery strategies in favour of prevention.AI is being used by cybercriminals to enhance attacks.The frequency of cyber attacks is increasing.Understanding application dependencies is crucial for recovery.A clean recovery environment is necessary to avoid reinfection.Decision-making during incidents can be time-consuming and impact recovery.Building a strong security culture is vital for organisations.Chapters00:00 Introduction to Cyber Resilience01:46 Understanding the Cyber Recovery Gap07:17 Overconfidence in Cybersecurity12:37 The Importance of Testing in Cyber Recovery13:37 Multi-layered Approach to Cyber Recovery17:17 Real-world Cyber Attack Examples20:19 AI and the Future of Cybersecurity24:00 Emerging Threats in Cybersecurity26:31 Key Takeaways for IT LeadersFor more information, please visit em360tech.com and <a href="http://1111systems.com/" rel="noopener noreferrer"...