What happens when there are 100 machine identities for every human one in your organisation? This is not a prediction for the future. It is the world we are already operating in, and the implications are profound.

In this episode of Business of Cybersecurity, I speak with David Higgins, Senior Director at CyberArk, about how AI agents, autonomous systems, and the sheer scale of machine credentials in the enterprise are reshaping identity security. We discuss why password reuse, unsecured personal devices, and skipped updates remain stubbornly common even though awareness training has been around for decades. David explains that the issue is rarely laziness. Instead, it is often a lack of secure and practical alternatives that still fit the way people work.

We dig into how phishing and social engineering tactics have evolved, with AI enabling deepfake audio and video that can pass casual inspection, and how attackers are increasingly bypassing tech-savvy users entirely by targeting helpdesks and third-party support teams. We also look at the commoditisation of stolen credentials and why buying access on the dark web can now be easier than running a phishing campaign.

A major theme in our conversation is the role of culture in security. David challenges the outdated idea that humans are always the weakest link, arguing instead for a more collaborative approach that blends security objectives with user experience. We explore strategies like adaptive authentication, behavioural context analysis, and just-in-time privilege models that reduce risk without slowing down legitimate work.

The discussion then turns to the identity challenges created by agentic AI. These are AI-driven systems that can interpret goals, adapt, and communicate directly with other AI agents and human colleagues. Unlike traditional machine identities, their behaviour changes over time, creating an entirely new category of security risk. David outlines how organisations can begin to secure these identities now, rather than deferring the problem until it becomes unmanageable.

By the end of this episode, you will have a clear view of why identity-first security is essential in a machine-dominated environment, what practical steps can be taken to close gaps without adding unnecessary friction, and why aligning identity strategy with your organisation’s digital roadmap is no longer optional.

In this episode, I sat down with Mike Britton, CIO at Abnormal AI to explore the increasingly urgent overlap between AI governance and cybersecurity. With AI accelerating faster than regulation, and attackers already using these tools for harm, Mike offers a pragmatic take on what needs to happen next.

We dig into the realities of regulating AI in a fragmented world, drawing comparisons between Europe’s application-based approach and the US’s patchwork of state-level initiatives. Mike shares why he believes regulation should focus on context and application, not just model size, and why human oversight must stay part of the loop.

We also cover:

• How Abnormal uses behavioral AI to catch phishing and email attacks before they hit inboxes
• Why sandboxes and risk-based regulation can protect innovation without losing control
• The threat of over-regulation pushing innovation toward regimes with fewer ethical safeguards
• The challenge of navigating AI vendors at security events, where almost everyone claims AI capabilities
• The real-world risks of AI bias, misuse, and geopolitical influence in open-source models

Mike also shares practical guidance for CIOs and CISOs on model validation, audit trails, kill switches, and how to distinguish genuine AI value from marketing spin.

🧠 One key takeaway: Attackers are already using AI. If security teams don’t fight fire with fire, they’re at risk of falling behind.

🔗 For more, check out abnormal.ai or connect with Mike on LinkedIn.

In this episode of The Business of Cybersecurity, I’m joined by John Queally, Senior Director of Revenue Operations at Clari, for a conversation that goes far beyond spreadsheets and pipeline forecasts. We explore why RevOps has become mission-critical for cybersecurity firms facing escalating threats, intense market pressure, and growing expectations around AI.

John unpacks how cybersecurity leaders from Okta to Fortinet are rethinking the entire revenue engine to fund innovation, reduce friction, and stay ahead of attackers. We discuss the growing gap between AI ambition and data reality, and why 67% of revenue leaders are not trusting their data should be a wake-up call for anyone betting big on automation.

From real-time prospecting and clean data infrastructure to unified cross-departmental collaboration, this is a masterclass in how operational strategy, not just security tooling, is shaping the future of cyber resilience.

John also shares what it really takes to unify go-to-market teams, how RevOps is shifting from reactive reporting to proactive insight, and why the most powerful transformation starts with the "unsexy" work of cleaning up your data stack.

If you’ve ever underestimated the role of RevOps in a tech-driven industry or dismissed data hygiene as someone else’s problem, this conversation will change your mind.

🎧 Listen in to learn:

• Why AI can’t fix broken data
• How cybersecurity firms are aligning ops, sales, and customer success in real time
• What separates high-growth companies from those stuck debating dashboards

Visit Clari.com to learn more about the work John and his team are doing, or connect with him directly on LinkedIn.

Ask ChatGPT

In this episode of The Business of Cybersecurity, I’m joined by Christian Reilly, Field CTO for EMEA at Cloudflare, to unpack what real-world cyber resilience looks like across industries and what’s holding many organisations back. From legacy systems in healthcare and education to cloud-native agility in gaming and fintech, Christian explains why some sectors are better prepared for modern cyber threats and what the rest can learn from them.

We explore the power of simplicity in cybersecurity strategy, the shift toward zero trust, and the cultural importance of treating employee training as a relentless, personal mission rather than a compliance checkbox. Christian also shares sharp insights on the growing risks posed by AI and quantum computing, the need for post-quantum cryptography, and how data protection is fast becoming the cornerstone of competitive advantage.

If your boardroom still treats security as an IT issue or your workforce sees it as a blocker, this conversation will change how you think about cyber preparedness. We discuss Cloudflare’s latest research findings, the future of AI-powered SecOps, and how organisations can move from passive defence to proactive, strategic resilience.

Listen now to learn how forward-thinking businesses are simplifying their stacks, mobilising end-user education, and building security into the core of their operations rather than bolting it on after the fact.

In this episode of The Business of Cybersecurity, I speak with Trevor Dearing, Director of Critical Infrastructure at Illumio, to unpack some eye-opening truths from their latest ransomware report.

We explore why more than half of global companies still have to halt operations when ransomware strikes and why so many UK businesses remain reluctant to report incidents. Trevor shares candid insights into what is working, what is not, and why shifting focus from prevention to containment could be the real key to resilience.

He explains how modern containment tactics like advanced obfuscation and one-click ringfencing can limit damage and keep critical operations running, even when attackers break through. We also discuss why only 13 percent of companies believe their cyber resilience is strong enough and what it will take to close that gap as regulations tighten worldwide.

If you want a grounded take on how to prepare for the attacks that will inevitably come, rather than just hoping they never do, this conversation is for you.

Search Tech Talks Network for more episodes that connect cybersecurity and real-world business strategy.

When I spoke with Mark Lluic, CEO in Residence at Zscaler, on the Business of Cybersecurity podcast, we didn't spend time rehashing the basics. We looked at how leadership thinking must evolve. If your security posture is still built for light rain, what happens when a hurricane hits?

Mark has spent years helping organizations rethink security from the ground up. Instead of chasing alerts or layering new tools onto outdated systems, he advocates for a proactive, systems-first approach. One that prioritizes architecture and continuity over quick fixes.

Zero Trust Isn't Just for Remote Work

Zero Trust started as a security fix for remote access, but that's just one piece of the puzzle. Mark made a sharp observation: many companies still trust users more when they're sitting in the office. That's a dangerous assumption.

Modern Zero Trust means treating all traffic with the same level of scrutiny, regardless of its origin. Every access request should be evaluated based on its context: who is making the request, what device they're using, what they're trying to do, and whether that behavior fits a known pattern.

The Problem with the Patch-and-Pray Model

Security teams often react to new threats by throwing more tools into the mix. Over time, this patchwork creates more problems than it solves. Complexity grows, visibility shrinks, and attackers exploit the gaps.

Mark pointed to research showing that many teams are overwhelmed by the tools they already have in place. Others are held back by outdated systems or a lack of staff with the right skills. That creates a situation where attackers need to succeed once, while defenders must stop everything every time.

A Better Way Forward: Resilient by Design

So, what does a stronger strategy look like? Mark recommends starting with architecture. Build systems that expect disruption. Apply continuous risk assessment. Incorporate business continuity from the start rather than as an afterthought. And don't limit Zero Trust to a single use case. Make it your foundation.

For leaders looking to take action, Mark laid out some clear first steps:

Start by reviewing where Trust is currently assumed. Challenge those defaults. Apply the same standards inside your network as you do for external traffic. Think about context every time you evaluate access.

Ensure that your legacy systems are also included in this effort. But remember, you don't need to replace everything overnight.

Resilience is about ensuring your organization remains standing, regardless of what challenges it faces. That means planning, testing your response, and building security into your infrastructure not bolting it on later.

Listen to the full episode to hear why this shift is a leadership decision that defines how your organization faces tomorrow's threats.

Are junior cybersecurity professionals outpacing their senior colleagues in readiness for modern threats?

In this episode of The Business of Cybersecurity, Neil C. Hughes sits down with Max Vetter, Vice President of Cyber at Immersive Labs, to examine a surprising trend: less experienced team members are consistently completing more difficult training content than veterans with eight or more years in the field. It’s a data point that challenges assumptions and raises urgent questions about how organizations approach skills development in cybersecurity.

Max shares findings from recent research that expose worrying gaps in readiness, especially at the senior level, and outlines a practical checklist for building resilient, threat-ready teams. He makes a compelling case for continuous, challenge-based learning across all levels of expertise, not just for new hires, but for seasoned professionals who may risk falling behind.

Together, Neil and Max explore:

• Why traditional training approaches might be failing senior professionals
• How complacency and lack of tailored development can erode cyber resilience
• The cultural shifts needed to make continuous learning a team-wide priority
• What boards and business leaders should know about workforce readiness gaps

Whether you're leading a SOC, managing risk at the executive level, or shaping your organization's cyber strategy, this episode offers real-world insight into the human dynamics behind technical defenses.

Are we doing enough to upskill cybersecurity veterans before the next threat hits? Tune in and join the conversation.

Legacy systems are everywhere, quietly powering core operations in some of the world’s largest enterprises. But behind that familiarity is risk. In this episode of The Business of Cybersecurity, Paul Savill, Global Practice Leader of Networking and Edge Compute at Kyndryl, joins me to break down why aging infrastructure is becoming a major liability in today’s security posture.

We talk candidly about the security implications of 44 percent of enterprise technology being “out of life” and unsupported. Paul shares how that vulnerability becomes even more exposed as IoT devices proliferate and AI-powered attacks grow more sophisticated. It’s no longer a question of whether legacy tech is a problem, but how long organizations can afford to ignore it.

This conversation moves beyond the buzzwords and straight into the operational reality. Paul explains how Kyndryl’s post-IBM spin-off transformation included shifting to a cloud-first, zero trust model—and why that decision was just as much about improving agility and cost control as it was about reducing risk.

We also explore the human side of cybersecurity. Paul outlines how Kyndryl’s internal phishing simulations and scenario-based training have led to a measurable increase in employee-reported incidents. It’s a compelling argument for why building a cybersecurity culture beats any off-the-shelf solution.

From AI-enhanced social engineering threats to the disconnect between IT and OT teams, this episode highlights the practical steps business leaders can take to modernize without compromising day-to-day operations. If your cybersecurity strategy still depends on outdated tools and last year’s training modules, it might be time to rethink the foundation.

For more insight, check out the Kyndryl Readiness Report at kyndryl.com,