• Recent Cloud outtages have not simply disrupted low-level infrastructure, they have disabled cybersecurity solutions and sometimes shut down corporate access to critical network assets.
• As well as managing Cloud security, CISOs need good Cloud incident response. How are they going about it?

• The number of security professionals on LinkedIn who’ve left without another job to go to is astonishing given the shortage of cyber-talent.
• Are CISOs being fired for breaches?
• Are they quitting companies who’ve lied about their commitment to security?
• How can firms solve this problem?

• Until cybersecurity is truly seen as risk management and not a whack-a-mole IT problem, the hackers will continue to evade outmoded control frameworks
• Part of this is down to CISOs, part of it to Boards and part of it to solution providers
• The banks have done it. When will the rest of business catch up?

• From secure web gateways to clever tools designed to let employees flag suspicious emails, technologists have tried to solve the problem of email and message-delivered malware. And they’ve failed.
• This is still the number one vector for the cyber attacks that cause real damage.
• Is there another way?

• Cloud security is a multi-dimensional problem.
• But underneath all the technology and complexity, once again it is human error that is likely to cause the most material losses.
• For large firms with complex hybrid and multicloud environments, this problem is compounded.
• So, what are the most common errors and how can they be avoided?

• The US Treasury reported that companies paid an estimated $5.2 billion in BitCoin transactions due to ransomware payments for companies in 2021.
• Only a quarter of ransomware attacks are reported. 
• Ransomware is here to stay. So how can CISOs stop it being a permanent tax on the business?

• There’s too much talk of awareness in cybersecurity and not enough talk about actually changing behaviour.
• There’s too little talk of personal accountability and disciplinary enforcement of security policies.
• These are controversial statements - but should they be?
• Isn’t part of the paradigm shift we need a fundamental change in employee responsibility?

• When economies are under stress, employees too can find themselves in financial difficulty. When geopolitical tensions rise, people can take sides.
• Insider threats of various kinds become far more prevalent and dangerous at times like these.
• How have security and other MIS tools matured to make detecting malicious insiders easier and more accurate?

• Blurred lines between cyber-spies, cybercriminals and cyber-armies have transformed the (in)security landscape
• Nation-state exploits are now widely available
• How can the various elements of government work better with private sector solution providers and endusers to build security that can cope with not-quite-nation-state attackers?

• To solve their problems cybersecurity teams are told to add ever more tools to their stacks, and ingest ever more internal and external data.
• And then they are told to somehow aggregate all of that complexity to detect cyberattacks, determine risk metrics and all the rest of it.
• So how to change the paradigm?

NIS2 expands the scope of who is included. It adds more regulations and divides the world into two tiers, each with different requirements. And it increases the personal liability of senior officers around cybersecurity failings. So how does this new regulatory environment change the cybersecurity calculus? What do firms need to do now?

• One specific example of staff overload is the SOC.
• There are debates over the value of network traffic analysis and other data.
• Meanwhile SOC teams are flooded with false positives and even ‘smart’ solutions do not alter this calculus very much.
• Is the answer to outsource or evolve?