Cybersecurity threats in the UK
What are the key threats facing UK security leaders? These technology leaders discussed their sophisticated adversaries and how to mitigate these attacks. Businesses in the UK face a myriad of cyber threats that can potentially disrupt operations, compromise sensitive data and damage their reputation.
To shed light on this issue, industry experts, CISOs and security professionals sought to identify the most pressing cyber threats and explore strategies to mitigate them effectively. In this roundtable debate, the speakers delved into key insights, addressing the following crucial questions: What is the top cyber threat facing UK businesses today and why?
Our cybersecurity panellists include:
- Chris Brocklesby, CIO, Dunelm
- Elaine Bucknor, Group Director of Technology Strategic Services and Group CISO, SKY
- Brian Brackenborough, CISO, Channel 4
- John Maynard, CEO, Adarma
Keme Nzerem moderated this roundtable.
Cybersecurity risks: an overview
“The big picture is we have a highly motivated, sophisticated adversary, which ranges from nation state to script kiddie in the bedroom”, said John Maynard, CEO of Adarma. Providing the rest of the roundtable speakers with a “helicopter view” of UK business risks and cybersecurity, John argued that this adversary is both financially and politically motivated.
For the most part, John describes these threat actors as the mature ecosystem of an adversary, with different specialists equipped with the knowledge to attack organisations – declaring “political warfare”. Singling out the corporate organisational structure, he explained that security is fragmented as a result of being treated as an afterthought. “It's been technology-oriented rather than outcome-oriented. And so we're in a state of catching up and maturing our cyber defences”, he said.
For most organisations, SKY’s Group CISO Elaine Bucknor believes that cybersecurity threats arise from unintended consequences of something “silly” such as opening a rogue email. When organisations think about defending themselves they need to consider the “volume game”. This involves being prepared for the small mistakes as well as the larger targeted attacks.
Language and influence
Moving on, Keme asked John how he effectively influences the Board and C-suite to better understand these threats and secure investments.
Focusing on language, John argued it is about communicating and understanding the potential risks that the organisation faces. In his view, awareness of one of the biggest risks, cyber, has improved. As a CIO or a CISO, John argued that these leaders need to rethink their communication in a language that resonates with the C-suite and the Board.
This involves moving away from the usual technical jargon such as threat vectors and zero-day. “It's about risk mitigation and it's about lost opportunity”, he said, pointing out that it is simply about communicating the steps you need to take to defend the organisation, as well as talking about what not to do when taking a certain action.
Having sat on multiple Boards and listened to many of these conversations, Elaine Bucknor has found it interesting being on the other side. “Every CISO was going into the room talking about patching… the truth is, not one single person around the table knew what that meant”, she said. This confusion was due to a lack of context on the CISO’s part. Security leaders need to be able to explain what this means for the business and organisation as a whole.
Keeping an eye on the type of language being used to communicate with Boards is also a priority for the CIO at Dunelm, Chris Brocklesby, who warned that if you are not careful, it becomes a “tick box exercise”. As a result, this would not fully describe the risks, including phishing and malware attacks. Chris explained that while it is helpful to know about the different levels of technical control, the Board needs to be reassured that they are protected against malware attacks.
“Do you know how sophisticated those emails are getting? I struggle sometimes to work out if they're real or not”, said Brian Brackenborough, CISO at Channel 4. On top of the usual attacks, bring into the equation “dreaded AI”, which Brian argued is being used as a tool for good and bad. While not blaming anyone in the organisation for clicking those links, he said that it is up to cybersecurity professionals to put the tools in place to try and prevent this.
Keme asked Brian: “How is AI changing the cyber risk game?”
Describing it as an unfortunate situation, he remarked that the technology world has not learnt its lessons. “There's this race among the big tech giants, to release it and to improve it and to get it out there without thinking about any of the consequences”, he said. He later pointed out that cyber crime is the third biggest economy in the world. The question that remains is how much budget organisations are willing to invest in their cybersecurity. While threat actors are utilising AI and the cloud, when cybersecurity leaders respond, they have to “follow in the eye of the law”.
In agreement with Brian’s comment on response to attacks, John described the situation as a “race” between the defenders (cybersecurity) and the adversaries (threat actors). Every time a tool is built on the defensive side, John finds that these tools end up being used for the attacker side. In an example, he spoke about the NSA tool leakages and how they were exploited. John sees the same thing happening with AI.
Elaine argued that there are tools that cybersecurity professionals have used for a long time that have involved AI and machine learning. These are the kind of tools that drive the biggest change in her view.
One of the main qualities of CISOs is a “relentless kind of curiosity”, and Elaine believes that this drives them to look for both the upside and the downside of emerging technologies. Looking on the upside, Elaine said that one of the things this will do is help the industry to work together more collaboratively. “Cyber is one of those very unique parts of tech where everybody needs to pull together and share learning and knowledge”.
This roundtable was in partnership with Adarma.