What happens when you gather some of the sharpest minds in cybersecurity for an end-of-year chat about where we've been and where we're heading?

Welcome to Razorwire's Christmas special. Today I’m chatting with some of our favourite guests from 2025: clinical traumatologist Eve Parmiter, cyber futurist Oliver Rochford, CISO and podcast host Marius Poskus and occupational psychologist Bec McKeown for a roundup of the cybersecurity industry this year. This isn't a glossy year-in-review full of predictions and corporate optimism. We're talking about what's actually happened: how our teams are STILL burning out, the junior pipeline that's being hollowed out by premature AI deployment, the CISOs who are resigning because they're handed accountability without support and the businesses that want the appearance of security rather than the reality of it.

Summary

2025 has been a year of contradictions. Fewer ransomware victims are paying up, which suggests resilience is working. But burnout rates in cybersecurity remain above 59% and the systemic issues causing it aren't being addressed. Oliver brings data showing that AI-driven threat intelligence has been more marketing than reality. Marius shares why his CISO resignation letter post hit over 300,000 impressions and 3,400 comments. Eve explores whether there could be legal protections for cybersecurity professionals experiencing occupational trauma. Bec questions why security teams are expected to work under military-level pressure with none of the training or support.

We’re also looking ahead to 2026. Oliver predicts salaries will rise. Marius sees organisations scrambling to fix the mess that AI has created. Eve and Bec discuss what the younger generation might teach us about boundaries and refusing to put up with workplace nonsense. And we all agree on one thing: gravity needs levity. If you're going to survive in this industry, you REALLY need to laugh.

Three Key Talking Points:

The Theatre of Security
Understand why organisations hire CISOs for accountability but don't give them budget, support or a seat at decision making tables. Marius explains how this creates a cycle where security leaders are blamed when things go wrong, despite having no power to prevent them.

The Junior Pipeline Crisis
Discover why premature AI deployment is hollowing out entry-level roles across industries, including cybersecurity and law. We discuss the long term consequences of replacing junior analysts with AI before understanding what you're losing.

Burnout as Occupational Trauma
Learn why burnout in cybersecurity isn't just about individual resilience. Eve explores whether legal protections could be granted for work that causes inescapable harm, drawing parallels with content moderators and healthcare workers.

If you want an honest conversation about the state of cybersecurity in 2025 and what's coming in 2026, this is it.

On the appearance of security: "Companies do not want security. They want the appearance of security. They hire a CISO to be the person who's accountable, the person who's on insurance papers, the person's name who's on client contracts, the person who is a face of the company of doing security, but actually he's not supported in budgetary terms in any other way."
Marius Poskus

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:li...

Is burnout in cybersecurity inevitable, or are we finally learning how to prevent it?

Welcome to Razorwire. In this episode, I sit down with clinical traumatologist Eve Parmiter and occupational psychologist Bec McKeown to talk about what's really happening in high pressure cyber roles. This isn't about vague wellness advice or corporate tick-box exercises. We're looking at the actual mechanics of burnout: why CISOs are breaking under impossible expectations, how remote work has changed team dynamics and what the early warning signs look like before someone hits crisis point. If you work in cybersecurity, particularly in leadership or incident response, this conversation offers strategies you can use today.

Summary

Two-thirds of cybersecurity professionals say their jobs are more stressful now than they were five years ago. The pressure is mounting, but the support systems aren't keeping pace. In this conversation, Eve and Bec bring research, clinical experience and real examples to explain why burnout is becoming an occupational hazard in cyber teams. We talk about the gap between a CISO's responsibility and their actual authority, why technical skills alone won't protect your team from collapse and how to spot the signs that someone is struggling before it becomes a crisis. We also cover what actually works: building teams that can handle pressure, creating cultures where people feel safe to speak up and finding peer support through initiatives like the Mental Health in Cybersecurity Foundation.

Three Key Talking Points:

Human Factors and the Reality of Leadership Burnout
Understand why burnout is becoming an occupational hazard for cyber leaders, especially CISOs, who are caught between responsibility and a lack of real power. Learn how unaddressed team dynamics, poor succession planning and social isolation create stress that technical controls alone cannot fix.

Spotting Burnout Early - Inside and Around You
Get practical advice on identifying warning signs in yourself and your colleagues. We discuss real strategies for managers and peers: recognising behavioural changes, loss of humour, withdrawal and other ‘red flags’ that are far more accurate than any policy checklist.

Building Resilience and Finding Peer Support
Discover actionable steps for resilience, beyond ‘just coping’, including the creation of peer communities like the Mental Health in Cybersecurity Foundation. Find out how a shared community is essential to surviving and growing in this field.

If you want real answers about burnout, actionable insights for your career and lessons from the frontline of cybersecurity wellbeing, this is one episode you can’t afford to skip.

On power vs responsibility: “CISOs are a great example. You only have so much power, but you've got a high degree of responsibility, and personal responsibility coming into it. So that can feel very unfair and very unbalanced and that can create a lot of resentment.”
Eve Parmiter

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Understanding Burnout Trends in Cybersecurity
Learn why 66% of professionals report higher stress levels than five years ago and what's driving the increase across the industry.

Recognising Human Factors as Security Risks
Discover how overlooking team wellbeing creates vulnerabilities that no technical control can

Is passwordless authentication finally ready for prime time, or are we just replacing one set of problems with another?

Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I'm Jim and in this episode, we're tackling one of the oldest challenges in information security: identity and access management.

I'm joined by David Higgins, CTO at CyberArk and Murtaza Hafizja, Senior Technical Product Marketing Leader from OneSpan, who bring decades of combined experience from the front lines of identity, authentication and access control. Together, we explore how the industry has evolved from simple username/password combinations to biometrics, passkeys and continuous authentication and where the technology is heading next.

Summary

We examine the persistent challenges around identity management, from the struggle between security and user convenience to the explosion of non-human identities that now need managing. David explains why privileged access management has evolved from credential vaulting to zero standing privileges and how cloud environments have created both opportunities and complexities with their tens of thousands of granular permissions. Murtaza tells us about the passwordless evolution, why risk-based authentication is making a comeback and the real barriers to rolling out modern authentication at scale.

Whether you're a CISO wrestling with third-party access, an IT manager trying to balance security with productivity or just someone interested in where authentication is heading, you'll get honest perspectives on what works, what doesn't and what's actually achievable.

Key Talking Points

The Passwordless Evolution and What It Really Means
Learn why passwords are finally on their way out (mostly), how passkeys and biometrics have moved from niche to mainstream and why the technology that failed 20 years ago is now becoming the de facto standard for authentication.

Zero Standing Privilege and the Cloud Permission Problem
Discover how cloud environments have paradoxically made privilege management both more granular and more complex, why organisations are moving away from permanent permissions and how just-in-time access is becoming essential for modern infrastructure.

Continuous Authentication and Behavioural Analysis
Understand why a single login authentication isn't enough anymore, how attackers are owning identities by exploiting help desks and why monitoring user behaviour patterns might be the key to stopping credential-based attacks before they cause damage.

On the security of key documentation: "Attackers aren't breaking in anymore, they're logging in."
David Higgins, CyberArk

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

The Evolution of Identity Management
How authentication has cycled through different approaches over 30 years, from basic username/password to biometrics that failed, then succeeded and why we're finally at a point where passwordless is achievable at scale.

From Too Little Granularity to Too Much
Why early operating systems forced an all-or-nothing approach to permissions, how cloud providers now offer tens of thousands of different roles and entitlements and why this has made the principle of least privilege almost impossible to implement upfront.

Zero Standing...

How can small and medium businesses protect themselves from cyber threats without spending a fortune or just ticking boxes for compliance?

Welcome to Razorwire, the podcast where we share our take on the world of cybersecurity with direct, practical advice for professionals and business owners alike. I’m Jim and in this episode, we’re taking a look into the challenges faced by SMEs on the journey through cybersecurity compliance and insurance.

I’m joined by Lewis Lockwood from Incursion and Josh X of Capsule, who bring experience from the front lines of offensive security and insurance broking. Together, we tackle the misconception that security is prohibitively expensive and explore how smart strategies can strengthen your defences without breaking the bank.

Summary

We tackle a topic at the heart of SME cybersecurity struggles - from box-ticking compliance to negotiating cyber insurance and surviving data breaches. Lewis Lockwood explains why Cyber Essentials is more than a paperwork exercise and how agility can be a secret weapon for smaller companies. Josh X talks about the realities of selling cyber insurance to resource-stretched businesses, the importance of aligning insurance with actual security posture and the real risks hidden even in smaller businesses.

Whether you’re a founder, IT manager or just curious about how attackers think, you’ll get practical advice, cautionary tales and actionable steps you can take today.

Key Talking Points

Cyber Essentials as Practical Defence, Not Just Compliance
Learn why basic frameworks like Cyber Essentials shield SMEs from common attacks, offering affordable, actionable protection that goes well beyond box-ticking.

How Insurance and Security Must Work Together
Discover the realities of cyber insurance for small businesses, including why your security posture affects premiums and claims, and what actually happens if you’re hit by ransomware or invoice fraud.

Learning from Real-World Breaches and SME Pitfalls
Hear first hand stories about high profile incidents, negotiation tactics with threat actors and how even a local florist or butcher can be targeted. Understand why continuous education, simple security controls and the right insurance mix can prevent both financial disaster and sleepless nights.

Tune in for a conversation that’s honest, insightful and practical - with takeaways you can put into action immediately, no matter your company size.

On the security of key documentation: “Where are you storing your insurance documents? If someone wants to get into your network, the easiest thing to do is to look at their insurance documents and be like, okay, they've got a million pound limit, let me ask for £2 mil.”
Josh X, Capsule

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Cybersecurity Cost Perceptions
Why the belief that security is prohibitively expensive for SMEs is misleading and what actually drives costs.

The Role of Cyber Essentials
How Cyber Essentials provides a practical, affordable security baseline for small and medium businesses without breaking the bank.

Insurance as a Safety Net
Why cyber insurance can't replace proper security measures and how to understand its role as a last resort, not a first line of defence.

SME Agility in Security
How smaller organisations can use their size as an...

What happens when the dark side gets its hands on cutting-edge AI and why might even seasoned defenders find themselves playing catch-up?

Welcome back to Razorwire, where I’m joined by Oliver Rochford and Richard Cassidy to discuss how criminals are using AI, what's actually working and how the threat landscape is changing. We explore how adversaries are using AI, what’s actually working in the wild and how professionals can prepare for the unsettling pace of change.

Summary:

We discuss AI-powered phishing, deepfakes in recruitment and self-evolving malware. The conversation moves beyond the classic image of lone hackers, unveiling an economy of cybercrime with advanced automation, international collaboration and ruthless incentives. The real tension lies in whether AI is simply sharpening existing attack tools or if we’re on the brink of something genuinely new and autonomous. We dissect economic shifts in attack and defence and raise questions about resilience, readiness and just how quickly the future may arrive.

3 Key Talking Points:

AI in current attacks: Discover how attackers are already automating phishing, password cracking and social engineering at scale, with some criminal campaigns boasting success rates that would have been unthinkable without AI.

Deepfakes and infiltration: Hear real cases of attackers using AI-generated identities and language tools to pass job interviews and access company systems, including documented North Korean operations.

The autonomy debate: Join the debate over whether we’re seeing the emergence of fully autonomous AI attacks or just more sophisticated versions of existing threats, and what it means for risk management and defending against a fast-paced, well-funded adversary.

Ideal for any cybersecurity professional looking for sharp perspectives and real-world examples on the present and future impact of AI in the hands of attackers.

The New Question for Cybersecurity: "We don't need to ask anymore, ‘Do we have good security?’ What we have to say, and what the question should be is, ‘Are we resilient when AI is being used against us? And how do we do that from a technology perspective?’ And there's no one answer."
Richard Cassidy

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered:

AI as the New Adversary
Learn how criminals are using advanced AI tools to make cyber threats less predictable and harder to control.

Phishing Supercharged by AI
Discover why AI-generated phishing campaigns achieve significantly higher success rates than traditional attempts and what makes them harder to spot.

Deepfakes and Recruitment Fraud
Hear how attackers use deepfakes and voice-changing technology to impersonate job candidates and infiltrate organisations under false identities.

Automation and Evolving Malware
Explore the debate around whether malware can autonomously adapt and rewrite itself, reducing the need for human hackers to intervene directly.

Limits of Current AI Threats
Understand why truly autonomous, intelligent cyber attacks aren't widely observed in the wild yet, despite AI amplifying certain attack vectors.

Economic Shift in Cybercrime
See how AI has lowered costs and barriers to entry for cybercriminals, allowing attacks to scale rapidly...

Are you making career moves in cybersecurity or is cybersecurity making moves around you?

Welcome to Razorwire. In this episode, I sit down with Marius Poskus - CISO, consultant, podcaster and all-round cyber expert - to discuss how to succeed in cybersecurity. We discuss career paths, why security culture fails in most organisations and the risks of rushing into AI without understanding what you're doing. Whether you're trying to break into the industry or you're leading security strategy, this conversation covers what works and what doesn't.

Summary:

Want to break into cybersecurity without wasting time on the wrong certifications? Wondering why your security programme keeps failing despite all the tools you've bought? We have the answers.

From physical security in Lithuania to CISO at a global fintech, Marius explains why pen testing is a terrible entry route for juniors, why compliance doesn't stop breaches and why giving AI control of your SOC is riskier than most people realise.

We discuss how to build actual security skills (not just a collection of certificates), why punishing people for clicking phishing links backfires and why you need to stop firefighting incidents and start preventing them. Marius also shares why so many organisations buy expensive tools that solve nothing and what happens when you remove humans from security decisions.

Key Talking Points:

The Truth About Career Pathways:
We debunk common myths about entry routes into cybersecurity, explain why starting in a SOC makes strategic sense and share advice for hands-on learning that goes beyond certifications.

Security Culture and Human Factors:
We discuss why technologists and business leaders often miss the mark on culture, how reward (not punishment) transforms security behaviours and what happens when compliance is mistaken for genuine protection.

AI, Emerging Threats and Resilience:
Marius reflects on the dangers of autonomous AI-driven security, the future of continuous assessments and why building resilience matters more than chasing perfection. If you want a blunt take on what’s coming next in cyber risk, this episode will challenge your thinking.

Tune in for real world stories, hard-won lessons and clever insights you can use right now, whether you’re climbing the infosec ladder or shaping your organisation’s security future.

The Future of AI in Software Development: “Everyone thinks that pen testing is sexy. How many pen testing roles are you going to find in a junior space? So if I'm playing numbers game, go in a SOC, learn cyber defence, build up all of your skills and then you pivot to wherever you want because that's the easiest path.”
Marius Poskus

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Choose your entry point strategically: Why starting in a SOC gives you more options than chasing pen testing roles straight away and how to play the numbers game when breaking into the industry.

Focus on skills that actually get you hired: Why hands-on experience with home labs matters more than stacking certifications and what employers really look for in junior candidates.

Understand why pen testing isn't an entry-level path: Most junior roles are in Security Operations Centres, not penetration testing. Learn why

Is your security stack making you safer or just adding to the chaos?

Welcome to Razorwire, the podcast where we unravel the mess, myths and market realities behind today’s cybersecurity challenges. I’m your host Jim and in this episode, I’m joined by our favourite regulars Oliver Rochford and Richard Cassidy to tackle a topic that irritates every CISO: the security solution stack. We discuss the big questions about vendor motivations, tool sprawl and why consolidation so often promises more than it delivers.

In this episode, we set aside the sales buzzwords and look at what it really means to consolidate your security stack. Oliver and Richard share straight-talking insights from both the vendor and CISO perspectives. We debate why security platforms so often fail to reduce complexity and whether AI is about to solve - or simply mask - the underlying pain.

Three key reasons to listen:

“Noise in depth” versus defence in depth: Discover why having dozens of overlapping tools can actually increase risk and burnout, rather than improve your security posture. Hear insights on “noise in depth” and how it impacts the choices CISOs face.

Vendor incentives and the truth behind “consolidation”: Get an insider’s take on why vendors push for consolidation only when it benefits their stack, how lock-in happens and why most platforms are stitched together from half-baked acquisitions.

The hard reality of AI, integrations and future-ready strategy: Find out why AI and automation aren’t the magic fix the industry claims and what you actually need to do to keep your stack effective, adaptable and under control in a shifting market.

If you want honest, practical advice on managing cybersecurity complexity and want to hear what real CISOs wish they'd known before their last renewal, this episode is worth your time.

Welcome to the Future: Solving Problems, Not Just Selling Tools
"If you're coming to market, remember the product is only half the game. Security teams, GRC compliance teams - they're drowning. Support, deployment, tuning and post-sales success – they really make or break from my organisations and ones that I talk to. So be the vendor that doesn't just sell the product, be the one that really helps operationalise it. If you're just here to sell a tool, you're already obsolete. If you're here to solve a problem and remove complexity, then welcome to the future."
Richard Cassidy

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Tool Sprawl vs. Defence in Depth
Learn why organisations with dozens of overlapping security tools end up with noisy environments instead of effective layered defence and what CISOs actually see happening on the ground.

Vendor Incentives and Lock-In
Discover how security vendors push you into consolidation within their own ecosystems while prioritising customer lock-in over real interoperability and simplification.

Platform Consolidation Cycles
Understand why the industry keeps repeating the same consolidation mistakes and what you should consider instead of chasing the perfect platform that doesn't exist.

The Role and Myth of AI in Security Stacks
Find out why AI won't magically fix your complexity problem and how it often just adds...

Are you prepared for the psychological toll that comes with handling disturbing content in the cybersecurity world?

Welcome to Razorwire, where today we’re exploring the realities behind a career in cyber, from technical warfare to the often-overlooked human cost. In this episode, I’m joined by therapist and consultant Eve Parmiter to examine the real psychological impact of repeated exposure to distressing material that many of us face during incident investigations, content moderation and threat research.

Eve draws on her background in trauma therapy and real-world experiences both inside and outside of cybersecurity. Together, we discuss why even seasoned professionals struggle to talk about their experiences, how secondary trauma manifests in our daily lives and what can actually help in environments that don’t provide enough support.

If you've ever had to investigate colleagues, review disturbing material, or make impossible decisions under pressure, this conversation will resonate. We don't shy away from hard truths, but we do focus on practical ways to build resilience and find some measure of satisfaction in doing the right thing - even when it's difficult.

In this episode:

1. Understand the true impact of secondary trauma in cyber roles.
We break down the difference between stress, burnout and trauma specific to cybersecurity professions, exploring how exposure to disturbing content changes your outlook - and why it’s not a personal weakness.

2. Learn why most pros don’t talk about their struggles and how to break the silence.
Eve explains why lacking the right language keeps many from processing what they experience and offers insight into building peer support systems and practical organisational responses.

3. Discover tested strategies for coping and recovery.
You’ll leave with actionable advice straight from the worlds of therapy and cyber on how to protect yourself, when to seek help and the importance of cultivating supportive communities.

Tune in for a genuine, valuable discussion that puts the mental health of cybersecurity professionals front and centre and find out how to make a tough job more sustainable for yourself and your team.

Why Self Care Isn't Enough for Trauma
"You can't self care your way out of trauma. There is no amount of bubble baths or ice baths that are going to remove certain images or certain experiences."
Eve Parmiter

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

The Psychological Impact of Difficult Materials. Why exposure to traumatic or distressing digital content leads to anxiety, depression and long term negative outlooks.

Challenges Discussing Trauma in Cybersecurity. How professionals can overcome their reluctance to discuss experiences when they lack the language or organisational support.

Primary vs Secondary Traumatic Stress. Learn how to identify when direct and indirect exposure to disturbing content creates real psychological effects that often resemble PTSD.

Addressing Vicarious Trauma and Worldview Shifts. How to cope when repeatedly witnessing other people's trauma changes how you perceive the world and interact with your environment.

Moral Distress and Injury in Decision Making. Find out how to manage situations where you face ethical dilemmas...

Understanding AI security threats before they become your next crisis

On this episode of Razorwire, I explore the emerging frontier of AI security with leading experts Jonathan Care and Martin Voelk. We examine the latest risks, show you how adversaries are exploiting AI systems and share practical advice for professionals working with these rapidly advancing technologies.

We move past the marketing speak to reveal how attackers are using generative AI, what it really takes to test these complex systems and what the rise of agentic, self-operating AI means for defenders. Security leaders, penetration testers and anyone implementing business technology need to understand these threats before committing to new AI solutions.

This conversation addresses real incidents, examines practical realities and highlights why many enterprises are dangerously unprepared for what's ahead in AI security.

Key Topics

Inside the Mind of the Attacker: Learn how both ethical hackers and financially motivated criminals are already using AI to automate attacks, spread misinformation and create new vulnerabilities. Martin and Jonathan share examples of prompt injection, data poisoning and “model jailbreaking” - all tactics reshaping the cyber threat landscape right now.

Pen Testing AI: What’s Different and What’s Still the Same: Go behind the scenes with insights into penetration testing for large language models and agentic AI. The episode discusses fresh attack surfaces, why classic testing skills are still vital and the new OWASP Top 10 for LLMs. If you’re considering buying AI-powered tools, take away concrete advice on how to stress-test these systems before attackers do.

Business Risk, Legal Headaches and What to Demand from Vendors: With AI now touching everything from customer bots giving dodgy medical advice to autonomous agents able to cause chaos, the conversation gives practical advice about reputational, legal and operational risks. Listen for the must-ask questions every business should take to their vendors as well as new regulatory requirements that mean robust AI testing can’t be left as an afterthought.

If you want to stay ahead of AI and cybersecurity developments and avoid building tomorrow's biggest headache, this episode is essential listening.

AI Model Bias Debate: “77% of enterprises are reporting at least one AI related security incident. 62% of enterprises lack any dedicated testing programme.”
Jonathan Care

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Test Your AI Before Attackers Do - With 77% of enterprises already hit by AI security incidents but 62% lacking testing programmes, discover what specific vulnerabilities to check for and how to implement proper AI red teaming.

Stop AI Hallucinations From Damaging Your Business - Understand how AI systems fabricate information and create legal liability, plus practical steps to identify and mitigate these risks before they affect customers or operations.

Protect Against Medical and Legal AI Disasters - Learn from real cases where AI gave dangerous advice and created legal obligations, including what liability questions you need to address with vendors and internal teams.

Secure Agentic AI That Can Take Real Actions - Discover why AI agents that can invoke APIs, modify data

Is your compliance strategy making life easier or just adding more chaos?

Welcome to Razorwire, where we take you to the heart of cybersecurity with voices that have seen it all. I’m Jim, your host and in this episode, I’m joined by Martin Davies (Audit Alliance Manager at Drata) and Patrick Sullivan (VP of Strategy and Innovation at A-LIGN). Together, we explore how to cut the compliance overhead, eliminate duplication across multiple frameworks and turn compliance into a competitive advantage that actually speeds up sales cycles.

Compliance is rarely anyone’s favourite topic, yet it’s unavoidable and organisations are under more pressure than ever to do it well. We explore why compliance keeps getting more complex, what’s actually driving value and how the right blend of people, processes and technology can transform it from a painful cost centre into a genuine strategic asset.

Key topics:

Cutting Compliance Overhead: Discover practical ways to avoid duplication of effort, map overlapping controls across frameworks and use technology to bring order to compliance chaos.

Compliance as a Value Generator, Not Just a Cost: Hear real world perspectives on shifting the mindset around compliance, from being a necessary evil to a competitive differentiator that can support new business, speed up sales cycles and add commercial value.

The Road Ahead: Continuous Monitoring and Emerging Pressures: Explore the shift from annual audits to ongoing assurance, the impact of AI on compliance frameworks and the new reality of management liability in regulations like DORA and NIS2.

If you’re ready to rethink compliance and turn it into a source of strategic advantage, this is an episode you won’t want to miss.

On duplication of effort: "The words ‘compliance overhead’ - when I hear that, I hear duplication of effort. If someone's doing the same control twice, that's objectively a bad thing."
Martin Davies

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

How to tackle the complexity of compliance - Understand why compliance requirements keep growing and discover strategies for managing multiple frameworks without getting overwhelmed.

How to turn compliance from cost centre to value generator - Learn practical approaches for positioning compliance as a competitive advantage that can speed up sales cycles and create business value.

Practical ways to streamline your compliance processes - Discover methods to eliminate duplication of effort, reduce time waste and support more agile business operations.

How to identify and eliminate overlap across frameworks - Learn techniques for mapping overlapping standards and consolidating controls to avoid doing the same work twice.

How to leverage technology and GRC tools effectively - Understand how platforms like Drata can transform evidence management, reduce audit stress and bring order to compliance chaos.

What auditors actually look for during assessments - Learn why auditors focus on intent and sound processes rather than box-ticking, and how to prepare effectively for audits.

When to shift from annual to continuous monitoring -...

Why venture capitalists have abandoned cybersecurity and what this means for real innovation

Welcome to Razorwire, the podcast where we go beyond the headlines to dig into what really matters in information security. I'm your host, James Rees and this week we're pulling back the curtain on the world of venture capital in cybersecurity. The brutal truth is that VC money has dried up, innovation has stalled and according to this week’s special guest, we're mostly seeing "the same crap with AI on it." VCs are having layoffs, funds are frozen at 13-14 years with no exits and genuine breakthroughs are nowhere to be found.

In this episode, I sit down with cybersecurity expert Oliver Rochford to dissect the state of VC investment in information security in 2025. We break down why funding is tightening, where the "innovation" is really happening (or not) and how security start-ups can survive in a changing landscape. If you're tired of jargon and want to know what's really happening behind the scenes, from market consolidation through to the real world impact on practitioners and products, this one's for you.

3 key talking points you won’t want to miss:

Why VC money is slowing and what that means for innovation
We explore the shifting strategies of venture capital in the security industry: what’s drying up, where the smart bets are moving and whether this environment is strangling real progress.

The reality behind “consolidation” and the myth of the mega-vendor
Oliver unpicks the idea of market consolidation and explains why, despite the headlines, the security market remains fragmented and why there’s unlikely to be a handful of companies owning it all.

What start-ups really need to survive in the current market
We talk through the pitfalls, survival tactics and realities facing new security vendors. From the importance of business fundamentals to why flashy tech might not be enough, you’ll get practical insight into turning great ideas into sustainable businesses.

Tune in for a realistic look at the business side of cybersecurity, packed with lessons directly from the experts.

The Startup Funding Struggle: "No one's getting any money. Not the investors, not the VCs. They've had rounds of layoffs in the VC industry, which you can imagine, the people with money have had layoffs."
Oliver Rochford

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, you’ll learn:

Why VC Funding Has Hit Crisis Point: Discover why venture capital investment has frozen in cybersecurity, with VC funds now at 13-14 years (well beyond the typical 10-year lifecycle) and no viable exits in sight and why even VCs themselves are having layoffs.
How Major Vendors Are Replacing Traditional VCs: Learn why Cisco, Okta and Zscaler have established their own investment arms and how this shift is concentrating power whilst reducing diversity in startup selection.
What's Really Happening Behind the Scenes: Understand how silent fire sales are occurring and why limited partners are refusing to invest further, stalling new cybersecurity ventures.
Why "Consolidation" Is Actually a Myth: Learn why the cybersecurity vendor landscape remains highly fragmented despite headlines suggesting otherwise and why no single vendor will ever dominate.
How Cybersecurity Compares to Other Tech Markets: Discover why the total...
Are small and medium-sized businesses finally getting the cybersecurity solutions they deserve - or is the market still leaving them exposed?

Welcome back to Razorwire, the podcast where I investigate the real world challenges and breakthroughs in cybersecurity, bringing you the stories and advice of the industry’s leading minds. I’m Jim, and in this episode, I’m sitting down with Piers Morgan - no, not that Piers Morgan - who serves as Senior Vice President and General Manager for EMEA at Coro cybersecurity. We’re exploring the future of endpoint security for small and medium-sized businesses and why this sector is seeing a big shift in how security is delivered, priced and managed.

In our conversation, we get frank about the tangled mess of security tools, why dashboards are driving everyone mad and how the industry’s obsession with complexity has left the “forgotten” mid-market crying out for help. Piers shares how Coro is shaking up the space with unified, affordable security, without the vendor lock-in and upsell traps that so often sting growing businesses.

Key Talking Points:

The end of the dashboard nightmare: Discover why having “one pane of glass” for your entire security stack has become more than just marketing hype for smaller firms, and how Coro is actually delivering on this long standing promise.
Security without breaking the bank: We dig into the true cost of endpoint protection and how most businesses are burning cash on complex tools they barely use. Learn what a flat rate, scalable approach really looks like in practice.
What’s next in SME security: Hear how Coro’s approach to AI and automation is giving small businesses access to enterprise-grade defences, along with Piers’ view on where the market is heading, the threats reshaping mid-sized risk and why managed services are becoming the new frontline for the channel.

If you’re a cybersecurity professional, consultant or MSP grappling with SME security demands, you’ll hear practical insights and perhaps question a few of your own assumptions about what’s possible for the “forgotten middle” of our industry.

On the cost burden for smaller businesses: "It can go up to fifteen hundred dollars a seat a year. Now, when you're timesing that by a few hundred licences and users, that's a significant amount of cash. We can manage it in one single platform... we can do it up to a tenth of the cost of what they're currently using today."
Piers Morgan (Coro)

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Escape the multiple dashboard trap - Learn why juggling numerous disconnected security platforms creates operational chaos and discover practical approaches to streamline your security operations.
Right-size security solutions for smaller organisations - Understand how to match your security investments to your actual needs and resources, avoiding the enterprise-focused tools that often overwhelm smaller teams.
Implement unified security platforms effectively - Discover how to evaluate and deploy consolidated security solutions that deliver enterprise-grade protection without the complexity or cost.
Calculate the true cost of your security stack - Learn to audit your current security spending and identify where you're paying for unused capabilities or redundant tools.
Adapt your security strategy to...
How do we measure and manage the human element of cyber risk beyond technology and basic security training?

Welcome to Razorwire, where we uncover what really matters in cybersecurity. I’m James Rees and in this episode I’m talking about the world of human risk intelligence with Flavius Plesu, Founder and CEO of OutThink. We'll question whether staff really are the 'weakest link' and instead explore how understanding real human behaviour can turn your workforce into a formidable security asset.

For too long, information security has focused almost exclusively on technical controls, but sophisticated attacks today often exploit human decision-making more than any firewall. Flavius draws on his experience as a CISO and innovator, sharing first-hand insights into how organisations can predict, quantify and actively manage risk stemming from their staff. We discuss psychological profiling techniques that identify high-risk individuals, methods for engaging employees in security and balancing monitoring with trust when using behavioural analytics. If you want to future-proof your security posture, this episode is essential listening.

3 Key Talking Points:

Why traditional security awareness strategies fall short - and what truly effective human risk management looks like: Learn why measuring click rates and running generic training programmes leaves you blind to real human risk, and discover how behavioural science and crowdsourced intelligence can finally give you the visibility and control you need.
Real world examples of predicting and preventing insider threats - before damage is done: See exactly how banks and enterprises use psychographic segmentation and statistical models to identify risky patterns in their workforce, and understand the practical steps to transform your incident response from reactive to predictive.
Navigating the ethical line: how to balance security monitoring with employee privacy and trust: Master the delicate balance between effective security monitoring and employee rights, learning how transparency-driven design and GDPR-compliant approaches can turn potential resistance into active security partnership across your organisation.

Ready to rethink the human side of cyber risk? Tune in to this Razorwire episode and sharpen your defences from the inside out.

On Moving Beyond Traditional Training: "Something like 90% of users admitted to bypassing security controls… with full knowledge that they're introducing additional risk to the organisation. So the idea that training would be enough, just train them, they'll get it. It's a bit naive."
Flavius Plesu

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

The Evolution of Human Risk in Cybersecurity - Learn how the industry's shift from purely technical controls to recognising human factors is reshaping security strategy and why this change is essential for modern organisations.
Defining Human Risk Intelligence - Understand what human risk intelligence actually means and discover how organisations can quantify and predict human behaviour to strengthen their cybersecurity posture.
The Shortcomings of Traditional User Training - Discover why legacy approaches like annual training and click-through tests fail to address real world human risk and what you should be doing instead.
Accidental vs....
Six months into DORA's implementation, what's actually happening in financial services organisations?

Welcome back to Razorwire, where we tackle cybersecurity's toughest challenges with honesty and expert insight. In this episode, I'm joined by returning experts Jonathan Care and Richard Cassidy and also a new guest to the podcast, Romain Deslorieux, to examine how the Digital Operational Resilience Act is playing out in practice.

Now some time has passed since DORA's January deadline, we're seeing the real story emerge. Some organisations are discovering they fundamentally misunderstood what compliance actually requires. Others are struggling with skills gaps they didn't anticipate. And many are finding that operational resilience can't simply be bought or outsourced.

Our guests share what they're witnessing firsthand – from boardrooms finally grasping why digital resilience matters to IT teams pushed beyond their limits. We discuss the vendor relationship upheaval, the consultant dependency trap, and why some approaches are succeeding while others spectacularly fail.

If you're dealing with DORA implementation, wrestling with third-party risk or watching your security team stretched thin, this conversation offers the unvarnished perspective you need.

Key Talking Points:

From Tick-Box Compliance to True Resilience: Discover why DORA is exposing the dangerous gap between documentation exercises and actual operational readiness and why this demands unprecedented collaboration across IT, compliance and business teams.
The Human Capital Crisis Behind DORA: Learn how the regulation is revealing critical expertise shortages (40-50% of financial entities lack internal capabilities), creating dangerous over-reliance on consultants and pushing existing teams towards burnout.
Third-Party Risk Revolution: Get behind-the-scenes insights on how DORA has fundamentally changed vendor relationships, why surface-level due diligence no longer works and the board-level cultural shifts making resilience a C-suite priority rather than an IT problem.

Tune in for an unfiltered, expert-led conversation on what’s working, what’s failing and where DORA is truly making a difference in cybersecurity today.

On the accountability gap in third party risk: "Really what do you do about this responsibility? How do you demonstrate that you are accountable? That people fell short on that question and now with the third party responsibility, which is clearly identified in things like DORA, people cannot ignore it anymore."
Romain Deslorieux

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

DORA's Immediate Impact - Learn how DORA is driving financial institutions to adopt continuous monitoring and operational resilience strategies that go far beyond traditional compliance checklists.
Third Party Risk and Vendor Management - Understand how to navigate the fundamental shift in vendor relationship management, including the enhanced due diligence and transparency requirements now reshaping procurement decisions.
Cultural and Organisational Change - Discover strategies for building the cross-functional collaboration between IT, security and business teams that DORA compliance demands.
The Human Capital Challenge - Explore how to address the critical shortage of skilled professionals capable of...
Welcome to Razorwire, where we examine the realities facing cybersecurity professionals on the front lines of digital defence.

In this episode, I am joined by Rob Priest, a former NHS insider with 24 years of experience, and returning co-host Richard Cassidy to expose the cybersecurity crisis gripping Britain's healthcare system. From WannaCry's devastating impact to recent ransomware attacks on children's hospitals, our experts reveal why the NHS remains a prime target for cybercriminals despite years of warnings and government promises.

Rob shares insights from his transition from running around hospital corridors with paper records to witnessing sophisticated nation-state attacks that can cripple entire trust networks for months. Richard brings his unique perspective as both a cybersecurity professional and working paramedic who experienced firsthand how cyber attacks paralyse emergency services when systems go dark.

Whether you're a healthcare professional worried about patient safety, a cybersecurity expert trying to understand why healthcare remains so vulnerable, or a concerned citizen wondering why your medical data isn't better protected, this conversation cuts through the political rhetoric to examine what's actually happening behind NHS firewalls.

Tune in for an unvarnished look at legacy systems running on Windows 95, the shortage of qualified CISOs across 213 NHS trusts and why the government's latest cybersecurity mandates might create more problems than they solve.

Listen in for:

The Hidden Fallout of Cyber Attacks on Patient Care - Understand the cascading impact that ransomware and outages have, not just on IT, but on clinicians, paramedics and everyday patient outcomes. Rob shares first-hand accounts of real NHS incidents and why cyber breaches are, at their core, clinical emergencies.
Why Legacy Tech and Fragmented Leadership Leave Us Exposed - Hear why outdated, unsupported systems and a chronic lack of cyber leadership make true resilience so tough in large NHS trusts. We unpack the disconnect between government strategy, local implementation and real world risk.
Practical Steps (and Missed Opportunities) for NHS Cyber Resilience - Explore what actually works, from playbooks and clinical 'huddles' to the role of centralised threat intelligence - and where policy too often lags behind reality. If you want to know how to prioritise resilience amid chronic uncertainty, this episode is essential listening.

Get ready for a grounded discussion that blends expert perspective with genuine NHS war stories - plus candid thoughts on what really needs to change.

On learning from cyber incidents before they happen: "Organisations that understand the impacts of events the best are the ones that have actually gone through it. My question is: does that have to be the case?"
Rob Priest, Rubrik

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Understanding Escalating Cyber Threats to the NHS - Learn how nation-state actors and cybercriminals are targeting NHS organisations through supply chain weaknesses and vulnerable digital infrastructure.
Recognising Legacy Technology and Technical Debt Challenges - Discover why outdated IT systems and unsupported medical devices create persistent security challenges and make patching complex and...
Can we secure generative AI before it outpaces our ability to defend it?

Welcome back to Razorwire, where we have our finger on the pulse of cybersecurity’s most urgent dilemmas and future threats. I’m your host, Jim and in this episode, I sit down with Ante Gojsalić, CTO and co-founder of SplxAI, to unpick the tangled challenges of securing the next wave of generative AI before it becomes too integrated, too complex and too risky to control.

Generative AI is reshaping everything from business operations to personal lives, but the race to capitalise on its potential leaves us with difficult questions. Are we allowing technological progress to sprint ahead of security? Is anyone putting robust protections at the heart of these new AI systems? Ante shares stories from the frontlines - explaining why both East and West are taking wildly different approaches, why securing AI isn’t as simple as plugging in a new tool and how the real vulnerabilities lie hidden in the everyday systems we’re already beginning to trust.

Three key talking points to listen out for:

Why securing AI is fundamentally different - and harder - than traditional IT - Ante shares real scenarios where the unpredictable, fast-evolving nature of large language models means old school security techniques simply can’t keep pace. Find out why continuous testing, automation and security-by-design are more critical than ever.
Hidden risks as AI agents take on human-like roles in business - We explore where the most pressing security gaps lie as AI agents begin to make decisions, handle confidential data and even manipulate users. Learn how attackers are already exploiting these systems - and what steps organisations can take to avoid catastrophic mistakes.
The battle between business priorities and security fundamentals - Hear our thoughts on why commercial pressure and the quest for innovation often override basic security and discover hands on, pragmatic advice for leaders aiming to bake security into AI projects from day one - before it’s too late.

Whether you’re a CISO, an AI developer or a cyber strategist, this episode of Razorwire will arm you with practical insights and hard-won lessons on defending against the unknowns of AI.

Why Continuous Security Testing Is Essential: "So imagine you do the security evaluation [of AI] on day one, then they change it a hundred times and you don't do another pen test. It's not relevant anymore. So, yeah, the continuous thing is important. Automation is important. And with AI, which is non-deterministic and which is still very changeable day by day, it's different than web security or API security… It's just unstable."
- Ante Gojsalić, on why traditional security approaches fail with AI systems

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Rise of Generative AI - Understand what generative AI actually is and how to assess its rapidly expanding applications within your organisation's threat landscape.
Global AI Arms Race - Learn how different regional approaches to AI development affect your security strategy and vendor selection decisions.
Security vs Speed in AI Development - Discover practical ways to balance innovation pressure with security requirements without stifling business growth.
Emerging Threats to AI Systems - Identify specific...
Welcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.

In this episode, James Rees is joined by security awareness specialists Amy Stokes-Waters and Jemma to dismantle outdated approaches to security training. From click-through fatigue to the critical importance of culture change, our experts explore why traditional computer-based training fails to make organisations truly secure.

Listen as Amy and Jemma share their expertise on transforming security awareness from a box-ticking exercise into meaningful behaviour change. Their refreshingly honest assessment of the "80% compliance myth" and why focusing on business impact rather than personal consequences undermines effectiveness will have security professionals nodding in recognition.

Whether you're a CISO struggling with training completion rates, an IT professional tired of being ignored, or someone who's repeatedly clicked "next" through mandatory security modules wondering if there's a better way, this conversation offers practical alternatives to the stale CBT approach that dominates the industry.

Tune in for a candid discussion that feels like eavesdropping on three security professionals brainstorming how to fix what's broken in security awareness while acknowledging the realities of human behaviour.

3 Key Talking Points:

Why Traditional Security Training Fails Everyone
Discover the fundamental flaws in conventional security awareness approaches that waste both time and budgets. When Amy reveals that "less than 1% [of IT budgets] is spent on humans" while "95% of incidents are caused by humans," you'll understand why throwing money at technical solutions while neglecting human factors is a losing strategy. Listen for actionable insights on avoiding the compliance trap that leaves organisations vulnerable despite ticking all the regulatory boxes.

The McDonald's Approach to Security Awareness
Learn why successful security awareness should mirror effective marketing campaigns rather than dreaded annual training sessions. Our experts break down how security teams should adopt McDonald's persistent, multi-channel strategy instead of expecting one-off sessions to change behaviour. You'll gain practical strategies for implementing "security by osmosis" that keeps protective measures visible and top-of-mind without creating training fatigue or resistance.

Measuring What Actually Matters
Transform how you evaluate security awareness effectiveness with metrics that genuinely reflect improved security. When Jemma dismantles the "80% of people scored 80%" myth, you'll understand why completion rates and phishing test results fail to indicate real security improvements. Listen for concrete guidance on tracking meaningful engagement metrics like security team contact, proactive reporting, and actual incident reduction that demonstrate true cultural change rather than superficial compliance.

"What a lot of people are doing is security training for compliance, but they're not actually doing anything around the culture. They're hitting the compliance metrics. Brilliant. But the actual culture of the organization is still inherently insecure."
- Amy Stokes-Waters, on the difference between compliance and cultural change

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Budget Reality Check: Learn why organisations spending less than 1% of IT budgets on human factors whilst 95% of incidents are...
Welcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.

In this brilliantly unfiltered episode, we're joined by security professionals Iain Pye and Chris Dawson for a no-holds-barred discussion about security measures that cross the line from prudent to preposterous. From biometric authentication dilemmas to the maddening theatre of airport security, our experts dissect the fine balance between protecting assets and actually getting things done.

Listen as Chris and Iain lock horns on what constitutes "reasonable" security, with Chris arguing for Fort Knox-level protection while Iain advocates for practicality, whilst your host Jim attempts to referee. Their real-world examples of security absurdity, including trapping thieves in revolving doors and putting warning signs in car parks, will have you nodding in recognition or shaking your head in disbelief.

Whether you're a battle-scarred security professional or maybe just someone who's stood impatiently in endless security queues wondering why your belt buckle is suddenly a threat to national security, this conversation offers both genuine insight and proper laughs about the sometimes bizarre world of overzealous security controls.

Tune in for a refreshingly honest chat that feels like overhearing three security experts having a pint down the pub whilst debating the madness that sometimes defines our industry.

3 Key Talking Points:

The Security vs Practicality Tightrope
Listen as our experts dissect the eternal balancing act between locked-down security and business functionality. When Chris boldly claims he'd implement "seven layers of security" for critical infrastructure while Iain argues for practicality, you'll gain valuable perspective on finding that sweet spot where protection doesn't become paralysis.

The Psychology Behind Security Resistance
Discover why people willingly hand over biometric data to tech giants yet baulk at the same requests from employers. Our conversation uncovers the fascinating psychological disconnect between consumer and corporate security acceptance, offering insights you can apply immediately to your own security implementation strategies.

Beyond Bureaucracy: When Risk Management Goes Wrong
Experience the painful yet hilarious reality of security bureaucracy gone mad, from needless warning signs in car parks to the absurdity of airport security theatre. You'll leave with a clearer understanding of how to champion meaningful security measures while avoiding the trap of controls that exist merely to tick compliance boxes.

"Information security professionals the world over, in various different cultures and various different parts of the world have had the words echoing through the halls: ‘Isn't that a bit much?’"
- James Rees, Razorthorn Security

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Finding the Balance: Discover how to navigate the tension between robust security measures and practical business operations without alienating your colleagues
Biometric Backlash: Understand why people readily surrender their biometrics to tech giants but resist providing the same data to employers
Security Theatre: Learn to identify when security measures serve more as performance than protection, particularly in public spaces like airports
Risk Management Revelations: Gain insights into creating...
How can overcoming personal adversity lead to a successful career in cybersecurity?

Welcome to Razorwire, the podcast that delves into the world of cybersecurity by sharing the journeys of its most inspiring figures. Join us for a truly heartwarming episode as we welcome Jemma, the brilliant mind behind CultureGem and a passionate champion for security behaviour and culture. Jemma's incredible journey - from surviving homelessness to becoming a respected voice in InfoSec - reminds us how our different paths can bring richness and depth to our industry.

Jemma shares her powerful story and gives fresh perspectives on the human side of cybersecurity, why accessibility matters in learning and the reason technical solutions alone will never be enough. We discuss the changing face of InfoSec culture, the eyebrow-raising phenomenon of "cyberlebrities", and how we might better spend our security budgets to protect the people who matter most.

Whether you're a seasoned professional or just starting your InfoSec journey, you'll find wisdom in Jemma's approach to making security concepts meaningful for everyone - from corporate executives to her beloved nan.

Tune in for a conversation that, for me, genuinely felt like catching up with a friend at the pub, whilst challenging us all to think differently about creating a more inclusive approach to security.

3 Key Talking Points:

The Human Element of Cybersecurity
Learn why organisations allocate less than 1% of security budgets to human factors despite 97% of incidents being attributed to human error. Jemma explains how addressing this disconnect creates stronger security cultures and reduces vulnerabilities.

Accessibility as a Security Imperative
Discover how CultureGem's accessible learning approach removes barriers to understanding security concepts. Jemma demonstrates why making security comprehensible to everyone isn't just inclusive - it's fundamental to effective protection.

The Evolving InfoSec Community
Gain perspective on industry dynamics from "cyberlebrities" to challenges faced by professionals from non-traditional backgrounds. This discussion gives valuable context for navigating the InfoSec community.

"If 10% of an IT budget is spent on cyber, which is there or thereabouts, less than 1% is spent on human side of cyber. Yet 97% of incidents are put down to, rightly or wrongly, human error."
- Jemma, Founder of CultureGem

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Overcoming Adversity: Learn how navigating difficult circumstances can build transferable skills for an InfoSec career
Budget Realignment: Discover why redistributing your security budget towards human factors can address the root cause of 97% of incidents
Inclusive Security: Explore how removing barriers to learning strengthens your organisation's overall security posture
Employee Engagement: Find out how to move beyond compliance to create genuine security motivation amongst your staff
Community Dynamics: Navigate the changing InfoSec landscape and its impact on collaboration and knowledge sharing
Diverse Recruitment: Understand the value of hiring security professionals with unconventional backgrounds and experiences
Translating...

In this latest episode of Razorwire, I sit down with the brilliant Stefania Chaplin to explore the often overlooked yet crucial skill of effective communication in information security.

Throughout our conversation, we discuss why communication matters so much in our field, especially during critical moments when tensions run high. Stefania brings her trademark enthusiasm and wealth of experience to highlight approaches that work across different contexts, cultures and situations.

As our profession has evolved, and particularly when working with colleagues remotely, our approach to communication needs to adapt accordingly. Whether you're just starting out or have been in the trenches for decades, I guarantee you'll take away some valuable insights on a skill that I've found to be just as important as technical expertise throughout my career.

3 Key Talking Points:

Managing Communication During Incidents
Discover practical strategies for effective communication during high stress security incidents. Learn how to establish clear communication channels, manage stakeholder expectations and create space for your team to resolve issues without constant interruptions. Stefania shares techniques from her experience, including the importance of creating transparent incident documentation and using mindfulness to maintain clear thinking under pressure.

Cross-Cultural Communication in Global Teams
Gain insights into navigating the complexities of multicultural teams in information security. With remote work connecting professionals across different time zones and cultural backgrounds, understanding how communication styles vary globally has never been more crucial. Learn how different cultures approach feedback, instructions and hierarchy, drawing from Stefania’s multicultural background and experiences working as a digital nomad.

Adapting Your Message to Different Audiences
Master the art of tailoring your security communication for different stakeholders. Whether you're speaking with developers who need technical details or executives who need the headlines, find out how to switch hats effectively. This practical knowledge will help you build credibility with technical teams whilst ensuring leadership understands the key security messages they need for decision-making.

"What happens when you have a cybersecurity incident and you're working in a global organisation with employees from all different countries and cultures in a very high stress environment? In those moments, communication really matters."
- Stefania Chaplin

Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

In this episode, we covered the following topics:

Incident Clarity - Transform your incident response with effective communication strategies for high stress scenarios
Global Trust - Build trust across global teams by understanding cultural communication differences
Stakeholder Speak - Tailor your security messaging for maximum impact with different stakeholders
Focus Shield - Protect your technical team from distractions during critical incidents
Pre-Crisis Planning - Advice on creating communication plans before incidents occur to reduce chaos when they happen
Mental Control - Learn breathing techniques to maintain clarity during high pressure security events
Remote Mastery - Navigate the complexities of remote teams across different time...