Cyber Security Month 24: Interview with John Madelin, one of the world’s most recognised Cyber Security Experts (part one)

21 October 2024 | News General Interviews
Cyber Security Month 2024: John Madelin has led security teams that have identified, analysed and mitigated security risks around the world.

The American non-profit foundation National Cybersecurity Alliance (NCA) promotes awareness of cybersecurity. Its core activities include ‘Cybersecurity Awareness Month’ in October. John Madelin has over 25 years of experience in designing, building and managing cybersecurity. He has led security teams that have identified, analysed and mitigated security risks around the world.

After 6 years at Cognizant, John Madelin is now working as a consultant for the UK government. thebroker had a chat with him.

You have dual citizenship of the UK and Switzerland. How come?

My mother comes from Bern – as a family we travelled a lot across Europe and the US when I was young, so Switzerland was the stable home. I had a great relationship with Grossi and Grossfatti in Bern, with lots of happy memories there, and my heart is still in Switzerland! From around 18 I settled in the UK, for various practical reasons, and met my lovely wife Sue, whose friends and family are based around Maidenhead in the UK; so I’m happy to be living in this new community and we travel back to Bern whenever we can.

What distinguishes the collaboration of government, business and science between England and Switzerland in terms of the sustainable protection of the population and the economy against cybercrime?

This is a deceptively complicated question with a lot of historical, cultural, geographic and organisational nuances.

I should first say that over the years I have built and run services for UK government and performed some advisory roles for both the UK and Swiss Government (for the Swiss Government indirectly through some research partnerships, which is one of those distinguishing features of approach!).

I’ve found that the UK’s approach is often more proactive and structured around the idea of national security. Cybercrime is seen as a strategic threat, and there is an active effort to deter and punish attackers through international partnerships and domestic law enforcement.

Switzerland, being a neutral country, seems to have a somewhat different stance. Its approach to cyber defence is often more defensive and privacy-focused, reflecting the country’s emphasis on data protection. Switzerland is also seen as a hub for diplomatic discussions on cybersecurity, hosting international dialogues on cyber norms and standards, such as recent SBOM (secure bill of materials) publications coming out of the US White House and the European Commission.

To pursue their slightly different approaches, the UK government, particularly through institutions like the National Cyber Security Centre (NCSC), has created a centralised framework for cybersecurity. The NCSC acts as a primary national authority, supporting both public and private sectors.

For example, recently the UK has adopted mandatory reporting laws for critical infrastructure companies and is integrated into broader EU (previously) and NATO cyber strategies. These companies have a legal obligation to meet specific cybersecurity standards and incident reporting obligations to the NCSC, giving the government a clear picture of the cybersecurity landscape.

The UK also emphasises public-private partnerships in combating cybercrime. The NCSC coordinates directly with private companies, often involving them in government-led initiatives. There’s also significant collaboration on national-scale cybersecurity exercises that involve both sectors to simulate and prepare for large-scale cyberattacks.

The UK’s Cyber Security Information Sharing Partnership (CiSP) is an example of active collaboration, where businesses and the government exchange cybersecurity information. Swiss cybersecurity is primarily regulated by the Federal Office for National Economic Supply (FONES) and the National Cybersecurity Centre (NCSC, Swiss counterpart).

When I say the differences are nuanced, the Swiss have a decentralised approach, partly due to the federal structure. Each canton (region) has a degree of autonomy, and while there is federal guidance such as the Cyber Strategy Switzerland 2018-2022, implementation can vary by region.

Swiss collaboration between government, business, and science is often driven by research partnerships, particularly through government-funded projects with universities such as ETH Zurich.

Switzerland also fosters innovation through incubator programs and cyber labs; in my experience this can work well to bridge scientific advancements with business needs, whereas the supporting technologies in the UK tend to be very tech vendor led. The Swiss government’s approach tends to favour voluntary collaboration rather than the mandatory frameworks seen in the UK (although the Swiss appear to be more understanding and co-operative in these matters!).

Swiss businesses operate under a more self-regulated model compared to the UK, but again, my experience is they have been more compliant whereas hard commercial drivers tend to result in businesses elsewhere keeping quiet. While there is a strong focus on cybersecurity, many Swiss companies work independently or through voluntary associations like the Swiss Cybersecurity Hub.

Unsurprisingly, Switzerland places a much higher value on privacy and data sovereignty than we do in the UK, which can make mandatory business-government collaboration less centralised than in the UK.

Switzerland’s financial sector, in particular, is a much closer community given that Switzerland is a smaller country with more concentrated banking infrastructure, and takes the lead on cybersecurity initiatives, which can have a positive “ripple effect”, given the country’s global standing in finan

Conclusion:

The key distinction lies in centralisation and regulatory enforcement versus decentralisation and voluntary cooperation. While the UK uses a more structured, government-led approach to enforce cybersecurity standards and foster public-private collaboration, Switzerland relies on self-regulation and privacy-led initiatives, driven largely by research and innovation partnerships. Both approaches are effective in their own contexts but reflect the different cultural, historic, structural and regulatory landscapes of each nation.

How do you think cyberattacks that are difficult to insure against will be dealt with in the future?

Today Cyber is an ill-defined term with a chaotic patchwork of approaches that vary not just across organisations, but within them! This, amongst other things, makes it hard to insure. One hopes that over time Governments will help to frame stricter cybersecurity regulations on a wider definition of critical infrastructure, as well as for financial systems, and other essential services to ensure a minimum level of protection.

This should lead to more standardised cyber risk management frameworks, making it easier for insurers to assess risks consistently across industries.

I live in Maidenhead near the river Thames, so I am on the “flood-plain” and it soon became impossible for me to get flood insurance, despite my house not having flooded since the 1940s. Fortunately the Government recently introduced a government-backed flood insurance scheme for those living on flood plains. It’s an analogy that one hopes might play out for cyber insurance. I would hope that the concept of cybersecurity as a public good, especially for high-risk sectors (e.g., energy, healthcare, finance), will evolve, meaning governments might provide backstop insurance for particularly high-impact or catastrophic cyberattacks that private insurers deem uninsurable.

As with my flood insurance, this is similar to the way in which governments handle natural disasters or terrorism insurance in some regions.

It’s not reasonable to expect Insurers to be the safety net to catch all eventualities, especially as Cyber is such an abstract term. Many cyber insurance policies today exclude state-sponsored attacks or Cyber Terrorism, which are often seen as acts of war. As these attacks become more prevalent and sophisticated, insurers will likely maintain or even expand such exclusions, requiring government-backed insurance or multilateral protection agreements to cover attacks that involve nation-state actors.

As far as what we might see in the future to cover the huge growth in criminal activity and complexity of this still relatively immature subject, insurance models might shift to parametric insurance for cyberattacks, which triggers payouts based on predefined parameters (e.g., a certain type of cyberattack or downtime threshold), rather than requiring a full assessment of damage. This can make claims processing quicker and easier, especially in complex or large-scale incidents.

Insurers might offer more granular, specialised coverage for attack vectors like ransomware or DDoS attacks, where the risks are better understood and can be more accurately modelled.

Companies might also pool cyber risks through industry mutuals or collective insurance schemes, sharing risk across sectors to absorb large-scale incidents that would otherwise be difficult to insure individually.

Future approaches may involve increased redundancy in critical systems and data infrastructure, which ensures continuity of operations even in the event of a successful attack. This might involve regular stress tests and simulations to prepare for different types of cyberattacks, which would lower insurers’ concerns about large-scale disruptions. Companies will likely be required to demonstrate robust incident response and recovery plans as part of their risk management strategy before qualifying for insurance. This will include regular cyber drills and the implementation of detailed recovery protocols. I’d like to think that there might be exclusions for those companies who can’t demonstrate that they have taken care of basic protections; material losses today are often the result of a lack of basic discipline, and the Insurance Industry should not be expected to pay for this lack of basic hygiene!

Most recently, as a BISO (intermediary between main processor and software) and Global Head of Information Security and Assurance at Cognizant, you were responsible for the company’s security risks in the UK, Central Europe, the Asia-Pacific region and the Middle East. What exactly were your responsibilities at Cognizant?

As the Business Information Security Officer (BISO) and Global Head of Information Security and Assurance at Cognizant, my primary responsibility extended far beyond technical implementation and cybersecurity operations. The role involved managing cybersecurity risks across multiple regions—UK, Central Europe, the Asia-Pacific region, and the Middle East—while engaging at the highest levels with both internal stakeholders and external clients. This meant overseeing the end-to-end security strategy, orchestrating technical solutions, and ensuring that these aligned with business objectives, while also maintaining compliance with regulatory frameworks across multiple jurisdictions.

In today’s rapidly evolving threat landscape, the role has transformed from being the “department of no” CISO—focusing solely on prohibitive controls—into becoming a BISO trusted advisor who plays a pivotal role in shaping business strategy, resilience, and digital trust. A successful BISO must be able to translate technical risks into business risks, and more importantly, communicate them effectively to the C-suite. This is why deep practitioner experience is so crucial; to advise on complex issues such as ransomware response, M&A risk due diligence, and security architecture, a BISO must have first-hand knowledge of how these risks manifest and how to resolve them in practice.

One key responsibility at Cognizant involved the review and approval of major client offerings, ensuring that their technical architecture, security protocols, and resilience measures met not only contractual obligations but also evolving cybersecurity challenges. This required extensive interaction with business leaders across regions, aligning security measures with business resilience rather than imposing restrictions. The ability to facilitate this dialogue effectively requires a combination of technical credibility and soft skills—the latter being essential in engaging executives who may not have the same level of technical literacy but who are critical decision-makers in any cybersecurity strategy.

In leading regional security teams, my focus was on enabling them to identify, analyse, and mitigate security risks at the ground level, while also providing the strategic vision that allowed Cognizant to maintain its global security posture. However, what truly differentiates an effective BISO from a traditional CISO role is the understanding that security is not just a technical function, but a business enabler.

Strangely, I found that arriving with the title CISO made it hard for the door to open to me, thanks to the “brand of No” that it implied; to be invited into the room where key decisions are made, a “presentation layer” of introducing the term “Business” into the title opened the door! Once the door is open a crack, a BISO then needs to frame cybersecurity not merely as a defensive mechanism, but as an integral part of risk management, business continuity, and value creation.

The role also entailed managing some of the most high-profile incidents, including participation in major ransomware events, where coordination with law enforcement, regulatory authorities, and critical customers was required. These situations demand calm under pressure, a comprehensive understanding of incident response protocols, and the ability to deeply understand the technicalities of what just happened, but also to be able to communicate that clearly with non-technical stakeholders during moments of crisis. This is where the shift from “Chief” to “Business” in the title matters—executives are more likely to engage with someone who is positioned as a business risk advisor rather than a technical gatekeeper.

Thus, my approach in these roles reflects a blend of hands-on technical leadership and strategic business advisory. To build trust, I ensured that security wasn’t viewed as an impediment but as a necessary enabler of digital innovation. The ability to influence and lead this shift requires a deep understanding of both the technical landscape and the business drivers that shape the organisation’s approach to risk and resilience. This underscores why soft skills like communication, stakeholder management, and cross-functional collaboration are just as essential as technical expertise in the modern BISO or CISO role. This evolution is crucial in the current cyber landscape, where businesses are continuously accelerating digital transformation efforts and need security leaders who can seamlessly integrate into the strategic conversations around business continuity, digital trust, and organisational resilience.

Cyber Security Awareness Month was launched by the NCA and the US Department of Homeland Security in October 2004. When it began, the focus was on simple precautions such as updating anti-virus software. What has changed since then?

The original campaign’s focus was on basic personal protection measures, which, thanks to recent events, has transformed into a comprehensive initiative that addresses complex, multi-layered threats.

By recent events, I mean that cybercrime has evolved into a serious, global issue affecting all sectors of society, and the focus has shifted from individual user security to include corporate, national, and global cybersecurity initiatives, with an emphasis on awareness, collaboration, and sophisticated risk management.

Initially, cybersecurity awareness was mostly about personal computer protection. Now, it’s recognised as a matter of national security and economic stability. Governments and organisations across sectors are actively engaged in cybersecurity initiatives to protect critical infrastructure and the economy from cyberattacks, with greater emphasis on cyber resilience, basically the continuation of free-flowing goods through the supply chain. In 2004, the emphasis was on simple measures like updating anti-virus software and basic digital hygiene, reflecting the more limited threat landscape at the time. Cyberattacks were mostly limited to viruses, worms, and straightforward phishing schemes. There was still an element of “nuisance” when things did occur, rather than material loss.

Today, the focus has shifted to include a wide range of sophisticated threats such as ransomware, advanced persistent threats (APTs), zero-day vulnerabilities, and supply chain attacks. There are many motives that vary from simply generating ill-gotten gains, to stealing intellectual capital, and penetrating Government as was the case with the recent SolarWinds event. Threats have become more targeted and complex, requiring more advanced protective measures, including:

  • Multi-factor authentication (MFA)
  • Zero Trust architectures
  • Data encryption
  • Incident response planning
  • Regular (offline!) backups and disaster recovery

The focus now includes organisational policies and cultural shifts within businesses to prioritise cybersecurity from the top down, and to ensure that the disciplines required across the basic IT infrastructure are a shared responsibility across a whole variety of functional and IT owners.

In 2004, the human factor in cybersecurity was less emphasised. Today, there is a much greater focus on human-centric vulnerabilities such as phishing, social engineering, and insider threats. Campaigns now promote security awareness training for employees to ensure they are aware of potential scams and their role in protecting corporate and personal data. The idea of cyber hygiene has expanded from simply updating software to educating users on how to recognise threats, avoid risky behaviours, and respond appropriately to cyber incidents.

We still have a long way to go on this last subject, as today’s approach to security awareness tends to reinforce “classroom training” approaches rather than improving communication, dealing with organisational issues on authority and responsibility, hands-on experience, and as close to real-world simulation (so-called tabletop exercises) as possible.

At this year’s International Cyber Expo in London, you chaired the panel on ‘Managing The Incident Before It Happens’ at the SASIG Global Cyber Summit. This means that cyber incidents are no longer a matter of ‘if’, but of ‘when’. So what needs to happen?

Moving beyond the checkbox mentality of security training and tabletop exercises requires an investment in culture.

Culture may sound like a “soft” word; but it is something we recognise tangibly in real life. For example, if your house was on fire, you wouldn’t expect me to hand you a 30-page document on “what to do if your house is on fire” before you act. Organisations need to awaken these unconscious competencies by embedding cybersecurity awareness into everyday activities, ensuring proactive engagement across all departments, and fostering a mindset where security is second nature. This leads to faster, more coordinated responses and minimises the impact of inevitable incidents.

It is important to confront the issue I mentioned above about the way in which we drive change across the organisation. Simply engaging in tabletop exercises or compliance-driven awareness programs often leads to minimal engagement. Leaders often either pay lip service, or delegate to subordinates. Employees may go through the motions, but without embedding security into the organisation’s DNA, these efforts remain surface-level and ineffective.

By fostering a cyber-aware culture, through rich storytelling, practical examples, demonstrated effectiveness, shared responsibilities, and staff shadowing each other (as just some examples) you encourage employees to internalise security practices, creating unconscious competencies where individuals naturally integrate security into their daily activities. This can only happen if they understand the ‘why’ behind the ‘what’, connecting their actions to the larger security posture of the organisation.

It is possible to lift these exercises from today’s tabletop exercises, which tend to be static and don’t always reflect the dynamic, evolving nature of real cyber incidents. To be effective, exercises need to be engaging, adaptive, and as realistic as possible, so that behaviours become natural rather than forced. Whilst I don’t underestimate the challenge of this organisational issue it cannot continue to go unresolved.

Ingraining unconscious competencies is vital in areas such as incident detection, escalation, and response to ensure that security reactions become automatic. Today we are literally in a situation where different staff at different levels and in different roles across a wide variety of affected and involved functions are asked to read a manual explaining what step to take next towards the door in a burning building (to use my earlier analogy).

It’s hard to underestimate the negative effect of this poor cross-functional collaboration in most of today’s modern, complex organisations, where breaches often touch on multiple areas—legal (data breaches), financial (ransomware), and HR (insider threats). A culture of shared responsibility fosters synergy and alignment when managing an incident.

When a culture of cybersecurity is adopted, employees don’t need to think twice about identifying phishing emails or reacting to suspicious network activity—it becomes instinctive. It goes without saying that aspiring to a model where the right behaviour is ingrained and becomes instinctive is critical because during an actual cyber incident, response time is everything. Teams that have ingrained response behaviours are able to act swiftly and cohesively, minimising the impact of an attack.

Of course, this organisational change requires leadership buy-in. Businesses that have leaders who understand the need for robust disciplines to ensure trust, confidence and resilience can often be shown to outperform businesses that don’t in their ability to protect and recover. This engagement and deep belief, rather than posture, is essential for leaders to build a culture where cybersecurity is prioritised, because if the C-suite shows through their actions that they enforce security best practices, it sets the tone for the entire organisation.

I use language like “deep belief” because Leaders should champion not just the processes (e.g., regular training) but also the mindset shift required. When employees see that leadership values security as part of the company’s core mission and risk management, they are more likely to adopt those values themselves.

Would it help if companies shared their experiences of cyberattacks?

Yes, it would significantly help if companies shared their experiences of cyberattacks, and there are multiple benefits to both organisations and the broader cybersecurity ecosystem.

1. Improved Industry-Wide Preparedness

  • Collective Learning: When companies share their experiences, it enables the industry to learn from each other’s mistakes and successes, creating a stronger collective defence. Shared knowledge of attack vectors, vulnerabilities, IoCs (Indicators of Compromise) and the TTPs (Tactics, Techniques and Procedures) used by cybercriminals helps others recognise and prevent similar threats in the future.
  • Threat Intelligence Sharing: Cybercrime often involves coordinated and evolving tactics. Sharing threat intelligence helps detect patterns across different attacks and industries, leading to faster identification of threats and more effective countermeasures. This collaborative approach is already being fostered by programs like the Cyber Security Information Sharing Partnership (CiSP) in the UK, where public and private sectors share real-time information on cyber threats.

2. Reduced Risk for Other Organisations

  • Better Incident Response: Understanding how an organisation responded to a specific type of attack helps others refine their incident response plans. If companies learn from the lessons of others—such as which strategies worked, and which didn’t—they are better prepared to respond quickly and minimise damage when facing a similar attack. There is NO substitute for having lived through an attack and navigating some unexpected practicalities!
  • Raising Baseline Security: The lack of transparency means many organisations may not be aware of the frequency or sophistication of attacks. Often these may have been caught early in the Reconnaissance stage, but even that is worth learning from, as later in the attack chain it can get very expensive, time consuming and business affecting to deal with things when the attackers are more deeply embedded.
  • Visibility equates to action: When companies share their experiences, it also raises awareness and encourages others to improve their baseline security measures, including two-factor authentication, endpoint protection, and vulnerability management; basics that are often neglected because Businesses think “it will never happen to us, I don’t see many cases of this stuff in my world-view”. In fact, they are going on all the time, just not visible to most.
  • Improved Actuarial Calculations: I know you have worked with the Swiss InsurTech Hub (SIH) Binci, so this point might be strongly felt! If companies share their experiences of cyberattacks, cyber insurance providers can use this real-world data to refine their actuarial models and better assess risk. By understanding the frequency, nature, and impact of different types of cyberattacks, insurers can more accurately price policies and determine coverage requirements. Additionally, this transparency helps insurance companies develop more tailored underwriting processes, providing incentives for organisations that implement strong security measures and penalising those that neglect the basics. This not only improves the cyber insurance market but also drives better cybersecurity practices across industries.

3. Breaking the Silence and Stigma

  • De-stigmatising Cybercrime: Many organisations do not report cyberattacks due to fear of reputational damage. However, if more companies were transparent about their experiences, it could help normalise the conversation around cybersecurity. This could lead to a cultural shift, where organisations feel less shame about being breached and instead focus on taking proactive steps to recover and prevent future incidents.
  • Collaborative versus critical behaviours: When you suffer an attack and announce, there are two breeds of affected stakeholder. First those who are aggressive, who think it will never happen to them and that you were weak and ineffective. Good luck to them, their day will come. Then there are those who are sympathetic, supportive, and think “there but for the grace of God go I…” and want to share, support, and learn. Please aspire to be one of those!
  • Increased Accountability: When attacks are not reported, it creates a false sense of security, both within the affected company and across the industry. Transparency forces businesses to take accountability for their cybersecurity practices and fosters trust with customers and stakeholders.

4. Dark Web Growth and Business Enablement

  • Perfect Information breeds near-perfect response: As the Dark Web becomes increasingly sophisticated, serving as a marketplace for stolen data and attack tools, the only way to effectively counter this threat is through collaboration and transparency. Criminals share attack strategies in near real-time and with reputational models not unlike the star-ratings on Amazon and eBay, and sell or trade vulnerabilities on the Dark Web with competitive efficiency. Companies should respond by doing the same in terms of information sharing to strengthen defences.
  • Negotiation Tactics: As cyberattack experiences are shared more widely, it will lead to an improved understanding of negotiation tactics with cybercriminals, a domain currently handled by deep experts. A recent example of a negotiation transcript between the UK Post Office and cybercriminals highlighted the strategic positioning used during ransomware attacks, which won’t be familiar to most victims who nevertheless will be thrown in at the deep end. Much like playing a game of cards, it’s critical to understand which “cards” you hold—for example, knowing whether your systems are backed up, what the attackers know, and how valuable your data is to them. Sharing these negotiation strategies, combined with a better understanding of the psychology of attackers, would allow more organisations to engage confidently in these high-stakes situations. This transparency could democratise knowledge, helping more companies adopt street-smart negotiation tactics that can reduce ransom payouts or even avoid them altogether.

5. Conclusion:

In the face of expanding cybercrime, a growing attack surface, and a highly active Dark Web, the benefits of sharing cyberattack experiences are blindingly clear. It accelerates collective learning, improves the industry’s response capabilities, and enhances overall cybersecurity resilience.

Transparency, when managed properly, can be a powerful tool in the fight against cybercrime, fostering collaboration and ultimately making organisations less vulnerable. Whilst it’s imperative that companies shift towards open information sharing (of course, while ensuring privacy and data protection compliance as well as “subject to privilege” constraints), it seems this is an all or nothing “Mexican draw” game, with everyone waiting for everyone else to start first!

What do you see as the biggest business risks and threats?

Given everything we’ve covered, I still come back to the biggest business risk simply being the importance of getting the basics right when it comes to cybersecurity. The facts show that the biggest risks and most pervasive threats often stem from neglecting fundamental security practices rather than cutting-edge, sophisticated attacks. I believe that by focusing well on just 6 key areas a business can significantly improve its cyber resilience. Cybersecurity doesn’t necessarily need to be complicated—the fundamentals work; time and time again the material events show that the biggest risks are often from failing to adhere to these basic, foundational practices. Even the security monitoring can be more focussed, and doesn’t need to be complex. Effective threat detection is often about focusing on a very small handful of less than 20 key signals rather than drowning in data. The focus should shift to consistently applying these best practices across the board.

Additionally, cultural complacency and misplaced focus on high-tech solutions without reinforcing basic cybersecurity hygiene is a critical risk. Businesses with better cultural understanding of their IT resilience and Cyber are also those who are much better placed organisationally to cope with issues and incidents, and the organisational element stemming from good cyber culture is a critical success factor.

Is the security setup the same for startups, medium-sized companies or large enterprises?

For this question I will focus on SMEs and bundle startups into the SME category, as they face similar challenges and have similar characteristics.

The SME (Small and Medium-Sized Enterprise) sector in the UK is vast and plays a critical role in the economy. As of recent data, SMEs account for approximately 99.9% of the UK business population, employing about 16 million people and contributing over £2 trillion to the economy. Despite their importance, SMEs are significantly underserved in terms of cybersecurity.

The SME sector in Switzerland is similarly critical to the country’s economy, much like in the UK. SMEs account for over 99% of all Swiss businesses and employ approximately 67% of the Swiss workforce, making them the backbone of the national economy. These businesses span a wide variety of sectors, including manufacturing, services, and finance, and importantly for Cyber Security, they are particularly prominent in niche markets where Switzerland excels globally, such as precision engineering and pharmaceuticals.

Given their crucial role, Swiss SMEs, much like their counterparts in the UK, face significant cybersecurity challenges. Many lack the resources or expertise to defend against growing cyber threats, leaving them underserved in terms of cybersecurity solutions. With the rise of digitisation and increasing cybercrime, SMEs in Switzerland are particularly vulnerable, as they often don’t have the same level of awareness, preparedness, or access to security infrastructure as larger enterprises. This creates a pressing need for simplified, accessible cybersecurity tools and an increased focus on cyber resilience within the Swiss SME community. Quite contrary to this need for simplified tools, they are often confused by the complexity of the cybersecurity landscape, overwhelmed by choice, and struggle to implement necessary measures like simple anti-virus and desktop protection, multi-factor authentication, proper data management, and security monitoring.

Unlike large enterprises, which have dedicated cybersecurity teams and budgets, SMEs are underserved and frequently have to rely on basic, often outdated defences and struggle with navigating complex and costly solutions. This lack of guidance makes them vulnerable to increasingly sophisticated attacks. Additionally, as they grow, and on top of the basics, they may overlook key fundamentals that come with increased size and additional complexity, such as offline backups, network interconnects, or managing privileged access, further exposing themselves to threats like ransomware.

I am an Ambassador for the National Cyber Resilience Centre Group (NCRCG) in the UK which focuses on improving security and resilience within the SME sector. The NCRCG plays a vital role in bridging the gap between SMEs and the support they need, by raising awareness, simplifying security concepts, and providing practical, accessible solutions.

One similar and significant Swiss initiative is the CyberSeal, a certification launched by the Alliance for Digital Security Switzerland (ADSS) with the support of the NCSC. The CyberSeal helps Swiss SMEs identify qualified IT service providers to ensure they receive adequate protection against cyber risks. This reflects Switzerland’s approach to fostering voluntary collaboration between businesses and government, aimed at increasing the cybersecurity resilience of its vital SME sector.

As an Ambassador for NCRCG through an SME security company Trustify, my role is pivotal in making cybersecurity attainable for SMEs by offering straightforward, user-friendly security solutions tailored to their specific challenges. Trustify focuses on simplifying cybersecurity and ensuring that SMEs can protect themselves effectively, without the need for extensive IT knowledge or large budgets.

Finally, what about the role of AI in combating cyber security?

AI is frequently touted as a game-changing technology in the cybersecurity domain, but before businesses rush to embrace it, it’s crucial to emphasize that the fundamentals of cybersecurity must come first. The essentials—such as multi-factor authentication, privileged access management, robust monitoring, and basic hygiene around endpoints and applications—remain the most critical lines of defence. Without these foundations in place, no amount of AI-driven tools will compensate for the glaring gaps in security posture. I acknowledge that AI tools can certainly enhance certain aspects of cybersecurity, particularly in detecting and responding to threats faster, but my cautionary positioning here is that there is a real risk of organisations being distracted by the latest hype (something of a trait in the technology industry and especially the Tech-vendor-led Cyber world!) rather than addressing the basic security challenges that persist.

Cybercriminals often exploit well-known vulnerabilities that have not been patched or defended due to a lack of attention to the fundamentals. If businesses focus on improving these basics, they will significantly reduce their exposure to common attacks before even needing to rely on advanced AI systems.

That said, AI systems themselves are an emerging attack surface. The rapid growth of AI applications in business has created new vulnerabilities, as AI systems are architected differently from traditional applications and can be prone to novel attack vectors. Traditional application testing tools are not sufficient to identify weaknesses in AI systems, which require specialized testing solutions like those offered by companies such as MindGard, which focus on AI-specific vulnerabilities. This includes monitoring AI behaviour, performance, and outputs for anomalies, as well as discovering “shadow AI”—unauthorised or unmanaged AI applications operating within the organisation.

Thus, while AI can contribute to both the offensive and defensive sides of cybersecurity, the discovery and vulnerability testing of AI systems should be a priority for businesses that are beginning to integrate these technologies. This is particularly important in mitigating the risks posed by uncontrolled AI applications, ensuring that businesses remain resilient as they adopt new technologies.

In conclusion, the path forward is clear: prioritise getting the basics right, which will address the most pressing and frequent cyber risks. Once these are securely in place, companies can turn their attention to AI, not only to leverage its defensive capabilities but also to ensure that AI systems themselves are rigorously tested and secured against potential vulnerabilities.

Part two of this interview will be published on October 25, 2024.

John Madelin has over 30 years of hands-on experience in numerous front-line roles which have focused on the design, build, and management of cyber security, including intense cyber incident management responsibilities. John’s experience spans government, banking, retail, manufacturing, and utilities. His practical approach is reinforced by his involvement in managing one of the industry’s largest cyber-incident databases with law enforcement.

Long-standing membership of the security community has led to many prominent roles and responsibilities. In recent years, these include:

  • Drafting the UK Government public consultation document on the cyber profession;
  • Chairing RISCS, one of the leading research committees providing cyber security material to the UK Government;
  • Heavy involvement in the early days of the Verizon Data Breach Report;
  • Working with the analyst Cyentia (Wade Baker, ex Verizon DBR) on two years of Board and CISO interviews;
  • Becoming an Oxford Martin Associate on the topic of international co-operation, which became NIS2;
  • Offering guidance as an academic supervisor at the University of Cambridge;
  • Advising another large national government as a regular panel member;
  • Co-Director of CSEConnect, an NCSC-sponsored cyber academia professionalisation initiative;
  • Both CISO and service provider for large security enterprises.
