A
Welcome to the SANS Cyber Leaders podcast. I am Ciaran Martin. More on the absence of James Lyne in a moment, but you are joining us at a later date. This is Wednesday 22nd October, at about, just coming up on, 11:40, from the wonderful Merchant Taylors' building in central London, right at the heart of the City. A building that has survived the Great Fire, it survived the Blitz, so maybe there's something we can learn from it on cyber resilience. Now, for those of you listening, as opposed to those of you here at Merchant Taylors', you will notice there are two unusual things about this. One is it's live recorded. Now, there's no proof of that yet, so I'd like the audience to give a cheer to prove to our listeners that we are indeed at a live recording, the first live recording of the SANS Cyber Leaders podcast. Are we? Excellent. I should have realised that does give you permission to jeer some of my questions, or indeed Tom's answers later on. The second thing you'll notice is that I'm doing this interview on my own. So maybe at this point SANS has to make an admission. Some of you may think of my co-host, James Lyne, as one of the most important and influential cybersecurity leaders in Britain over the last couple of decades. But we now have to admit that he doesn't actually exist. He's an AI deepfake who exists only on audio, and our AI isn't quite good enough to build a life-size hologram of him that will convince you that he's real. So you'll have to make do with me. More seriously, James can't join us today, but someone who can join us is Thomas Harvey, the CISO at Santander UK and, again, one of the leading operational figures and leaders in British cybersecurity. He's been at Santander for, I think, eight years. But you've been the UK CISO for three of those. Before that you worked in the energy sector at BP. So a lot of experience. Never mind your seven years in government service, or was it?
That's right, seven years in government service, including, like me, at the cutting edge of cyber defence, in the security services at GCHQ and elsewhere. Multiple degrees in international relations and all sorts of other things. An absolute wealth of experience. Tom, you are extremely, extremely welcome to be our first live recorded guest on the SANS Cyber Leaders Podcast. Welcome.
B
Thank you very much, Ciaran.
A
Right, you know the drill. You claim to be a listener, so you know what the first question is.
B
It is true.
A
Tell this group, tell the listeners: how did you get into this crazy business of ours? What was your path into cybersecurity?
B
Well, not many people know that. Actually, I started my career at Topshop in the Birmingham Bullring. So doing what? I was managing the store. I was deputy manager. It was a store which had approximately 105 females under 20. There was.
A
And you were what age?
B
I was 23 at the time.
A
Oh, veteran.
B
There was a staff turnover of about 95%, and I think it gave me a real steep learning curve about leadership in chaos and working in a pretty high-paced, pressured and constantly changing environment. And then I guess some people here in SANS know I'm probably a person slightly of extremes, so I thought, how do I go from Topshop next? So I then went into the Royal Marine Commandos, and I was unfortunately medically discharged due to a peanut allergy. And I think, like a lot of security professionals, I had this kind of sense of mission, and it was at the time where I was delivering Stella Artois around to different supermarkets in central London, and I had this kind of feeling I was destined for a little bit more. So I studied intelligence and security studies, and you're right, I was looking at the agencies, and more at the human agencies. And it was my professor who said, hey Tom, I think you should look at GCHQ. And I think my response was, well, doesn't everybody walk around in socks and sandals? And he was like, completely not.
A
I was going to say. And you're going to say, and your point is what exactly?
B
He said, actually, you know, they need a lot of people from different perspectives. So I absolutely loved my time there. An amazing place to work with some amazing people. But I think I got to a point where I realised 80% of the networks which had been compromised were in the private sector, so I had an opportunity to work in BP, which I enjoyed as well. And then being in Santander's kind of global cyber journey for the last eight years.
A
I hadn't realised that we had the humble peanut to thank for your cybersecurity career. So that's. So you mentioned you realised that the heart of the mission was in the private sector. Any particular reason you went into energy and switched to financial services, or was it just where the work took you, or what happened?
B
I think it's just where work took me. It was really interesting kind of arriving in BP. I think first of all I was leading a red team, which I think in 2014 was quite innovative in terms of merging physical and cyber attack vectors to test the different networks. But you suddenly go from GCHQ, where everybody cares about security, and you suddenly land yourself in energy. And the first realisation for me was, I've got to make people care, because people don't care. And it was a really different journey. And then I had an opportunity later on to go to financial services, which actually I never thought I would work in.
A
Well, we will come back to that. Particularly, I love this question of how do you make people care? But let's just start with where we are. We have reports out this morning, one of which I was involved in, which prices the Jaguar Land Rover breach at nearly 2 billion pounds cost to the economy. And that's all a bit scary. That's the first time I can think of where a cybersecurity incident in the UK has topped a billion pounds in a really obvious way. So a lot of corporate Britain, a lot of people who are the bosses of cyber leaders, will perhaps be paying a bit more attention than they were. So what are the security opportunities that you're thinking about at the moment?
B
So, yeah, I'd probably cast these as two. One is a basic one and one is a progressive one. And I'd be interested in a show of hands: who's got their asset inventory sewn up in your organisation?
A
For the audio, let it just be said, much like parliamentary records, no one indicated agreement, I think, is the formal thing. Quite a lot of shaking heads.
B
Is that a lot of shaking heads? I don't know. I still don't understand how, in 2025, we're struggling so much with this challenge. And you look at the CISA report from 2024: 90% of breaches either come from unknown systems, unpatched systems or unmanaged. And I think it's an area where we need a little bit more collective brain power, attention and focus, because I think it's something which is stumping us all. And then I think in terms of progression, and that's why I love these types of events and I'm very keen to support them. But I think we need to build a network to defeat the network. And I think there's some amazing stuff going on in the world of public partnerships, whether it's the World Economic Forum Cybercrime Atlas, mapping out 200 threat actors with their infrastructure, some of the Ransomware Task Force, the Cyber Defence Alliance within financial services, how it's really trying to work with law enforcement to disrupt the threat and not just observe the threat. So that's some of the things that's giving me optimism.
A
Right, so you mentioned lots of these initiatives, kind of ransomware, Cyber Threat Alliance and so forth. And some of them were financial services specific. And this brings us back to your current sector. I suppose I should be asking tough questions. This is quite a soft one, but it's a soft one based on evidence. You go around the world, you talk to governments, you talk to industry groups and so forth. And very often, it's not just me, it's lots of other people, they say none of this works in terms of collaboration, in terms of resilience and so forth, except in financial services. It sort of works there. It's sort of best in class. Now, A, is that true in your view, because you're in the sector? And B, if it is true, is it simply because you've got bags of cash, or are there more complicated reasons for it?
B
It's interesting, Ciaran. Like, I can remember when my former boss approached me to work for a bank. I don't tell them, but I was like, I could never see myself working in financial services. I really couldn't at the time.
A
Letter to your younger self.
B
Exactly. But I guess with a bank, where I. The key difference is how integrated cyber is in the mission. I think banks don't just store money, but I think they store trust. And I think it might be a former girlfriend who told me that trust is earned in drops and lost in buckets. Excellent.
A
You do realise you're being recorded here.
B
So I think trust is a key critical part. And we did actually a kind of survey looking at what people want in an ideal bank. And it actually surprised me, because first, after no banking fees, which is obvious, the second was actually we want our data protected and we don't want to be the recipient of fraud. So I think within financial services, cyber is considered a key critical priority. And when I joined the bank, one of the things that really surprised me was, in energy, I think I'd seen the CEO from maybe half a kilometre away. And my first kind of meeting with the CEO was like, every month I want you to come and brief me on the latest threats, the latest incidents, and what we're doing about it. So I think there's a real understanding about the critical components that cyber plays within organisations, and also the relationship between cyber and fraud. Because I think the difference with fraud, as I see it, is that with fraud you can talk in business language and business risk. I can talk about the investment I'm making in the control and what that will do to reduce my fraud losses. And I think that's an area in cyber where we're hopeless, in terms of quantifying how we're effectively managing the risk. And I think that kind of partnership with cyber and fraud enables us to get closer to the business and have some of those more interesting conversations. So, yes, I think it is a vibrant, progressive place to work, but we have a lot of challenges, and we face the same challenges as other sectors.
A
Well, just on that. So it does take me back to two bits of follow-up there. The first one is you mentioned once you'd finished at Topshop and carting Stella around, you went into the military and then you went into the intelligence services. So you went into high-security cultures where everybody cared. You're now in a culture where at least your CEO certainly cares, but you've talked about how you walked into a different environment where you had to persuade people to care. What worked, what didn't work? What did you learn from that experience?
B
I think what I learned is, I think in cyber we've got to be really good communicators. I think we've got to tell the story behind cyber and we've got to make it personal. And one of the exercises I think I conducted at BP, one of the first actual red team exercises, was doing an effective digital footprint on the ExCo, making them understand a little bit about the level of data which was available, not just about them, but their family, their loved ones, and how that data then could be manipulated to create various different attack vectors or scenarios.
A
And this is all open source data.
B
This is all open source data. And I actually, at that moment, saw a change in people's perception, and almost like a change in their recognition that actually cyber isn't just something which is a mythical risk that we talk about within an organisation, but it's something that applies to me on a day-to-day basis. So I think we need to be having these kinds of nuanced conversations within the organisation, where, one, we're speaking the same language and, two, we are looking at novel ways to communicate to make it feel personal.
A
So let me follow up on that. I don't know if you'd characterise it like this. We didn't talk about it in advance, because, as anybody else who's ever appeared on the show knows, we're hopelessly unprepared. So you have potentially a breakthrough moment with the top level. You say, right, here's your digital footprint. Not the only way you can do it, but it's a way, so you've got their attention. How do you follow through on that in a massive organisation like an energy company or.
B
Well, the breakthrough moment was a red team exercise, and demonstrating through a red team exercise that you could have a loss of containment. And I think a loss of containment, for people who work in energy, is obviously an oil spillage, is a big deal. So suddenly you're understanding how cybersecurity is sitting alongside safety as a key critical risk within the organisation. So I think it is demonstrating how you bring those to light. And then, like all of us here, you never let a good incident go to waste. Right. An incident is a catalyst for change within your organisation, and understanding how you can demonstrate what's happened, either within your own organisation or outside your own organisation, and what you're going to do about it.
A
Fascinating. Thank you. Let's flip it back to financial services, and I wanted to ask you a little bit about fraud, and just the synergies or differences between sort of cyber threats and fraud. And you mentioned trust in a bank. I'm sure a lot of us in this community, looking around the room, we do lots of things in local communities, and we talk about cyber risk, and people ask you about, when it's in the news, they ask you about this and that. And then sometimes, I can remember, for example, I did a board of governors presentation for the local primary school, and inevitably, and this happens, I'm sure, all the time to others, somebody says, yes, and I got a call the other day with a, you know, slightly broken English accent trying to persuade me to invest in all of this. And these people don't care about the difference between malware following a phishing attack and, you know, telephone-based fraud based on data. You have to deal with both; it's in your job title, it's in the risk of the bank. And fraud is the thing that many British and other citizens, that's the thing they'll experience. Is there an answer? Are there lessons from cyber? Is it the same thing? Is it different? How do you approach it?
B
I think it's a really interesting kind of merge of cultures, because what I see with cyber is that we're pretty proactive, we're good at anticipating the threat, we're good at understanding threat actors, the journeys they take, what we need in terms of controls, defence in depth, analysis. Whereas I think within the fraud approach, they've got a higher threshold to fraud, a higher threshold to risk. So I think when you're combining the two disciplines, you've got this kind of anticipatory element. Let's get intelligence-led, let's see how we can prevent fraud from actually impacting our systems. How can we actually work outside, in the wider ecosystem, to disrupt the fraud? How can we have a more data-focused, data-led lens? And then when we do see some of these events, how can we respond to them in a way where we've got almost a zero appetite to the different events, and really drive through some of the lessons learned, where I think maybe within the fraud profession they've got more disciplined risk management procedures and a different methodology and a different culture within the organisation. So I think there is a real opportunity to combine the two different areas to create better synergies.
A
And in terms of what you'd like to see change in the fraud space, I am perhaps inviting you to be critical of other sectors. But you don't have to take the bait if you don't want to. But if you look at government strategies around the world, the British government had one, and the previous government had one in 2023. And there's this triangle of actors. There's the government, there's the tech companies and there's you guys. And I hear a lot, not from you, I must stress, because we're being recorded, I hear a lot from the financial sector that the whole thing falls on you rather than government and certainly the tech companies. You can comment on that if you want, you may not want to, but more generally, is there one sort of big strategic shift you'd like to see? Could be anything you like in the counter-fraud area that might move the dial a bit.
B
Yeah. It's interesting, Ciaran, I was in the Bank of England, and some comment which was passed to me is, in financial services you don't want to build a steel fortress on a glass table. And I guess the analogy is saying that, you know, one of the legs is telco, one leg is energy generation, the other one is energy distribution. And we conducted in Santander a cyber exercise across different areas of CNI, 14 areas of CNI, and also public-private. And it was amazing seeing the different attitudes to financial services. So I think we need to become much better at operating across different sectors in critical national infrastructure, because we're only actually going to drive better resilience or fraud reduction by working in unison. So whether it's through public partnership, whether it's through intelligence and information sharing, I think there needs to be a more holistic approach to the way that we tackle both fraud and cyber.
A
Right, back to cyber. We're at the SANS Cyber Leaders Summit. We're talking a lot about how to deal with various threats, what capabilities we need and all the rest of it. You're a veteran of the industry now, in government, in energy and in banking. Give us your state of the nation, or state of the world, in terms of the cybersecurity industry. Is it on its knees? Is it an optimistic picture? What's going on in the profession?
B
You read a lot of different reports. There's 4.5 million vacancies. But I actually think in cyber there's a huge amount of talent, and I think one of the areas where we're failing is to identify the talent. And I've got some great stories from my team, where the most talented cyber analyst was actually a former accountant. We've recruited people from police, military. I've actually had someone even write to me from a hospital bed saying they're stuck in a hospital bed for a few months and they've picked up a cyber book. Could they offer an opportunity when they leave? So I think it's this.
A
What do you do with that application?
B
Yeah, we brought them on board.
A
Wow, quite a good use of hospitalisation time. I guess it is.
B
And I think it's the kind of tenacity. So I believe actually we should stop complaining about the lack of talent, go out there and be better at identifying the talent. But I think there's also a flip side. And the flip side, I think, is retention. I don't know about people in here, but working in cybersecurity is brutal, right? It is brutal. I think you get to the end of a week and you want to lie down in a darkened corner, right, and breathe.
A
What's brutal about it?
B
I think it's the context switching, and I think it is the demands we place on it. Whether it's, in the morning, go and brief the board on quantum readiness. Right, okay. And then go and speak to the European Central Bank, and then actually there's a cybersecurity incident, and then you're buying a new organisation. Can you manage the risk of integration? I think it's becoming such a multidimensional discipline, and we're being pulled in so many areas, and we're in demand by so many different parts of the business, that I actually think, in terms of level of knowledge, level of stakeholder interaction, it's an incredibly demanding profession to work in.
A
Now I will open it up in a minute, so please feel free to stick up a hand now and we can come to you after the next question. But whilst you're thinking of that question, let me turn, and so we talked about tech companies, we talked about banks, we talked about energy dependencies. Let's talk about government and their role. You mentioned the Bank of England and not building. What was the phrase from the Bank of England you mentioned?
B
Building a steel fortress on a glass table.
A
On a glass table. And the Bank of England, for those here, you will probably have noticed; for those listening, it's literally next door. So it's the big regulator for your sector. Go a mile and a half west, you've got the heart of the British government. What would you like to see the government do differently to help with our current cybersecurity problems and our future cybersecurity problems?
B
Yeah, I divide that, I think, down into the what and the how, because I think, having come from government, I've got a lot of sympathy, and I think they are doing the right things. But sometimes it's maybe the how. So I'm not sure about the people in the room, but I love the fact that there was an open letter to the CEOs of the top 350 FTSE organisations. But as a cyber professional, I would love to have seen it before it went out, or had knowledge that that was being distributed. And I think the government are becoming much better at involving professionals in decision making. I think some of the government advisory boards which have been set up by DSIT, by the National Cyber Security Centre, are fantastic. But I do think we need more opportunities to sit down and just have those kinds of plain conversations between the cyber leaders in this room and some of the government entities, because I think that's where help really happens, and then setting the bar. I'm someone who is a big fan of the likes of Cyber Essentials. I'm a big fan of some of the software security code of practice. One of my concerns, though, is that we operate in these large global organisations, and how do these schemes operate and interlock with other organisations, other geographies, other governments? Because I think that makes it very, very difficult for you to start to effectively execute these within your supply chain.
A
I didn't mention that in the introduction, because you have too many distinctions to get into one brief introduction. But you yourself were a member of one of these advisory councils. What was that experience like? Would you recommend it to anybody in this room, or listening, if they get an invitation to participate in one of these government-industry forums? What do you get out of it? What might work better?
B
No, I love it. And I'm still involved in the Government Cyber Advisory Board. I think it's a great opportunity, because everybody here, and I think that's what I love about cyber. I think it's one of the positives, but one of the flaws. I think everyone in cyber runs towards problems, runs towards trying to help out others. But at the same time, I think these types of advisory boards give you an opportunity not only to expand your personal network and meet other professionals in different organisations, but to impart some of your difficult lessons learned and some of your battles and some of your injuries on the journey that the government are going through. So I would get involved as much as you can, and I think there are lots of different flavours of those types of schemes available.
A
Great. Well, thank you. We do have one question on Slido, and I'm very happy if anybody wants to put up their hand. I'll come to you next. Thank you very much. Question from Hemp Pant. Thank you for breaking the ice and meaning I don't have to actually break the recording. How do firms prepare for the use of AI within their own firms, and use by their third parties? Nice kicker, supplementary there.
B
So I'm going to tackle this from two lenses, because I think it's interesting. I think first of all, there is a lot of hype about how artificial intelligence has been used to fuel cybersecurity attacks. I think definitely it's been used to hone social engineering. I think it is obviously being used for phishing attacks. But actually, you know, I'm not sure if you've had a chance to have a look at one of the OpenAI reports, which was published in October, talking about disrupting the malicious use of AI. They actually cite that they have seen no real effective attempts at the use of AI to generate cybersecurity attacks. So I think that's something that we need to work on in demystifying, and have a bit more of a data-led lens. And then in terms of managing effectively within the risks, what I see AI doing is amplifying some of the existing risks that we currently face. And with supply chain, it's huge. So really, with supply chain, my concern is how artificial intelligence has been used, either within chatbots, within fourth parties, how it's effectively utilising your data. I think ensuring you have the right governance channels, or having your right architectural review forum visibility across your various different supply chain. I don't think there is any magic solution, and I think where AI probably generates greater risk is that there is more business drive and more business imperative to adopt at a faster pace. Therefore, going through some of the due diligence and effectively executing the security controls is under much more pressure.
A
Brilliant, thank you. Fascinating mention of that OpenAI report. We shall put that in the show notes. I haven't seen that. We have a question live from the floor, with a microphone, please.
Audience member
I really loved what you said about trying to sort of grow the cyber talent pool. And we have this kind of experience paradox whereby you need to have experience to get a job, and, you know, vice versa. You need to, you know, to get a job, you need experience. So, you know, how can we kind of break out of that cycle? What are your thoughts in that space? And how can we kind of move from maybe being sort of, as you said, like, you know, talent consumers to talent creators?
B
First of all, I think we need to look at some of our job descriptions and the way that we promote jobs. You know, I look at a lot of the different jobs out there, and I think we're asking for unicorns. And in my career over 20 years, I only know about five of them within the cyber world. So I think we've got a responsibility in this room that when we put out a job description, maybe we ask for some different types of skills, or some more transversal types of skills, or even in the way that we use AI to filter out candidates, or human resources, we're thinking and looking for different signs. So I think we've got a responsibility here to set the tone in terms of the different job descriptions. I think, in what we do in our own organisation, we use apprentices a lot. And actually, you know, we were debating this morning how on earth do we fit 19 apprentices within our current cybersecurity function, because it is a lot of work bringing in and integrating and mentoring them, but we've actually found a lot more success in bringing people in at that stage of their career than attempting to actually effectively recruit graduates. So I think there's something more around the apprentices area, and maybe more that government can do in those areas. So I would say let's make cyber a bit more accessible by describing jobs in different ways and asking for different things. And then let's look at how we bring in pipelines of talent at an earlier stage.
A
And I do love the way you use the word unicorns in terms of cyber talent rather than just corporate talent. You talk about individuals as unicorns, and we want to foster and nurture unicorns when we can, but unicorns are by their nature exceptional, so we probably ought not to advertise for them. I would agree. Question right there.
Audience member
Hello, Tom, it's Rob Demain here. You mentioned that working in cybersecurity can be brutal, and I think that's been the case this year in particular? Yeah, definitely on the front line of defence, defenders. Lots of stress, definitely. I think you personally have lots of extreme ways to take those things out. Very much the commando background. But do you have any advice for people, personally and professionally, around handling the stress that cyber creates?
B
It's a great question. Thank you. I think the first is we need to set expectations at the top. I think if any of us are briefing our board or our C-suite and we're talking about us being able to prevent cyber harm, then I think that's a difficult conversation. Bad things are going to happen, as they do. This is a risk management principle, and it's going to be about our ability to recover and respond. So I think we need to start to change the way that we describe cybersecurity to be closer towards cyber resilience. And then I think something in terms of how we judge ourselves. Well, I don't know about everyone in this room. I could work 23 hours and 59 minutes a day and I still wouldn't do my job. I still would not do the job to the extent that I would love to. So there needs to be an understanding that we're out there to do the best of our ability. We want to prioritise the top three things on a daily basis, but we can't keep on beating ourselves up about it. And then something I think is an interesting reflection on leaders and leadership. One is that I noticed that effective leaders are the people who can make their problems everybody's problems. And sometimes I think in cyber we work in a little bit of a silo, and we're like, cybersecurity risk, this is our problem, and we've got this, we're going to manage it. Whereas actually, sometimes I look at our CIOs and they've got issues with infrastructure, or they have an operational incident. It's cyber's problem. Right. So I think we've got to operate as an organisation to make everybody feel kind of the heat in cyber and take responsibility for their component part. And I think lastly, you know, as professionals, we need to be kind to ourselves, and I think we need to be kind to others, because it is a demanding experience. And I would be lying if I said that I don't feel overwhelmed at least once a week in my job.
A
Well, very honest, very useful, an awful lot there about looking after yourself. I really like the bit about good leaders making their problems everybody's problems. I assume they mean including their own, rather than just offloading them onto somebody else. Maybe that's excellent leadership. I don't know. These questions are great. Maybe we should do this more often. They're a major improvement on me and James. That's all I'll say. Sorry, James, if you're listening. There's one from Jay on Slido. So you work in a heavily regulated industry, and you've worked in two heavily regulated industries. So what improvements would you like to see regarding regulatory oversight and influence? I'm assuming that's to do with cybersecurity.
B
It's interesting, when we talk about regulation, I think as cyber professionals sometimes we can talk down regulation. But it was really interesting. I was at an event the other day and I was talking to a fellow CISO, and he was like, God, I would love a bit of regulation in my industry. Because it's true. I think regulation, executed and implemented in the right way, can give you some of the resources and the attention that you need to drive your cybersecurity transformation. And if I look at regulation, I actually think regulation is moving steadily in the right direction of travel. I think one is it's starting to focus. It's not just about data, and it's actually about resilience. So, you know, we've got the cyber resilience bill, which will be coming in. We have op resilience, might even come
A
in by the time this recording goes on.
B
Maybe. Maybe, yeah. And then we have op resilience within financial services, which is all focused on whether you can recover your important business services within the time of intolerable harm to your customers. So I think regulation is moving in the right direction, but I think we've also got to be careful with regulation that we're not punishing victims of cyber attacks and cybercrime, and we're actually supporting the agendas and the controls within organisations.
A
Great answer. Thank you. We've got one, probably final, question on Slido from "Mr." Anonymity is fine, but I'm going to call you Managed Response. That'll do. So is collaboration across industries an area where sector-specific ISACs might be falling short? Interesting. This is me speaking, not the question. Given that the FS-ISAC is probably the most lauded one in the world, should governments be more proactive in fostering that collaboration? So an interesting question here, not least because if ISACs work anywhere, as per a previous discussion, they're seen to work in your sector. So what do you make of that?
B
Yeah, first thing, I'll be bold and say that, Yeah, I think ISACs do work in financial services.
A
How, by the way?
B
How? Because I think what it's focused on is not just effective intelligence sharing, but it's focused more on collective defence and understanding how you can disseminate in a timely manner some of the attacks that you see and you witness, and ensure that your other fellows within financial services can effectively mitigate them. Or if you've got suppliers in common across your supply chain, I think you can leverage greater pressure. And then it's also looking at how you can be more proactive and exchange information and intelligence for either disruption purposes or to help mitigate the risk. So I think there's a real vibrant community in there. But I think I really like the second part of the question about what should governments be doing? Because I personally think that cyber is so huge, and I think government officials will tell you this, that they cannot solve all the ills in cybersecurity. So I think there needs to be maybe more funding, more promotion of public-private partnerships, and more driving behind and highlighting some of the beneficial parts of it. So we have got ISACs which are operating across critical national infrastructure, and we've got ISACs which feel vibrant in different sectors. And I think government needs to understand, actually, is this a really good place to invest, because we can magnify it and it can be a force multiplier across the sector.
A
Brilliant. Thank you. We are coming to the end of our time. For those listening, you're coming to the end of the episode. For those in the room, coming towards lunch, so slightly more important, so you know what's coming. I'm channeling James here. We always like, at the end of every episode, and particularly with 100 cyber leaders gathered as a literally captive audience, they have no off button, so you have 30 seconds, give or take. No one's actually come in under 30 seconds. I've got a clock here, but I'm not going to hold you to it, to impart some brief takeaway wisdom on improving cyber. So what advice do you give cyber leaders? Just the chunky takeaway. Off you go.
B
Okay, 30 seconds and I am watching the clock. Three key takeaways. One, on what to do, maybe one on what to think, and thirdly, on what we should consider. So on what to do, I think logs, logs, logs. I think we should be, as cybersecurity leaders, ensuring that we are consuming as much data as we possibly can to have visibility across a quite wide network, because I think that is critical for us to kind of detect and identify attacks. On what to think, let's stop this fatalism that cybersecurity is a tsunami and that it's impossible to prevent. It is a risk. It is an asymmetric risk at times. But we can apply good risk management disciplines to effectively address cyber risk and support our organizations. And then what to consider? We've talked a lot about security by design, but what about the novel concept of resilience by design? How do we start to drive in resiliency as one of the primary conversations when we're starting to talk about suppliers, talk about products, talk about development within our own organizations?
A
Fabulous. Sort of 30 seconds takeaway.
B
Sort of.
A
So do logs, think about stopping fatalism, and consider how to move to resilience by design. That's three excellent takeaways. I think if I can ask the audience not just for a round of applause, but for another cheer. Thank you very much, Tom Harvey of Santander. Thank you. Come on. That concludes this experimental episode of the SANS Cyber Leaders podcast. Thank you to the audience. Most of all, thank you to Tom. You can leave us feedback as normal, constructive, abusive, neutral, at cyberleaderspodcast@sans.org. Thank you very much for that. And that concludes the recording. See you next time.
Host: Kieran Martin, SANS Institute
Guest: Thomas Harvey, CISO, Santander UK
Location: Merchant Taylors' Hall, London
Date Recorded: October 22, 2025 (aired December 19, 2025)
In this live-recorded special, Kieran Martin interviews Thomas Harvey, CISO at Santander UK and a seasoned cyber leader with experience across government, energy (BP), and financial services. The conversation covers Harvey’s unconventional journey into cybersecurity, the pressing challenges and opportunities in cyber resilience, collaboration across sectors, talent development, the merging of cyber and fraud, and leadership in a high-pressure industry. The episode balances practical insights, candid reflections on industry pain points, and thoughtful strategies for building a more secure connected world.
On the essence of trust in banking:
“Banks don’t just store money, but…they store trust. Trust is earned in drops and lost in buckets.” (B, 07:39)
On incident-driven change:
“You never let a good incident go to waste. An incident is a catalyst for change within your organization.” (B, 11:09)
On diversity in cyber talent:
“I’ve had someone even write to me from a hospital bed saying they picked up a cyber book…We brought them onboard.” (B, 16:14)
On mental health in cyber:
“Working in cybersecurity is brutal…I would be lying if I said I don’t feel overwhelmed at least once a week.” (B, 16:43; 26:12)
Leadership style:
“Effective leaders are the people who can make their problems everybody’s problems.” (B, 25:52)
On industry collaboration:
“Don’t build a steel fortress on a glass table.” (B, 14:32)
Logs, Logs, Logs:
“Ensuring that we are consuming as much data as we possibly can...that is critical for us to detect and identify attacks.”
Reject Fatalism:
“Let’s stop this fatalism that cybersecurity is a tsunami and that it’s impossible to prevent...We can apply good risk management disciplines.”
Move to Resilience by Design:
“What about the novel concept of resilience by design? How do we start to drive resiliency as one of the primary conversations in products, suppliers, and development?”
The episode blends professionalism with informal candor, featuring personal anecdotes, self-deprecating humor, and audience interaction. Harvey is transparent about the realities of leadership, the need for cultural and structural change, and is optimistic about cooperative progress despite the sector’s intensity. The focus is practical, actionable, and solution-oriented.
For full context and practical takeaways on building cyber resilience, breaking down organizational silos, and fostering the next generation of cyber professionals, this episode is an unmissable listen for leaders navigating the connected world.