Nothing in this world stands still, particularly technology and even more particularly the shape of a cyber threat. As attendees at ISC2 SECURE London learned, a variety of factors including geopolitics and AI are colliding to change the threat landscape. 

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

ISC2 SECURE London 2025 - Panel Session

At the recent ISC2 SECURE London event Craig Rice, CEO of the Cyber Defence Alliance (CDA), spent a few minutes setting the scene and then led a panel discussion: Changing Threats in a Changing World: Keeping Up With the Next Generation of Cyber Attacks.

The underlying theme of Rice’s scene-setting was geopolitics, primarily making the point that following the change in U.S. presidency in early 2025, the shape of geopolitics has changed radically: “Now we're in the age of G-zero,” he said, “where the Americans are retracting back into their inter-war stance of isolationism,” which means that Europe in particular has to re-assess its risks in the context of shrinking U.S. involvement (not least, Rice noted, because of President Trump’s observation that the U.S. had been contributing disproportionately to the world’s defenses and that other countries had not been “pulling our weight”).

At the same time, the tendency for state-level attacks is changing rapidly. Rice noted that: “The risk calculation that we're seeing, as well as the risk appetite we're seeing, in hostile intelligence agencies and hostile states, also known as ‘challenger states’ in some government papers, is changing rapidly”.

Rice drew three implications from these observations. First, that our experience of the Cold War and past hyper-globalization does not translate to competency in this new, rapidly changing world. Second, that the assumptions we have previously relied on for planning our defenses and responses must be re-tested against new and emerging geopolitical trends. Third, that it is inevitable that the sophistication and volume of what Rice termed “malicious and subversive” threat groups will accelerate.

The presentation moved on to look further into the “so what” of the changing world. Rice contended that it will soon be impossible to understand every risk and vulnerability, that our accepted approaches to security such as defense in depth are becoming old-fashioned, and that the failure of cyber defenses is, to use his word, inevitable. He added a quotation from the U.K. National Cyber Security Centre (NCSC): “the gap between the threat and defenses continues to widen”.

The final key element of Rice’s introduction came with quantum computing (QC) and artificial intelligence (AI). Challenging the panel and the audience to “pull apart” his idea, he proposed the hypothesis that “quantum AI” (the coming together of QC and AI) was the future and that: “the person that crosses the finish line for quantum AI wins and will be the next global superpower”.

A Broad Discussion

Rice proceeded to introduce the panel, which comprised: Sarah Michaels, head of threat intelligence at Nationwide Group; David Boda, chief security and resilience officer, also from Nationwide Group; and Matt Rowe, chief security officer at Lloyds Banking Group. He began by inviting Michaels to challenge his hypothesis, which she chose not to do for the simple reason that she agreed with Rice’s point. Michaels concurred with another observation that Rice had made in his introduction – that the volume of threats emerging from China is growing rapidly – making the point that if threats are on a rapid increase, what we should not be doing is decreasing our capability to defend against them. She noted that there are “indicators of dysfunction and in some cases, defunding, particularly of CISA, right?” She continued “Regardless of who is sitting in the White House … it's that degradation of capability that's hugely concerning,” asking: “How do we work together to shore up that collective defense in a time when … there is that inclination to withdraw?”

The moderator then turned to Boda for his view on the state of cybersecurity. Boda’s view was that in today’s threat landscape, working with other organizations for mutual defense is more important than commercial competition. “We're a bank … we've got a lot of resources, but there's some things that we just can't do and there's also some things that we could do, but are clearly going to be more effective if we do them together.” Boda’s view was that the only way to defend the U.K. economy is for the banks to work together to do so, calling out the CDA as a platform that can help this happen.

Rice, an entertaining and challenging moderator, as well as a purveyor of unfiltered, direct questions, then turned to Rowe. What is it we’re doing badly, he asked. “Some of our modes, some of our models, some of our approaches are at this point a bit out-of-date,” came the response, observing that some of the younger, newer financial services companies have had the scope to invent and innovate differently from the way in which “traditional” banks have to work. He continued: “We've maybe got a little bit stuck in a classical mode, a bit bloated. We've thrown every tool at every problem; we now can and must work out: what if we were to start again today? What would we do to meet the challenges that you describe?”.

Addressing Increased Risk

The discussion inevitably came around to third-party risk. Rice asked Boda: “What do you see as the greater risk: your own controls being compromised or your supply chain being compromised?” The answer came quickly and definitively: the supply chain. “We've chosen as an organization to outsource something and we're like: that was a conscious decision we made. With that, there's some risk and I can't necessarily quantify that risk as much as I'd like to. When you don't know something, you naturally assume the worst.” He also pointed out that in a relationship with a third party that perhaps suddenly begins to pose an unacceptable risk, exiting that relationship is often not the obvious choice. “It's not always the case that even when bad things happen, you can just shift away from the supplier,” he said, “because the business might need that supplier to be competitive and to grow”.

Boda advocated planning for the worst and building a resilience model that accounts for the fact that suppliers may suffer attacks that affect our own organizations as well.

Mitigating Risk Posed by Legislation

The host then switched subjects once more and asked Michaels for her view on new legislation such as the Telecommunications Security Act and the Cyber Security Resilience Bill. “I would wish to see baked in mandatory disclosure of information that we can action,” came the answer, “and I appreciate the sensitivity of it, right? But the more we know, the better of a defensive position we're in. That's what threat intelligence is all about. The purpose of having robust threat intelligence capability”.

Rice had invited audience members to pose questions to the panel and in the remaining time he posed as many as he could to the three panelists.

“What about the rest of the Critical National Infrastructure (CNI) organizations outside financial services?” Rowe’s view was that although organizations like the CDA have grown through vertical markets, it is time to “look a lot more horizontal” and step outside those verticals. Another audience member asked: “Do the boards of [CDA] member institutions apply any pressure to the security team not to share intelligence so that their competitors suffer a successful attack?” The general sense was no, not as such, but that it is not uncommon for parts of an organization to be wary; as Rowe put it: “That rarely is a board thing, it’s quite often the legal team or external counsel being hyper cautious,” going on to note slightly wryly that: “when you're on the defender side, it's all about collaboration”.

“What do financial services companies do well and where do they lag behind?” As had been hinted at previously, in financial services, often because of legacy technologies: “there is a challenge around agility,” said Michaels, going on to say: “there's a real challenge, getting that balance right and ensuring that we're meeting all of our regulatory obligations, getting that absolutely nailed on, so that we are building for the future and developing that culture of innovation”.

After a few more questions, Rice wrapped up the session on a topical note: “What about AI for cyber defense?” Michaels’ view: “My concern around agentic AI implementation is that there are some absolutely fantastic options out there to enhance our cybersecurity [but] at the moment, the adversaries appear to be moving faster than ourselves.” Boda: “We started with agentic AI, but we've had to pull back because the capabilities to use that in a safe way weren't there. So, we didn't have a way of properly securing identity of agents. Therefore, I pulled the plug on it. We're keen to go but maybe the marketing departments of some of the vendors were slightly ahead of the research and development departments,” though he remains slightly optimistic, noting that: “hopefully all those things will deliver and we'll get some benefit”.

Rowe had the final word: “I am really optimistic, but I think it's not yet,” he said, noting that although they have some extremely promising experimental activity going on, “We're not ready to scale and we've got some unanswered questions that we need to answer to do scaled agentic.” By 2030, he believes that AI “is going to fundamentally change how cybersecurity gets done in a good way. Because if all that busy, frustrating, fiddly work gets done by the agents, we're going to be able to get to some of the problems that we've never got to. There are some big problems that we want to get after and solve”.
