Cybersecurity Strategies: CISOs Reveal Their Best Practices

Cybersecurity leaders from Google Cloud, Virgin Media O2 & Risk Ledger share insights on social engineering threats, AI risks and building cyber resilience

At Cyber LIVE London, three leading cybersecurity experts gathered to discuss the evolving threat landscape and strategic responses. The timing was particularly relevant, with major UK retailers M&S and Co-op suffering significant cyberattacks that had crippled operations. Initial reports suggested the M&S breach may have originated from social engineering – a fraudulent call to IT requesting credential changes. Against this backdrop of real-world incidents affecting household names, the panel explored lessons learned, industry collaboration, and the strategic imperatives facing organisations in 2025's increasingly complex digital threat environment.

Question 1: With M&S and Co-op recently hit by cyberattacks, possibly through social engineering, what lessons can organisations learn?

Justin Kuruvilla: “We haven’t seen any official reports yet. If it was spear phishing, have we learnt anything new? I don’t think so – this has been around for years. With AI, it could have been a voice or video call that made it seem like someone of importance. But hopefully organisations have adopted an assumed breach mentality – train your staff in cyber hygiene, but if the worst happens, how do you contain the blast radius?”

Stuart Seymour: “One aspect of cybersecurity is that everything’s new. Always. The threat continually evolves – as we shut one door, they open another. What’s disappointingly not new is ambulance-chasing vendors on LinkedIn, assuming the role of ‘director of hindsight’, claiming they have silver bullets. We can do better.”

Nick Godfrey: “Fundamentally, attacks enter through technical or human compromise. We have a growing problem with remote IT workers – North Korean actors gaining insider access. It’s a whole-of-business problem, not just security. The extent to which businesses have digitally transformed changes the attack surface and threat profile significantly.”

Question 2: How should companies approach cybersecurity as an entire business strategy?

Nick Godfrey: “There are two key things: First, understand the interplay between technology architecture and security posture. You can’t bolt security products onto 30-year-old architectures and get good outcomes. Think about combined technology spend – is money better on security budgets or IT modernisation? Second, there’s no senior executive I’ve worked with who doesn’t buy into security. The question is how, how much, and how they help make it a whole-of-business consideration.”

Stuart Seymour: “For me it’s about risk and resilience – understanding your company’s risk appetite, what’s tolerable versus intolerable. Security done badly is the worst thing in the world. The question I hate most is ‘are we secure?’ Because the answer is no. To secure a company, you’d smash everyone’s phones and laptops, put them in a Faraday cage, bury them in the garden – but that’s not much use. Every pound spent modernising IT also improves security.”

Justin Kuruvilla: “The narrative that senior execs don’t recognise cyber risk as business risk is old in 2025. Everybody gets it now. It comes down to resilience. Your entire security shouldn’t depend on whoever answers the phone first. I wouldn’t want my parents in charge – their passwords are Justin1, Justin2, Justin3 despite me telling them otherwise. There’s no silver bullet. It’s people, processes and technology, recognising that people aren’t infallible.”


Question 3: How can the cybersecurity community better support each other during incidents?

Stuart Seymour: “In defence and aerospace, we understood there was no competitive advantage in security – if one suffers, we all suffer. Government security services over-classify things: by the time you get intelligence, you’re four days into an attack. For vendors: we don’t need you ambulance chasing so aggressively. I’ve blocked seven vendors over their M&S reaction. Our peers need understanding and support, not wisdom-vomiting on social media.”

Nick Godfrey: “We share technical TTPs well, but we’d benefit from sharing what actually happened – the real gory details. This would help normalise cyber attacks and reduce stigmatisation. It should be thought of as an inevitability rather than something that should never happen. More empathy would help CISOs understand the realities of this risk.”

Justin Kuruvilla: “Clients worry about market reactions to disclosure. When you’re under pressure to restore operations and getting pushback about market impact, it’s daunting to be transparent. But sharing lessons learnt serves the wider good, even at the risk of embarrassment.”

Question 4: What role should the government play in improving cybersecurity standards?

Stuart Seymour: “Government has a critical role. I support regulation – it’s made every industry I’ve worked in better from a cybersecurity lens. Governments should tackle fraud specifically – stand up dedicated departments, give policing more resources. As CISOs, we face nation states and cyber criminality, but sending reports to Action Fraud yields nothing.”

Justin Kuruvilla: “I’m a petrol head who loves clean air regulations – you can have both. ‘Regulations are written in blood’ – usually reactive responses. I’m glad we’re moving towards resilience. The challenge is proportional application – a massive corporation versus a 10-person startup have different capabilities. Eventually, resilience becomes a competitive advantage.”

Nick Godfrey: “We’re supportive of increased regulation because it raises the bar. Three helpful approaches: outcome-focused regulation requiring businesses to determine preferred outcomes first; appropriate board-level responsibility for those outcomes; and helping companies manage supply chain risks, particularly critical suppliers.”

Question 5: How should organisations handle expensive security tools that aren’t properly configured or utilised?

Stuart Seymour: “It’s a common problem: people buy shiny tools with CapEx budgets, then leave. You’ve got a lovely car nobody knows how to drive. At Virgin Media O2, our internal people configure, develop and run the tools. We’re not vendor-locked, we develop our people’s skills. You always trust but verify – Google doesn’t understand my environment better than I do. They’ve built us an exquisite car, but they don’t understand the country lanes it drives on.”

Nick Godfrey: “Vulnerability management is a perfect example. You buy a scanner that finds millions of vulnerabilities, but that’s not helpful. The real problem isn’t simple patching – organisations can’t deploy patches because they lack test environments or source code for applications. Solve basic fundamental problems first for a much faster return on investment.”


Question 6: Is AI helping defenders or attackers more in cybersecurity?

Nick Godfrey: “On balance, AI provides more advantage to defenders currently. Threat actors are using it – improving speed-to-market and phishing quality, including deepfake videos – but we’re not seeing completely novel AI-based attacks yet. That’s why defenders have the advantage.”

Stuart Seymour: “AI’s been here for years – it’s just the new hype. It’s both friend and foe. We’ve automated 900 hours monthly using AI, letting my team do the cool stuff they joined cybersecurity for – threat hunting, building hypotheses and creating labs – instead of copying spreadsheets. People remain our most vulnerable asset because they report anomalies and work nights during incidents.”

Justin Kuruvilla: “Both. Cybersecurity’s always been cat and mouse – ignore AI and you’re left behind. Understand what attackers are using it for, whether lowering the bar for less skilled attackers or enhancing advanced threats. I’ve seen people deploy AI just because it’s a buzzword without understanding business outcomes – you’re either wasting money or exposing yourself to new threats. It can be a friend if done smartly and holistically, but entire organisational security can’t depend on one person.”
