Episodes

  • S36 Ep19: Juliette Foster Business Matters
    Feb 10 2026

    Today, Steve returns to Business Matters with Juliette Foster. In this conversation, Steve recaps 2025 in cyber and shares what he sees as the biggest risks heading into 2026. The two also discuss resilience and compliance, as well as the growing importance of togetherness among businesses…

    Key Takeaways:

    1. Companies would be wise to conduct frequent cyber audits.
    2. Supply-chain disruptions can have long-lasting, reputational effects.
    3. How we protect the integrity of our data is at the core of cybersecurity.
    Tune in to hear more about:
    1. The relationship between government and business in cyber (12:56)
    2. How boards should plan for a cyber attack (15:40)
    3. Collaborating within and across industries (22:24)
    Standout Quotes:
    1. “I've said many times that good compliance doesn't equal good security, but good security does equal, nine times out of 10, very good compliance. So where do we go with all of that? I do think that we're probably getting to a point, sadly, where we need to be viewing some of the security processes that we need to undergo in the same way as we consider financial audits.” - Steve Durbin
    2. “I think that the day is gone when you can rely on your defenses. So boards have to be planning for the day when the defenses fail. When an attack really starts to make an impact on your business. The starting point is to figure out how long you can be without your systems. It may sound like a strange thing to say, but that's the important starting point for me.” - Steve Durbin
    3. “Security is not, in my opinion anyway, a competitive advantage. And because it's not a competitive advantage, there shouldn't be this massive barrier to sharing some of the ideas, some of the attacks that are out there for the good of the industry.” - Steve Durbin

    Read the transcript of this episode
    Subscribe to the ISF Podcast wherever you listen to podcasts
    Connect with us on LinkedIn and Twitter

    From the Information Security Forum, the leading authority on cyber, information security, and risk management.

    27 m
  • S36 Ep18: Sir Jeremy Fleming - Why Government–Business Unity Is Critical to Global Cyber Defence
    Feb 3 2026

    In today’s episode, Steve sits down with Tom Hardin, aka Tipperx — best known for helping expose a massive Wall Street insider trading ring. Steve and Tom discuss early warning signs that an organization might be crossing ethical or legal lines, how to build an organizational culture that promotes openness and protects from insider threats, and how to get employees to buy into things like good cyber hygiene.

    Key Takeaways:

    1. Governments must work with the private sector to achieve a cyber-secure environment.
    2. Boards are increasingly aware of cyber risks, but more work is needed.
    3. Global trust is dissipating.
    Tune in to hear more about:
    1. The changing landscape of critical national infrastructure (5:46)
    2. Security vs. privacy in the UK (9:27)
    3. An ongoing, structural geopolitical shift (15:18)
    Standout Quotes:
    1. “We need to make sure that we are thinking right across government when we are thinking about the approach to critical national infrastructure and how we can make it most safe for our users and for our populations.” - Sir Jeremy Fleming
    2. “I still encounter plenty who haven't done one for 18 months, who haven't updated to the latest threat environment, who haven't thought about geopolitics coming into play. Haven't checked that they've still contracted with a company who's gonna help them wind back in the event that they are breached. Hasn't thought seriously about whether it's gonna pay a ransom. The implications of paying a ransom.” - Sir Jeremy Fleming
    3. “The first thing is that what we're seeing now around changes in geopolitics is definitely a structural change. It's not a cyclical change. So the post 1948 Bretton Woods approach to the global order, with a whole load of United Nations agencies, World Health Organization, World Trade Organization, our approach to international aid, World Bank, these are all institutions that have changed fundamentally and won't change back.” - Sir Jeremy Fleming

    21 m
  • S36 Ep17: Tom Hardin - The Insider Threat Playbook: Reducing Risky Behaviour Before It Starts
    Jan 27 2026

    In today’s episode, Steve sits down with Tom Hardin, aka Tipperx — best known for helping expose a massive Wall Street insider trading ring. Steve and Tom discuss early warning signs that an organization might be crossing ethical or legal lines, how to build an organizational culture that promotes openness and protects from insider threats, and how to get employees to buy into things like good cyber hygiene.

    Key Takeaways:

    1. The most underappreciated leadership skill is listening.
    2. Compliance must never be an afterthought or just a check-box exercise.
    3. Anybody has the potential to become an insider threat.
    Tune in to hear more about:
    1. The fraud triangle (4:10)
    2. How cybersecurity leaders can build a culture that discourages insider risk (7:12)
    3. Striking a balance between trust and control (15:12)
    Standout Quotes:
    1. “But you don't get people to speak up by telling them to speak up. You actually have to, if you're gonna tell them to do that, you have to listen up. So I always encourage leadership to work on their listening skills.” - Tom Hardin
    2. “If you have a rule that a few people break, you have a people problem. If you have a rule that a lot of people are breaking, you have a rule problem.” - Tom Hardin
    3. “You could be one decision away. Never feel like it couldn't be you. Just have a healthy paranoia when you're in situations and not to feel like that could never be me crossing a line, because that's when we're most susceptible to that.” - Tom Hardin

    18 m
  • S36 Ep16: Emerging Threats: Threat Horizons Q&A 2026
    Jan 20 2026

    Today, we bring you the second half of Emerging Threats 2026, the first episode of which we aired last year. In the previous episode, Steve outlined the threats and challenges that enterprises and business leaders will face in 2026 and beyond. Today, he answers questions from the audience. We’ll get into artificial intelligence, supply chain and geopolitical challenges, corporate governance, risk and resilience, and more.

    Key Takeaways:

    1. Cyber resilience today is about data, data, and data.
    2. Enterprises must help their suppliers to meet adequate security standards.
    3. AI will be a big challenge for the board in 2026.

    Tune in to hear more about:

    1. Managing supply-chain risk ()
    2. How leaders can deal with risks outside of their control ()
    3. An evolving cyber threat landscape ()

    Standout Quotes:

    1. “Assuming you've got your policies and your processes in place, I would suggest you have an AI committee that actually approves or otherwise the way in which these tools are then implemented across the business. Why have a committee? Because that way you can pull in representatives from different parts. You can have security, you can have IT, you can have legal and people from the mainline businesses. Everybody makes a decision based on very well-defined criteria, no comeback on any individual, and either it's approved or it isn't.” - Steve Durbin
    2. “How do you avoid getting caught out? For me that's not what's happening. If you happen to be on a list. If you happen to be an organization that has something that is exceptionally interesting or useful, then somebody will want that information. Somebody will want that data. What you have to do is make yourself look pretty unattractive. So it is about all of the tedious things that we don't like. It's about patching, it's about making sure that you're making it difficult for people to access your systems. It means that your monitoring is top of its game.” - Steve Durbin
    3. “What measures can we put in place to ensure our suppliers and third party partners meet our security standards? Good question that I think that requires a lot more communication. It is about being really clear as to what it is you're expecting from a security standard perspective. It's about not just setting the bar, it's about helping people to achieve what it is you're expecting them to do. And the really important piece that I would emphasize there is tell them the why. Why do you have to do it? Why is it important? This isn't about people doing tick boxes. It is about people understanding why it's important and how they can help to maintain integrity and security across the whole supply chain.” - Steve Durbin


    21 m
  • S36 Ep15: Celebrating the ISF Podcast: Ten Years in Review
    Jan 13 2026

    The ISF Podcast celebrates 10 years this year. Over the decade that we’ve been in your ears every week, Steve has interviewed a lot of fascinating people: visionary business leaders, neuroscientists and physicists, world leaders, and formerly notorious cyber criminals, just to name a few. We have touched on topics like AI, the human mind, cyber resilience, leadership, and the future of technology and society.

    So, to kick off 2026, we wanted to give you a look back, highlighting the very best of this first decade of the ISF Podcast. And don’t worry – we’ll link all the episodes in the show notes.

    Check out our favorite episodes from the last 10 years:

    1. Mo Gawdat - Rethinking the Paradigm of Artificial and Human Intelligence
    2. Brian Cox — Intellectual Honesty & Learning to be a Leader
    3. Hannah Fry - What Data Can & Can’t Tell Us About Ourselves
    4. Peter Hinssen - The Never Normal
    5. Inside the Mind of Today's Cybercriminals (Brett Johnson, Part 1)
    6. Steve Wozniak In Conversation with Steve Durbin
    7. Captain Tammie Jo Shults - Habits, Hope and Heroes in a Time of Crisis
    8. Sadie Creese — Minimising Your Attack Surface
    9. Sir Bob Geldof — Challenging Orthodox Thinking
    10. Bonus Episode: Reggie Butler — Bringing Your Home to Work

    22 m
  • S36 Ep14: Steve Durbin - Emerging Threats 2026
    Dec 16 2025
    Today, Steve looks toward the horizon, at the threats and challenges that enterprises and business leaders will face in 2026 and beyond. He also gives advice on how everyone, from the board to the practitioner, can meet these challenges, and answers some of the questions he’s received this year.

    Key Takeaways:
    1. Steve’s four key drivers of cyber risk heading into 2026 are AI, supply chain, quantum, and geopolitical instability.
    2. Crucial to cyber resilience are strong governance and a security-conscious culture.
    3. Adaptive governance and adaptive security are keys to managing the challenges of 2026 and beyond.
    Tune in to hear more about:
    1. Steve’s four key drivers of cyber risk heading into 2026 (2:23)
    2. Questions to ask, whether you’re a board member, an executive, or practitioner (16:14)
    3. The changing role of the board (18:54)
    Standout Quotes:
    1. “Resilience really needs an organizational wide holistic approach that takes technology, it takes governance, it takes operational readiness, and really importantly, it takes people into account.” - Steve Durbin
    2. “I think boards need to really take it upon themselves to absolutely recognize that cyber risk is a national risk. It is a business ending risk, and they need to ensure that they don't just have incident response and resilience in place, but that they also have a tried and tested plan, so this is good old fashioned BCP — business continuity planning — with a cyber flavor.” - Steve Durbin
    3. “Cyber risk reporting has to be business outcome oriented. Boards, business executives understand revenue, operations, customer impact, legal exposure. That's the way we have to be reporting cyber risk. It's not about how many attacks we repelled, it's not about how good our systems might be. You need to translate it into business language. If you can do that, not only will you get buy-in, but you'll also have a much richer conversation about the role that cyber and therefore cybersecurity and cyber resilience play in the business.” - Steve Durbin
    28 m
  • S36 Ep13: Steve Durbin - Preparing for AI-Generated Cyber Intrusions
    Dec 2 2025
    In the second part of his interview with journalist Nick Witchell, Steve and Nick delve into the world of AI and cyber. Steve shares his thoughts on autonomous cyber defense and argues that major actors like the ISF, large private enterprises, and the UK’s National Cyber Security Centre, must lead the way and support small and medium-sized businesses in keeping pace with technological advancements. The two also discuss the future of AI, cautioning that we aren’t as prepared as we need to be…

    Key Takeaways:
    1. Small and medium-sized businesses must receive support to stay up-to-date with new technologies.
    2. As more automation is introduced into business operations, understanding of one’s crown jewels and how to protect them is increasingly important.
    3. AI is advancing rapidly with ever more funding, and globally, society is not preparing as well as it needs to for what’s to come.
    Tune in to hear more about:
    1. Steve’s view on autonomous cyber defense (00:55)
    2. The National Cyber Security Centre and its role in the cyber resilience of UK businesses (3:36)
    3. How AI will impact jobs in cyber (7:55)
    Standout Quotes:
    1. “You'll never get me going into an autonomous car. I just won't do it. And people will say, ‘Yes, they're being looked after by some bloke in a tower somewhere who's watching it.’ I'm not buying it. I've been working in technology for far too long to know that it is fallible. And so I think we have to really move toward much more transparency in our understanding of where the AI tool is active, the data that it's using, the decisions it's making.” - Steve Durbin
    2. “We are looking for large private enterprise to be working collaboratively with people like the NCSC, with people like the ISF, to really help some of these smaller organizations that don't have the luxury or resources available to them to keep a pace with [technology].” - Steve Durbin
    3. “If you go back to the internet, we didn't do a good enough job of trying to forecast the way in which the internet was going to be used. We put it out there and we said, ‘Let everybody use it and let's see where it goes.’ We are doing, I fear, a similar kind of thing with AI.” - Steve Durbin
    14 m
  • S36 Ep12: Steve Durbin - Cyber Governance in Transition: What Boards Should Do Next
    Nov 25 2025
    In today's episode, Steve sits down with journalist Nick Witchell for a conversation focused on what business leaders can learn from this year's major cyber attacks and the recent AWS outage. The two also discuss cyber regulations and the challenge of operating a global enterprise during significant geopolitical turmoil.

    Key Takeaways:
    1. Boards and senior executives understand there is a threat, but many still lack knowledge of how to deal with it.
    2. We are too reliant on technology; for the sake of business continuity, a backup plan must be in place.
    3. High-quality simulation exercises are a crucial step toward more cyber resilience.
    Tune in to hear more about:
    1. The role of policy and regulation (3:17)
    2. Why cyber simulation exercises are so important (5:45)
    3. Steve’s thoughts on the recent AWS outage (7:54)
    Standout Quotes:
    1. “Now, in the boardroom itself, in companies themselves, we have seen over the past few years an increasing awareness of the threat that these kinds of things can bring to really the future of an organization. But the challenge I think we now face is really helping boards, senior executives to transition from, yes, I get there's a threat, but what should I actually be doing about it?” - Steve Durbin
    2. “I think that in the main, cloud service providers are still probably far better equipped to provide the level of service that most companies need than you'd be able to do yourself. However, we do need to take into account that things will go wrong. And we have to plan for that. So if you are an organization that can quite happily exist without access to data in a cloud provider, it doesn't have to be Amazon, it could be anybody else, then fine. I would question why you're using them in that case. If on the other hand, you are dependent on them, you have to have some backup in place.” - Steve Durbin
    3. “All too often I'm seeing people particularly in the area of, say, cyber simulation exercises, because they're viewing it as a compliance exercise, going for least cost. That to me is a bit like saying I've just moved into an area where I know the burglary rate is quite high. What's the cheapest lock and door that I can get on my front door? It's madness. Not many of us would do it. We would try to work within our budget. We'd try to really figure out how important things were in our house. That's the mentality we have to adopt. So yes, you can get some of these things done very cheaply and you can tick a box, but it's not going to help you when things go wrong.” - Steve Durbin
    14 m