You Can't Patch a Human: Security Awareness as a Behavioural Science with Lucy Finlay

From Recon to Ransom: Inside the Attacker's Playbook with Glenn Wilkinson, Ethical Hacker

Most organisations think about cybersecurity in terms of tools and compliance. Attackers think in objectives, timelines, and human behaviour. That gap is exactly where breaches happen. In this episode, Katie speaks with Glenn Wilkinson, CEO of Agger Labs and ethical hacker with 15 years of experience breaking into organisations, legally. Glenn has tested financial institutions, trained law enforcement, and presented at Black Hat and DEF CON. He brings that attacker's perspective directly to the conversations organisations need to be having right now. The episode covers significant ground: the structured methodology that makes hackers effective, why most breaches still start with a person rather than a system, and what it really means that attackers spend an average of 197 days on a network before anyone notices. Glenn also explains why a passed pen test is not the same as being secure, and makes the case for reframing cybersecurity as a business continuity issue, not an IT problem, to get genuine board-level engagement. The conversation closes on ransomware: what it actually is, how to build your defences before it hits, and the decision no organisation properly prepares for until it's too late, pay, or don't pay, including the legal and moral complications most people don't see coming. Practical, direct, and grounded in real-world experience. This is how attackers think. This is what that should change about how you defend.

Third-Party Risk in the Age of AI with Chris Thornberry, Information Security Manager & DPO at Oleeo

Managing third-party risk has always been complex. Add AI into the supply chain, and the rules change entirely. In this episode, Katie Watson sits down with Chris Thornberry, Information Security Manager and DPO at Oleeo, an HR Tech SaaS platform serving major UK public sector organisations and global financial services institutions. With over six years navigating security at the intersection of GRC and technical resilience, Chris brings a grounded, pragmatic perspective on what robust third-party risk management actually looks like in practice. Chris and Katie dig into why certifications like ISO 27001 and SOC 2 are no longer enough on their own, what transparency really means when you're assessing an AI supplier's entire ecosystem, not just the supplier themselves, and how to avoid shadow AI taking hold before you've had the chance to assess it. They also cover the dual challenge of operating as both a data processor and a data controller, how to build a security culture that stops bottlenecks before they start, and why Chris uses data as his North Star when evaluating any new tool or vendor. If you're responsible for third-party risk and feeling the pressure of AI reshaping your supply chain, this is a practical conversation worth your time.

Building Trust In Your Team & Supply Chain with Keith Price Director of Security, National Highways

When a cyber attack hits, most organisations focus on what technology failed. Keith Price focuses on whether the people were ready. As Director of Security at National Highways, Keith leads security for one of the UK's most critical infrastructure operators. Shutting down the motorway network during a cyber attack is not an option, which means resilience has to be built long before an incident occurs, and it starts with the team. In this episode, Keith shares what two decades in the US military, consulting roles across oil, gas, and banking in the UAE, and now leading security at national scale have taught him about what actually keeps organisations safe. His answer, consistently, is people. Keith and Katie cover: * Why people, process, technology is not just a phrase but a leadership philosophy, and what it looks like in practice * How mental health and psychological safety directly affect an organisation's security posture * The difference between security awareness that works and the annual click-through training nobody takes seriously * How Keith's finance team at National Highways avoided 2.8 million pounds in fraudulent payments, not through technology, but through engagement * Why building a no-blame culture with your supply chain matters more than a tough security questionnaire * And why, when the digital infrastructure goes down, the organisations that survive are the ones who planned for analog If you lead a security team, or you're responsible for one, this episode is a practical reminder that your greatest security investment is not a tool. It is your people.

You Can't Patch a Human: Security Awareness as a Behavioural Science with Lucy Finlay

---------------------------------------- Security awareness has spent years stuck in the same loop, annual training, phishing simulations, completion rates. Budgets are tight, compliance is the priority, and the dial on actual human behaviour barely moves. Lucy Finlay has spent nearly a decade in the security awareness space, and her argument is simple: the industry has been treating people like machines you can update with a policy and a phishing simulation. It doesn't work. And the data backs her up. In this episode, Lucy, who built her career through marketing, languages, and people engagement before spending seven years leading security education at Aviva, makes the case that security awareness is fundamentally a behavioural science problem, not a compliance one. We get into why context is everything when it comes to how people retain information, why click rates are the wrong thing to measure, and how the COM-B model can help you identify the real reason your programmes aren't landing. Lucy also talks through what it actually looks like to segment your audience, how to make the case for more resource, and why security awareness professionals should be in the containment phase of an incident, not cleaning up afterwards. Whether you're a CISO questioning your current approach or a solo security awareness practitioner trying to do more with less, this one is worth your time.

Stop, Assess, Act: A Detective's Approach to Incident Response with Stuart Bird, DFIR Leader

Stuart Bird has spent nearly four decades dealing with the worst moments organisations, and people, will ever face. Twenty-one years in UK law enforcement, including early high-tech crime work triggered by Operation ORE, gave him an investigative foundation that most in the industry simply don't have. Since moving into the private sector, he's managed over 1,000 cyber incidents globally, from ransomware and data breaches to insider threats and APTs. In this episode, Stuart breaks down what actually happens in the first 24 to 72 hours of a cyber incident, why most organisations are already several steps behind by the time they pick up the phone, and what the detective's mindset, who, what, where, when, why, how, brings to incident response that no tool can replicate. We cover the common mistakes he sees time and again: CEOs pushing to pay the ransom before any proper assessment, teams that try to fix it themselves for five days before calling for help, and playbooks that have never been tested and don't reflect reality. Stuart also makes the case that organisations are thinking about incident response the wrong way, focusing on the end game rather than the six or seven points in the kill chain where an attack could have been stopped before the encryption ever lands. If you're a CISO, IT or security manager, or business owner trying to understand what good incident response actually looks like, this is a conversation worth your time.