Cyber Fusion Forum

The $65k Report That Missed Everything: Bang for Your Buck in Pen Testing

Penetration testing is crowded with great brands and even greater illusions. In this episode, William Wright, CEO of Closed Door Security and UK Council member at CREST, breaks down the stark difference between real pen testing and glorified vulnerability scans. We get into how to vet providers, what a good report actually looks like, why references matter, and how threat-led testing changes the game from “find issues” to “prove business-relevant risk.” William shares war stories: a bank test that missed an IDOR exposing transactions, a $65k engagement that produced 70+ pages of screenshots but ignored systemic compromise, and how weak internal testing loops create “unknown unknowns” that later become ransomware incidents. If you buy, run, or rely on pen tests, this is your field guide to getting value and avoiding smoke and mirrors.

Start With Why, Not the Tool: IAM Transformation with HSBC’s Joe Matthewson

Most transformations start with the tech and stall with the people. In this episode, Joe Mathewson (IAM Transformation Lead at HSBC) shares a refreshingly practical playbook for turning identity programs into business outcomes. We dig into how to lead change in complex environments: begin with the why (not the tool), tailor the message by audience, and bring operations in from day one so the final solution is adopted, not resisted. Joe unpacks how security can enable revenue by giving the business controlled speed (think: day-one access, adaptive auth, and cloud controls), and he shows how to write business cases that land. If you’ve ever been told “we’re rolling out this product because…,” this episode will help you flip the narrative, get buy-in, and deliver any program the business actually champions. What you’ll learn: * The “Start with Why” method for security transformation (and how to use it with execs vs. engineers) * Bottom-up stakeholder engagement that survives tool changes and re-orgs * Turning IAM into a service: enabling risk-taking safely to grow revenue * Business-case proof points: day-one access, JML automation, and killing tick-box recerts * How to sell change without creating a “no department”

Tailored, Not Templated: Designing a SOC That Fits Your Business

What does a modern SOC really look like? Craig Gilliver (Head of Cyber, Sector Alarm Group) joins me to unpack how to build a security operations function that fits the business you actually run. Coverage that matters, visibility you can act on, and costs you can defend! We get into: why every SOC should start with business risk (not “collect everything”); the coverage vs. storage trade-off and how to show ROI beyond license spend; why SOC teams often become “productive disruptors” who expose missing owners, undocumented systems and CMDB gaps; and how to keep analysts sharp when the alert firehose never stops. Craig also tackles the AI hype head-on & why attacker tooling is evolving faster than many defenses. Listen to his pragmatic take on The Board conversation: security is one voice at the table, so bring signal, not noise. If you’re building, rebooting or right-sizing a SOC, this one’s a blueprint.

From Chaos to Control: Building Safe AI Practices in Your Business

AI isn’t coming - it’s already in your business. In this episode, Matt Neal, Founder of Artificia1, reveals how businesses are unknowingly exposing themselves to risk through “Shadow AI” - and what they can do about it. From ChatGPT use in marketing teams to users buying AI tools on their own credit cards, Matt breaks down the uncomfortable truth: you can’t block AI adoption - but you can guide it safely. We cover: * Real examples of Shadow AI across departments * How to safely adopt tools like ChatGPT, Gemini, and Copilot * Why banning tools leads to user workarounds * What every business should do before they roll out AI * The rising importance of the Chief AI Officer Whether you’re in IT, security, or business leadership, this is the episode that will help you prepare for the AI-infused future that’s already arrived.

Tiger Teams and BLUFs: Delivering Identity in Complex Environments

In the Ministry of Defence, getting digital identity right isn’t just about access control, it’s about operational readiness. In this episode, I sit down with Richard Curtis, Program Manager for Digital Identity at the UK MOD, to explore what it takes to lead secure, agile identity programs across one of the most complex operating environments on the planet. Richard shares: * Why he uses “Tiger Teams” to solve delivery bottlenecks * How the MOD balances agility with Secure by Design principles * The red flags he watches for when building identity teams * How he uses BLUF (Bottom Line Up Front) to cut through noise and build advocacy * Why the emotional connection to cyber work makes the mission personal Whether you're running IAM in a critical infrastructure org or navigating transformation under pressure, this episode will leave you with practical tactics and thoughtful leadership insight.