PODCAST · technology
Cyber Fusion Forum
by James Oakes
Where real-world outcomes meet cybersecurity thinking. Sitting down with IT professionals—who are shaping how companies collaborate, adapt, and secure their operations. Some are deep in the cybersecurity trenches. Others work in roles that influence security without it being their core remit. We unpack how People, Process, Technology with Innovation come together to drive impact that actually helps businesses move forward. If you’re in tech, security, or care about what security actually helps businesses move forward, this is the conversation you want to be part of.
-
10
The $65k Report That Missed Everything: Bang for Your Buck in Pen Testing
Penetration testing is crowded with great brands and even greater illusions. In this episode, William Wright, CEO of Closed Door Security and UK Council member at CREST, breaks down the stark difference between real pen testing and glorified vulnerability scans. We get into how to vet providers, what a good report actually looks like, why references matter, and how threat-led testing changes the game from “find issues” to “prove business-relevant risk.”
William shares war stories: a bank test that missed an IDOR exposing transactions, a $65k engagement that produced 70+ pages of screenshots but ignored systemic compromise, and how weak internal testing loops create “unknown unknowns” that later become ransomware incidents. If you buy, run, or rely on pen tests, this is your field guide to getting value and avoiding smoke and mirrors.
-
9
Start With Why, Not the Tool: IAM Transformation with HSBC’s Joe Matthewson
Most transformations start with the tech and stall with the people. In this episode, Joe Mathewson (IAM Transformation Lead at HSBC) shares a refreshingly practical playbook for turning identity programs into business outcomes. We dig into how to lead change in complex environments: begin with the why (not the tool), tailor the message by audience, and bring operations in from day one so the final solution is adopted, not resisted.
Joe unpacks how security can enable revenue by giving the business controlled speed (think: day-one access, adaptive auth, and cloud controls), and he shows how to write business cases that land. If you’ve ever been told “we’re rolling out this product because…,” this episode will help you flip the narrative, get buy-in, and deliver any program the business actually champions.
What you’ll learn:
* The “Start with Why” method for security transformation (and how to use it with execs vs. engineers)
* Bottom-up stakeholder engagement that survives tool changes and re-orgs
* Turning IAM into a service: enabling risk-taking safely to grow revenue
* Business-case proof points: day-one access, JML automation, and killing tick-box recerts
* How to sell change without creating a “no department”
-
8
Tailored, Not Templated: Designing a SOC That Fits Your Business
What does a modern SOC really look like? Craig Gilliver (Head of Cyber, Sector Alarm Group) joins me to unpack how to build a security operations function that fits the business you actually run. Coverage that matters, visibility you can act on, and costs you can defend!
We get into: why every SOC should start with business risk (not “collect everything”); the coverage vs. storage trade-off and how to show ROI beyond license spend; why SOC teams often become “productive disruptors” who expose missing owners, undocumented systems and CMDB gaps; and how to keep analysts sharp when the alert firehose never stops. Craig also tackles the AI hype head-on & why attacker tooling is evolving faster than many defenses. Listen to his pragmatic take on The Board conversation: security is one voice at the table, so bring signal, not noise.
If you’re building, rebooting or right-sizing a SOC, this one’s a blueprint.
-
7
From Chaos to Control: Building Safe AI Practices in Your Business
AI isn’t coming - it’s already in your business.
In this episode, Matt Neal, Founder of Artificia1, reveals how businesses are unknowingly exposing themselves to risk through “Shadow AI” - and what they can do about it.
From ChatGPT use in marketing teams to users buying AI tools on their own credit cards, Matt breaks down the uncomfortable truth: you can’t block AI adoption - but you can guide it safely.
We cover:
* Real examples of Shadow AI across departments
* How to safely adopt tools like ChatGPT, Gemini, and Copilot
* Why banning tools leads to user workarounds
* What every business should do before they roll out AI
* The rising importance of the Chief AI Officer
Whether you’re in IT, security, or business leadership, this is the episode that will help you prepare for the AI-infused future that’s already arrived.
-
6
Tiger Teams and BLUFs: Delivering Identity in Complex Environments
In the Ministry of Defence, getting digital identity right isn’t just about access control, it’s about operational readiness.
In this episode, I sit down with Richard Curtis, Program Manager for Digital Identity at the UK MOD, to explore what it takes to lead secure, agile identity programs across one of the most complex operating environments on the planet.
Richard shares:
* Why he uses “Tiger Teams” to solve delivery bottlenecks
* How the MOD balances agility with Secure by Design principles
* The red flags he watches for when building identity teams
* How he uses BLUF (Bottom Line Up Front) to cut through noise and build advocacy
* Why the emotional connection to cyber work makes the mission personal
Whether you're running IAM in a critical infrastructure org or navigating transformation under pressure, this episode will leave you with practical tactics and thoughtful leadership insight.
-
5
The Hidden Risks Behind AI-Led Product Teams
AI is already reshaping how product teams build, launch, and evolve digital experiences. But what happens when those experiences have security blind spots baked in from the start?
In this episode, I sit down with Kevin Magee, CTO of All Human, to explore how AI is accelerating product roadmaps—and the cybersecurity implications many teams are ignoring.
Kevin explains:
* How AI is changing the way teams brainstorm, prototype, and ship features
* Why traditional DevOps isn’t enough when LLMs are in production
* What “non-deterministic behavior” really means and how it can lead to dangerous outcomes
* How to create a human-in-the-loop process that includes security without blocking innovation
* Why your AI chatbot could be the next insider threat if you're not careful
This episode is essential listening for any security leader trying to stay ahead of how AI is used inside their business, not just to defend it.
-
4
Don’t Buy a Ferrari When You Need a Bike: Rethinking IAM Investments
How do companies keep buying Ferraris when all they need is a bike?
I sit down with Daniel Álvarez García, Senior IAM Manager at PwC Spain and author of the widely followed Future of Digital Identity newsletter, to explore the 7 most common IAM mistakes companies make—and how to fix them.
Daniel shares brutally honest lessons from the field:
* Why IAM tools are often underused (and overpriced)
* How to build a realistic identity roadmap before (or after) making a major purchase
* Why your cloud apps are your problem—not your provider’s
* What metrics and SLAs matter most for onboarding, offboarding, and critical access
* How identity teams can move from firefighting to building foundations
Whether you’re about to invest in IAM or already stuck trying to justify one—this episode is a playbook in how to approach identity strategically, not reactively.
🎧 Listen on Spotify or watch on YouTube now.
-
3
The Cybersecurity Balancing Act: When To Choose IAM vs Network Security
In this episode of Cyber Fusion Forum, James Oakes sits down with Michael Dybek, Senior Solutions Consultant and identity evangelist, to unpack a growing challenge in modern cybersecurity: over-relying on traditional network security while neglecting identity. Michael shares candid insights on how too many organisations still treat cybersecurity as a tick-box exercise—securing just 40-50% of what’s actually at risk.
The conversation dives deep into:
* Why hybrid work environments demand layered security approaches
* The risk of choosing “safe buys” instead of fit-for-purpose IAM strategies
* Why defining what “good” looks like in identity is so elusive
* How to justify dual investments (like IAM and NetSec) to non-technical stakeholders
* What to look for in a consulting or reseller partner—beyond just the logo wall
If you’re navigating the trade-offs between IAM, network tools, and business realities—or trying to make smarter security investments that actually work—this one’s for you.
-
2
Secure by Collaboration: Building DevOps and Cybersecurity Bridges
In this episode of Cyber Fusion Forum, we sit down with Carl Pickering — a veteran Linux engineer and Lead Platform Engineer at MetDesk — to explore what secure software delivery really looks like at the coalface of DevOps and platform engineering.
Carl shares candid insights from nearly three decades in tech, reflecting on:
* Building security into the dev cycle without slowing delivery
* The human element in mistakes, misconfigurations, and burnout
* How to use CVEs, SBOMs, and CI/CD pipelines to validate security early
* The Log4j scramble — and how he’d handle it now
* Creating business buy-in when pressure mounts to release fast
This episode is packed with practical wisdom for any engineer, manager, or CISO trying to harden delivery pipelines without creating blockers — and for any business leader learning how (and when) to listen to their tech teams.
-
1
Faster, Cheaper, Simpler: Owen Jones on Rethinking GRC
In this episode, I sit down with Owen Jones — founder of Loopli and creator of the OSbD™ (Organisational Security by Design) framework — to unpack why traditional InfoSec often fails to scale, and how to build security into your business without burning out your teams or your budget.
We talk about:
* What modular security looks like in practice — and why it reduces compliance overhead by up to 50%
* Why most GRC efforts overload the business (and how to reverse that dynamic)
* How to make cybersecurity a strategic asset for finance, ops, product, and procurement
* Why cyber insurance requirements are a ticking time bomb — unless InfoSec has a seat at the table
* How to operationalise security into workflows, not just policy docs
Owen doesn’t just talk frameworks — he’s built them into fast-growing startups and complex enterprises alike. If you’ve ever struggled to articulate InfoSec’s value to the business, or you’re stuck in audit purgatory, this one’s for you.
HOSTED BY
James Oakes