Cyber Security

Secure Project & Programme Management


Building Cyber Resilience into Every Project Milestone

Secure Projects for New Frontiers

Innovation and Protection in the Age of Complex IT Solutions


The increasing complexity of IT systems, driven by evolving transformational technologies, has significantly heightened the importance of security programme management in successful delivery.


Modern IT ecosystems are a blend of legacy systems, cloud services, mobile platforms, and emerging technologies like IoT and AI.


Security project and programme management helps navigate complexity by ensuring that security measures are built into every connection, and that all elements in the system work together securely.

Trust by Design

Our Programme Managers are deeply integrated in the programme from beginning to end. We start with an initial assessment to agree on vulnerabilities and the associated priorities and programme roadmap. We design a tailored security architecture: update your policies, map security protocols to new technologies, assess risks, log issues, analyse dependencies, and create clarity in responsibilities.


Stakeholder engagement is prioritised through regular reporting and executive briefings, ensuring transparency and informed decision-making—with objective judgement for red flags and escalations.


We also provide rigorous compliance support, aligning your projects with the necessary regulations using outcome-oriented dashboards and reports that are consistent and understandable.


Our holistic approach ensures that clear responsibility and accountability result in well-directed action along a critical path towards successful project delivery.

Benefits of our model


Driven by expertise

Our team has the expertise, technical background, and real-world experience to deal with complex cyber security challenges.

Secure by design

We build security into your IT infrastructure and business processes from the ground up, concentrating on our 6 key areas.

Bespoke roadmaps

We develop tailored cybersecurity roadmaps that consider your specific business models, industry challenges, and risk profiles.

Client-centric model

We ensure close collaboration with our clients. This includes regular updates, clear communication, and flexible engagement models.

Thought leadership

We leverage advanced technologies like AI and automation to improve the efficiency and effectiveness of our solutions.

Training programmes

We offer innovative training and up-skilling programmes to foster a culture of cyber security awareness within organisations.

Ready to talk?

We have experienced large-scale security programme leaders with proven success, available to discuss your project execution, risk management, compliance and any other challenges.


Get in touch today to discuss how we can help.


Cyber Security in Numbers

$9.5tr


Cybercrime costs predicted for 2024.

$4.5m


The global average cost per data breach as of 2023; as so many incidents go unreported, this is just the tip of the iceberg.

233


The average number of days for financial services organisations to detect and contain a data breach.

"Since 2016, BEC losses have topped $26 billion. And that’s just the tip of the iceberg because many are too embarrassed to report it"

Chris McMahon, Cyber Security expert

Cyber Security insights


by John Madelin 17 June 2024
What are NIS2 & DORA?

Standing for the Network and Information Security Directive, the NIS Directive is an EU Regulation which details a blanket level of cyber security measures required of all Member States and organisations within them, as well as those with or seeking to establish a footprint in Europe. In 2022, the Official Journal of the European Union published its updates to this Directive in NIS2, which made the regulations more stringent while broadening the scope of who they apply to. One of these amendments differentiated between entities deemed ‘important’ and ‘essential’, whereby the latter, which includes Banking and Finance, will be subject to closer scrutiny and greater penalties regarding their compliance with NIS2, or lack thereof.

This level of regulated scrutiny will also be heightened by a further EU directive, the Digital Operational Resilience Act (DORA). Similar to NIS2, DORA is described as establishing a ‘comprehensive framework for harmonising digital resilience processes and standards’. However, where NIS2 applies to all business entities within the EU, DORA is specifically designed to ‘strengthen the resilience of digital operations in the financial sector’. Thus, though accounting for similar processes and practices, as we shall outline, the emergence of both NIS2 and DORA represents at least two sets of cyber criteria with which financial entities must comply, not only to avoid legal penalty, but to remain robust in an increasingly dangerous digital environment. NIS2 and DORA are scheduled to become national law on 17th October 2024 and 17th January 2025 respectively, and it is important to understand both in order to ensure that your business is compliant with their requirements.

NIS2 Requirements

Chapter 4 of NIS2 requires that all Member States of the EU ensure that all of their essential and important entities ‘take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to the security of network and information systems’. By ‘appropriate and proportionate’, NIS2 directs all such entities to adopt an ‘all-hazards approach’, by which it refers to a baseline set of requirements including:

a. Internal Security Policies: Develop and enforce good essential policies that ensure robust internal security practices.
b. Incident Handling: Establish tested protocols to effectively respond to and manage security incidents.
c. Backup Management & Disaster Recovery: Ensure reliable backup solutions and disaster recovery plans to safeguard data integrity, also ensuring continuity.
d. Supply Chain Security: Maintain mutual responsibilities with partners through clear connections and dependencies to avoid the cascade effect of major incidents.
e. Information Security Maintenance: Ensure the security of your network, including vulnerability handling and disclosure.
f. Ongoing Assessment: Continuously update and monitor information security measures to protect against the ever-changing street smarts of evolving threat actors.
g. Cyber Security Hygiene & Training: Regularly assess and adapt security measures to current threat landscapes, which are often basic and repeated.
h. Cryptography & Encryption: Provide continuous cyber security training promoting best practices among employees, and ensure Quantum-ready cryptography, a subject of other evolving regulations.
i. Human Resources Security: Implement thorough background checks and enforce security protocols for all personnel.
j. Multi-Factor Authentication: Enhance access control through the use of multi-factor authentication, the absence of which is always a feature of successful cyber incidents.

DORA Requirements

DORA is considered a Lex Specialis for financial sector entities, meaning that, where it possesses overlapping or shared regulations and principles with NIS2, DORA takes precedence. Thus, though it is still important to remain aware and informed regarding NIS2 and its requirements, it is more important to be equipped with an acute understanding of DORA.

DORA requires that all financial entities be equipped with an ‘internal governance and control framework’ designed to strengthen their cyber defences, particularly in regard to the transfer of data, risk of corruption, confidentiality and loss of data, and protection from human error. In order to ensure this, DORA insists upon the implementation of the following processes:

a. An information security policy with clearly defined rules to protect the availability, authenticity, integrity, and confidentiality of data.
b. A sound infrastructure management structure which makes use of appropriate techniques and mechanisms, such as those which isolate affected assets in the event of a cyber attack.
c. Policies which limit the physical access to information assets and ICT assets to what is legitimate and approved.
d. Protocols for strong authentication mechanisms based on relevant standards and systems, including the use of encryption.
e. Controls for ICT change management in order to ensure that any changes are recorded, tested, assessed, approved, and verified.
f. Appropriate policies for patches and updates.

Implications for the Finance Sector

Both NIS2 and DORA may appear to establish relatively basic levels of cyber security awareness and defence; however, it is important that they are properly implemented and strengthened within your operations. This is partly due to the financial and reputational losses that can and will impact your organisation in the event of a cyber security breach.

In considering financial entities to be essential, NIS2 makes them liable to a fine of up to €10m or 2% of their annual turnover, whichever is higher. Similarly, DORA penalises any instance of non-compliance with a daily fine of up to 1% of the average daily worldwide turnover of the financial entity until compliance is reimposed.

Furthermore, the reporting obligations of both Acts pose significant and specific considerations for financial entities, based on how and when an organisation should bring awareness to a potential or recent cyber security breach. DORA’s Article 10: Detection requires that financial entities ‘have in place mechanisms to promptly detect anomalous activities’, and expands the reporting process in Article 17: ICT-related incident management process to ensure that ‘major’ cyber security incidents are reported to the appropriate management bodies in order to enact mitigation and prevention procedures. Similarly, NIS2’s Article 23: Reporting Obligations requires that all essential and important entities promptly identify and report any ‘significant’ cyber security breach or incident to their representative computer security incident response teams (CSIRTs). There are two main indicators which make an incident ‘significant’ under NIS2: one is that it has affected or caused damage to other entities or persons; the second is that ‘it has caused or is capable of causing severe […] financial loss for the entity concerned’. This is particularly pertinent for organisations which by nature and definition handle and advertise the possession of large amounts of money, a consideration which DORA highlights as an Act specific to the financial sector. In its classifications of ICT-related incidents which financial entities should use to determine their impact, DORA specifies ‘the criticality of services affected, including the financial entity’s transactions’ as well as ‘the economic impact, in particular direct and indirect costs and losses’.

Thus, it is crucial for financial organisations to ensure that their operations are properly barricaded against cyber threats, and that they have airtight contingencies and reporting protocols in place in case they are breached.

Finally, it is important to internalise clear accountability within your organisation. NIS2 makes it clear that the responsibility for the approval, delivery, and maintenance of an essential entity’s cyber security risk-management measures rests with the management bodies of the entity. This includes coordinating cyber security training and the provision of ‘sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices’. DORA is even clearer in this regard, specifying that the management body of the financial entity shall ‘bear the ultimate responsibility for managing the financial entity’s ICT risk’. Thus, the stakes are higher for executives and C-suite professionals to ensure compliance, as they will be the ones held accountable for breaches and attacks.

How Cambridge MC can Help

Whether your company is based primarily inside or outside the EU, it is crucial that your organisation complies with NIS2 and DORA by the end of the year if you have any entities or subsidiaries in, or currently conduct or plan to conduct work in, any EU Member States. In any case, NIS2 and DORA represent aspirational sets of guidelines pertaining to the cyber hygiene of your organisation that would only strengthen it to internalise. This is particularly salient in a regulatory culture which is increasingly prioritising and scrutinising cyber security. As of April this year, the UK Government implemented minimum security standards to protect consumers and businesses from cyber attacks. These include the banning of easily guessable default passwords: regulations which, like NIS2 and DORA, are seemingly basic yet carry higher stakes for non-compliance.

At Cambridge Management Consulting, we have a team of experienced Cyber Security professionals with decades of combined practical experience in the field, as well as detailed and up-to-date knowledge of all relevant regulations and principles. To prevent your organisation from being left behind or penalised for a lack of cyber maturity, contact our cyber team to understand your pain points and vulnerabilities—we will work with you to construct, assess, and deliver a comprehensive strategy to resolve them. Contact John Madelin, our Managing Partner for Cyber Security, or learn more about our Cyber Security capability.
by John Madelin 28 February 2024
Introduction

The National Counterintelligence & Security Center (NCSC) suggests that universities are particularly vulnerable to cyber crime because they are key contributors to the economy, skills development, and innovation. Cambridge MC was approached to conduct a comprehensive cyber capability maturity assessment for a major UK academic institution, leveraging a team of experts with technical understanding and frontline experience in cyber defence. This team carried out a thorough evaluation through a series of tests, interviews, and artefact examinations. Unlike conventional assessments, our strategy focused on actionable insights which were tailored to the unique operational context of the institution. The assessment was structured around recognised capability categories, informed by the team’s extensive experience defending against cyber attacks. The methodology was particularly effective for its sensitivity to the institution’s risk appetite—balancing cost, risk, and investment to propose solutions that were unique to their situation.

Project Overview

The primary challenge was the institution’s realisation that its existing cyber hygiene practices and IT discipline might not be sufficiently robust to withstand the increasingly advanced tactics employed by cybercriminals and their growing interest in the education sector. The institution sought out Cambridge MC to identify these vulnerabilities, assess the overall maturity of its cybersecurity practices, and recommend strategic improvements. This meant not only highlighting technical deficiencies, but also providing a holistic evaluation of the institution’s security posture, considering the practical realities of defending against threats. This included an assessment of the institution’s risk readiness, infrastructure resilience and staff preparedness.

Cambridge MC’s goal was to ensure that the recommendations produced as a result of this assessment were not only technically sound but contextually appropriate and aligned with the institution’s strategic objectives and resource constraints. This personalised approach was crucial in designing a cyber security strategy that was both achievable and sustainable.

Strategy

What we did

Our approach involved a thorough assessment of the institution’s cyber infrastructure, including tests, interviews, and the examination of artefacts to gain a holistic understanding of their cyber maturity. To do this, we engaged experts with significant technical depth and extensive experience in cyber defence and leadership roles; a blend which was crucial in conducting a maturity assessment that focused on pragmatic gap closures.

Why we did it this way

Our methodology was designed to move beyond mere technical details and address the practical aspects of cyber security. By organising our work into recognised capability categories, we targeted areas that, if weak, would likely lead to vulnerability and a high risk of attack. This approach allowed us to pinpoint critical gaps in the institution’s cyber security practices and propose targeted improvements.

Concepts and methodologies applied

We applied a risk-based approach, sensitive to the institution’s risk appetite, to make practical trade-offs between cost, risk, and investment. This ensured that our recommendations were contextually appropriate and aligned with the institution’s strategic objectives. Our assessment framework was grounded in industry best practices and standards, tailored to the unique needs and challenges of the academic sector.

Obstacles encountered and overcoming them

One of the main obstacles we encountered was resistance to change, a common challenge for institutions with established routines and cultures. To overcome this, we emphasised the importance of cyber hygiene and IT discipline through clear, evidence-based findings and recommendations. We conducted workshops and discussions to engage stakeholders at all levels, highlighting the tangible benefits of enhancing their cyber security posture and demonstrating how our recommendations could be implemented in a manageable manner.

The Team

The Cambridge MC cyber security team tasked with supporting this project comprised:

A technically adept practitioner specialising in vulnerability testing, equipped with cutting-edge knowledge of tools and techniques for identifying weaknesses in the institution’s cyber defences. This role was crucial for uncovering hidden vulnerabilities that could be exploited by attackers, providing a technical foundation for the assessment.

Back-office risk experts with a deep understanding of the broader risk landscape and risk management principles, ensuring that the assessment considered not just technical vulnerabilities but also organisational and procedural risks, aligning the cyber security strategy with the institution’s overall risk appetite.

A security leader with 30 years of experience building and running security services, who offered strategic oversight and practical insight into effective cyber defence mechanisms and was vital in ensuring the recommendations were not only theoretically sound but also pragmatically achievable.

Together, these professionals ensured a comprehensive, nuanced, and highly practical assessment, underlining the importance of a balanced team in addressing complex cyber security challenges.

Outcome & Results

Optimised Cyber Resilience

We recommended and outlined a robust workflow and identity management system across all of the institution’s systems, emphasising the need for multi-stakeholder cooperation. This highlighted the challenge of managing tens of thousands of accounts for a community of far fewer staff and students.

Longevity

We made clear, actionable recommendations describing implementation plans for changes, such as improving the security culture and some operational deliverables associated with SOC efficacy, all of which were agreed upon by the leadership team, who assured us that these changes would be in place at this institution for the next three years.

Staff Readiness

We enhanced the security awareness and training of the staff, postgraduate researchers, and students, including specialised training for the Information Security team. We also made recommendations for improving security posture, such as the adoption of Cloud Access Security Broker (CASB) and Data Leakage Prevention (DLP) solutions, and the development of a quantitative risk forecasting methodology.

Forward Planning

We also made suggestions for future improvements, including SOC operational activities, creating new initiatives targeting cyber kill chain strategy areas, and planning disaster recovery tests for ICT systems.
by John Madelin 23 January 2024
“Cybercrime is the number one problem for mankind, and Cyberattacks are a bigger threat to humanity than nuclear weapons” - Warren Buffet As we enter 2024, there are signs that the Cyber Security industry is teetering on the brink of a major transformation, culminating in a more coherent and business-involved approach which will ensure a better understanding and management of cyber risks. Setting aside other associated factors for now, this metamorphosis is being fuelled by the astronomical rise in cybercrime that has been observable across the previous 3-5 years, turning it into a multi-trillion-dollar industry. The business leaders who missed this sudden rise in temperature, suddenly find themselves in boiling water. These anticipated and imminent changes, accelerated by the lucrative and seemingly untouchable nature of cybercrime, will inevitably necessitate a more fundamental redefinition of cybersecurity strategies. The Dark Web’s explosion of sophisticated crime and the pivot from traditional crime streams, such as the illegal drug industry, to the high profit margins and low-risk profile of cybercrime is just too irresistible to a growing demographic. Between the intoxicating mix of easy money and apparent immunity, the appeal of cybercrime is reaching not only existing criminals, but new breeds. This new era and new generation will force us to re-characterise what we mean by Cyber Security, as business leaders are set to thaw the icy divide between CISOs and the CIOs with whom they tend to work. This will push the industry into constructing a more deeply integrated and pervasive defence strategy overall. 
However, this shift is not just about adopting new technologies; on the contrary, it amounts to a cultural revolution, and the associated liability, regulatory, maturity, quantification, integration, communication, and behavioural shifts in emphasis that are pulled into its current will be further catalysed by the growing ranks of ingenious cyber criminals and hackers at the gate, equipped to breach your defences with persistent creativity. By now you may be thinking ‘wasn’t this a predictions article’? Yes, and so far I have tried to emphasise why the critical tactical actions that we begin today must be held to, not merely as piecemeal reactions to the cyber environment I have thus far outlined, but all the way to future proof. These tactical building-block priorities must become the planned foundations to support long-term resilience, we otherwise risk seeing the criminals melt into the dark web with our money and private data. There’s a likelihood that absent vital improvements in our cyber defences, left by those still using old-school, gear-heavy, and fragmented defences, led by the autonomous and uncommunicative CISOs, those who fail to adapt will find themselves outmanoeuvred by the increasingly resourceful cybercriminals. However, for those organisations in 2024 who recognise the gravity of the current climate and ingenuity of recent cybersecurity threats—and commit to more fundamental practices built into more IT and business integrated frameworks (which might also suggest a new breed of CISO)—the transition into 2025 is likely to be marked by a significant decrease in anxiety, and far more restful nights. 
Traditional Technology Predictions for 2024 In this first section, we look at the more traditional, in-brief predictions for the gearheads, specifically falling within my Top 6 most pressing technology themes that will colour 2024: Multi-Factor Authentication Given how prevalent credentials are in attacks, we used to follow the rule of ‘Anything web-facing needs Multi-Factor Authentication (MFA)’. Now, in 2024, thanks to the cloud breaking into our legacy estate, our complete clarity on what exactly is being published to the web has become obscured. In 2024, the mantra must be changed to ‘everything needs MFA’, but this still has a long way to go. Privileged Access Management Since Privileged credentials are the holy grail for cybercriminals, these chinks in the armour need resolving urgently. This is exacerbated by the way in which responsibility for this resolution is spread across business units; tactical challenges can be resolved, but only if an appropriate leader, at an appropriate level, applies some pressure and urgency. Systems are out-of-date, there are too many passwords, many of these are mismanaged, privileges themselves are too excessive, etc. In modern systems, the arrival of cloud multiplies these complexities, as does the expansion of responsibilities to third parties. These systemic failings need to be addressed in 2024, and imminently. The way forward is a cross-functional emergency exercise, with a target to adopt and maintain serious discipline by this time next year. Monitoring You read that correctly—unbelievably, monitoring is much further behind than it needs to be as we move further into 2024, a fact that has somehow gone largely unnoticed. This may be the reason why the cyber insurance industry weathered rough seas in 2020, and why we are now overwhelmed with high volumes of indiscriminate alerts. We must improve basic log aggregation, normalisation, and correlations, through better IT integration. 
This reporting should be developed to enhance action, with a, perhaps uncomfortable, focus on more meaningful ‘one-ten-sixty’-style reporting. With today’s current threat landscape, if the insurance losses are anything to go by, if your monitoring is not polished in 2024 then you can forget cyber insurance, as you can expect to suffer losses in 2024. Zero Trust As a frequently misused and misunderstood phrase, it is important to establish a clear and consistent definition of what we mean by ‘Zero Trust’, first coined by Forrester’s John Kindervag many moons ago. The need for clarity is equally important to business leaders; they will expect quick intelligibility and relevance, or they will lose interest fast—and, for the first time in 2024, we need them seriously on board. As you probably know, Kindervag’s core theme was to shift from the network’s ‘trust but verify’ model to ‘never trust but always verify’. This more cloud-ready mindset forces more emphasis on users, data, and devices across better segmented and more continuously monitored networks, also enhancing third-party risk management scenarios. Incremental steps in this direction, which reflect the need for more fundamental practices within more IT-integrated frameworks, can pay quick dividends in 2024. AI Threats I was reluctant to include this one, as I don’t believe that the use of AI either offensively or defensively will have a truly transformative effect on cyber defences in 2024/2025. I must, however, acknowledge that cybercriminals, who are after a quick win and are inherently street-smart, will use it to operate smarter and faster. At the very least, this will hopefully force companies to take care of their basics more effectively. That being said, keeping an eye on AI is an increasingly critical aspect of security that is often overlooked, specifically the need to conduct regular, repeatable security testing of the AI technologies themselves. 
As the integration and use of AI tools becomes more pervasive, a new category is poised to become a bigger emphasis in 2024, one which continuously monitors AI systems for any unusual activities or anomalies, including tracking system performance and outputs. IoT and OT (Complexity and Criticality) Arguably, IoT is just more IP end points, which the networkers amongst you will be unphased by. I am using OT as shorthand (as many non-IT aware business leaders do) for ‘critical supply chain systems’. This amplification of the criticality of IoT as they continue to undertake more supply-chain functions suggests that we will need to distinguish which of them support critical business processes. In 2024, getting our arms around a near real-time and complex CMDB (the basic inventory of our IT estate), including this explosion of more integrated, more intelligent, and more mission-critical IP end points becomes of pressing concern. Conclusion Some might argue that these predictions are a little basic, and you will have noted that I collected cloud and third party under ‘Zero Trust’, when arguably there is so much more to be said for both. However, I unapologetically remain of the opinion that, if we continue to build our infrastructure on sand, then we shouldn’t be surprised when it sinks . A key theme in 2024, as we consider my predictions in the next section, is that we must first attack these ‘basic’ technical security categories in more meaningful ways before leaping into shinier, strategic topics that will remain moot if unsupported by solid foundations. What is Really Driving Change in 2024 The Business Sophistication of the Cyber-Criminal Fraternity Cybercrime as a Service (CaaS) is an industry by which threat actors on the Dark Web sell their tools, expertise, and services to others, often in franchise or affiliate models. 
Since the primary goal for such criminals is to make more money with less effort and less direct involvement, this exploding trend is a worrying, yet increasingly material, part of the criminal Dark Web. It is estimated that at least two thirds of ransomware, one of the largest categories of cybercrime, is conducted through a CaaS model (according to Cyber Resilience Insights). There is a frightening level of organisation and sophistication with the roles, expertise, and infrastructure of these CaaS models that is making it easier for new entrants to subscribe to criminal franchises without the need for any technical or operational knowledge. Full-service CaaS operators will offer not only customer service to affiliates during ransomware campaigns, but they may also handle ransomware payments and decryption key access, for example. The organisational sophistication of these franchisors is breathtaking, let alone their pricing and marketing capabilities. Operators such as Lockbit 2.0 offers guarantees on the speed of infection, not to mention service guarantees in recovery for those who pay the ransom. In 2024 and beyond, his will continue to enable access to a wider demographic of new criminal profiteers in more resilient and integrated models that continue to evolve and improve with time and volume. More criminals will continue to exit lower profit and higher risk activities, such as people-trafficking and drugs, and move into cybercrime. Key 2024 Takeaway: This re-enforces the need to re-visit the basics; cyber activities will continue to be a volume game for the perpetrators. Visibility of Cybercrime to Non-Experts Crime will become more visible, at last. At the higher end of the size estimates for cybercrime are $10.5 trillion by 2027 . 
Allowing for a certain amount of scepticism, even if we halve those numbers, the US Government estimates that IP theft alone now amounts to around $600 billion a year, suggesting that ‘trillions’ is now the sizing language for cybercrime. It should be noted that this number is widely distributed across a wide variety of criminal activity. The criminal fraternity are not greedy, given that too much visibility raises risk levels from complete impunity to unnecessary minimum risk. Whilst, globally, 72.7% of all organisations fell prey to a ransomware attack in 2023 (Statista), too much of this goes unreported. Because it represents a huge volume of mid-level cash impact, it has been too fragmented for any single action to deliver any more attention-grabbing deathblows, but is instead amounting to a less visually compulsive ‘death by a thousand cuts’. Attacks are becoming so widespread and persistent, as well as collectively reaching material levels from a wider demographic of criminals, and taking numerous variegated forms of profiteering (such as data theft, phishing, malware, ransomware, DDos), that the growth in visibility to the Boardroom will accelerate in 2024. Key 2024 Takeaway: In the past, research has suggested that CISOs have gotten away with accepting ‘smile and wave’ feedback from the board. While that may have worked previously, this will now force security and IT leaders to be held more accountable in real terms in 2024, and we will see much sharper qualification and expectations from the Board in the coming year as a result. Furthermore, this opportunity will not be lost on the more mature CISOs. They will use these almost absurdly unrealistic yet engaging and increasingly visible happenings to fuel strong anecdotal storytelling with board members, in order to catch and retain their attention. 
Authorities will Continue to Turn Up the Heat on CISOs and Business Leaders

A set of straw polls of front-line incident response experts in 2023 suggested that between 70% and 90% of incidents are not disclosed and that, in another significant proportion, ransoms are paid. However, in July 2023 the Securities and Exchange Commission (SEC) in the US adopted rules requiring registrants to disclose any material cybersecurity incident they experience, and to disclose annually their cybersecurity risk management, strategy, and governance. For those breathing a sigh of relief that they do not work or reside within the US, the rules also reach certain categories of foreign entity that pass a business-contact or ownership test. Similar steps are expected in Europe, and some are already reflected in EU legislation such as the NIS2 Directive and the Cyber Resilience Act (CRA). The SEC rules require registrants to disclose any cybersecurity incident they determine to be material on a formal reporting form (Form 8-K, within four business days of that determination), and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact, or reasonably likely material impact, on the registrant. These changes will force a much closer relationship with lawyers in 2024, who must be prepared for near-real-time disclosure responsibilities and their impacts on personal and professional liabilities and fines.

Key 2024 Takeaway: Disclosure warrants a significant amount of workload involving lawyers, regulators, clients, media, executives, and the board, not to mention all the paperwork around the crime scene and a host of behaviours affected by privilege constraints. With all of this in mind, it is even more important to run those tabletop exercises in 2024, and to ensure that you have all of the internal help and flexible bench strength from a host of experts ready to hand.
Around 50% of CISOs will leave in 2024

Another recent survey has suggested that 94% of CISOs are affected by stress and that, for 64%, these stress levels are compromising their ability to do their job. The relentless barrage of incidents, which consistently eat into nights, weekends, and vacations, combined with the aggression with which such incidents are met by impatient colleagues and business partners, is traumatic enough, but it is increasingly becoming the norm for CISOs to be held personally liable. Recent actions by the US Government display a growing practice of holding executives accountable for cybersecurity breaches. Notably, federal prosecutors in San Francisco brought criminal charges against Joe Sullivan, Uber's former CISO, for his role in covering up a 2016 data breach, and a jury convicted him in October 2022. Professional observers say that he narrowly avoided prison because he was the first, and that the rest of us should see this as a warning; his $50,000 fine, the significant cost of defending himself, and three years of probation are not going to help CISO stress levels. This is compounded by the SEC's October 2023 action against SolarWinds and its CISO, alleging that the company misled investors about its cybersecurity practices and risks. Admittedly, that is a civil enforcement action rather than new legislation, and there is as yet no specific legislation or regulation that makes SolarWinds staff personally liable, but the legal and regulatory landscape is evolving, and discussion of accountability for cybersecurity incidents at corporate leadership level is expected to accelerate. In short, around 50% of CISOs are expected to change career paths by 2025. More imminently, in 2024 all of this will result in the lawyers and leaders representing major organisations paying much more attention to cyber and to their D&O insurance.
This shift will force closer attention and alignment with broader efforts to strengthen cyber defence mechanisms and ensure responsible management of cybersecurity risk within organisations, where failures in attention to detail could still result in jail time and other personal liabilities not covered by insurance.

Key 2024 Takeaway: This concerns those in business leadership specifically. If your CISO is a true front-line CISO, they will be suffering, and if you have not already done so, now is the time to reach out and offer support. Accountability needs to be shared, or you are going to lose your CISO and find them hard to replace. The days of autonomous and isolated CISOs being 'left to do the expert cyber stuff' are over.

Budgets and Quantifying Risk and Return in Cyber Security

In a recent board and CISO report, supported by thorough survey work and conducted by the analyst firm Cyentia, the topics and concerns that board members cited as the most critical and pressing fell at the bottom of the CISOs' priority list. I was closely involved in the first of the series and personally spoke to dozens of CISOs, all of whom assured me of their close relationship and good communication with the board. The 75 board members surveyed universally disagreed; one quote in particular spoke volumes: 'Security has a seat at the table, but has nothing to say. We're listening, but security mumbles.' The board-side lack of appetite to resolve these differences was amplified by the fact that, at the time (2017-2018), cybercrime did not have the visibility it has today, when it is near-impossible to ignore, and, in their words, 'there's no chance of fines or personal liability for me'. On the spending side, there was almost unconstrained growth in cyber budgets in the period 2010 to 2020, ranging from 6% to 14% of the company's annual IT budget and averaging 10%.
This growth came during a period in which experts could recognise the rise in cybercrime, but business leaders felt no need to get involved. Arguably, budgets were parcelled out to CISOs largely to keep the problem at arm's length, at a time when, in my own survey experience, leaders were paying lip service to cyber defence and regulation. Meanwhile, the evolving and escalating nature of cyber threats has since hit the radars of most business leaders. In 2020 the FBI reported a record level of activity, with no one knowing at the time that this remarkable increase would continue to accelerate. Yet as cybercrime has exploded in size and diversity since 2020, budgets have been reducing. This is a strange coincidence; one theory is that IT leaders and CISOs have suddenly found themselves asked to account for a spend that, over the last 15 years, has been tech-vendor-led, uncontrolled, and indiscriminate, and the pause button has been hit in order to understand what we already have before adding any further investment. 'Indiscriminate' may seem a provocative turn of phrase, but it reflects the reduced accountability for clear outcomes compared with other spending categories of a similar size. In the apocryphal words of some CISOs, the more you spend, the more 'nothing' (meaning peace of mind) you get. That is not usually a good enough business case for a CFO.

Key 2024 Takeaway: The security community has struggled to engage the board with any real impact. However, there is a promising shift towards a new archetype of business-savvy CISO who embraces a 'listen more, speak less' approach, skilfully blending rigorous discipline with the nuanced 'narrate with data' soft skills required.
Despite these advances, bridging the gap between cybersecurity and executive engagement remains a significant hurdle, and there is still a long way to go. In 2024, CISOs must identify with the business, build security awareness, be credible and candid, and provide 'pointed evidence'. KPIs for the board should be based on the underlying core business initiatives that security products and processes support, in a 'by design' approach that places security as an unobtrusive yet solid foundation for business offerings and the platforms on which they sit.

Conclusion

While I anticipate the eye-rolls toward the Warren Buffett quote with which I opened this article, I hope we can all agree that he is not known for hyperbole. Rather, he is known for due diligence across a wide cross-section of businesses, and I assume he will have seen first-hand the board members squirming as the temperature rises. 2024 will be the year to finally consolidate, integrate, simplify, and operationalise shoulder-to-shoulder with business and IT leaders, who will at last take an active interest in cyber security and expect CISOs to operate like business leaders alongside them. The interest and active engagement of the board will be amplified by the extraordinary scale, frightening growth, and evolution of cybercrime. Attention will also be sharpened by the prospect of serious personal and professional liability, with material amounts of money and a stronger likelihood of being affected coming into view for even the most sceptical naysayers. It is still going to be about getting the basics right in 2024, but the profound changes outlined in this article necessitate a more fundamental redefinition of cybersecurity strategy at a cultural level, involving a wider demographic of actively interested leaders and lawyers determined to support a more coherent and integrated execution of threat defence strategy.
At Cambridge Management Consulting, we are equipped with a Cyber Security practice, led by John Madelin, which can accelerate, optimise, and strengthen your cyber-infrastructure, and support you in staying ahead of these trends and developments.

Our Cyber Security practice is led by Tom Burton

Partner - Cyber Security

Tom Burton is a cyber professional with over 20 years of experience in business, IT, and security leadership roles. His expertise lies in simplifying complex security problems and enhancing cyber security and efficiency across various industries such as Defence, Aerospace, and Pharmaceuticals. His approach is based on applying engineering principles to deliver sustainable business change.


Tom's career highlights include serving as a Commissioned Officer in the British Army, where he was promoted to CIO. He later joined Detica (now BAE Systems Applied Intelligence) as the Strategic Advisor to the Ministry of Defence CIO, overseeing a multi-billion set of IT-enabled benefits-driven change programmes. He also held the position of Global Head of Managed Security Services, growing the business from sub-£1m to £15m+ orders.


In 2014, Tom moved to KPMG UK as Director for Cyber Security, responsible for selling and delivering business across various sectors. He co-founded Cyhesion in 2017, developing a SaaS platform to disrupt the Third-Party Risk Management market. Most recently, he founded Digility in 2022 to deliver security and digital transformation consultancy and interim management, serving as Interim CISO at a Tier 1 Outsourced Service Provider.

Our team can be your team


Our team of experts have multiple decades of experience across many different business environments and across various geographies.


We can build you a specialised team with the skillset and expertise required to meet the demands of your industry.


Our combination of expertise and an intelligent methodology is what realises tangible financial benefits for clients.


Our Cyber Security Experts

Get in touch with our Consultants today


We are a highly collaborative team of senior-level executive professionals able to adapt to any challenge, however niche or demanding.

+44 (0)1223 750335

info@cambridgemc.com


Case Studies


Our team has had the privilege of partnering with a diverse array of clients, from burgeoning startups to FTSE 100 companies. Each case study reflects our commitment to delivering tailored solutions that drive real business results.


A little bit about Cambridge MC


Cambridge Management Consulting is a specialist consultancy drawing on an extensive global network of talent. We are your growth catalyst.


Our purpose is to help our clients make a better impact on the world.
