How Do Supply Chain Weak Links Amplify Cyber Risks?

Welcome to an insightful conversation on the evolving world of cybersecurity and risk management. Today, we’re joined by Simon Glairy, a renowned expert in insurance and Insurtech, with a deep focus on risk management and AI-driven risk assessment. With cyber threats becoming a pressing concern for businesses of all sizes, Simon offers a unique perspective on how organizations can navigate these challenges, from strengthening defenses to managing supply chain vulnerabilities. In this interview, we’ll explore the shifting landscape of cyber risks, the role of AI in both defense and attack, the critical importance of basic security measures, and the growing focus on third-party risks, while also delving into strategies for recovery and resilience.

How have cyber threats transformed in recent years, particularly in terms of their impact on businesses?

I’ve seen a dramatic shift in the scale and sophistication of cyber threats over the past few years. Attacks are not only more frequent but also more costly, with breaches causing significant financial and reputational damage. What’s striking is that no business is immune—small startups to global enterprises are all targets now. A few years ago, larger corporations with deep pockets were the primary focus, but today, attackers exploit any vulnerability, often targeting smaller businesses as entry points to larger networks. Ransomware, for instance, has become a daily concern, locking organizations out of their systems and demanding hefty payments.

What has driven cybersecurity to become a priority in the boardroom, rather than just a concern for IT teams?

Cybersecurity has climbed the corporate ladder because the stakes are higher than ever. Major breaches that cost millions in damages, coupled with strict regulations like GDPR in Europe, have shown executives that a cyber incident can cripple a business overnight. I’ve noticed board members now actively engaging in discussions about cyber strategy, often hiring chief information security officers who report directly to them. It’s no longer about just fixing a server; it’s about protecting the company’s reputation and bottom line. High-profile attacks have been wake-up calls, pushing leaders to take ownership of these risks.

What fundamental cybersecurity practices should companies prioritize to build a stronger defense?

The basics are still the bedrock of good cybersecurity. Strong access controls, multi-factor authentication, regular software updates, and data encryption are non-negotiable. These measures might seem simple, but they block a surprising number of attacks. For small or medium-sized businesses with tight budgets, starting with these foundational steps is doable—there are free or low-cost tools available, and even basic training for staff on phishing scams can go a long way. I’ve seen companies reduce their risk significantly just by ensuring no one uses ‘password123’ as their login.

In what ways is artificial intelligence reshaping the cybersecurity field for both protectors and perpetrators?

AI is a game-changer on both sides of the fence. For defenders, it’s a powerful tool to manage the overwhelming volume of alerts—filtering out noise so human analysts can focus on real threats. It also helps predict potential vulnerabilities by analyzing patterns. However, attackers are leveraging AI too, using it to craft more convincing phishing emails or even write malicious code faster than ever. I’ve come across cases where AI-generated deepfakes tricked employees into transferring funds. It’s a double-edged sword, and companies need to stay ahead by adopting these technologies while anticipating how they can be weaponized.

Why are supply chain vulnerabilities, especially involving third and fourth parties, such a pressing issue for businesses today?

Supply chain risks are a blind spot for many organizations. Even if your own systems are secure, a compromised supplier can create a domino effect. I’ve seen instances where a small vendor with weak security became the entry point for attackers to access a larger client’s network, leading to data leaks and operational shutdowns. The challenge is that companies often have little visibility into the security practices of their third or fourth parties. It’s not just about disruption; sensitive data exposure can lead to regulatory fines and loss of customer trust. Mapping out your supply chain and enforcing security standards for partners is critical.

How can organizations assess their tolerance for cyber risk and prioritize what needs the most protection?

Understanding your cyber risk tolerance starts with identifying what’s mission-critical to your business. Which systems or data, if compromised, would stop operations or damage your reputation beyond repair? I advise clients to conduct thorough assessments, listing out assets and estimating the cost—financial, operational, and reputational—of a breach. This isn’t just about numbers; it’s about knowing your breaking point. Workshops with key stakeholders can help map this out, and using real-world scenarios to gauge impact often reveals hidden priorities. It’s a tailored process, not a one-size-fits-all.

Can you guide us through the key steps companies should take to prepare for recovery after a cyber incident?

Recovery planning is as important as prevention. One effective method is conducting tabletop exercises—simulated scenarios where teams walk through a cyber crisis to identify gaps in response plans. I’ve facilitated these, and they’re eye-opening, showing who knows what to do and where communication breaks down. Testing recovery plans regularly, at least annually, is crucial because threats evolve, and so do your systems. A plan from two years ago might be obsolete. It’s also about building muscle memory—when a real incident hits, your team shouldn’t be figuring things out on the fly. Clear policies and assigned roles make all the difference.

What is your forecast for the future of cybersecurity and risk management in the coming years?

Looking ahead, I believe cybersecurity will become even more intertwined with business strategy as threats grow in complexity. AI will continue to play a bigger role, potentially automating more defenses but also enabling smarter attacks. Supply chain security will likely be a regulatory focus, with governments pushing for stricter standards. I also expect a surge in cyber insurance as companies seek financial buffers against breaches. My hope is that businesses will shift from reactive to proactive stances, investing in resilience before disasters strike. It’s an ongoing battle, and staying ahead will require constant adaptation and collaboration across industries.
