Inside the evolving security mindset

Caroline Fink

Head of Marketing

In this interview, we sit down with our CTO, Paul Foley, to unpack how cybersecurity strategies are evolving in the face of AI-driven threats, tighter regulations like DORA, and growing complexity in private markets. From the pitfalls of relying too heavily on certifications to the importance of real-world testing and a strong risk-aware culture, Paul shares a candid perspective on what it really takes to stay resilient in today’s threat landscape.

How has your approach to IT security evolved over the past 12 months?

Over the last year we've seen an increase in the risk relating to AI attacks and overall supply chain vulnerabilities. We've also seen increased regulation in the form of DORA. To combat this shift, we've expanded our internal training and extended our tool set. One thing that we continue to see is that a good company culture - one based on risk awareness and respect - is actually one of the best ways to manage day-to-day security and operational risk in general.

What changes are you seeing in the threat landscape specifically affecting private markets?

From my perspective, the private markets landscape is seeing an increased level of threat based on social engineering to facilitate data leakage. By that I mean things like phishing/spear phishing and, to a lesser extent, supply chain manipulation. I think that everyone understands that in the typical financial services environment the goal of the attacker is to steal funds - but in the private markets environment the data itself is of value and worth targeting (from both a theft and a manipulation perspective).

How are regulations like DORA or SEC cybersecurity rules impacting clients?

DORA, in my opinion, is actually a good thing for clients as it forces everyone to adopt a more robust attitude/strategy towards security threats. One key piece of DORA which, again in my opinion, makes it valuable is the requirement for companies to perform scenario-based disaster recovery testing/threat analysis.

This may seem to be a bit of a strange comment coming from a CTO, given that this requirement clearly makes the process of testing and analysis harder, but here's the kicker - if you do detailed scenario-based exercises with your teams, you not only ensure that people understand both the risk and the context of the risk, but you also ensure that the company culture includes people's ability to understand the risk associated with operational complexity and their part in the potential risk. If your idea of disaster recovery is simply walking into the data center and turning off a server, then when things go sideways for real - good luck! None of your staff will know how to behave, none of them will understand the associated risks/attack vectors, and potentially your infrastructure will be on its back again a few minutes after you've 'recovered'.

Athletes do not train by eating pizza and watching "Chariots of Fire". Successful athletes tend to get out on the track and practice what they want to do well at.

How do you see the role of AI evolving in both defending and breaching IT systems?

It's typically easier to attack than defend, so in the short term I foresee the proliferation of spear phishing and deepfake technology to facilitate social engineering, shortly followed by vulnerability identification in the supply chain as a means to target attacks. In the mid-term, defence will catch up in the form of increased ability around anomaly detection in SIEM platforms (based on AI).

What’s your opinion on Zero Trust in practice—hype or necessary?

When we talk about identity verification there are things that we know and things that we don't - the zero trust framework really builds on a rather common-sense approach to security. For example, when you try to log in, I know where you are, I know what device you're using and I know who you say you are. So if we look at a couple of the key tenets of zero trust - explicit verification and least privilege - we can see that by simply adding MFA we're adding more known devices to help validate that you are who you say you are, and by implementing the least privilege strategy we're ensuring that you have the ability to do your job - but not go too far off the rails.

In terms of the actual implementation, we have clients who use a combination of Microsoft for SSO and Okta for MFA (and then least privilege within the platform) - and this works fine. I can however understand that for some service providers just the ability to apply MFA might be problematic, and if their system wasn't designed with security in mind then the whole question of "roles and responsibilities" might be very time consuming to retrofit (if it's even possible). So for companies like ours - it's not a bad thing and extends our security strategy.

It's worth noting that zero trust encompasses a lot more than I've mentioned, but these for me are the key points from a user experience vs operational risk perspective.
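The two tenets Paul singles out - explicit verification and least privilege - can be shown as a single access decision. The following is an added example written for this page, not qashqade's code or any vendor's SSO/MFA implementation; the device registry, role-permission matrix and login requests are constructed sample data, and `authorize` is a hypothetical policy function that denies by default and records every failed check so the denial can be audited.

```python
"""Toy zero-trust access decision: explicit verification plus least privilege.

Added example, not qashqade's code. All registries and requests below are
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed registry of enrolled devices: device id -> user it is enrolled to.
# In practice this comes from the MDM/identity provider.
KNOWN_DEVICES = {
    "laptop-0042": "alice",
    "phone-0042": "alice",
    "laptop-0077": "bob",
}

# Constructed least-privilege matrix: role -> the only permissions that role may use.
ROLE_PERMISSIONS = {
    "analyst": {"read:fund-data"},
    "fund-admin": {"read:fund-data", "write:fund-data"},
}

# Constructed role assignments: user -> role.
USER_ROLES = {"alice": "analyst", "bob": "fund-admin"}


@dataclass
class LoginRequest:
    user: str          # who the caller claims to be (from SSO)
    device_id: str     # device identifier presented by the client
    mfa_passed: bool   # whether a second factor was completed
    action: str        # permission the session wants to exercise


def authorize(req: LoginRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Allowed only if every check passes.

    Explicit verification: the device must be enrolled, enrolled to the
    claimed user, and the second factor must have been completed.
    Least privilege: the requested action must be in the user's role set.
    Every failed check is recorded so a denial can be explained in the audit log.
    """
    reasons: list[str] = []

    # --- explicit verification: "I know what device you're using" ---
    owner = KNOWN_DEVICES.get(req.device_id)
    if owner is None:
        reasons.append("unknown device")
    elif owner != req.user:
        reasons.append("device enrolled to a different user")

    # --- explicit verification: "I know who you say you are" via MFA ---
    if not req.mfa_passed:
        reasons.append("MFA not completed")

    # --- least privilege: enough to do the job, nothing further ---
    role = USER_ROLES.get(req.user)
    if role is None:
        reasons.append("no role assigned")
    elif req.action not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append(f"action {req.action} not permitted for role {role}")

    return (not reasons, reasons)


if __name__ == "__main__":
    demo = [
        LoginRequest("alice", "laptop-0042", True, "read:fund-data"),   # allowed
        LoginRequest("alice", "laptop-0042", True, "write:fund-data"),  # over-privileged
        LoginRequest("bob", "laptop-0042", True, "write:fund-data"),    # wrong device
        LoginRequest("alice", "tablet-9999", False, "read:fund-data"),  # unknown device, no MFA
    ]
    for r in demo:
        ok, why = authorize(r)
        print(f"{r.user}@{r.device_id} {r.action}: {'ALLOW' if ok else 'DENY'} {why}")
```

The design choice worth noting is that the checks are independent and all of them run: a request from an unenrolled device with no second factor is denied with both reasons, which is what a SOC analyst wants to see in the log, rather than only the first failure.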

Where do you see the biggest blind spots in the private markets industry right now?

The reliance on theory over practice. We see time and again that clients focus on the certifications that a provider has but don't ask more practical questions. For instance, very few clients have asked me what we did for our last disaster recovery exercise, but most have asked for our latest SOC 2 certificate. Whilst I do understand the importance of the certification, it only gives you a high-level overview of the provider - whereas asking questions about their pen testing or DR exercises gives a good indication as to actual readiness and capabilities (this goes back to my thoughts on DORA).

What are the practical ways to embed a security-conscious culture without stifling innovation?

From my perspective, based on my experience over the decades: if you encourage your teams to get involved with security exercises and you make your exercises practically based, you will encourage the kind of culture that you want and need. If your training focuses not only on the theoretical questions around cyber/operational risk but includes fun examples of people giving away millions or falling for stupid tricks - you will encourage people's interest and ensure that they remember some of these things for that early morning email that 'appears' to be from the boss.

If you ensure that you explain to people what the consequences are, both good and bad along with who needs to do what when things go sideways - you will ensure that your team feels safe and able to talk to you when things have gone wrong and reaction time is a 'thing'. If you can encourage your teams in this way, your culture will support the business whilst also embracing creativity.
