Security and Privacy
2026
Reflecting this week and speaking with colleagues across the sector, I am reminded of some truths that I learned early in my InfoSec/InfoGov journey. Two that have stood out: first, that having well-written policies and robust processes does not mean that people will follow them. And, inexorably linked to the first, that training staff, and importantly senior officers and key staff, is only half a job if they aren’t able to demonstrate their understanding and put it into practice.
I read an interesting blog post from NCSC this week talking about recent research with frontier AI models in simulated enterprise attacks. The progress is impressive: eighteen months ago, the best available models barely made a dent. But now, the most recent models are responding impressively and finding attack approaches the scenario designers hadn’t thought of. And the cost of running a full attempt was roughly £65! A sophisticated, AI-assisted attack delivered at low cost and without specialist expertise.
I will likely cover this in a post eventually, but here is a quick whistle-stop of how I came to be here. Like many in my field, my route to Information Security and Data Protection was roundabout, to say the least. Academically, I studied History, medieval history in particular. I went on to complete a postgraduate qualification and worked for a while in several fields, landing in IT. I then went back to Uni and completed my teacher training to be a Lecturer, before another left turn took me back to IT. After some time in IT support and training, I made successive moves to Information Management > Information Security > Data Protection, to where I am now, wearing all three hats!