
teissTalk: Resilient by design – the next cyber-security imperative

On 3 April 2025, teissTalk host Thom Langford was joined by Heather Lowrie, Independent Advisor, Earthgard Ltd; Sasha Henry, Cyber Strategy & Resilience Advisor, Confidential; and James Tucker, Head of CISO, International, Zscaler.


Views on news


A major new cybersecurity law set to come into force later this year will impose new compliance requirements on 1000 UK organizations. The Cyber Security and Resilience Bill is the government’s long-awaited answer to the EU’s NIS2 – a new piece of legislation that builds on the European NIS Directive of 2016. This piece of legislation mandates reporting a cyber incident within 24 hours instead of the current GDPR standard of 72 hours, as well as daily updates until closure. Although it’s expected to affect only 1000 firms, it will probably also set a new standard for broader society as it trickles down to third parties. These types of regulations are required to push critical infrastructure companies to increase their resilience. Many of the technologies implemented by CNIs – for example, maritime – aren’t secure by design. This is where Zero Trust may come into play. In the maritime sector there is also a huge lack of data standardisation.


Boosting resilience


Network segmentation shouldn’t be seen or implemented in isolation but as part of a broader Zero Trust strategy, of which identity and access management is a major pillar. With identity and access management, you can minimise the radius of an attack when it happens. Identity in this context is not just that of humans but also of IoT devices and workflows. The levels of security can vary within a ship’s OT and IT system too – the engine supported by Zero Trust may stay on while the rest goes down due to the lack of proper controls. Zero Trust is fundamentally a mindset shift too. Businesses are under huge pressure to innovate, and when rolling out new technology is the top priority, cyber security will remain an afterthought.


Digital and media literacy, as well as communication, should form a more integral part of cyber security. It’s also part of a CISO’s role to foster trust. Only 5-7 years ago, CISOs had to sit at the children’s table when strategic issues were discussed. Today’s CISOs are expected to be more business-minded than before. User-friendly security solutions such as passkeys can improve employees’ attitude to cyber security, and they can also pave the way to the adoption of Zero Trust. Zero Trust can also provide flexibility in what devices employees can use at the workplace, which might also change attitudes towards it for the better. It’s important for businesses to invest in strategic skills to make the most of security by design, as it requires continuous learning and adaptation.

 

The panel’s advice

  • The principles of Zero Trust apply across all sectors.    
  • For business leaders, security is only a means to an end.
  • 50% of CISOs in a recent survey said that their budget doesn’t match the risks they need to manage.
  • Speak in the language of trust to the board. 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543