
Cyber risk is changing, and many organisations are struggling to keep pace. That was the message of a Business Reporter dinner at the House of Lords, hosted by Obrela. Attendees, all senior security leaders from a range of sectors, discussed the growing gap between how quickly organisational risk evolves and how slowly many businesses still measure it.
Introducing the evening, Daniel Voss, Sales Director for the UK and Ireland at Obrela, argued that the company’s combined view across governance, risk and compliance (GRC) and managed detection and response (MDR) offers a unique market perspective. With visibility over both how organisations define risk and how attacks unfold in real time, he said, Obrela is well placed to observe where traditional approaches fall short.
Andrew Winters, Executive Vice President of MDR at Obrela, set out the challenge more starkly. Regulations increasingly dictate how organisations should respond to cyber threats, but many still don’t meet those expectations. The problem, he said, is not intent but tempo. An organisation’s risk profile changes by the minute, while risk registers may be reviewed only weekly, if that. Meanwhile, the window between a vulnerability being disclosed and exploited has shrunk to as little as four hours. In that environment, static approaches to risk are no longer sufficient.
Regulation sharpens focus
In practice, regulation is already shaping operational decisions. One example discussed involved access to critical infrastructure in Italy, where compliance with the EU’s NIS2 Directive was a prerequisite for connecting to the energy grid, forcing rapid action. Participants also said NIS2’s ability to hold senior executives personally accountable for non-compliance has concentrated minds at board level, though they noted that, as a directive, it has still not been transposed into national law in every member state.
But while regulation sets a baseline, attendees agreed it does not capture the full reality of modern cyber risk. Smaller organisations may sit outside the direct scope of regulation, but their controls should match regulated standards because of their role in supply chains. Notis Iliopoulos, Executive Vice President of MRC at Obrela, pointed out that attackers often exploit these weaker links as entry points into larger, more secure enterprises.
Several participants argued that regulation is not the primary driver of change. High-profile cyber incidents, and the operational and reputational damage they cause, remain more persuasive than compliance checklists. If regulation becomes the only reason organisations improve their security posture, then the profession has failed to articulate the broader business value of resilience.
Understanding risk means understanding assets
Much of the discussion focused on how organisations define and prioritise risk. Traditional models often rely on tiering, with the most severe risks addressed immediately and others deferred for weeks or months. But this approach assumes a stable environment, and that assumption no longer holds.
Attack techniques have also evolved. As several attendees observed, many breaches no longer begin with sophisticated hacking but with legitimate credentials being misused. Securing identities, rather than simply fortifying perimeters, is increasingly the first line of defence.
Emerging technologies add further complexity. Open-source AI tools such as OpenClaw can offer genuine productivity benefits but simultaneously introduce serious, and largely invisible, risks. Because such tools are often downloaded and run locally, they may sit outside the reach of traditional security controls, leaving organisations blind to their presence.
Mr Winters argued that effective risk management begins with a clear understanding of assets. Organisations should be able to classify every asset according to its importance to the business and define in advance how to respond if it is threatened. For critical assets, that may mean accepting automated shutdowns under agreed conditions. But this is possible only if the organisation has a complete and accurate view of its environment. Even shadow IT, he said, can be identified and brought under control quickly with the right tools.
Speaking the board’s language
Bridging the gap between technical risk and business decision-making was a central theme of the evening. Boards may not understand the mechanics of cyber security, but they are accustomed to weighing risk, cost and trade-offs. The challenge for security leaders, said Mr Iliopoulos, is to translate technical exposures into business impact.
That means expressing cyber risk in concrete terms: the financial cost of downtime, the operational impact of lost systems, or the reputational consequences of a public incident. It also requires security leaders to understand the organisation’s strategic priorities. Advice that is disconnected from commercial reality is unlikely to gain traction.
One practical test discussed was reputational: what would the organisation say in a post-incident press release? If leaders can credibly state that reasonable steps were taken to mitigate known risks, stakeholders are more likely to be forgiving. If not, that gap should prompt immediate action.
Cost remains a constraint, particularly in the absence of a visible threat. But experience shows that incidents elsewhere in the market can quickly change attitudes, unlocking investment as boards reassess their own exposure.
A shared challenge
Closing the discussion, Mr Voss reflected on the consistency of concerns raised around the table. Few organisations believe they have fully solved the problem of communicating cyber risk effectively at board level. But there was reassurance, too, in hearing that these challenges are widely shared.
The consensus from the evening was that no single framework or tool can keep pace with the speed of modern cyber risk. Instead, organisations need a more dynamic approach, one that treats risk as a continuously changing property of the business, rather than a static entry on a register.
To learn more, please visit: www.obrela.com

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543