Andy Penn
Podcast Appearances
If you're, for example, the Department of Defense or Department of War, you know, some of that data is incredibly important, even to the point where you would actually keep it offline.
So it would actually never touch a public internet.
Whereas other pieces of information, such as at a personal level, my Netflix account.
Yeah, of course, I want to protect it, but I don't worry as much about my Netflix account.
I do my bank account.
And so once you've got your inventory of digital assets, you can actually start to adopt a differentiated approach to having a different security posture on each asset, define what you want that to be and make sure that you've got those protections in place.
The third thing I would say is that the worst possible time to develop a crisis response plan is in the middle of a crisis.
Somebody once sort of said to me that you need to touch the Bunsen burner to know that it's hot.
In other words, as a kid doing chemistry, you can be told that the Bunsen burner is hot, but of course you still touch it and then you realize it's hot.
And it's that experience, that visceral experience that is the learning.
And so actually when companies do scenario testing and they sort of role play, if you like, a cybersecurity incident, the more visceral you can make that, the more the learnings from it will stick.
And then the last thing I would say is that what is safe today may not be safe tomorrow.
You may have put in place a comprehensive cybersecurity risk management plan, and it's pretty robust.
Can't guarantee nothing bad is going to happen, but you can put your hand on your heart and say, I've taken reasonable steps.
But actually the world's changing.
And so we talked about AI, malicious cyber acts as more tools with which to do us harm.
Another great example would be quantum computing.