Episodes

  • How Do You Safeguard AI When Development Outpaces Security? With Ante Gojsalić - SplxAI
    May 28 2025

    Can we secure generative AI before it outpaces our ability to defend it?

    Welcome back to Razorwire, where we have our finger on the pulse of cybersecurity’s most urgent dilemmas and future threats. I’m your host, Jim, and in this episode I sit down with Ante Gojsalić, CTO and co-founder of SplxAI, to unpick the tangled challenges of securing the next wave of generative AI before it becomes too integrated, too complex and too risky to control.

    Generative AI is reshaping everything from business operations to personal lives, but the race to capitalise on its potential leaves us with difficult questions. Are we allowing technological progress to sprint ahead of security? Is anyone putting robust protections at the heart of these new AI systems? Ante shares stories from the frontlines - explaining why East and West are taking wildly different approaches, why securing AI isn’t as simple as plugging in a new tool and how the real vulnerabilities lie hidden in the everyday systems we’re already beginning to trust.

    Three key talking points to listen out for:

    1. Why securing AI is fundamentally different - and harder - than traditional IT - Ante shares real scenarios where the unpredictable, fast-evolving nature of large language models means old school security techniques simply can’t keep pace. Find out why continuous testing, automation and security-by-design are more critical than ever.
    2. Hidden risks as AI agents take on human-like roles in business - We explore where the most pressing security gaps lie as AI agents begin to make decisions, handle confidential data and even manipulate users. Learn how attackers are already exploiting these systems - and what steps organisations can take to avoid catastrophic mistakes.
    3. The battle between business priorities and security fundamentals - Hear our thoughts on why commercial pressure and the quest for innovation often override basic security and discover hands on, pragmatic advice for leaders aiming to bake security into AI projects from day one - before it’s too late.

    Whether you’re a CISO, an AI developer or a cyber strategist, this episode of Razorwire will arm you with practical insights and hard-won lessons on defending against the unknowns of AI.



    Why Continuous Security Testing Is Essential:

    "So imagine you do the security evaluation [of AI] on day one, then they change it a hundred times and you don't do another pen test. It's not relevant anymore. So, yeah, the continuous thing is important. Automation is important. And with AI, which is non-deterministic and which is still very changeable day by day, it's different than web security or API security… It's just unstable."

    - Ante Gojsalić, on why traditional security approaches fail with AI systems



    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Rise of Generative AI - Understand what generative AI actually is and how to assess its rapidly expanding applications within your organisation's threat landscape.
    • Global AI Arms Race - Learn how different regional approaches to AI development affect your security strategy and vendor selection decisions.
    • Security vs Speed in AI Development - Discover practical ways to balance innovation pressure with security requirements without stifling business growth.
    • Emerging Threats to AI Systems - Identify specific...
    46 min
  • How To Get Your Staff to Actually Care About Cybersecurity
    May 14 2025

    Welcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.

    In this episode, James Rees is joined by security awareness specialists Amy Stokes-Waters and Jemma to dismantle outdated approaches to security training. From click-through fatigue to the critical importance of culture change, our experts explore why traditional computer-based training fails to make organisations truly secure.

    Listen as Amy and Jemma share their expertise on transforming security awareness from a box-ticking exercise into meaningful behaviour change. Their refreshingly honest assessment of the "80% compliance myth" and why focusing on business impact rather than personal consequences undermines effectiveness will have security professionals nodding in recognition.

    Whether you're a CISO struggling with training completion rates, an IT professional tired of being ignored, or someone who's repeatedly clicked "next" through mandatory security modules wondering if there's a better way, this conversation offers practical alternatives to the stale CBT approach that dominates the industry.

    Tune in for a candid discussion that feels like eavesdropping on three security professionals brainstorming how to fix what's broken in security awareness while acknowledging the realities of human behaviour.

    3 Key Talking Points:

    1. Why Traditional Security Training Fails Everyone: Discover the fundamental flaws in conventional security awareness approaches that waste both time and budgets. When Amy reveals that "less than 1% [of IT budgets] is spent on humans" while "95% of incidents are caused by humans," you'll understand why throwing money at technical solutions while neglecting human factors is a losing strategy. Listen for actionable insights on avoiding the compliance trap that leaves organisations vulnerable despite ticking all the regulatory boxes.
    2. The McDonald's Approach to Security Awareness: Learn why successful security awareness should mirror effective marketing campaigns rather than dreaded annual training sessions. Our experts break down how security teams should adopt McDonald's persistent, multi-channel strategy instead of expecting one-off sessions to change behaviour. You'll gain practical strategies for implementing "security by osmosis" that keeps protective measures visible and top-of-mind without creating training fatigue or resistance.
    3. Measuring What Actually Matters: Transform how you evaluate security awareness effectiveness with metrics that genuinely reflect improved security. When Jemma dismantles the "80% of people scored 80%" myth, you'll understand why completion rates and phishing test results fail to indicate real security improvements. Listen for concrete guidance on tracking meaningful engagement metrics like security team contact, proactive reporting, and actual incident reduction that demonstrate true cultural change rather than superficial compliance.


    "What a lot of people are doing is security training for compliance, but they're not actually doing anything around the culture. They're hitting the compliance metrics. Brilliant. But the actual culture of the organization is still inherently insecure."

    - Amy Stokes-Waters, on the difference between compliance and cultural change

    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen

    In this episode, we covered the following topics:
    • Budget Reality Check: Learn why organisations spending less than 1% of IT budgets on human factors whilst 95% of incidents are...
    40 min
  • Security Gone Mad: The Fine Art of Overdoing It
    Apr 30 2025

    Welcome to Razorwire, the podcast that challenges conventional thinking about cybersecurity with insight, humour and a dose of reality.

    In this brilliantly unfiltered episode, we're joined by security professionals Iain Pye and Chris Dawson for a no-holds-barred discussion about security measures that cross the line from prudent to preposterous. From biometric authentication dilemmas to the maddening theatre of airport security, our experts dissect the fine balance between protecting assets and actually getting things done.

    Listen as Chris and Iain lock horns over what constitutes "reasonable" security, with Chris arguing for Fort Knox-level protection and Iain advocating for practicality, while your host Jim attempts to referee. Their real-world examples of security absurdity, including trapping thieves in revolving doors and putting warning signs in car parks, will have you nodding in recognition or shaking your head in disbelief.

    Whether you're a battle-scarred security professional or maybe just someone who's stood impatiently in endless security queues wondering why your belt buckle is suddenly a threat to national security, this conversation offers both genuine insight and proper laughs about the sometimes bizarre world of overzealous security controls.

    Tune in for a refreshingly honest chat that feels like overhearing three security experts having a pint down the pub whilst debating the madness that sometimes defines our industry.

    3 Key Talking Points:

    The Security vs Practicality Tightrope

    Listen as our experts dissect the eternal balancing act between locked-down security and business functionality. When Chris boldly claims he'd implement "seven layers of security" for critical infrastructure while Iain argues for practicality, you'll gain valuable perspective on finding that sweet spot where protection doesn't become paralysis.

    The Psychology Behind Security Resistance

    Discover why people willingly hand over biometric data to tech giants yet baulk at the same requests from employers. Our conversation uncovers the fascinating psychological disconnect between consumer and corporate security acceptance, offering insights you can apply immediately to your own security implementation strategies.

    Beyond Bureaucracy: When Risk Management Goes Wrong

    Experience the painful yet hilarious reality of security bureaucracy gone mad, from needless warning signs in car parks to the absurdity of airport security theatre. You'll leave with a clearer understanding of how to champion meaningful security measures while avoiding the trap of controls that exist merely to tick compliance boxes.


    "Information security professionals the world over, in various different cultures and various different parts of the world have had the words echoing through the halls: ‘Isn't that a bit much?’"

    - James Rees, Razorthorn Security


    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Finding the Balance: Discover how to navigate the tension between robust security measures and practical business operations without alienating your colleagues
    • Biometric Backlash: Understand why people readily surrender their biometrics to tech giants but resist providing the same data to employers
    • Security Theatre: Learn to identify when security measures serve more as performance than protection, particularly in public spaces like airports
    • Risk Management Revelations: Gain insights into creating...
    42 min
  • Unconventional Paths to Cybersecurity (AKA keeping your Nan Safe From Hackers)
    Apr 16 2025

    How can overcoming personal adversity lead to a successful career in cybersecurity?

    Welcome to Razorwire, the podcast that delves into the world of cybersecurity by sharing the journeys of its most inspiring figures.

    Join us for a truly heartwarming episode as we welcome Jemma, the brilliant mind behind CultureGem and a passionate champion for security behaviour and culture. Jemma's incredible journey - from surviving homelessness to becoming a respected voice in InfoSec - reminds us how our different paths can bring richness and depth to our industry.

    Jemma shares her powerful story and gives fresh perspectives on the human side of cybersecurity, why accessibility matters in learning and the reason technical solutions alone will never be enough. We discuss the changing face of InfoSec culture, the eyebrow-raising phenomenon of "cyberlebrities", and how we might better spend our security budgets to protect the people who matter most.

    Whether you're a seasoned professional or just starting your InfoSec journey, you'll find wisdom in Jemma's approach to making security concepts meaningful for everyone - from corporate executives to her beloved nan.

    Tune in for a conversation that, for me, genuinely felt like catching up with a friend at the pub, whilst challenging us all to think differently about creating a more inclusive approach to security.


    3 Key Talking Points:

    1. The Human Element of Cybersecurity

    Learn why organisations allocate less than 1% of security budgets to human factors despite 97% of incidents being attributed to human error. Jemma explains how addressing this disconnect creates stronger security cultures and reduces vulnerabilities.

    2. Accessibility as a Security Imperative

    Discover how CultureGem's accessible learning approach removes barriers to understanding security concepts. Jemma demonstrates why making security comprehensible to everyone isn't just inclusive - it's fundamental to effective protection.

    3. The Evolving InfoSec Community

    Gain perspective on industry dynamics from "cyberlebrities" to challenges faced by professionals from non-traditional backgrounds. This discussion gives valuable context for navigating the InfoSec community.


    "If 10% of an IT budget is spent on cyber, which is there or thereabouts, less than 1% is spent on the human side of cyber. Yet 97% of incidents are put down to, rightly or wrongly, human error."

    - Jemma, Founder of CultureGem


    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Overcoming Adversity: Learn how navigating difficult circumstances can build transferable skills for an InfoSec career
    • Budget Realignment: Discover why redistributing your security budget towards human factors can address the root cause of 97% of incidents
    • Inclusive Security: Explore how removing barriers to learning strengthens your organisation's overall security posture
    • Employee Engagement: Find out how to move beyond compliance to create genuine security motivation amongst your staff
    • Community Dynamics: Navigate the changing InfoSec landscape and its impact on collaboration and knowledge sharing
    • Diverse Recruitment: Understand the value of hiring security professionals with unconventional backgrounds and experiences
    • Translating...
    41 min
  • Mastering the Art of Communication in InfoSec
    Apr 2 2025

    In this latest episode of Razorwire, I sit down with the brilliant Stefania Chaplin to explore the often overlooked yet crucial skill of effective communication in information security.

    Throughout our conversation, we discuss why communication matters so much in our field, especially during critical moments when tensions run high. Stefania brings her trademark enthusiasm and wealth of experience to highlight approaches that work across different contexts, cultures and situations.

    As our profession has evolved, and particularly when working with colleagues remotely, our approach to communication needs to adapt accordingly. Whether you're just starting out or have been in the trenches for decades, I guarantee you'll take away some valuable insights on a skill that I've found to be just as important as technical expertise throughout my career.

    3 Key Talking Points:

    Managing Communication During Incidents

    Discover practical strategies for effective communication during high stress security incidents. Learn how to establish clear communication channels, manage stakeholder expectations and create space for your team to resolve issues without constant interruptions. Stefania shares techniques from her experience, including the importance of creating transparent incident documentation and using mindfulness to maintain clear thinking under pressure.

    Cross-Cultural Communication in Global Teams

    Gain insights into navigating the complexities of multicultural teams in information security. With remote work connecting professionals across different time zones and cultural backgrounds, understanding how communication styles vary globally has never been more crucial. Learn how different cultures approach feedback, instructions and hierarchy, drawing from Stefania’s multicultural background and experiences working as a digital nomad.

    Adapting Your Message to Different Audiences

    Master the art of tailoring your security communication for different stakeholders. Whether you're speaking with developers who need technical details or executives who need the headlines, find out how to switch hats effectively. This practical knowledge will help you build credibility with technical teams whilst ensuring leadership understands the key security messages they need for decision-making.


    "What happens when you have a cybersecurity incident and you're working in a global organisation with employees from all different countries and cultures in a very high stress environment? In those moments, communication really matters."

    - Stefania Chaplin


    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Incident Clarity - Transform your incident response with effective communication strategies for high stress scenarios
    • Global Trust - Build trust across global teams by understanding cultural communication differences
    • Stakeholder Speak - Tailor your security messaging for maximum impact with different stakeholders
    • Focus Shield - Protect your technical team from distractions during critical incidents
    • Pre-Crisis Planning – Advice on creating communication plans before incidents occur to reduce chaos when they happen
    • Mental Control – Learn breathing techniques to maintain clarity during high pressure security events
    • Remote Mastery - Navigate the complexities of remote teams across different time...
    43 min
  • Spotlight on Technology: Mastering Attack Surface Management
    Mar 19 2025

    In our latest episode, join me, James Rees, for a chat with Nick Palmer from Censys about the critical importance of attack surface management. With 25 years of experience in the industry, Nick explains how today's threat landscape has evolved dramatically, with attackers now discovering vulnerabilities within hours rather than weeks.

    We explore the challenges of maintaining visibility across expanding digital footprints, particularly with cloud adoption creating new blind spots for security teams. Nick shares eye-opening real-world examples that illustrate the hidden vulnerabilities present in even seemingly secure environments.

    We cover how organisations can gain continuous visibility of their assets, extend security monitoring to third party suppliers and build a security culture that protects customer data effectively.

    A must-listen for security professionals seeking practical advice on protecting against modern cyber threats.

    Key Talking Points:

    1. Attack Surface Velocity: Learn how attackers can discover vulnerabilities within just hours instead of weeks, and how Censys's daily internet scanning helps organisations keep pace with this alarming speed. Nick talks about the mechanics behind this acceleration and what it means for your security strategy.
    2. Supply Chain Security: Discover the hidden risks in your vendor ecosystem through Nick's shocking real-world example of compromised medical equipment. This is a key example on why monitoring your suppliers' security posture is just as crucial as your own.

    3. Beyond Compliance: Understand why building a genuine security culture trumps mere regulatory compliance. Nick and I discuss practical approaches to embedding security consciousness throughout your organisation, from the C-suite to frontline staff.

    Gain practical insights that will help you better defend your organisation. This conversation goes beyond theoretical concepts to deliver actionable security wisdom you can implement immediately.

    "If you are looking at your external attack surface any less than daily, you're missing a trick. It has to be scanned at least daily, preferably in real time."

    - Nick Palmer, Censys


    In this episode, we covered the following topics:
    • Attack Surface Management: Learn how to identify and manage your organisation's vulnerabilities to prevent cyber attacks.
    • Evolution of IT and Security: Gain historical perspective on how security challenges have evolved to better prepare for future threats.
    • Supply Chain Security: Discover techniques to protect your business from vulnerabilities introduced by third-party suppliers.
    • Legislation and Compliance: Understand how to navigate new regulations like DORA to avoid penalties and legal consequences.
    • Phishing Defence: Master strategies to protect your organisation from increasingly sophisticated social engineering attacks.
    • Rapid Response: Learn why and how to accelerate your security monitoring to match attackers' discovery capabilities.
    • Cloud Security: Acquire practical approaches to securing cloud and virtual environments against emerging threats.
    • Building Security Culture: Develop effective methods to embed security awareness throughout your organisation.
    • Continuous Monitoring: Implement cost-effective techniques for ongoing attack surface visibility to catch vulnerabilities before attackers do.
    • Security Tooling:...
    49 min
  • AI Data Harvesting - Who Really Owns Your Digital Footprint?
    Mar 5 2025

    In this episode of Razorwire, we’re looking into the contentious realm of AI and data privacy. This week, I’m joined by Amy Stokes-Waters, CEO of The Cyber Escape Room Company, and Ryan Mangan, a chartered IT professional and Microsoft MVP, to explore the ethical implications of feeding our personal data into AI systems.

    Join our discussion on recent controversies, including Adobe's T&C changes and Clearview's facial recognition technology, while questioning who truly benefits from AI data collection. We debate the balance between technological advancement and personal privacy rights, highlighting the disparities in how different organisations handle consent and transparency.

    From medical research to creative rights, this episode addresses how AI development is outpacing both regulatory frameworks and organisational policies. As businesses increasingly rely on AI-powered tools, what safeguards should we demand, and how much of our digital footprint are we willing to sacrifice?

    3 Key Talking Points:

    1. The Opt-Out Illusion: Discover how major tech companies are quietly changing their terms of service to automatically opt users into AI training programmes using your data. We reveal the hidden challenges of truly removing your information once it's been absorbed into AI systems and what this means for your digital privacy.
    2. Policy vs. Protection Gap: Learn why most organisations lack proper AI usage policies, leaving customer data vulnerable. Our experts discuss how even well-intentioned employees are likely uploading confidential information to ChatGPT without realising the risks and what safeguards businesses should implement immediately.
    3. The Jurisdictional Minefield: Understand the complex legal landscape where regulations like GDPR and HIPAA struggle to keep pace with AI development. Our conversation explores the dangerous territory of international data jurisdiction and how conflicting regulations create loopholes that affect your privacy rights.


    "I think it's really positive that actually these things are coming out and that there are court cases and legal action being taken against companies who are using data without consent."

    - Amy Stokes-Waters


    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Spot stealth data collection – Identify how companies like Adobe and LinkedIn are changing their terms of service to automatically opt you into AI training programmes
    • Protect your creative work - Understand the risks to your intellectual property when uploading content to cloud services with AI features
    • Navigate consent manipulation - Recognise the tactics used to hide opt-out options and how to find them
    • Safeguard sensitive information - Prevent employees from inadvertently exposing confidential data through ChatGPT and similar tools
    • Understand data sanitisation - Learn what proper data anonymisation actually means and why it matters for your privacy
    • Balance innovation with privacy - Discover how organisations can ethically use AI for advancements in healthcare while protecting personal data
    • Create effective AI policies - Develop clear guidelines for your business on appropriate AI usage before data breaches occur
    • Recognise AI's limitations - Identify when AI might present biased or false information, particularly in specialised fields like...
    50 min
  • Inside Incident Response: Turning Chaos into Cohesive Teamwork
    Feb 19 2025

    Our latest episode brings in security expert Iain Pye, who shares military tales with me, your host James Rees, about what really happens when everything goes wrong. We get stuck into the nitty-gritty of incident response - the sleepless nights, the pressure from executives, and how to keep your team going when they're running on fumes.

    From ransomware attacks to system meltdowns, we chat about war games and escape room scenarios, exploring how organisations can build proper resilience rather than just ticking compliance boxes. We dig into why most incident response plans gather dust in drawers and what happens when you actually need to use them. Iain brings a refreshing military perspective to corporate incident management, showing how battlefield experience translates surprisingly well to handling information security crises.

    Whether you're dealing with compromised systems or insider threats, this episode packs practical wisdom for those moments when everything falls apart.

    3 Key Talking Points and Reasons to Listen:

    1. Building Resilience Through War Games: Discover why military-style drills and wargaming are crucial for effective incident response. Iain and I explore how regular team exercises - from realistic ransomware scenarios to creative "zombie apocalypse" simulations - help build the muscle memory and team dynamics needed when real crises hit. We share practical examples of how to run these exercises effectively.
    2. Managing Team Stress in a Crisis: Learn the critical importance of managing your team during long running incidents. We break down the practical aspects often overlooked in incident response plans - from implementing proper shift patterns to ensuring your team stays fed, rested and functional during multi day crises. Find out why pushing your team to exhaustion is a recipe for disaster.
    3. Turning Incidents into Improvements: Understand why post-incident analysis is where the real value lies. We discuss how to turn incident learnings into actionable improvements, including how to use a serious incident to secure the budget you need. Learn why the "five whys" methodology is essential for preventing future incidents and strengthening your security posture.


    On building muscle memory through repeated training:

    "It's drills essentially. It’s doing the same thing over and over again and having that natural reaction. So you train your body - your mind, essentially - so if the proverbial poo does hit the fan, you can react in the right way and in accordance with what your SOPs [Standard Operating Procedures] might be."

    - Iain Pye


    Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


    In this episode, we covered the following topics:
    • Military Training for Incident Response: Learn how military-style drills can transform your team's ability to handle high-pressure security incidents with confidence and precision.
    • Importance of Incident Response in Infosec: Master the essential skill of incident response and protect your organisation from data breaches and ransomware attacks effectively.
    • Human Reactions to Emergencies: Discover practical techniques to keep your team calm and focused when emergencies strike, avoiding costly panic-driven mistakes.
    • Role of Team Trust: Build unshakeable team trust that enables swift, coordinated responses during critical...
    47 min