Penetration testing is crowded with great brands and even greater illusions.

In this episode, William Wright, CEO of Closed Door Security and UK Council member at CREST, breaks down the stark difference between real pen testing and glorified vulnerability scans.

We get into how to vet providers, what a good report actually looks like, why references matter, and how threat-led testing changes the game from “find issues” to “prove business-relevant risk.”

William shares war stories: a bank test that missed an IDOR exposing transactions, a $65k engagement that produced 70+ pages of screenshots but ignored systemic compromise, and how weak internal testing loops create “unknown unknowns” that later become ransomware incidents. If you buy, run, or rely on pen tests, this is your field guide to getting value and avoiding smoke and mirrors.

Most transformations start with the tech and stall with the people. In this episode, Joe Mathewson (IAM Transformation Lead at HSBC) shares a refreshingly practical playbook for turning identity programs into business outcomes.

We dig into how to lead change in complex environments: begin with the why (not the tool), tailor the message by audience, and bring operations in from day one so the final solution is adopted, not resisted.

Joe unpacks how security can enable revenue by giving the business controlled speed (think: day-one access, adaptive auth, and cloud controls), and he shows how to write business cases that land. If you’ve ever been told “we’re rolling out this product because…,” this episode will help you flip the narrative, get buy-in, and deliver any program the business actually champions.

What you’ll learn:

• The “Start with Why” method for security transformation (and how to use it with execs vs. engineers)

• Bottom-up stakeholder engagement that survives tool changes and re-orgs

• Turning IAM into a service: enabling risk-taking safely to grow revenue

• Business-case proof points: day-one access, JML automation, and killing tick-box recerts

• How to sell change without creating a “no department”

What does a modern SOC really look like? Craig Gilliver (Head of Cyber, Sector Alarm Group) joins me to unpack how to build a security operations function that fits the business you actually run. Coverage that matters, visibility you can act on, and costs you can defend!

We get into: why every SOC should start with business risk (not “collect everything”); the coverage vs. storage trade-off and how to show ROI beyond license spend; why SOC teams often become “productive disruptors” who expose missing owners, undocumented systems and CMDB gaps; and how to keep analysts sharp when the alert firehose never stops.

Craig also tackles the AI hype head-on & why attacker tooling is evolving faster than many defenses. Listen to his pragmatic take on The Board conversation: security is one voice at the table, so bring signal, not noise.

If you’re building, rebooting or right-sizing a SOC, this one’s a blueprint.

AI isn’t coming - it’s already in your business.
In this episode, Matt Neal, Founder of Artificia1, reveals how businesses are unknowingly exposing themselves to risk through “Shadow AI” - and what they can do about it.

From ChatGPT use in marketing teams to users buying AI tools on their own credit cards, Matt breaks down the uncomfortable truth: you can’t block AI adoption - but you can guide it safely.

We cover:

• Real examples of Shadow AI across departments

• How to safely adopt tools like ChatGPT, Gemini, and Copilot

• Why banning tools leads to user workarounds

• What every business should do before they roll out AI

• The rising importance of the Chief AI Officer

Whether you’re in IT, security, or business leadership, this is the episode that will help you prepare for the AI-infused future that’s already arrived.

In the Ministry of Defence, getting digital identity right isn’t just about access control, it’s about operational readiness.

In this episode, I sit down with Richard Curtis, Program Manager for Digital Identity at the UK MOD, to explore what it takes to lead secure, agile identity programs across one of the most complex operating environments on the planet.

Richard shares:

• Why he uses “Tiger Teams” to solve delivery bottlenecks

• How the MOD balances agility with Secure by Design principles

• The red flags he watches for when building identity teams

• How he uses BLUF (Bottom Line Up Front) to cut through noise and build advocacy

• Why the emotional connection to cyber work makes the mission personal

Whether you're running IAM in a critical infrastructure org or navigating transformation under pressure, this episode will leave you with practical tactics and thoughtful leadership insight.

AI is already reshaping how product teams build, launch, and evolve digital experiences. But what happens when those experiences have security blind spots baked in from the start?

In this episode, I sit down with Kevin Magee, CTO of All Human, to explore how AI is accelerating product roadmaps—and the cybersecurity implications many teams are ignoring.

Kevin explains:

• How AI is changing the way teams brainstorm, prototype, and ship features

• Why traditional DevOps isn’t enough when LLMs are in production

• What “non-deterministic behavior” really means and how it can lead to dangerous outcomes

• How to create a human-in-the-loop process that includes security without blocking innovation

• Why your AI chatbot could be the next insider threat if you're not careful

This episode is essential listening for any security leader trying to stay ahead of how AI is used inside their business, not just to defend it.

How do companies keep buying Ferraris when all they need is a bike?
I sit down with Daniel Álvarez García, Senior IAM Manager at PwC Spain and author of the widely followed Future of Digital Identity newsletter, to explore the 7 most common IAM mistakes companies make—and how to fix them.

Daniel shares brutally honest lessons from the field:

• Why IAM tools are often underused (and overpriced)

• How to build a realistic identity roadmap before (or after) making a major purchase

• Why your cloud apps are your problem—not your provider’s

• What metrics and SLAs matter most for onboarding, offboarding, and critical access

• How identity teams can move from firefighting to building foundations

Whether you’re about to invest in IAM or already stuck trying to justify one—this episode is a playbook in how to approach identity strategically, not reactively.

🎧 Listen on Spotify or watch on YouTube now.

In this episode of Cyber Fusion Forum, James Oakes sits down with Michael Dybek, Senior Solutions Consultant and identity evangelist, to unpack a growing challenge in modern cybersecurity: over-relying on traditional network security while neglecting identity.

Michael shares candid insights on how too many organisations still treat cybersecurity as a tick-box exercise—securing just 40-50% of what’s actually at risk.

The conversation dives deep into:

• Why hybrid work environments demand layered security approaches

• The risk of choosing “safe buys” instead of fit-for-purpose IAM strategies

• Why defining what “good” looks like in identity is so elusive

• How to justify dual investments (like IAM and NetSec) to non-technical stakeholders

• What to look for in a consulting or reseller partner—beyond just the logo wall

  
  

If you’re navigating the trade-offs between IAM, network tools, and business realities—or trying to make smarter security investments that actually work—this one’s for you.

In this episode of Cyber Fusion Forum, we down with Carl Pickering — a veteran Linux engineer and Lead Platform Engineer at MetDesk — to explore what secure software delivery really looks like at the coalface of DevOps and platform engineering. 

Carl shares candid insights from nearly three decades in tech, reflecting on: 

• Building security into the dev cycle without slowing delivery 

• The human element in mistakes, misconfigurations, and burnout 

• How to use CVEs, SBOMs, and CI/CD pipelines to validate security early 

• The Log4j scramble — and how he’d handle it now 

• Creating business buy-in when pressure mounts to release fast 

This episode is packed with practical wisdom for any engineer, manager, or CISO trying to harden delivery pipelines without creating blockers — and for any business leader learning how (and when) to listen to their tech teams. 

In this episode, I sit down with Owen Jones — founder of Loopli and creator of the OSbD™ (Organisational Security by Design) framework — to unpack why traditional InfoSec often fails to scale, and how to build security into your business without burning out your teams or your budget.

We talk about:

• What modular security looks like in practice — and why it reduces compliance overhead by up to 50%

• Why most GRC efforts overload the business (and how to reverse that dynamic)

• How to make cybersecurity a strategic asset for finance, ops, product, and procurement

• Why cyber insurance requirements are a ticking time bomb — unless InfoSec has a seat at the table

• How to operationalise security into workflows, not just policy docs

Owen doesn’t just talk frameworks — he’s built them into fast-growing startups and complex enterprises alike. If you’ve ever struggled to articulate InfoSec’s value to the business, or you’re stuck in audit purgatory, this one’s for you.