The Resilience Factor Podcast
Cyber resilience is fast emerging as the driving force behind critical business continuity in our digital era. Faced with brownouts, blackouts, and the ‘when not if’ nature of cyberattacks, how do businesses harness this resilience for stronger cybersecurity and networking?
Listen in to The Resilience Factor as our hosts — renowned social engineer Jenny Radcliffe and Zscaler’s own Kate Baker — explore how organizations and employees can fail forward to adapt with confidence.
Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies, and practical advice, The Resilience Factor offers audiences insights on the tools and strategies needed to build business and personal resilience.
The Resilience Factor Podcast
S1 E11 Cyber resilience priorities for 2026 with Brian Deitch, Simon Linstead & Prof. Buck Rogers
In this special episode, host Jenny Radcliffe hosts a roundtable with returning guests Simon Linstead, Professor Buck Rogers, and welcoming Brian Deitch, Chief Technology Evangelist at Zscaler, to reflect on the cybersecurity lessons of 2025 and the priorities for 2026. The experts advocate for a return to the fundamentals in 2026, stressing "simplification over sophistication."
Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, the Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. Not only that, but you'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organisational resilience within a fast-moving security landscape. Hello and welcome to Zscaler, the Resilience Factor Podcast with me, your host, Jenny Radcliffe. This week, we are joined by Return of Friends of the Podcast, co-founder and president at Simple Security, Simon Lindstedt, and strategic cybersecurity and risk advisor, Professor Buck Rogers. And we also welcome a new face to the podcast, Brian Deech, Chief Technology Evangelist at C Scalar. With over a decade of experience in cybersecurity, Brian has made for companies including F5 Networks, Milestone Systems and the Apollo Group, focusing on SSL, TLS inspection, authentication and threat hunting. At Zscalar, he helps organisations securely transform their IT infrastructure and embrace cloud-native strategies that reduce risk and improve resilience. Welcome everyone and welcome listeners. We hope you enjoy the conversation. Welcome gents and slightly belated Happy New Year to you all.
SPEAKER_03:Happy New Year, Jenny.
SPEAKER_01:It's the time of year when we have to still say Happy New Year and then we have to start talking about what we think is going to happen this year in terms of cybersecurity and do a little bit of reflection over 2025. So I felt like I had to still say Happy New Year. It's been such a quiet start. So anyway, before we look forward to what 2026 has in store for the industry, I wanted to check in and actually on that topic, check how 2025 actually went for everybody. We're looking at the biggest challenges in the industry that you had to overcome for this little slightly different than usual chuck. Simon, what were the biggest industry challenges that you found this year that you know that you felt that yourself and people in your community had to had to overcome?
SPEAKER_03:So it's a it's a difficult one because there was just so much. I mean, it was it was attack after attack for those working in the trenches. Um I'd like to spin a bit of a more positive light on it in a way and say I feel like 2025 felt a bit like a year where the industry at least stopped talking about resilience and actually started testing it and trying it out, which obviously I know personally can be exhausting, but it's also I think for the industry very motivating and also maybe clarified what really matters. And and I love the fact that this series has been a part of the process, shining a light on that.
SPEAKER_01:Yeah, I mean I think it was by it was out of necessity really that you know it it became something that wasn't even remotely optional last year, didn't it? I mean, uh maybe maybe come to Brian next. I mean, would you echo what Simon said there?
SPEAKER_00:Yeah, but everyone can take a collective sigh, because I'm gonna also say Gen AI was a mofo, right, to kind of deal with. And I I do think that uh LLMs are like children, right? They're they're easy to make, they're expensive to raise, and then clearly a lot of people didn't think that actually through. Um, so I I felt like we did a lot of shadow AI discovery and then trying to map that to data security, right? How are these channels getting out there? And then last but not least, uh I think governance around that was just an entire lag as well.
SPEAKER_01:Buck, what about you?
SPEAKER_02:Yeah, I was gonna say, I suppose for me, 2025 was was the year Patrick finally admitted that cyber resilience wasn't a tooling problem, it's a leadership and a consistency problem. I think you know, less nation-state ninja hackers and more we broke ourselves at 2 a.m. in the morning because we designed something uh ad hoc. So I'd say it was the year of self-inflicted injuries, a lot of it.
SPEAKER_01:Yeah, I agree. And I think as well, for me, what I saw was this this has become it's no longer something that's adjacent. I think that's one of the things that I'd agree with sort of what you say. It's not adjacent to normal business, it's not something that um only people who work in security know about now. I feel like everyone has an opinion on AI and on cyber, or almost everyone. Um, and we've had to face that as an industry across last year. Now we've got last year commented on, we're gonna look forward. I know Sam, you sort of hinted at this, instead of being sort of pessimistic and sort of saying everyone's gotta change what they do and adapt really quickly and and everything else. Let's try and kind of think about what you know people actually got right um and maybe what what they should prioritize on for next year. What are the sort of sort of areas that IT leaders should really prioritize in 2026 to make to make everyone more secure and efficient? If you can come to you first, Simon.
SPEAKER_03:Yeah, of course. I mean, uh as Brian said, there is there is so much going on, but let's be honest, it for me it's firstly a relentless focus on the fundamentals that so many people don't seem to get right, like identity, patching, visibility, backups. It's not exciting, um, but it's hugely effective. And for the conversations I've had over the last 12 months, it seems that the organizations that are doing this well are quietly outperforming the ones that aren't. So the basics is the first one for me. Um, and I have to say this because the name of my company, um, simplification over sophistication. I think fewer tools, better integration, clearer ownership, clearer outcomes. For me, complexity um is now a risk in itself in the industry, and I think we're seeing that more and more with more things being laid on top of each other that aren't particularly well configured or working very well. Um, next one would be security that maps the business outcomes. My background's business. Before I came into this industry, I think the majority of the industry are woefully poor at framing risk in terms of leadership actually understand um things like downtime, reputation, revenue, not C VSS scores, perhaps. That's just my opinion coming from outside in, I suppose. Um, and the last one would be operational resilience, not just prevention. And Bucks already alluded to it. Um, incidents are going to happen. So designing systems processes and the people around them to recover quickly and confidently. They'd be my four things for the year.
SPEAKER_01:Well, that's pretty comprehensive. I'd agree with you on one thing. One thing I always think is that complexity is a lag factor in almost every area I've ever worked on with every client I've ever worked with. The more complex it is, and like we can't you can't help some complexity though.
SPEAKER_03:No, absolutely not.
SPEAKER_01:Um, but I know, but unnecessary complexity, try and simplify where you can. Um what what about uh Brian? What would you say? I mean, what are you saying that you think people should really focus on to kind of calm the noise and really prioritize properly?
SPEAKER_00:Yeah, actually, if I can comment on his whole business outcomes thing, I think that's kind of paramount, right? If you're just out there, you're a CISO and you're just looking for like a really cool mousetrap, then good luck getting budget, right? But if you can solve for some business outcomes, then you're gonna have a much better uh you know outcome from that. But if we focus on the basics, identity is new perimeter. If you can't confidently answer the question of who or what's coming in and talking to what, like as the kids would say, you're cooked, right? And so I think we have to kind of focus on identity. Um the next one, like every breach, every hack, it's always around data, right? And so you have to understand of where your data actually lives, understand that it's just not in the data set anymore. It could be in the private cloud, it could be in SaaS, it could heck be in AI workflows, MCP servers, things like that. And then I maybe the I was toying with the last idea is they come up with mail only three, their visibility of perfection, but I think uh kind of just assume breach and design for resilience. I actually had a call with a customer the other day, and he's just like, I know definitively if we're breached, I'm up and running in 56 hours. He's like, I'm dialed in like that. And I think that's actually kind of a cool way to do it. Actually be able to understand, like, you know, things are gonna happen, but resiliency is gonna be the the thing that's gonna win it at the end of the day.
SPEAKER_01:Was that their worst case though? Like at the when someone says, Yeah, I know I'm up and running in 56 hours, like I that type of statement that what when I've heard that from social engineering uh clients, that makes me worry because it's specific, and I just wonder are they really planning for the best case when they can say something like that? The worst case, I mean.
SPEAKER_00:Yeah, yeah. I think that's more of a best case outcome, not necessarily worst case. Yeah, yeah. But it seems that you know he was he was very confident in the fact that like they have all their ducks in a row. Um they they have gone through exercises in which they can shut down data centers or specific applications or or groups of users, right? And just keep the lights on and running, moving workloads from, let's say, off of AWS and into Azure, actually, you know, doing a lot of the the work up front, which is kind of interesting, right? Because he's like with us, he's like, well, what happens if there's like a catastrophic thing with Z Scar? Like, how do you guys build around that? How do you what's your resiliency plan and how like how do I move quickly? A lot spoiler alert, a lot of uh lot of API calls is what he's really looking for.
SPEAKER_02:On that gen, I I'd say I I think the interesting bit is the organizations that I helped last year, the best weren't the most advanced, they were the calmist. They were the ones that they may not have had all worlds to them, but they were like Brian said, they rehearse it, they practice it, and they had that moment.
SPEAKER_01:Yeah, I mean, I what I always think is, and I say it to people, is like as long as you can, the the morning after that breach, the morning after a disaster, that you can look in the mirror however it's gone and said, Yeah, I did everything I could. I couldn't think of anything else. We were on it, we we did everything we could. And then no matter really how it's gone, if you've definitely done everything you can think of, you've invested as well as you could, you've put the best tech in, you've trained the people, then I think then it's that look in the mirror moment for a CISO and for a security team, isn't it? It's to say, well, you know, it went however it went, but we we did what we could do. We didn't think of anything else. We try, you know, it's and I don't mean from a legal point of view or a compliance point of view, I just mean from a point of view of like they sit down the next day and say that these were the wins, this is what went well and what we expected, and we were covered for that. Our recovery's gone well, the tech work where it could. Then I think if anything's gone wrong, then you know, you know, we we are only human, as I would say. You've done what you can do. Um, would you say that ties in with what you'd say were priorities, Buck, or anything to add?
SPEAKER_02:So I'd I yeah, I'd I'd flip it slightly, mate. I because I think most organisations already know what to do. I think the gap is doing fewer things more reliably. Okay. So I'd say on fundamentals, you know, patch management, identity hygiene, backups, really boring stuff, like eating your cyber vegetables, but get them get them right. And then I think teams are much better than give credit for.
SPEAKER_01:Yeah.
SPEAKER_02:Um, I think you know, the best resilience I saw in 2025 came from teams that were experienced people, trusted to do like you've just said, trusted to make the right decisions, not from playbooks being followed blindly, but using their intuition, their training, their experience, and being allowed to get on and be successful.
SPEAKER_01:But for me, the the area that they need to focus on in t and it fits in with lots of other topics, is identity security around AI and tools and scams and social engineering. Because I think the roots into organisations now, um still, as it's always been are individuals very often, and and the training of those, but it's making sure that people understand how convincing that social engineering is going to be with the visual, with the visual backup and everything else, with defakes and voice cloning and everything. And I know compared to what you know everyone talks about with the technology, um, and you know, we're gonna get onto that in a minute. That perhaps isn't the most important thing, but that's the thing I say, you do not when I see the amount of scams and the way that it's being used, um, a lot of employees just won't stand a chance in spotting it. They have to know that it might come at them this way. Um, and so for me, the area to uh focus on in training in terms of human awareness and awareness training this year is is that it's that who you think it is really might be the most convincing thing you've ever seen, and it just may not be. Go on, Simon.
SPEAKER_03:Um, I was fortunate enough this year, last year as well as the year before to be a team member on a physical penetration test for some critical national infrastructure here in the UK. And the one we did last year, multiple sites. Um, we did one of the sites the year before, and then all of the sites got trained between that event and the one we did in 2025, and the difference in the staff from that training was absolutely phenomenal, and it made the difference between us getting through and not getting through. So I just wanted to reiterate what you were saying about the importance of educating your staff around that.
SPEAKER_01:Yeah, the only way we've ever been effectively stopped really is being a well-trained staff member. I think one of the things that I'm hearing from from everyone, um, and you know, we're not we're not laughing yet. This is supposed to be light horses. It's hard to be light horses, and you know, I'm not gonna be light horsed now, frankly. But um, we're sort of hearing about moving on from this reactive uh protection. I think that's it's just no longer what anyone's doing, but you know, everyone's trying to be proactive and strategic about it. So, practically speaking, how do teams really get to focus on those strategies rather than reacting to the emerging risks? Because those risks that keep coming up and those threats that keep coming up, I think it's very difficult to say to people, don't be reactive. It's almost like I I wonder, and I'm gonna come maybe come to book first on this one because uh you're just the person that I I want to ask this first. But like, is it it's I almost feel sometimes like there needs to be two teams, like one to react and one to strategize. And however, I know that that can't I feel like I know that can't work, but what do you think?
SPEAKER_02:Yeah, so it's interesting. I think if you're gonna redesign your security program every time LinkedIn sneeze is you're never gonna get anything done, are you? No, but you I think there's a can you educate the senior leadership so they understand they've got confidence in your assessments because like you said, you can't have two teams unless you're a very large organization, and then can you stick by what you believe is the right strategy? And actually, I think where I find it really helpful is work across your peer group, don't just rely on isolation on what you think a good security strategy to do. Speak to the CFO, speak to the CTO, and it should be a sort of a team sport now rather than you being in your little silo because they will help you with what's coming on the board agenda, what's you know, what financial pressures there are to give you that wider uh side. But I would definitely say you've got to start, stop chasing the metro headlines every time. Take a breath, have confidence in your programme, work across your beer group, and actually as a CISO, make friends with the other C-suite people. You know, you're not as important as you think you are, you're just one of the board, get stuck in. I understand their needs as well.
SPEAKER_01:Yeah. Do you know I we used to I co-located teams I managed? Now, these were not all the security teams, I have to say, uh back in the past, but it's not always possible. But I used to I used to always wonder why everyone sort of sat in department offices and things uh all the time. So I think sometimes just physically moving people in with other people is quite helpful. Um Simon, uh it comes to Simon next. I mean, what do you think? You know, how can how can you be Simon? And this is interesting to me to come from you with with the business knowledge that you've got. I mean, how do you, you know, what's your thoughts on that? Like, how do you how do you have they've got to be reactive? But how can they how can you have a sustainable strategy? You know, looking forwards and and and and and and not not focusing on that when you do have to be reactive to some extent. That sounded very complicated.
SPEAKER_03:It is complicated. I mean, the only thing I'm gonna reiterate really on this is what Buck said about the calm. Um, we've been through not cyber attacks but in financial services, we had some pretty disastrous things happening from a data recovery perspective and a couple of other bits. And if you've practiced for it and you've practiced for it again, not just you, but everyone within the organization, because everyone's going to be affected, I think that's where people go wrong. It's leadership who are sometimes the only ones involved when really you need to bring in the wider organization to help you in those situations. And staying calm for me is a winner in any situation, especially when it gets to something like that. And I think that personal resilience, that ability to slow down you know, yourself, slow down the decision making, perhaps enough to improve the quality of the decisions you're making. You know, in security, we're rewarded for that speed, but I think resilience improves when we build space for reflection, for learning, and better communication. And I think all that relates to to prevention.
SPEAKER_01:I'm I mean, I'm sure, I'm sure having the right tech and the right architecture in place is gonna help with that, isn't it, Brian? I mean, how do we help teams become more strategic rather than as reactive as they have to be? You know, they have to be reactive. How how are we how can how can they be more strategic as well?
SPEAKER_00:Um, I think the first thing I would look at is focus on what doesn't actually change year over year, threat after threat. And it's always going to be identity, it's gonna be data and the access, right? Understanding your attack surface, doing end user education, and then try to design for you know adaptability, not really perfection. Focus on least privilege, continuous uh verification, do your red teaming exercises, actually move on that once you do find stuff. Um I mean, I think measure outcomes, not necessarily alerts. We can get alert fatigue totally, but it's not necessarily like how many threats are blocked, but like how fast we detected these things, they're contained and recovered. And then uh since we are doing a podcast and trying to have fun right here, Simon, you said uh the comment on the data recovery, and it brought back like a Vietnam flashback for me. And I was I'm not gonna say what company I was at. And uh we we had a very similar ex uh ex uh exercise going on in our production environment. We ended up calling it the sampocalypse because the we had a production data center, then we had a a DR one stand-up ready to go. We were confident, it's like, hey, no big deal. We're just gonna move all the traffic over here and we come right back up, or we could take an outage, move the data from left to right. Uh, we went to go do it, and it's like, hey, nothing's on. And so we're like trying to figure out like why is nothing actually responding. Rats in the secondary data center chewed through all the cables. Oh no. It was so bad, like we actually thought it might have been like a business ending event. Kinetic interface.
SPEAKER_01:I love it. Yes, kinetic interference.
SPEAKER_00:How do you plan for that?
SPEAKER_01:No, that's it, a black swan event. No, black rats event. Okay. Well, look, you know, we we I I feel like you know, we always try, and and these kind of summary podcasts, we're always trying to sort of you know get make it a bit like. Horses. I'm sure people have listened to lots of them. And we want to leave some sort of nice advice for people. I mean, I've got notes here, and they tell me to say aspirational advice, which I keep I keep tripping up over all these uh um alliterations at the moment. But is is there I mean 2026, you know, already has been a big year in many ways, you know, um culturally and everything else. It is there something that we can be hopeful about in 2026 in terms of the industry? It can security people at this very uh interesting time of our lives in terms of the tech and the culture and everything else. Is there things that they can feel hopeful about?
SPEAKER_02:Let's go to Book. Book, go on. Yeah, I was gonna say I think what the house is one of the healthiest shifts we're seeing is I'm seeing teams saying we're not chasing everything, we're not we're not chasing every alert, we're not chasing every headline threat. And I think that we're getting more maturity and less complacency. So I think that's a good thing, and I think the teams are a lot better than the headlines report where you know you see this ransomware attack, that breaks that they're good, hardworking professionals just trying to do the right thing.
SPEAKER_01:Can I just follow us up on that book? Because you know, one thing that I that I tend to advise people is to is to sort of specialise quite early on. And I just wonder whether that ties in a little bit with what you're saying. It's almost like, you know, pick one thing that you that you can really focus on and get really good at it, yeah, as opposed to trying to cover everything. Is that sort of what you mean? Yes, mate, I do.
SPEAKER_02:I think I think because uh you know proper resilience isn't about needing to act faster, reacting less often, and to do that, you need the right skills. So focus on something that's your strength, something that you enjoy, and then develop as a profession. Yeah. So I'd agree with you.
SPEAKER_01:I think it's deciding what's noise and what and what's a priority again. We're back to that.
SPEAKER_02:Yeah.
SPEAKER_01:Uh Brian or Simon, uh something, something that we can be hopeful about in 2026.
SPEAKER_00:Oh, look at Simon giving me the floor. He's such a nice guy. All right, so yeah, we're all gonna die. Oh, wait a second, you said aspirational. Um I think that uh security, right, at least from my lens, right? I think security is being finally being treated less like a cost center and more like a business enabler, to be honest with you. Agreed. Um, you know, something that actually helps organizations move faster, not slower. Like the the the security team is no longer the the the purveyor of no with their pitchforks. Um, I would like to say, you know, whether you are a Zscaler customer or not, if you go out to our little website, you see our marquee customers, and you're trying to figure out like, hey, you know what, our organization still sees um security as being the purveyor of no or an obstacle. Uh, I'd love to help you network. Reach out to me on LinkedIn, I'll connect you with the right people in your vertical and whatnot. And uh yeah, little little olive branch will definitely go a long way.
SPEAKER_01:Simon?
SPEAKER_03:Yeah, I'm gonna take a slightly different spin on it because of my experience, really. Um I've seen a massive shift in 2025. I do a lot of work on personal resilience with people in the industry personally, and I'm really hopeful about a shift in that mindset of people focusing on their own personal resilience before they think about the business resilience. Because if you're not resilient yourself, you're not in the right place. So we're seeing more and more leaders, I think, accept that. It's not about being perfect, it's about being prepared, transparent, and adaptable. And for me, that's a much healthier and more human model for security. And I also think it's one that scales as well. And I hope that that kind of sea change that I saw last year continues into 2026 with more leaders taking the time to focus on themselves and their resilience because I no doubt it's gonna be another to quote our late queen, Annas Horribilis. I think she said, another tough year.
SPEAKER_01:So do you know it's interesting you say that, Sammy, because that almost harkens back to what you said at the very beginning about um, you know, I think I comment is that you know, it'd be people have had to like teams have had to learn to do this, and it's almost like that's on the tech side, on the breach side, on the whole sort of security uh landscape. But it's interesting that you say that that's the same thing that you see, and it's again. I wonder if it's out of necessity that you we just a young industry with just learning, you just people will burn out, you've got to have that personal side.
SPEAKER_03:I mean, can can I can I be a bit cynical? I mean, it and I'm being cynical in a positive way about Gartner for once. I mean, one of Gartner's focuses for 2025 was resilience. That has had an impact. It's had an impact. No matter what your opinion of Gartner, I think having resilience as a focus has really made people stop and think and change the way they act. So for me, I'm all of a sudden a fan of Gartner. I'll leave it at that.
SPEAKER_02:Well, the other thing is when something bad goes wrong, so we have a cyber chicken liquor moment, we all think who's gonna get sacked because of it, don't we? Yeah. So you look at the ransomware attacks in the UK, who's gonna go, the CISA or the CTO? And I I do think, although we talk about resilience, a bit, oh yeah, we embrace it, we still need to get away from this sort of mentality that someone's got to fall on the sword for rather than go and it's like any other organization, and we learn from it.
SPEAKER_00:Buck, I have a question for you, man. You know, given your role, do you really think that there is that fall on the sword moment? Like if you are really good being a CSO or CISO, and you've gone and reported up to the CEO and the board and said, Hey, listen, these are our gaps. And if you're not gonna fund me to fix these, and you have to understand that this is gonna be a risk, and if something bad does happen, I don't think that I should be losing my job. No, you shouldn't, but they do. But they still do, wow.
SPEAKER_02:Yeah, I've seen three ransomware attacks, large ones, and beforehand they said X is gonna happen, and then you either got a choice, are you gonna resign because they're not gonna fix it, or do you wait to see something goes wrong and then you have to deal with the pieces afterwards? I mean, if you're regulated, if you go for protection, if you're not regulated, it's all about margins, and if they don't agree with you, then you need to make a choice, don't you, on your reputation.
SPEAKER_00:I would love to know if there's anyone listening that was a victim of a ransomware attack, but you had reported that up to the board and said, hey, listen, these are our gaps, and if it has happened, we get popped like a due date, I don't want to lose my job. Did you are there any success stories? We'd love to know.
SPEAKER_01:That's a great thing. That'd be great to know. Yeah, get in touch and let us know about that. I mean, I can I uh obviously through doing the Resilience Factor podcast and our on our other episodes are easy to find. Um I've spoken, it's particularly on AI, and and I I I've been a bit of a a negative person on that. Um I literally said a negative, Nelly. Um, but I have been negative about it because as that they were so awesome and cool. There were so many things, you know. You said Brian, like we're all gonna die. Yeah, it's like that's one of those t-shirts that I'm starting to see at conferences and hacker meets and stuff, um again, because they never stop wearing it really. But uh I think the thing that I'm taking as hopeful as someone who's very sceptical about our about about the speed of adoption, the problems and everything else, is is is I was told that um AI defenses are catching up with AI attacks. In other words, that that we can put a lot more sort of we can put faith that it's gonna help us defend because I think a lot of the time people think, well, you know, it certainly as I say in in in what I do that the speed and the depth and the scale of the attacks is just you know breathtaking, but that the defenders are starting to keep up. So I be I was hopeful about that, and I was also I'm kind of trying to be hopeful about industry collaborating a little bit more with with kind of you know govern government and officials and recognising that it's a threat that goes beyond the business. I just wondered if anyone wants to say that I'm dreaming there, or am I am I right in the world?
SPEAKER_00:You're dreaming there. Glasses happen, empty Simon. All right.
SPEAKER_03:Influencing influencing any government of any political party is not an easy thing and it takes a very long time.
SPEAKER_02:But the but the best defence against AI is sand thank you, otherwise they kill the unicorn.
SPEAKER_03:That is true. And I I'm all I'm all for automation with with accountability, and I think at the moment it's great if it's removing work, but not where it removes understanding. And my concern with automation and AI as a whole is that we're gonna start to lose the understanding, which is fine for people in the industry at level two, level three SOC analysts. But what about the ones coming in who are being replaced by AI now? I'm not sure. I think that's a concern for the industry. Brian, you look like you've got a response to that.
SPEAKER_00:Oh, I'm locked and loaded, buddy. I am so ready for this one. I would tell you, like, I was I thought the same thing. Like you you grew people through your organization through the help desk or entry-level sock, and and now you're quote unquote replacing these things. But if we all go back in time, with the exception of Simon, because you didn't start off, you know, uh doing IT, but largely it was like, you know, in the late 1900s, I guess I'll date myself. It was like, hey, do you know how to turn a computer on, Brian? I'm like, yeah, like you got the job, right? Like that the barrier to entry was really, really low. And over time, you know, like things are changing. So as we have new help desk people coming in or new sock people coming in, it's gonna be less about the replacing them and more about these people that actually know like prompt engineering, right? They're gonna know how to get ask the right questions to get stuff out over time. Now, with that said, generally speaking, if I am confronted with some type of agentic AI, I don't want anything to do with it. I'm like, I just I just know it's not gonna work. So, but yesterday I had to make a phone call uh to uh I guess I'll call it Ford dealership, and boom, it's like, hey, I would like to schedule an appointment. It's got the voice AI thing. I'm like, okay, I'll give it a shot. What's your problem? Hey, the uh the the aux switch, it turns on the light bar on my truck, not working, no power to it. And uh the lady robot demon, I don't know what we want to call it, comes up. He's like, I understand they're having a problem with your light switch, blah blah blah. And uh, what is the year? Make a model of your vehicle 2025, Ford Raptor R, blah blah blah. He's like, Oh, we'll get you scheduled. I like the way you drop that in there, Brian, by the way. Very nice truck. Yeah, yeah, it's a pretty cool truck. Um that's a that's a redneck truck, not bad boy. Well, yeah, I am there. Everything about me is redneck, trust me. Like as as as described. And so, anyways, I'll get to the point here. Uh, and it's summarizing, it's like taking everything that I'm saying and it's putting it like it's giving me the feedback, right? And like I'm I mean, I'm not even talking like the aux switch slash uplifter is technically the name. There's no like I checked the the fuse, the fuse is good, but there's no power coming to it, right? So I'm telling it all these things, and it's like, oh, do you need a ride home? I'm like, yes, I do. Boom. Finally, AI is working. And then uh immediately the first red flag is the text message that comes in. It's like, hey, your uh 2025 different vehicle that I didn't even say we're gonna have it come in for a uh battery replacement. I was like, what the hell? And then someone calls me, he's like, hey, I'm kind. He's like, hey, Brian, just want to confirm your appointment today for the oil change. I'm like, okay, we give up. I'm not doing it anymore. I'm pressing zero for a real person. I lost. Yeah. Draw it then, mate. AI will eventually work, but you know, this time it did not.
SPEAKER_01:I think that it's very difficult at this time of year um to predict anything uh with any accuracy. If we get it right, we'll pat ourselves on the back next year, and if we got it wrong, we'll say, well, that's our predictions. I've got two more things to ask you. One's very short, and one's got to be as short as possible. But what is your resilience resolution? In other words, for 2026, what you want to get better at in terms of resilience this year? Sh nice and quick. Simon, can we go to you first?
SPEAKER_03:Yeah, not cyber related fitness.
SPEAKER_01:Fitness.
SPEAKER_03:That's mine.
SPEAKER_01:That so that ties in with the personal resilience. Excellent. Let's go to uh Brian.
SPEAKER_00:Yeah, so everyone's gonna judge me right now. I have no idea, but uh like 17 years ago I found out that I had tuberculosis, and it was like uh it's not a thing to like worry about until you get into your 50s. Well, anyways, I'm really close to 50, and the remediation is to take one pill a day for six months. I have tried many times over the years to get this done, and I always fail. But this year is gonna be the year that I actually do the treatment correctly. Um, but my resilience superpower is that I I think I have a very low emotional ceiling. I've seen enough of like this is the end of the world moments and cybersecurity or whatever, that majority of them they're they're really not, right? And so when things go wrong, we fix them, we learn from our mistakes and just move on. Simple as that.
SPEAKER_01:Excellent advice. Buck, you're gonna wrap this up for me?
SPEAKER_02:Yeah, yeah. I'm gonna say I'm gonna make I'm gonna make uh security karma, less heroics, less drama, far few 3 a.m.
SPEAKER_01:in the morning, rise on fire moments. Excellent. I don't know what my resilience power might be for 2026. I think uh very much in line with what's going on in the world and in the industry and in technology. I think I am gonna try and get better at uh living in and being grateful for the moment and not looking not looking forward all the time to when this is gonna be.
SPEAKER_03:Be present, uh Jenny, be more present. I love it.
SPEAKER_01:Be present, yeah. Because today is a gift. See, look at that, Simon. Look how easily I slipped into motivational nonsense. So good. I want to say thank you very much to every uh to all my guests this week, to Simon Lindsted, to Buck Rogers, and to Brian Deach. Um, thank you, Brian, for telling us uh your resilient superpower. Um, and thanks again, guys, for let's see and tie this up again in a year and see how well we did. So, let's reflect on the lively round table with Professor Buck Rogers, Simon Lindstedt and Brian Deach. It's the start of the new year, so all three gave their thoughts on the priority areas IT leaders should focus on. First up, Professor Buck Rogers.
SPEAKER_02:I think most organisations already know what to do. I think the gap is doing fewer things more reliably. On fundamentals, patch management, identity hygiene, backups, really boring stuff like eating your cyber vegetables, but get them right.
SPEAKER_01:Simon Lindstedt also thinks IT leaders should go back to the fundamentals. And the results show it.
SPEAKER_03:And from the conversations I've had over the last 12 months, it seems that the organizations that are doing this well are quietly outperforming the ones that aren't. Simplification over sophistication. I think fewer tools. For me, complexity is now a risk in itself.
SPEAKER_01:Brian Deach says that IT leaders should look at identity as the new perimeter.
SPEAKER_00:If you can't confidently answer the question of who or what's coming in and talking to what, like as the kids would say, you're cooked. Every breach, every hack, it's always around data, right? You have to understand of where your data actually lives, understand that it's just not in the data set anymore. It could be in the private cloud, it could be in SaaS, it could heck be in AI workflows, MCP servers, things like that.
SPEAKER_01:And after the year we all just had, Book left us with a bit of hope for 2026.
SPEAKER_02:We're not chasing every alert, we're not chasing every headline threat, and I think that we're getting more maturity and less complacency. So I think that's a good thing. I think the teams are a lot better than the headlines report where you know you see this ransomware attack, that breach that they're good, hardworking professionals just trying to do the right thing.
SPEAKER_01:The Resilience Factor Podcast is brought to you by Zscalar, a leading cloud-based cybersecurity platform, revolutionising the way businesses protect themselves from cyber threats. By transitioning from traditional appliance based systems to a cloud delivered model and the implementation of Zero Trust principles, Z Scalar provides businesses with optimal protection from cyber threats.