The Resilience Factor Podcast

S1 E12 Are Resilience Strategies Too Inward Looking with Martyn Ditchburn

Zscaler Season 1 Episode 12

In this episode, host Jenny welcomes Martyn Ditchburn, CTO in Residence at Zscaler, to discuss the findings of Zscaler's latest research, "The Ripple Effect." Martyn and Jenny delve into how business resilience is changing, moving beyond perimeter defence to an assumption of breach. The conversation highlights the speed of change and the dangers of FOMO leading to the rapid deployment of AI without proper governance. Martyn advocates for a shift from reactive security to "resilience by design" and introduces the concept of treating AI as a user, applying Zero Trust principles to these new, highly autonomous agents to manage risk and complexity. 

Meet Martyn Ditchburn And His Role

JENNY (HOST)

Cyber resilience is fast emerging as the driving force behind survival and success in a world of unprecedented digital transformation. Through trend-based discussions with cybersecurity experts and pioneers, real-life case studies and practical advice, the Resilience Factor offers the tools and strategies needed to build business and personal resilience in all areas of cybersecurity and networking. Not only that, but you'll get to hear from a range of industry-leading professionals and experts at the very top of their game. Join us as we build a vital resource to drive organisational resilience within a fast-moving security landscape. This week, we are joined by Martyn Ditchburn, CTO in Residence at Zscaler. Martyn works closely with customers, industry leaders and internal teams to understand how shifts in technology, from cloud to AI, are reshaping cyber risk. With a background that spans security architecture, large-scale enterprise environments, and emerging technology strategy, Martyn brings a practical, long-term view of how security models need to evolve to support modern business resilience. Welcome, listeners. We hope you enjoy the conversation. Welcome, Martyn.

MARTYN

Thank you, Jenny. It's really great to be here today.

JENNY (HOST)

Lovely to have you. Can you tell us a bit about your role at Zscaler and how you spend your time with the extremely cool title of CTO in Residence?

MARTYN

Sure, yeah, happy to. So, as you mentioned, CTO in Residence for EMEA. I've worked in the IT industry for about 25 years, five of those focusing on cyber security. A lot of my role involves working with CISOs, CIOs and, you know, CTOs around transformation strategy, the impact and the realities of what those strategies mean, what comes next and what they should care about. So really, security in IT, what it should look like in the business, in ways that don't slow it down.

JENNY (HOST)

Just to say, I mean, that must have changed a lot over the years, because I don't think people had the time initially to be as strategic as they needed to be. But now I don't suppose there's any excuse not to be. I mean, you have to be strategic about your thinking.

MARTYN

Yeah, I think you have to. Yeah, you do. It's because the world is moving faster than it ever has before, with challenges that we certainly couldn't have envisioned, yeah, probably even 24 months ago; the world is a very different place. So strategy has never been more important than it is today, but also how quickly you can change some of those things and adopt new ways of working is critical to a lot of business success today.

From Perimeter Defence To Assume Breach

JENNY (HOST)

Yeah, I can imagine. And I mean, you must have seen over those 25 years, as I said, the evolution of all the different kinds of waves of technology. We are the Resilience Factor podcast, so how has business resilience changed over time from your perspective?

MARTYN

Yeah, I think it's really night and day. And all those things have changed quite quickly. So most of the focus, you know, probably for the last 10 years or so, has been about protecting the perimeter, you know, focusing on preventing those breaches, you know, high observation to kind of learn things and view elements within your control. But that's certainly changed, you know, particularly recently. The boundary is kind of dissolving; it's now everywhere. Your applications are out in the cloud, data is moving around organizations that aren't your own. So this is a kind of pivot towards, you know, what does the new boundary look like? Companies are thinking about not if but when they get breached, so assuming failure and assuming breach. And a lot of these things now are having to extend outside of the four walls, as it has been, you know, for the last 25 years or so, to encompass things like supply chain, external threats, and all those kinds of complexities that go with it.

Why Zscaler Commissioned The Ripple Effect

JENNY (HOST)

You can't blame people for first focusing on that perimeter and just protecting the castle. And now I just don't suppose there's any way that you could get away with it, really. What strikes me about what you're saying is just how quickly everything's changed and to what degree everything's changed. It amazes me, really, that the conversations that we're having on the Resilience Factor, or some elements of them, like you say, even two years ago just wouldn't have had the same answers from our guests at all. I wanted to speak to you about what Zscaler commissioned, because one of the reasons that we got you on the show today is to discuss the findings of the latest research that Zscaler did, which was called the Ripple Effect. It was resilience research, but a continuation of the Resilience Factor report, which was last year, which is why we're called the Resilience Factor. Couple of questions, really. I mean, firstly, high level, I suppose, Martyn, in the time that we've got: what was that Ripple Effect report trying to uncover? And why was now the time for Zscaler to commission that research?

The Watermelon Effect In Security

MARTYN

Yeah, I think a lot of it is based on the idea that the world has changed. You know, in the last 18 months, we've seen geopolitical instability, we've seen the emergence and high adoption of AI, you know, data sovereignty and localized laws in IT are changing rapidly. So we really wanted to look at, or rather, ask organizations what their current IT strategy was and really how they're adapting to some of those new emerging pressures. And one of the things we saw was this idea of the watermelon effect, right? So I think confidence was really high about their organizations having a really great strategy, and everything within their control was really good. But as we started to go through and probe deeper, you know, scratch below that surface, we were quickly finding out that actually they didn't have quick answers to some of the emerging technologies. There was a lack of confidence around how to secure AI, for example. Some didn't have answers to emerging capabilities like quantum. So, really, it was just a snapshot in time against the strategy to see if we could understand where people were rather than where they wanted to be.

JENNY (HOST)

So, Martyn, let me just probe that a little bit, because I just want to be clear what you're saying. So, are you saying that in the initial questions people had put more investment into cyber resilience and security, but that when we probed a little bit, there wasn't the confidence that they'd done enough to deal with some of these emerging technologies? Is that what you're saying?

MARTYN

Yeah, that would be a really clear view of representing it. I think about 90% of those respondents asked said that there was, you know, an increased investment in their organizations, but about 61% of that was all inward looking. So anything around external threats, you know, emerging technologies, just weren't fundamentally being addressed. And I think that was starting to show, particularly with incidents in the news, successful cyber attacks in the news, you know, on certain retailers and, you know, automotive manufacturing organizations, which have really galvanized this idea that actually things aren't as good as they should be, and organizations perhaps are not investing in the right places. But they are certainly investing, is the clear message.

JENNY (HOST)

Yeah, I think, you know, I haven't spoken to other guests about this type of thing, and certainly about AI. It was the idea that it's constantly evolving and adapting from an attack perspective, and I guess the confidence isn't there that, from a defence perspective, it always keeps up, for example. I wonder if that's what's leading to that kind of mismatch in confidence.

AI Waves And Supply Chain Reality

MARTYN

I really think that's part of the story. And I think, to really unpack it, you know, terms like AI and cloud mean different things to different people. You know, their waves are very different, and some of the capabilities are very different. So I think when you're talking about AI, depending on the type of wave you're in, whether it's predictive, generative or agentic, that will greatly influence the threats and capabilities you need to deal with. I mean, agentic is being talked about rapidly as an emerging threat, but organizations aren't there yet today. But it's certainly something they have to be thinking about today. But certainly there are some real things ahead, or rather upon us, that are actually probably as pressing, which is supply chain. I think we only have to look as far as the things that are happening in the Middle East right now to know that organizations are having to rapidly change the way they think about where they source their goods and services, the countries that they operate those things in, but also, you know, how do they do that at pace, at scale? Like we said earlier on, things aren't slowing down, they're only speeding up.

JENNY (HOST)

Yeah, I mean, the report focuses heavily on those external factors, those external forces. You've mentioned quite a lot of them here, you know. I'm just looking at some notes. We've got things like, you know, you mentioned supply chain volatility, we've got geopolitical tensions. I guess the other one is, and I'm seeing it every day just on my feeds, AI cyber attacks, you know, cyber attacks now at a geopolitical level, not just an industry level as well. I mean, what do you see, or what did the report show about that side of things? Was there anything that came through about that? Were people prepared?

MARTYN

I think across the board people felt that they had a lack of visibility into where AI was being used, you know, in their organizations. Certainly threats are coming at them faster than they ever have before. So AI shifts the risk from being quite passive to being autonomous. And those sorts of tools are making very accessible to people outside the organizations, you know, the capabilities to, I guess, breach these organizations, or at least certainly attempt to; those things are on the rise. And as we know, it only takes one successful breach to translate into something that's very real and very high impact for organizations.

Shadow AI And Missing Guardrails

JENNY (HOST)

So what are businesses... I suppose you kind of answered it, but I suppose it's things like shadow AI and everything else. I mean, what are businesses underestimating when they try to embrace this and put it into their strategy? There are dangers here, aren't there? And I guess there are benefits and dangers. What is it that businesses, in your opinion, and even anecdotally in your experience, what is it that they're underestimating about this stuff? What do you think they could focus on more?

MARTYN

Yeah, I think they're really underestimating the governance that's required, you know, for these types of new emerging technologies. But there's this kind of friction, you know, very clear, between the business desire to go fast and to make money and, of course, the security governance that needs to go around it in order to do those things safely. I think, looking at the report, about 50% of the organizations are deploying AI without guardrails, and that's really to get past this FOMO that people experienced, you know, when cloud came around, which is: some organizations embraced it and they gained competitive advantage; others didn't embrace it quickly enough and they were sort of left behind. And people don't want to do that with AI, right? They want to gain those advantages pretty quickly. So they're doing so with a degree of known, unknown risk.

JENNY (HOST)

I love that you say it's FOMO, because that so sums it up for me. That's what... like, you cannot now, you can't even, you know, look up a recipe or, I don't know, travel or anything without, "Oh, would you like AI?" It is a FOMO, isn't it? Which means they're sort of grabbing it without really understanding it. But yeah, I'm not sure you can entirely understand something that's evolving so quickly. You can only do your best to prepare and to strategize for it. Do you think this is the most exciting period in your career? And I say exciting without saying whether that's positive or negative. It must be one of the most significant moments in a 25-year career.

MARTYN

It's right up there. I mean, I still remember the days when, you know, the internet moved from dial-up to broadband, and that was pretty interesting, and, you know, the dot-com bubbles were pretty interesting. But this does feel new, and the reason it feels new is because of the speed and, you know, the advancements that are coming with it. You know, there are really great advancements in education and medicine and, you know, all those great things you'd want from technologies like AI, but it's coming with threats at a scale we haven't seen before. It's accessible to far more people than it ever has been. So, you know, it's not just for the privileged few, it's accessible to the layman. You know, so vibe coding and those types of things are giving people who wouldn't ordinarily access these opportunities the chance to do it. But also organizations are working online in ways they never have before. You know, I think with COVID in particular, people are now outside the organization, they're working from different locations, they're working on different types of devices. The expectation has changed quite dramatically in terms of where people access their data. You know, so these are really rapidly changing times, but it is exciting, and it's exciting for all the great reasons that we think these things can bring, but it's also exciting because we don't know how this is going to pan out yet, and we certainly haven't unpacked everything to recognise what all the risks are today.

Resilience By Design Over Reactive Security

JENNY (HOST)

No, no. I think one thing, though, that the report does show, just to get back to that, because I'm dying to probe you about all the stuff that you've done over that 25-year career, but one thing the report talks about, and I think you're sort of saying it, and you mentioned it at the beginning, is that shift from being reactive, which used to be by definition (security had this huge reactive element to it), to designing in resilience, resilience by design. Practically speaking, what does that look like for clients and for firms? What does it look like to change from reactive to resilient by design?

MARTYN

Yeah, I think organizations have to deal with the complexity challenge, and they have to deal with some of, you know, the bodies that they thought were long since dead and buried. You know, these things aren't just bolt-ons, right? I think if you're going to really embrace these new technologies, you have to look at it from a strategic approach, and that sometimes means going a little bit backwards before you can go forward. You know, so you are going to have to deal with your legacy and technical debt, you are going to have to deal with the architecture. But once you do it, you're in a really great place. You know, the idea of adopting platforms is a really great one, because you can dial out, you know, turn on the knobs and the switches to dial up the capabilities when you need them. You can grow and shrink the organization as you need to. So you need to be in this place where, you know, IT is flexible rather than brittle. You know, complexity kills agility and it certainly slows the business down. So those are certainly some of the things that organizations are going to have to deal with, but speed is right up there in terms of being able to adapt and respond.

Treating AI Like A User

JENNY (HOST)

One thing that I loved, a concept that came from the report, and I just wanted to get your take on it before we wrap this up, was the idea of treating AI like a user. Can you talk to me a bit about that? Because I thought that was such a clever thing, to imagine you've got this really clever but potentially malign user in your organization. So someone who's possibly got malintent but is really smart. Talk to me a bit about that, because that's the first time I'd really thought of it like that. It's a clever way of doing it, I think.

MARTYN

Yeah, I think security organizations have worried about AI, and quite rightly too. But there are some... you know, whilst AI has been particularly revolutionary, there are some really good evolutionary security practices that, you know, we should look at. So when we talk about AI, particularly agentic, you're right, it is a higher form of automation; it is smarter than the average kind of technology that we've seen before. But it can also act on your behalf, right? Businesses are now giving over control and automation to some of these services, and they can be, you know, coerced and corrupted. So really all the hallmarks that you'd associate with protecting your organization from users are applicable to agentics. You know, the idea that you should be segmenting it from business systems, you know, regulating access, making sure it doesn't have more than it should have, establishing behavior and watching that behavior to make sure it doesn't change and deviate, you know, watching for those abnormal anomalies. And I think zero trust, as those terms go, works really well in that, right? The idea of, you know, removing that kind of surface area of compromise, preventing that lateral movement and, you know, stopping that data exploitation: they apply really well to the modern technologies and not just, you know, the ones from a couple of years ago.

Superpower Question And Key Recap

JENNY (HOST)

Well, to be continued, I am sure. I'm sure that we'd have a whole different set of talking points, and maybe some of the same ones, in six months' or a year's time if you come back to talk about it. But it's been fascinating to read that report, and again, that report is the Ripple Effect, commissioned by Zscaler. So it's an interesting piece of work, and I'm sure we'll put links to it in the podcast notes. But before I let you go, we have a question that we ask all our guests, Martyn. Brace yourself. It's a bit weird, but it's a good one to see what people think. Martyn, what is your resilience superpower?

MARTYN

Oh gosh. I think it's probably pattern recognition. I seem to have this knack that, you know, it doesn't matter what the technology wave is, it creates the same risks, it just does it faster. So certainly seeing those patterns and applying those fixes is something that, you know, I seem to have a knack for.

JENNY (HOST)

Well, humans, pattern recognition. One of the things that identifies us humans, and perhaps that is a superpower. Martyn, it's been an absolute pleasure speaking to you, and thanks to our audience for listening to another episode of the Resilience Factor Podcast. So let's reflect on that conversation with Martyn Ditchburn. We looked at the findings of Zscaler's most recent report, the Ripple Effect, a survey of 1,750 IT leaders across 14 markets.

MARTYN

I think confidence was really high about the organizations having a really great strategy, and everything within their control was really good. But as we started to go through and probe deeper, scratch below that surface, we were quickly finding out that actually they didn't have quick answers to some of the emerging technologies. There was a lack of confidence around how to secure AI, for example. Some didn't have answers to emerging capabilities like quantum.

JENNY (HOST)

The report also found that there was increased investment in cybersecurity, but 61% was inward-looking.

MARTYN

So anything around external threats, you know, emerging technologies, just weren't fundamentally being addressed. And I think that was starting to show, particularly with incidents in the news, successful cyber attacks in the news, you know, on certain retailers and, you know, automotive manufacturing organizations, which have really galvanized this idea that actually things aren't as good as they should be, and organizations perhaps are not investing in the right places. But they are certainly investing, is the clear message.

JENNY (HOST)

Martin also touched on organizations changing from being reactive to being resilient by design.

MARTYN

If you're going to really embrace these new technologies, you have to look at it from a strategic approach, and that sometimes means going a little bit backwards before you can go forward. You know, so you are going to have to deal with your legacy and technical debt. You know, you are going to have to deal with the architecture. But once you do it, you're in a really great place. You know, IT needs to be flexible rather than brittle. You know, complexity kills agility and it certainly slows the business down.

JENNY (HOST)

We were also introduced to the intriguing idea of treating AI like you would a user.

MARTYN

So, really, all the hallmarks that you'd associate with protecting your organization from users are applicable to agentics. You know, the idea that you should be segmenting it from business systems, you know, regulating access, making sure it doesn't have more than it should have, establishing behavior and watching that behavior to make sure it doesn't change and deviate, removing that kind of surface area of compromise, preventing that lateral movement and, you know, stopping that data exploitation: they apply really well to the modern technologies and not just, you know, the ones from a couple of years ago.

JENNY (HOST)

And you can find a link to the Ripple Effect report in this episode's show notes. The Resilience Factor Podcast is brought to you by Zscaler, a leading cloud-based cybersecurity platform, revolutionising the way businesses protect themselves from cyber threats. By transitioning from traditional appliance-based systems to a cloud-delivered model and implementing Zero Trust principles, Zscaler provides businesses with optimal protection from cyber threats.