With the rise of sophisticated cyber threats and the growing complexity of the digital landscape, organizations are in a constant battle to stay ahead of potential risks. Information security is no longer just an IT issue but a critical component of business strategy and governance. To shed light on the current state of cybersecurity and on effective communication strategies in this field, Information Security Buzz recently spoke with Gary Hibberd, the ‘Professor of Communicating Cyber’ at ConsultantsLikeUs. Gary shares his expertise on the evolving challenges and on the importance of clear communication in navigating cybersecurity threats.
Can you share your journey into cybersecurity and what you do now?
I started right after school, wanting to work in technology. Back in the early eighties, I watched a movie about hackers and thought it was fascinating what these individuals could do with computers. I became determined to learn everything about computers and programming languages. I began with programming, then expanded to networks, systems support, and building PCs, working in IT for about ten years. Throughout that time, I also assisted employers in writing policies and procedures to better understand technology.
In 1997, someone handed me the Data Protection Act and asked for help understanding it—what it meant for our business. That was the pivotal moment. Since then, I’ve focused exclusively on data protection, with information security, cybersecurity, and privacy as subsets of that. Today, I run a consultancy called “Consultants Like Us,” where we help organizations understand information security, cybersecurity, data protection, and privacy in simple terms—explaining what they need to do and how to protect themselves.
As we approach 2025, what are the biggest threats and challenges in cybersecurity that you see?
Without a doubt, AI stands out. As organizations consider incorporating artificial intelligence, it’s crucial to understand both its potential and its limitations. There are also compliance and ethical concerns surrounding AI’s use, but the bigger issue lies in how threat actors are leveraging it. AI-powered attacks are becoming increasingly common, with bad actors using AI to automate and scale their attacks. This lack of understanding—how AI can be weaponized—is a significant concern.
In addition to AI-related threats, other cybersecurity risks remain, including ransomware, extortion, and state-sponsored attacks. There is a lot of global uncertainty with various governments and geopolitical tensions, creating both internal and external threats that organizations must address.
Can you share examples of how organizations use AI for good and for harmful purposes?
AI, like all technology, is neutral—it’s not inherently good or bad. It’s all about how it’s used. On the positive side, AI is great for automating mundane tasks. For example, chatbots are widely used to automate responses on websites, improving efficiency. However, the same technology is exploited by bad actors for malicious purposes. We’ve seen AI being used to create sophisticated social engineering chatbots, which are part of large-scale phishing attacks. These bots convince victims to grant access to sensitive systems under the guise of urgent account issues.
On the flip side, AI is also enhancing cybersecurity efforts. It’s being used to improve threat detection and incident response. AI tools within networks can autonomously detect threats or attacks and even mitigate them before alerting a human. This integration of AI into the cybersecurity toolkit is proving to be a game-changer, though, as mentioned, these tools can be used for malicious purposes as well.
What are FTC safeguard rules? And why are they important?
The FTC Safeguard Rules are regulations established by the Federal Trade Commission in the U.S. to guide financial institutions—ranging from small accountancy firms to large banks—on how to protect sensitive data. These rules focus on maintaining confidentiality, integrity, and availability of data, especially regarding data subjects like consumers. The rules have been updated to ensure organizations are taking the necessary steps to safeguard personal information, and non-compliance can lead to significant penalties.
A common misconception is that the FTC rules mirror GDPR regulations in Europe, but they’re specific to the U.S. financial sector. Unlike GDPR, which is broadly applied, the FTC rules are targeted at ensuring financial institutions uphold data protection standards that affect how they handle sensitive information.
How can organizations foster a strong cybersecurity culture that engages all employees, not just IT and security professionals?
Building a strong cybersecurity culture begins with acknowledging that every organization already has its own unique culture. To influence it, start by integrating cybersecurity into the existing culture instead of trying to force a separate “cybersecurity culture.” People often view cybersecurity as an abstract issue, something that falls solely on IT teams. When you associate cybersecurity with everyday values like fairness or customer service, employees start to see its relevance.
For example, if an organization’s value is fairness, you can link that value to data protection by demonstrating how proper data handling ensures fairness to customers. This connection makes the principles of cybersecurity more tangible and relatable. It’s about making people understand that cybersecurity isn’t just about technology—it’s about protecting real people.
When approaching an organization, I always ask about their core values, objectives, and mission. Cybersecurity should support these goals. If an organization values fairness, protecting customer data in line with regulations is a direct reflection of that. Helping employees recognize these links makes the issue more meaningful.
The key is to engage people in a way that resonates with them personally and professionally so they see cybersecurity as relevant to their work. This approach is far more effective than imposing a top-down cybersecurity culture without context.
I believe executive support is crucial. When executives align with business goals, their backing filters down through the organization, doesn’t it?
Absolutely. Executive support is vital for creating a robust cybersecurity culture. It’s not just about setting up clear policies and procedures but also ensuring that cybersecurity aligns with the organization’s goals. When executives are onboard and understand the importance of cybersecurity, their support influences the rest of the organization.
For example, I worked with a dynamic, young organization that had no clear policies at first. They had just bought templates for security policies but didn’t fully understand them. After sitting down with them and simplifying the language to make it more relatable, their entire team became more engaged.
When working with boards, I always ask, “What do you want from your security program?” Every board member has their own priorities, whether it’s growth, efficiency, or staff retention. Understanding these goals helps frame cybersecurity as a tool for achieving those objectives. If you can connect cybersecurity to their personal and professional goals—like ensuring business continuity or even just getting their weekends back from IT crises—that’s how you gain real support.
When executives are invested in cybersecurity, it cascades down through the organization. It starts with simple conversations that align cybersecurity with business priorities, and from there, the culture can evolve.
What new technologies are CISOs currently considering for investment, and how do these align with their budgets? Are there trends in increased investment in certain tools while cutting back on others? Any insights?
There’s definitely a trend towards investing in a unified security platform—essentially a “single pane of glass.” These platforms provide a centralized dashboard that gives CISOs a clear view of what’s happening on their networks, as well as insight into external threats, data flow, and potential vulnerabilities. A lot of investment is going into data loss and data leak prevention tools, which are crucial for protecting sensitive information.
That said, the overarching trend I see is the continued focus on Security Operations Centers (SOCs), Security Information and Event Management (SIEM) systems, and Security Orchestration, Automation, and Response (SOAR) technologies. These tools help provide a comprehensive, real-time overview of network activity, making it easier to detect and respond to threats. As organizations increasingly operate in complex, distributed environments, these platforms are becoming more indispensable.
When it comes to budgets, I’ve found that the key to securing the necessary investment is aligning the technology with the broader objectives of the organization. It’s not just about the latest tech; it’s about demonstrating its value in a way that makes sense to the business. CISOs who can clearly articulate how a given technology will contribute to business goals—whether it’s improving operational efficiency or ensuring business continuity—are more likely to secure the budget they need.
On the flip side, there are trends of cutting back on tools that are no longer relevant or too complex. For instance, legacy technologies that don’t integrate well with modern, cloud-based infrastructures are being phased out in favor of more flexible, scalable solutions. As budget constraints become a reality, it’s essential to focus on the tools that provide the greatest return on investment, such as DLP, SOAR, and those unified security platforms.
What advice can you give to students in secondary school, A-levels, or university who want to get started in cybersecurity?
I always feel a bit of a fraud when giving advice here, because I went straight from school into a job—through a government-funded youth training scheme, not university. However, having seen many people who have pursued university degrees, I can offer a few key pieces of advice.
First, university is valuable, but it mainly shows that you know how to research, stick with a topic, and present your ideas in a structured way. That said, in the modern cybersecurity field, formal education alone isn’t enough. If you’re serious about entering the field, I’d recommend starting with certifications like CompTIA Security+. It’s a great foundational course that provides solid knowledge upon which you can build. I know it sounds basic, but don’t underestimate it. It’s crucial to have a strong foundation in cybersecurity principles before moving on to more specialized areas.
Second, be a sponge. Read as much as you can, from books to blogs to technical manuals. Cybersecurity is a broad field, so dive into areas that interest you, whether that’s ethical hacking, risk management, or frameworks like ISO 27001. Expand your knowledge continuously—watch YouTube tutorials, listen to podcasts, and engage with content across all mediums. The more you learn, the more you’ll see how different aspects of cybersecurity fit together.
Finally, network. Go on LinkedIn, follow cybersecurity professionals, and engage in online forums. Learn from those with experience and participate in discussions. Networking is crucial for gaining insights into the industry and understanding emerging trends. Plus, it opens doors to opportunities you might not find otherwise.
Formal education, self-directed learning, and networking are the three pillars of success for anyone entering the cybersecurity field.
Watch the full interview on YouTube here
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.