This year’s Channel Islands Cyber Security Conference charged for tickets for the first time and still drew its highest turnout in a decade. A good portion of attendees made the trip from Guernsey and the UK to join the discussions.
It’s a clear sign that security has become everyone’s business. It has gone from being a back-office function to a board-level issue, drawing investment and scrutiny well beyond IT. And as a result, CISOs now have to contend with new demands.
Our own CISO, Peter Lescop, sees these changes from a dual vantage point: inside JT and across the community. He sat down in an interview with our security partner, Cortida, to talk through how the role is evolving:
Cybersecurity and the boardroom
Today, the CISO role doesn’t resemble what it was ten years ago. Now that boards are increasingly treating cybersecurity as a standing agenda item, CISOs can’t just be security technicians. They have to become business leaders, considering not just cyber security but its context within the wider business and how it can enable business objectives.
Audit functions in many industries now demand firmer assurance from IT, often without fully grasping what’s realistically controllable. Security teams are also expected to quantify complex risks that don’t always lend themselves to neat numbers.
To meet these more exacting expectations, CISOs need to change how they present risk when reporting upward.
“The days of telling [the board] that your firewall is vulnerable to x or y exploit and it’s terrible and the world’s going to fall apart because of some other three-letter acronym is probably not the right way,” Peter explained.
Instead, CISOs should recognise that board members bring different perspectives: some may be more technical, others focused on finance or compliance. To meet those perspectives, they must calibrate their message to the shared lens, which is often risk: quantify downtime and cost exposure for finance, for example, and state notification obligations and timelines for governance.
Crisis management and communication
CISOs also have to plan for the messier side of security: what happens when an incident materialises and becomes public. Responses to such incidents are generally successful if you prepare, deciding roles and ensuring decision paths are well established before an incident happens, when decisions are still hypothetical and low risk.
The CISO doesn’t need to call every shot. After all, a cyber attack doesn’t stay within IT. It ripples through nearly every part of the business. Communications should oversee the timing and tone of announcements while HR addresses staff concerns and questions. The legal team should assess legal risk tied to response actions, and senior leaders could approve decisions that affect service uptime. Those roles need to be clear well before anything happens.
More than just writing a plan, Peter recommends rehearsing escalation routes and sign-offs to make lines of authority clearer. This is a good way to pin down ownership and see how decisions will play out once the clock’s running. Simple tabletop exercises that work through basic scenarios are a good first step.
Rehearsals also help teams get comfortable with the uncomfortable, like knowing when to ask well-meaning colleagues to step back so the investigation can move forward. This is far easier to do when roles are understood and routinely practiced.
Cyber security as a cost centre and budget
Cybersecurity investment has become easier to justify in recent years as high-profile attacks give C-suite leaders a direct view of the catastrophic knock-on effects breaches can trigger.
“[As a CISO], you have second-hand evidence of how these cybersecurity incidents can impact [your company] and the type of consequences that can arise, whether that’s economically, reputationally, and so on,” Peter explained. “Look at what’s happened over here. If the same happens to us, this is what the outcome could be.”
That frame of reference can make it easier to convince senior stakeholders to fund proactive security measures. But deciding where to put that money — especially as regulators add new reporting requirements and boards expect every investment to tie back to business priorities — is often harder than securing the budget itself.
Tender requirements can also steer where that budget goes. Peter notes that customers increasingly expect robust security practices from their suppliers, and that procurement processes now often include explicit security checks.
“You stand out from your competitor if you are a secure operator, if you can ensure that your customers can rely on you from a secure supply chain perspective. That’s a huge tick in the box to make your argument for your budgets.”
Training, awareness, and social engineering
Simulations and training are still extremely useful as first-layer barriers. But while they cover the basics, these programs can’t replicate how attackers adapt and exploit live uncertainty.
Repetition can also work against an organisation: when people see the same training format over and over, they start clicking through it without thinking. This makes it harder to gauge how they’d react in a real incident.
Instead of relying solely on training, Peter recommends that CISOs establish a supportive, security-conscious culture: a workplace where people are comfortable reporting mistakes and flagging suspicious activity as soon as they notice it, without fear of blame.
JT builds this mindset across teams and reinforces it with controls designed to catch human lapses before they snowball.
“It shouldn’t be possible for an individual to accidentally send an e-mail externally with heaps of personal data without some kind of failsafe to stop them doing so,” he explained.
“People will make mistakes, and you have to have compensating controls for those mistakes. Ultimately, there needs to be an awareness that you can trust people, but you need to verify.”
AI and cybersecurity: The promise and peril
Attackers now use AI to construct context-aware phishing content, making scams more difficult to distinguish from legitimate messages.
But the defensive side also gains from this polarising technology. AI tools can lower the skill threshold for threat analysis. Plain-language query systems now allow less-experienced junior team members to perform advanced searches without needing to write complex scripts.
Still, Peter cautioned against treating AI as a plug-and-play fix-all. It’s only useful if the data underneath is solid and reliable. Poor input or misunderstood signals will skew results, no matter how advanced the tool.
Ultimately, the fundamentals (access controls, detection systems, and well-understood infrastructure) must be in place before AI can do anything meaningful.
“If you don’t even have the basics in place, there’s no point worrying about AI threats. You’re going to fall over the first hurdle,” Peter warned.
The future of the CISO role
Even as the tooling evolves, the demands placed on CISOs continue to grow, and not always in sustainable ways. What used to fall under business continuity now often lands on the CISO’s desk.
To keep the role from becoming unmanageably broad, some organisations are starting to split duties between CISOs and new roles such as Chief Resilience Officers.
From Peter’s perspective, there’s no shortage of people who want to work in this space, just a shortage of open doors; the talent shortage in cyber security is a myth. That’s part of what drives JT’s mentoring efforts. Through its work with Cortida, the company is also helping new talent find their footing and contribute to a stronger local security ecosystem.
JT is helping CISOs adapt
JT is proud to be at the heart of the Channel Islands’ digital future. We’re trusted by businesses to deliver secure and digital infrastructure solutions tailored to their specific requirements.
Through our long-standing partnership with Cortida, we help clients harden their defences against attacks with hands-on support in:
- Security Governance, Risk & Compliance (GRC) consulting
- Penetration testing and cloud assessments
- Certification audits (Cyber Essentials, PCI DSS, ISO)
- Embedded experts (vCISO, vDPO, and more)
If you’re looking for experienced cybersecurity guidance or want to build resilience into your digital operations, contact the JT team today.

