In an environment where cyber threats evolve faster than regulation, UK organisations are being asked to defend themselves with rules written for a different era. That tension sits at the centre of a recent episode of the Security Strategist, where host Trisha Pillay speaks with William Wright, Chief Executive Officer of Closed Door Security and Scotland’s first accredited (chartered) hacker. Their conversation moves beyond headlines and funding announcements to examine why, despite growing awareness and investment, both public and private sector organisations in the UK continue to be compromised.
The Biggest Cybersecurity Challenges Facing UK Organisations
As Wright explains, cybersecurity cannot be understood purely from policy documents or tooling dashboards. It has to be understood from the attacker’s point of view. From where he stands today, the UK cybersecurity landscape is marked by a growing gap between how organisations believe they are protected and how exposed they actually are.
One of the most persistent misconceptions Wright highlights is the belief that buying cybersecurity tools automatically makes an organisation secure. Too many businesses, he argues, rely on poorly implemented services or procure technology they don’t fully understand.
The result is a false sense of confidence. Organisations assume they are protected, but still fall victim to ransomware, business email compromise, and financial fraud. Often, the tools they’ve invested in are never properly tested, validated, or tuned to their environment.
Awareness is another issue. Despite constant media coverage of cyber attacks, cybersecurity is still not consistently treated as a board-level risk. When it remains a technical afterthought rather than an operational priority, organisations struggle to respond effectively when incidents occur.
Wright also challenges the idea of a simple “skills gap.” While much of the discussion focuses on a lack of junior talent, he argues the real problem sits at the top. Too many cybersecurity decisions are being made by individuals without deep, hands-on experience, particularly in senior or policy-shaping roles. This lack of expertise leads to misaligned strategies, both in organisations and in government.
The UK Government’s Cyber Action Plan
The UK government’s £210 million cyber action plan is, in Wright’s view, a welcome signal but not a solution. Any investment in cybersecurity is positive, yet the plan largely reflects practices the private sector has been using for years.
This creates a familiar pattern: the private sector absorbs the damage, and the public sector learns from it later. Economically, Wright argues, this approach is flawed. When businesses are repeatedly compromised, the impact extends far beyond individual organisations.
Legislation is another weak point. Cyber threats evolve daily, but laws move slowly. The Computer Misuse Act, for example, has not been meaningfully updated in over a decade. In a world of cloud computing, automation, and AI-driven attacks, this leaves the UK operating with outdated guardrails.
What Government Can Learn From Offensive Security
As the CEO of an offensive security firm, Wright sees the same pattern repeatedly: organisations are compromised using relatively unsophisticated methods. These are not advanced, state-of-the-art attacks. They are basic weaknesses that remain unaddressed. The problem, he suggests, is that policymakers are often advised by people who have never actively attacked real systems. This disconnect shows up in legislation and regulation that look sound on paper but fail in practice.
Other governments have taken a different approach. Bug bounty programmes, for example, allow ethical hackers to test government infrastructure and responsibly disclose vulnerabilities. These programmes force transparency and accountability. Despite this, the UK has been slow to adopt similar models.
Where Cyber Resilience Efforts Should Focus Next
Beyond legislation, Wright points to funding and enforcement as critical gaps. Many public sector organisations know where their risks are, but lack the budget to fix them. Meanwhile, regulatory bodies often lack the authority to enforce remediation.
Without both funding and enforcement, reports identifying serious vulnerabilities are filed away rather than acted upon. This cycle repeats until an attack forces emergency investment, which is often too late.
Emerging Threats Organisations Must Prepare For
Looking ahead, Wright identifies two major areas of concern. The first is the use of AI in cyber attacks. AI is not replacing attackers, but it is dramatically accelerating them. Tasks that once took hours can now be completed in minutes, shrinking the window for detection and response.
The second is technology supply chain risk. Attacks on widely used software tools can give attackers access to thousands of organisations at once. Past incidents involving widely trusted vendors show how devastating these compromises can be, particularly when they go unnoticed for long periods.
Despite the scale of the challenge, Wright’s advice is grounded and practical. Multi-factor authentication is non-negotiable. Organisations without MFA are, in his words, “sailing blind.”
He also urges businesses to validate their security investments. Spending heavily on defence while allocating minimal budget to testing is self-defeating. Security tools do not work perfectly out of the box, and testing must go beyond surface-level assessments. Finally, Wright stresses the importance of depth. Black-box testing alone is not enough. Organisations need to assume breach scenarios and test how attackers move inside their environments, particularly through identity-based attacks such as phishing.
Takeaways
- Cybersecurity is frequently mistaken for deploying tools, rather than managing risk.
- Cyber risk must be treated as a board-level responsibility, not a technical afterthought.
- The real cybersecurity skills gap exists at senior and decision-making levels.
- Cyber legislation is largely reactive and struggles to keep pace with modern threats.
- Bug bounty programmes can help governments identify weaknesses before attackers do.
- Offensive security insight strengthens defensive strategy and decision-making.
- Legacy systems can be secured when risks are properly understood and addressed.
- AI is accelerating the scale and speed of cyber attacks, not replacing attackers.
- Security investments must be validated through continuous testing and assurance.
- Multi-factor authentication is a foundational requirement for modern cyber resilience.
Chapters
00:00 Introduction to Cybersecurity Landscape
02:56 William Wright's Journey in Cybersecurity
05:56 Current Cybersecurity Challenges in the UK
08:53 Evaluating the UK Government's Cyber Action Plan
12:03 The Impact of Legislation on Cybersecurity
15:01 Lessons from Offensive Security for Government
16:55 Notable Cybersecurity Breaches and Their Impacts
19:59 Future Focus: Improving Cyber Resilience
24:01 Emerging Cyber Threats: AI and Supply Chain Risks
27:48 Practical Advice for Organisations
31:05 Conclusion and Key Takeaways