Diligent Q&A – Oliver Newbury on building cyber resilience, the double-edged sword of AI and navigating regulations
With Diligent's Cyber Risk Virtual Summit less than a week away, we sat down with Oliver Newbury, Senior Advisor, TPG and Former Global CISO, Barclays, to discuss the most pressing cybersecurity trends impacting EMEA organizations today. Don’t miss the chance to hear more from Oliver and other industry leaders—register for the summit today!
Q. Hi Oliver! Tell us about your background.
A. Over the years, I’ve had the privilege of working at the forefront of technology and cybersecurity. Today, I serve as a Senior Advisor at TPG, helping businesses drive growth and innovation. I also sit on the Board of Directors at Immersive Labs, a platform revolutionizing how teams upskill and prepare for cyber threats, and serve as a strategic advisor at Halcyon, where I focus on improving global cyber resilience by helping customers resist and recover from ransomware attacks. My previous roles include leading global cybersecurity as Barclays' CISO and advancing tech innovation as CTO for BT’s Security Division.
Q. What are the most significant trends shaping the EMEA risk landscape in cybersecurity and AI? How should organizations prepare for these emerging threats?
A. Unfortunately, the EMEA risk landscape is significantly influenced by geopolitical conflicts, such as the Russia-Ukraine war and the ongoing tensions in the Middle East. These events have introduced new layers of cyber threats, including state-sponsored attacks targeting critical infrastructure and businesses.
Another key trend is the rising intersection of AI and cybersecurity. While AI offers transformative benefits in automating threat detection and response, it also introduces new vulnerabilities, such as adversarial AI and the misuse of generative AI for more sophisticated phishing and deepfake attacks.
As a result, there is a growing requirement for leadership, including board members with the help of CISOs, to develop cyber literacy. Cyber risk must be communicated in a clear and digestible way to enable effective decision-making at the highest levels. This involves establishing a robust framework for governing and managing cybersecurity, benchmarking against industry peers, and packaging insights into straightforward, actionable reports. Reporting must no longer be an afterthought but rather an integral part of organizational governance.
Organizations must also adapt to increasing regulatory scrutiny and evolving compliance requirements, such as NIS2 and the EU AI Act. Preparing for these challenges requires a proactive, holistic approach. Companies should:
- Enhance their AI governance frameworks.
- Strengthen incident reporting protocols to meet regulatory timelines.
- Conduct regular cyber resilience exercises to ensure preparation for complex scenarios.
- Engage leadership to ensure cyber risk literacy and alignment with overarching business goals.
Q. In your experience, how is AI reshaping cybersecurity strategies, both as a tool and a potential vulnerability?
A. AI's impact on cybersecurity is threefold. First, organizations must think about how they’re securing AI models. As companies increasingly integrate AI into applications, the technology itself becomes a potential attack vector. Tailored security strategies, similar to those developed during the transition to cloud computing, are essential.
AI can also be used as a security tool. AI-powered tools improve detection, automate responses, and serve as a sort of copilot for security teams. An obvious benefit is in addressing critical areas like identity management and vulnerability prioritization, and we're already seeing much more of this as the use of AI broadens.
The third, most worrying impact is AI in adversarial hands. Threat actors are beginning to exploit AI, from crafting sophisticated phishing emails to using deepfakes for social engineering attacks. These advancements raise the stakes for defenders, requiring continuous innovation in security approaches.
Q. Your upcoming session in Diligent’s 2025 Cyber Risk Summit covers NIS2, the EU AI Act, and DORA. In your opinion, what is the most challenging aspect of navigating these regulations for organizations operating in EMEA?
A. A significant challenge will be incident reporting. Organizations will need to develop disciplined reporting frameworks and be aware of the time it takes to get these reports out and ensure they’re compliant with regulatory requirements. This is particularly difficult for industries not traditionally subject to rigorous regulatory oversight.
Third-party risks are another challenge. Many regulations emphasize securing supply chains, requiring companies to take compliance to an added layer of depth. This can become quite challenging with complex supply chains, where companies do not necessarily have this type of leverage over critical suppliers. So thinking about how they're going to bring all this into practice through robust third-party risk management practices is going to be quite important.
Q. Resilience is a central theme of this summit. How can organizations build robust cybersecurity frameworks that align with evolving EU standards? What role do leadership and board-level engagement play in strengthening resilience?
A. Resilience has become absolutely central to cybersecurity in recent years. While organizations have made significant progress in building defenses, the reality is that no defense is perfect. Resilience focuses on the next step: assuming something will go wrong and planning how to recover quickly, minimize disruption, and ensure services continue without widespread or systemic impacts.
Building resilience starts with understanding your business at a fundamental level. This means knowing your critical services and the people, processes, technology, and third parties that support them. Once you have that baseline, you can start testing disruption scenarios—like ransomware attacks—and plan how to reconstitute systems, shift resources, and recover as quickly as possible, minimizing the window of impact for customers.
Leadership and the board play an essential role here. Resilience isn’t just a technical issue; it’s a business-wide challenge. Boards need to be actively involved, not only governing but also participating in crisis management exercises. Regular, realistic testing—at least annually—is key, with scenarios that stress the organization’s systems and plans. These exercises should go beyond just checking the box; they need to drive learning, improvement, and readiness.
Ultimately, resilience requires a holistic approach that connects every part of the business. It's not just about protecting against threats but ensuring that, when challenges arise, the organization can respond effectively and continue to thrive.