The Calm in the Chaos


February 19th, 2026


In the world of information security, the true test of a leader doesn't happen during a successful audit. It happens at three o'clock on a Saturday morning when your phone's notifications start pinging and you realise your network is under active attack.

In the second episode of the Arcane Link podcast, host Ruben Clarke sat down with Andy Latham, a man who has lived through those Saturday mornings. Andy is a former Global CISO and a technical leader who has navigated the high stakes world of enterprise security for decades. This article explores his refreshingly honest take on incident management, the hidden risks of legitimate software, and why the human element is still the most important link in the chain.

The full conversation is available on YouTube and all major podcast streaming platforms.

From Atari Code to the Global C Suite

Andy didn't take a conventional route into security. His journey began in the eighties with an Atari 800 XL computer and a stack of magazines. Like many of his generation, he spent hours typing out lines of code without fully understanding them, just to see a game appear on the screen.

I didn't understand a single thing that I was typing, but I knew that if I did it exactly as it was written, you would get a game at the end of it.

This early obsession with how things work under the bonnet led to a career in software engineering and eventually technical leadership. His pivot into security happened after a major incident forced his board to realise that while their product was excellent, their security posture was an afterthought.

Andy stepped up to lead the recovery and discovered a talent for the high pressure reality of the work. He eventually moved into Global CISO roles, managing vast networks before becoming a fractional advisor for businesses today.

Incident Management: The Art of Staying Calm

When a cyber attack hits, the technical failure is often overshadowed by the human failure. Andy notes that in the heat of a breach, it's common to see people panicking, shouting, and desperately trying to find a scapegoat. This is the worst possible environment for recovery.

You have got to keep a level head. You cannot panic. Your job is to provide a focused plan and remind everyone that now is not the time for blame.

Incident response isn't about finding someone to fire; it's about finding a way back. The role of a security leader in a crisis is to be the calmest person in the room. Blame can wait for the retrospective. In the moment, you need a clear head and a practised plan.

The Power of the Tabletop Exercise

To achieve this level of calm, you must practise. Many companies have an incident response plan that sits in a digital drawer gathering dust. Andy suggests that the board should run regular tabletop exercises to test their decision making. Who speaks to the press? When do we notify the regulators? If these questions aren't answered before the crisis hits, you're already behind the curve.

Beyond the Firewall: Modern Defence Strategies

The traditional castle and moat approach to security is no longer enough.

Andy highlights several areas where businesses are often surprisingly vulnerable despite having expensive firewalls in place.

The Weaponisation of the Legitimate

Attackers have realised that it's much easier to use your own tools against you than to write complex new viruses. They use legitimate software like remote access tools and common system administration scripts to move through your network. Because these tools are already approved, they often fly under the radar of traditional antivirus software.

The solution is strict application control. You must know exactly what software is allowed to run on your production servers and block everything else by default. If a database server suddenly tries to run a file sharing tool, your systems should kill that process instantly.

Controlling Egress Traffic

Most security teams focus heavily on ingress traffic: who is trying to get into the network? However, Andy argues that egress traffic is just as critical. Once an attacker has a foothold, they need to communicate with their own server to steal your data.

By strictly controlling where your servers are allowed to connect, you can break the chain of the attack. If your business has no reason to talk to a specific geographic territory, you should block that connection entirely. A deny all approach for outbound traffic from sensitive servers is one of the most effective ways to stop a breach in its tracks.
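The deny-all outbound approach described above can be checked against flow logs. The following is an added example, not something from the podcast or from Arcane Link: the server roles, the policy entries, the log format and all addresses are constructed assumptions (destinations use documentation and private ranges).

```python
import ipaddress

# Assumed policy: each server role lists the only (network, port) pairs it
# may connect out to. A role with no entry is allowed nothing (default deny).
EGRESS_POLICY = {
    "db-server": [
        (ipaddress.ip_network("10.20.0.0/24"), 5432),  # replication peers
        (ipaddress.ip_network("10.0.0.53/32"), 53),    # internal DNS resolver
    ],
    "web-server": [
        (ipaddress.ip_network("10.20.0.0/24"), 5432),  # database tier
        (ipaddress.ip_network("192.0.2.10/32"), 443),  # one approved external API
    ],
}

# Constructed flow records: "<role> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = """\
db-server 10.20.0.5 10.20.0.6 5432
db-server 10.20.0.5 10.0.0.53 53
db-server 10.20.0.5 203.0.113.77 443
web-server 10.10.0.8 192.0.2.10 443
web-server 10.10.0.8 198.51.100.4 22
cache-server 10.30.0.2 10.20.0.6 5432
"""


def is_allowed(role, dst_ip, dst_port):
    """True only if the destination matches an explicit allow entry for the role."""
    dst = ipaddress.ip_address(dst_ip)
    for network, port in EGRESS_POLICY.get(role, []):
        if dst in network and dst_port == port:
            return True
    return False  # default deny: unknown roles and unlisted destinations


def find_violations(flow_text):
    """Return (role, dst_ip, dst_port) for every flow the policy does not permit."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        role, _src, dst_ip, port = line.split()
        if not is_allowed(role, dst_ip, int(port)):
            violations.append((role, dst_ip, int(port)))
    return violations


if __name__ == "__main__":
    for role, dst_ip, port in find_violations(SAMPLE_FLOWS):
        print(f"DENY {role} -> {dst_ip}:{port}")
```

The `cache-server` flow is flagged even though its destination looks internal, because a role without a policy entry is allowed no outbound connections at all.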

The Last Line of Defence: Air Gapped Backups

Andy is very clear on one point: you must operate under the assumption that you will eventually be compromised. When that happens, your backups are the only thing standing between your business and total ruin.

Modern ransomware is designed to find and delete your backups before it encrypts your main files. If your backups are sitting on the same network as your production data, the attacker will find them.

True resilience requires air gapped backups. This means there is a physical or logical separation that prevents an attacker from jumping from the main network to the backup vault.

You must assume you will be hit; your ability to recover depends on having backups that the attacker cannot see.

Shadow AI and the New Frontier of Risk

The rise of generative AI has created a new challenge that Andy refers to as Shadow AI. Developers and staff are eager to use tools like Cursor or ChatGPT to increase their productivity. While the efficiency gains are fabulous, the security risks are significant.

The primary concern is the leakage of intellectual property. If a developer pastes your proprietary source code into a public AI model, that data is now out of your control.

We're using these tools to be faster, but we must be sure we're not being faster at making mistakes.

To counter this, Andy suggests the use of secure universal prompts. This involves creating a set of mandatory instructions that are given to the AI before any work begins. These prompts can include security guardrails, such as a requirement to follow the OWASP top ten principles.

By wrapping the AI in a layer of governance, you can reap the rewards of the technology without leaving the door open for catastrophic mistakes.

The Human Firewall

We often hear that people are the biggest risk, but Andy prefers to see them as the primary asset. Almost every attack he sees involves some form of social engineering.

The trick to building a genuine security culture is not another dry PowerPoint presentation. Andy suggests running brown bag lunch sessions on personal cyber hygiene. When you teach staff how to protect their online banking and their kids' social media accounts, they naturally start bringing that vigilant mindset to the office.

Start to think about how you can protect yourself personally, because that naturally then flows into the corporate world.

Looking Forward: Supply Chains and Quantum Threats

As the conversation draws to a close, Andy looks at the hurdles on the horizon. The first is the supply chain. We are only as secure as the weakest link in our vendor list. We must move away from simple box ticking exercises and move toward continuous, meaningful assessment of our partners.

The second is the looming threat of quantum computing. While it feels like science fiction, the ability of quantum machines to break modern encryption is a real concern. We must start thinking about quantum safe algorithms today so that we are prepared when the technology matures.

Key Takeaways from This Conversation

  • Prioritise Calm: Incident response fails when leaders panic. Rehearse your plan until the reaction is second nature.

  • Control Your Outbound Traffic: Do not just watch who comes in; watch who your servers are talking to.

  • Air Gap Your Backups: If the attacker can see your backups, they can destroy them. Keep them separate.

  • Govern Your AI: Use secure universal prompts to ensure that productivity gains do not lead to data leaks.

  • Human First Security: Build culture by helping people protect their personal lives first.

Why We Are Doing This

Arcane Link exists to lift the lid on the human side of security, to have the conversations that normally stay off camera, and to remind people that you are allowed to be pragmatic, curious, and occasionally unsure.

We are not here to scare anyone.

We are here to help businesses understand the why, so the how becomes manageable.

If Episode 002 resonates and you are looking for a consultancy that prefers light touch systems over paperwork marathons, you already know where to find us.


© ADL Consulting Ltd 2026. All rights reserved.