Sync NI hosted a roundtable of leading cybersecurity professionals from across Northern Ireland to discuss the evolving threat landscape, the enduring challenges of skills and investment, and what the region needs to do to protect and grow its cyber sector.
The pace of change in cybersecurity has always been relentless. But according to a group of senior professionals who gathered for a frank roundtable discussion hosted in Rapid7’s Belfast offices, something has shifted. The threats are faster, smarter, and more deceptive than ever before. The tools available to attackers have democratised in ways that would have seemed implausible even five years ago. And while Northern Ireland's cyber community is widely regarded as one of the most collaborative and capable in the UK, significant structural challenges remain, from boardroom blind spots to a skills pipeline that needs to adapt to ensure it remains fit for purpose in a rapidly evolving threat landscape.
The panel brought together voices from across the ecosystem. It was chaired by Rapid7’s Thom Langford, CTO EMEA, who was joined by Ned Faulkner, AI Security Engineer at Version 1; Jason Donnan, Security Manager at Apex Fintech Solutions; Joanne English, Cluster Manager for NI Cyber; Ben Harrison, founder of Loquerion Security; and Colin Metcalfe, Cyber Defence Operations Manager at TP ICAP. The conversation ranged across AI-driven threats, nation-state activity, the limitations of threat intelligence, and the urgent need to rethink how the industry attracts and retains talent.
We are often told that we now exist in a new threat landscape. While this might appear to be true, fundamentally it’s the same playbook, now playing out at a terrifying new speed fuelled by advancements in technology. As a statement, this is a good place to start a conversation with industry experts who work at the coalface of cyber security and to get a sense of the issues facing the sector.
There was broad consensus that the fundamentals of cyber-attack and defence haven't changed; their velocity and sophistication, however, absolutely have. "History doesn't repeat itself, it rhymes," observed Version 1’s Ned Faulkner. "We're seeing that exactly with how AI is being used for things like deepfakes and supply chain attacks. These aren't unfamiliar attacks. What has changed is the speed and complexity."
The days of spotting a phishing email by its broken English and obvious spelling mistakes are over. Modern AI-generated communications are fluent, contextually accurate, and increasingly indistinguishable from the genuine article. Voice cloning, the panel noted, now requires as little as three to five seconds of audio, easily harvested from a LinkedIn video or corporate marketing content, to produce a convincing imitation of a senior executive. The implications for social engineering attacks are significant.
Loquerion’s Ben Harrison drew on an analogy that resonated throughout the discussion: "Humans invented scissors. It was a good day all around. Shortly thereafter, someone started running with them." The dual-use nature of almost every powerful cyber tool means that defensive and offensive capabilities advance in lockstep. Blocking one attack vector simply redirects adversaries to the next.
What has genuinely changed, the group agreed, is the speed of exploitation. Where previously a zero-day vulnerability might sit dormant for weeks or months between discovery and active exploitation, that window has now collapsed to days, sometimes hours. Attackers, increasingly operating with automated pipelines and near-zero marginal cost per attack, can afford to throw everything at every target. "99-plus percent of attacks don't get through the initial phase," observed Ben Harrison, "but they're all automated, so the cost is so low that you may as well throw everything at the wall."
If there had been a sweepstake on how long it would take for Mythos to enter the conversation, few would have been surprised that it was mentioned when the introductions were barely complete. When the question of AI being utilised as an offensive weapon was raised, the conversation inevitably turned to Anthropic's recently disclosed 'Mythos', an AI model that, in controlled testing, was reportedly capable of identifying and chaining exploits autonomously, including the detection of a 27-year-old unpatched vulnerability in an open-source system. Anthropic has chosen to keep the model closed-source, citing the risks of public release.
"The key thing this has spotlighted," said Ned Faulkner, "is how AI can be used both offensively and defensively." The panel was careful not to overstate the threat: for the moment there remains genuine debate about how much of the Mythos narrative is security research and how much is marketing. But the directional implications are serious. If AI systems can reliably chain exploits and identify vulnerabilities at a scale and speed no human team can match, the already-stretched patching cycles faced by most organisations become effectively untenable.
Jason Donnan of Apex Fintech Solutions, drawing on his background in health service cybersecurity before moving to FinTech, put the challenge bluntly: "Nobody can keep up with patching cycles as things currently are. If they start throwing out critical vulnerabilities at a really high rate, we're in serious difficulty."
Debate moved, somewhat predictably, to the subject of ‘Boards, Budgets, and the Language Problem’.
Perhaps the most animated part of the discussion centred on a problem that has dogged the cybersecurity industry for years: the chronic failure to translate technical risk into language that resonates in the boardroom. Several panellists noted that despite years of effort to elevate cyber to board-level status, the result has often been slower procurement cycles rather than faster responses.
"By the time a request for new tooling gets to board level and gets agreement, the world has changed so rapidly that everything being discussed is already obsolete," noted NI Cyber’s Jo English, reflecting feedback from member companies in her organisation. This was echoed by TP ICAP’s Colin Metcalfe, who added that the organisations most likely to act are often those responding to a recent incident, or a change of CISO, rather than proactively planning ahead.
Ben Harrison argued that the fundamental problem is one of category: cybersecurity is being treated like a project, when it’s actually an ongoing adversarial relationship with no fixed endpoint. "You can't win cybersecurity by defining a three-year strategy, setting the budget, executing, and declaring it finished. The adversary reacts to everything you do. It is war, not in terms of explosions and shooting, but it is a war."
The panel's recommended approach was to reframe the conversation entirely, away from fear, uncertainty, and doubt, and towards risk-adjusted return on investment. "Rank your risks by return on investment to address them," suggested Ben Harrison. "Start with impact and likelihood, then consider the cost to reduce that risk to a point where you can sleep at night, and then just start spending down that list until you're comfortable. That language lands in boardrooms, because risk and price are things boards understand."
Equally important, the group argued, is improving the industry's ability to demonstrate the value of what it does, something cybersecurity has historically been poor at. "How do you prove a negative?" acknowledged Rapid7’s Thom Langford. "How do you prove something didn't happen because you did something?" It remains one of the sector's most persistent unsolved problems.
The conversation moved on to address the impact of nation states, blurred lines, and the limits of threat intelligence.
The discussion also addressed the growing convergence of nation-state actors, criminal groups, and hacktivists, a trend that is fundamentally complicating defensive planning. The model is increasingly one of state-sponsored outsourcing: sovereign cyber operations providing cover, resources, or simply looking the other way while affiliated criminal groups conduct attacks against designated targets.
"China hacks for data, North Korea hacks for money, and Russia hacks for mischief," as one widely cited formulation has it. The problem, as Colin Metcalfe noted, is that when you combine that three-way motivation with increasingly sophisticated tooling and a broad community of independently motivated bad actors, the attack surface becomes almost impossible to map reliably.
This matters particularly for how organisations consume threat intelligence. Jason Donnan highlighted the risk of treating intelligence feeds, even from high-fidelity sources such as FS-ISAC (a not-for-profit organisation that advances cybersecurity and resilience for the global financial system, representing over 5000 organisations globally), as definitive or complete. "Threat intelligence must be tailored to your industry, business and assets to provide true benefit," he said. "If not, it can lead to false positives and waste analysts' time investigating due to the quantity of intelligence feeds available." The group cautioned against single-source dependency and urged organisations to apply contextual judgement rather than treating any intelligence report as a final word.
On the supply chain front, Jason Donnan pointed to a rapidly escalating problem: vendor proliferation. “This expands the attack surface and introduces risks that you do not fully control.” The problem has been highlighted by the number of recent third-party breaches and is concerning because of their impact. “A compromised vendor can become an indirect route into your environment, even if you have strong defences in place.”
One question offered to the floor was whether we are currently suffering from a skills gap or, rather, whether an attitude gap is being overlooked.
If boardroom engagement was the session's most animated topic, the skills conversation was arguably its most hopeful. The panel pushed back sharply against the conventional narrative of a widening skills gap driven by supply failing to meet demand. The real problem, several argued, is that the industry continues to hire badly.
"We have an attitude gap, not a skills gap," challenged Thom Langford, playing devil's advocate in his role as chair. "We just seem to expect that we can only ever hire round pegs to fit round holes." The panel offered vivid counterexamples. Colin Metcalfe described hiring a 17-year-old with no A-levels who became one of the best cyber analysts he had ever worked with. Jason Donnan noted that one of the most effective members of his security operations team came from a background in design and architecture, bringing entirely fresh perspectives to threat analysis. "If people have the same background, they all come up with the same conclusion," he observed. "Having people from different backgrounds is genuinely fascinating as well as operationally beneficial."
Ben Harrison was characteristically direct about what the industry should be looking for: "You can't teach passion. If you put a puzzle in the middle of the interview room, the person you want is the one whose eyes light up the moment they see it." He was equally critical of some educational pathways that have prioritised tool familiarity over genuine problem-solving instinct. "They didn't teach them to be cybersecurity professionals. They taught them to use the tools from ten years ago."
The group also stressed that cyber careers extend well beyond the technical. Governance, policy, risk management, audit, and business continuity roles are all vital, and yet these careers are chronically under-promoted in schools and universities. One example stood out: a head of cyber audit hired for their degree in human psychology, who turned out to be an exceptional interviewer of technical staff precisely because they asked questions no one else had thought to ask.
Retention, too, came under scrutiny. Colin Metcalfe highlighted the unsustainable pressure placed on analysts, with burnout within 18 to 24 months common, and hence the need to build genuine flexibility and training investment into working models. "The time for certification should be within your working week, not tagged on to the other 38 hours," he said. Pay-back clauses tied to certification costs were singled out as a particular barrier, especially for talented staff in lower-wage markets.
So what comes next? As the threat landscape evolves, how do insider threats, autonomous systems and the human question factor into all of this?
Looking ahead, the panel identified several emerging threats that warrant serious attention. The rise of the human insider threat, not in the traditional sense of a disgruntled employee but in the form of state-sponsored actors infiltrating companies through remote hiring processes, was flagged as a growing and underappreciated risk. The widespread shift to remote and hybrid working has made this significantly easier to execute, and deepfake technology means that even sustained video-call contact may not reliably verify identity.
AI-driven propaganda and influence operations were also raised as a significant near-term concern: the systematic use of social media to manipulate public opinion across borders, at a scale and sophistication that will only grow. "We need some kind of global governance and cross-border agreement on standards for verifying whether content is human-generated," said Ned Faulkner. "That is going to be a major topic."
Further out, Ben Harrison drew attention to the concept of fully autonomous companies, organisations with no human employees, operating entirely through AI and robotics, as a genuinely novel attack surface. "Human out of the loop will be getting bigger," he said. On quantum technologies, the panel was measured: significant, yes, but the killer application remains unclear and the timeline uncertain.
