Analysis and perspective from Nick and Jessica Ashley on cyber risk, health policy, and the decisions that sit at the centre of both.
Technical controls have matured. Adversaries adapted. The vulnerabilities that now matter most are not in the stack. They are in decision-makers, process owners, and the cognitive shortcuts that govern behaviour under pressure.
Regulatory compliance establishes a floor. For critical infrastructure operators, that floor is necessary and nowhere near sufficient. The gap between what CIP requires and what an adversary can exploit is where breaches happen.
Executive risk reports are typically designed to satisfy audit requirements. Boards read them and believe they are informed. The organisation remains exposed. The reporting structure is the problem.
Regulated industries are asking the same question about AI adoption: how do you govern something that moves faster than your risk frameworks? Build governance proportionate to consequence, not to novelty.