Acceptable Risk (Documented)

Because "documented" isn't a mitigation strategy

Classifying AI Risk Before You Deploy It

I was doing a review for a client in the entertainment sector recently. Not a cyber incident. A broader governance piece. During the review we found tools already embedded in their outreach operation. Approved software. Budget already signed off. Users already dependent on it. One of them was segmenting audiences. Deciding, in effect, who got…

April 27, 2026

Your Risk Appetite Doesn’t Matter When You Inherit Theirs

I got a call from a client after their MSP went dark. Not a courtesy call. A crisis call. The service had been breached. Everything dependent on it had stopped. They were buying laptops, actual laptops, from a shop, just to keep people working. The breach lasted over a month. When I arrived, the first…

April 27, 2026

The Risk Register Nobody Looks At

Someone asked a simple question in a quarterly risk review last month. “What’s actually different in the business since last quarter?” The register was updated. RAG statuses were current. Actions had owners. Nobody could answer. That’s a large manufacturing client. Well-governed on paper. But the register had been maintained religiously while the business ran in…

April 16, 2026

What GDPR Actually Asks For

Most GDPR programmes spend too much time producing artefacts and not enough time proving judgement. Somewhere along the way, privacy compliance became a document factory. Another policy. Another register. Another DPIA filed in a folder nobody opens. But that is not what the law asks for. UK GDPR asks for something more practical and more…

April 9, 2026

The Quiet Risk Behind the AI Rush

We’ll Pick That Up in the Next Release

Mid-career. An operational system going live. “We’ll pick that up in the next release.” The controls weren’t forgotten. They were scheduled. That’s a different problem. Forgotten means oversight. Scheduled means someone looked at the risk, decided the timeline mattered more, and moved on. The downside still felt…

March 24, 2026

When Defence Spending Becomes a Cyber Security Problem

The UK government wants to hit 3% of GDP on defence by 2029, several years earlier than originally planned. That’s an additional £17.3 billion a year by 2029/30 on the OBR-based estimate that’s been widely cited. No formal decision has been taken yet and the Treasury is reportedly cautious, but the direction is clear. At…

March 17, 2026

    © 2026 Paul Maxwell. All rights reserved
