Graham Cluley has spent more than three decades watching cybercrime grow from niche computer mischief into a boardroom threat.
The award-winning cyber security expert, speaker, blogger and podcaster began his career in the early 1990s, writing the first Windows version of Dr Solomon’s Anti-Virus Toolkit before holding senior roles at Sophos and McAfee. Today, he is one of the few voices in cyber security who can explain hacking, scams and AI risk without burying audiences in jargon. Both of his podcasts – Smashing Security and The AI Fix – have won European Cybersecurity Blogger Awards.
His work has taken him to major stages including RSA, Black Hat, WebSummit and Infosec, while his commentary has appeared across the BBC, CNN and The New York Times. Through his talks and podcasts, Graham turns technical risk into stories people remember, and, more importantly, act on.
In this exclusive interview for the IT Security Guru, conducted by the London Keynote Speakers Agency, Graham discusses why cyber security training should never be boring, how AI is changing the fight between attackers and defenders, and why protecting an organisation starts with making people care.
You are known for making cybersecurity easier to understand for people outside the technical world. How do you turn complex threats into advice people can actually use?
Graham Cluley: “It’s important to strip away the jargon.
“Us nerds love the acronyms and the buzzwords, but it’s like we’re speaking a foreign language to the typical person. We have to put these things into language people will understand and use relatable analogies, things they can actually get a proper grip on.
“I think that’s really important. Use humour as well. The best way to learn is by telling funny stories.
“So many people, when they’re given induction training, think, ‘This is something I’ve just got to sit through and put up with.’ It doesn’t have to be like that. It can be fun.
“It can be something people are talking about in the weeks following the presentation, saying, ‘Oh my goodness, that story of how that hack occurred or what happened to that company because it did X, Y and Zed.’
“It will stick in people’s brains and help you keep your company protected.”
AI is changing cybersecurity on both sides of the fight. How do you see it reshaping the threat landscape for attackers and defenders?
Graham Cluley: “Artificial intelligence is changing the world. There’s no doubt about that.
“However much we may want to stop it, like King Canute sat on the beach in his throne trying to stop the waves coming in, AI is coming and it’s changing everything.
“It’s changing things for the attackers. It has democratised cybercrime.
“Do you remember those old phishing emails you used to get, which were badly worded with spelling mistakes? It was obvious it wasn’t really a prince from Nigeria contacting you.
“AI means the emails and messages will look completely faultless. They won’t look like they have any errors in them, and they will be targeted towards you because AI will be able to go onto the net and learn things about you.
“It can learn how your bosses communicate with you, use the same language and make it really attractive for you to click on a link.
“There are other kinds of cyberattack as well, which will be augmented and powered by artificial intelligence and grown at an enormous rate.
“But let’s not be too scary, because the good news is AI can also be used to defend your organisation.
“AI is a tool. It can be used for bad. It can be used for good.
“The people defending your organisation, and the technologies they use, are using AI to better detect anomalies, spot strange behaviour on your network, prevent it and shut it down.
“It’s swings and roundabouts. There’s a good side to it. There’s a bad side to it, but we can’t deny it’s happening.
“I think we’d be wise, if we want to defend ourselves, to really embrace it in the right way.”
When people leave one of your talks, what do you want them to understand about cybersecurity that they may not have realised before?
Graham Cluley: “I hope they’ll think cybersecurity and hacking aren’t boring.
“I hope they’ll realise AI is interesting. I hope they’ll be entertained and amused.
“Most importantly, I hope they’ll be empowered to take the knowledge they’ve gained during the presentation to better defend their company, and have stories to share with their colleagues and peers.
“It shouldn’t be a snoozefest. It shouldn’t be a snorefest.
“It should have lots of energy, really engage the audience and make them think, ‘Oh my golly, I’ve never thought of that before.’”




