The Business of Cybersecurity

There are genuinely useful distinctions (DORA being rules-led vs UK regime outcome-led, the 24-hour/10-question reporting requirement, intentionally vague incident definitions, concentration and nth-party risk), but they're diluted by ad reads, repetition, and platitudes like 'protection isn't enough.'

“operational resilience regime in the UK is outcome led”

“you're obliged to do that within 24 hours”

The content is largely a competent explanation of existing regulations rather than fresh or contrarian thinking; the 'collective defence' and 'resilience is board-level' framings are widely circulated takes.

“protection is not enough”

“when it comes to cybersecurity, they aren't competitors, they have adversaries, they have shared adversaries and we need a collective defense”

Ben Gibbons is a relevant senior practitioner—Managing Principal for Banking, Financial Services and Insurance at Orange Cyberdefense, the largest MSSP in Europe—with direct exposure to FS clients and regulatory work.

“my official title is Managing Principal for Banking, Financial Services and Insurance at Orange Cyber Defence”

“we've got about 60 active clients of different shapes and sizes”

Strong use of named examples and concrete numbers: the F5 breach, Clop campaign accounting for 18% of Q1 2025 extortion victims, the 40% third-party stat, 12-25 million pound cost estimate, £90m government pledge, Grisledger's 16,000 suppliers, and 19,000 incidents analysed.

“F5 is used by about 80 % of Fortune Global 500 companies”

“accounted for around 18 % of all cyber extortion victims”

The host asks topical, organized questions but they are long, leading, and PR-friendly; there is no pushback, no probing of Orange Cyberdefense's commercial framing, and claims go unchallenged.

“So does that statistic confirm that supply chain exposure has become one of the most defining cybersecurity risks”

“I think that is a powerful moment to end on so much food for thought there and I cannot thank you enough”