In this fireside chat, we welcome Jane Frankland MBE, a seasoned cybersecurity expert whose career began in the late 90s with the creation of a penetration testing firm before moving into senior executive roles.
She shares her motivations for entering cybersecurity, explaining how her initial interest in the field’s financial potential evolved into a deep commitment to combating cybercrime and protecting global safety and freedom. Drawing from extensive experience, she offers valuable insights into emerging cybersecurity trends for the coming year, as well as the challenges and opportunities that lie ahead.
Key topics include the role of AI in cybersecurity, its real-world limitations, and how it compares to human expertise. The discussion also covers the evolving threat landscape, from advanced hacking techniques like phishing and credential stuffing to strategies CISOs can implement to reduce credential-related breaches.
Another critical focus is the growing significance of APIs as a new battleground, along with the need for a proactive security culture that addresses these threats. Additionally, the conversation explores increasing regulatory demands and the importance of building a robust security strategy rather than merely meeting compliance requirements.
Key moments:
- [00:21] Meet Jane Frankland
- [03:02] Real-World Limitations of AI in Cybersecurity
- [06:41] AI-First vs Human-First in Cybersecurity: A CISO’s Decision
- [11:17] The AI Arms Race in Cybersecurity
- [12:27] Advanced Hacking Techniques Beyond Phishing
- [14:10] Strategies to Minimise Credential-Related Breaches
- [17:05] Why APIs Are a Prime Target for Cyber Attacks
- [18:28] CISO's Role in Securing APIs
- [21:58] Meeting Regulatory Demands Without Checkbox Compliance
- [26:37] Communicating Cybersecurity Risks to Business Leaders
Useful links
- Follow Tech Insights For Professionals on LinkedIn
- Follow Jane Frankland on LinkedIn
- Jane Frankland Website
- IN Security, the book
Insights For Professionals
You came into cybersecurity by building a penetration testing firm in the late 90s, and after selling it 16 years later you moved into several executive roles. What motivated you to pursue this field, and how do you stay ahead in an ever-evolving field?
Jane Frankland MBE
Yeah, I mean, look, when I first came into cybersecurity, I've got to admit, the attraction really was to make money. But that said, when I looked at how incredibly exciting, dynamic and, groundbreaking it was – certainly back in the late 90s, which is when I came into it – cyber was such a new field. And it really felt to me like this kind of untapped goldmine of opportunities.
So for me, it really was – yes, it was about doing something that excited me. Yes, it was about doing something that was innovative – and it was a really practical way to build a company by going and solving a problem. And then, the more I got into it, the more it changed. It became so much more than that, and I realised its full potential.
I looked at how criminals were exploiting the digital world for really horrific things, like trafficking drugs, ammunition, even human lives, and the exploitation of children. So for me, it became so much more meaningful than simply building a business to grow, sell, exit, and go off and do something different.
The other thing I want to say is, because me looking at it now, especially where we are in the world, back in the day, it also was very much a case of looking at it from a peace perspective. And I really think that is kind of more where I am now. I mean, I'm working from a defense perspective, not in the peace division of the industry. But I'm very aware of the part that it plays in maintaining the world's safety, maintaining our freedom and also peace.
Certainly, as a child growing up in the 80s, peace was very important to me. We had the tension of the Cold War, and that left such a lasting impression on me. So I think it's just interesting to see where the industry is moving, having been in it for so long, for certainly over two decades. And what keeps me in the industry is the people, but really it's this kind of mission to keep the safety and the security of the world. That's what keeps me in it and excites me to do more in the field.
Insights For Professionals
AI is often marketed as a game-changer in cybersecurity, but what are its real-world limitations?
Jane Frankland MBE
Yeah, well, you're absolutely right. Everybody is talking about AI right now, and it really is a powerful tool for detecting patterns, automating processes, and analysing large data sets. But it is so far from being perfect. And I think its biggest limitation right now is its dependency on quality training data. So if data is outdated or if it's biased, then AI really can miss some key threats and it can generate false positives.
AI also struggles to identify completely novel attack methods since they don't necessarily align with previously observed patterns. And it also requires an awful lot of computational resources, you know, power to make it viable for smaller organisations. And I know the cost of it is coming down and we're going to see that. But those for me, are really some of the limitations that it has.
When I think about humans and the part that they play in it, AI still struggles compared to human expertise. I think AI is great at handling repetitive tasks and large scale analysis, but it still lacks that contextual understanding and creativity. While it may flag unusual activity, humans are still needed to interpret whether this is an actual attack or just irregular, harmless behavior.
We saw this particularly with the Twitter 2020 attack, where attackers came in, they impersonated, and they got access to some high profile figures on Twitter. And then they asked for money, of course they did. And AI was very good at detecting the unusual patterns, but it was actually humans that came in and identified the social engineering that had happened that AI couldn't interpret.
The other thing that AI does, or fails to do, is understand the human motivations behind an attack, which are absolutely critical for threat hunting and for profiling diverse hacker attacks, like the one that I just mentioned with Twitter.
Humans absolutely excel at strategic decision-making and nuanced problem-solving in ways that AI simply cannot replicate. AI also fails to understand context. For example, if we take a spear-phishing attack, an email that mimics a CEO's tone and content – they often bypass the phishing filters. But humans can pick these up – something that doesn't quite feel right, something that doesn't sound right. They pick up that context. A slightly different or incorrect phrasing, or an unusual timing, or something else that just doesn't feel right. Humans pick that up, and machines don't. So these are a few areas where we're seeing the limitations of AI.
Insights For Professionals
What would you recommend to a CISO to decide between what should be AI-first and what should be human-first, or is it hybrid always?
Jane Frankland MBE
When CISOs are looking at this, you've got to look at the environment. You've got to look at what is our budget, what our view on risk is (and the company's view), and what we're seeing now is that threat actors are increasingly using AI to automate attacks, and it's really posing a real problem for the defenders.
For example, when I spoke about phishing emails a few minutes ago – these are getting so much better. Gone are the days when you could advise your employees, you do training, security awareness training, and advise them to look out for bad grammar.
Because of things like AI, specifically ChatGPT, that's not a problem anymore because hackers are using those tools and more to do a better job. So that's not the case. And then when you look at things like deepfakes, they're becoming also really problematic because the technology is available and it's also extremely affordable.
And so the costs are coming down and it's widely available, then we're seeing hackers using that technology to do more to con CFOs and other employees into doing things that they wouldn't already do.
We saw this with the Arup attack, whereby cybercriminals staged a meeting posing as employees and got an employee to transfer (I think) $25 million US dollars into their bank account. This was done incredibly professionally and obviously it was so convincing that the employee actually did it.
So these are just some of the things that CISOs are aware of and becoming more aware of and actually have to safeguard their organisation from.
I think another great example where we're seeing hackers, attackers and our adversaries using AI is for things like AI-powered malware. Sometimes we refer to it as intelligent malware. And I think this is an issue (and it's kind of exciting as well in some kind of like warped way that I’m thinking about this). But it is a real issue for the CISOs and our cyber risk owners out there because these types of attacks can now dynamically adapt to avoid detection. They’re making defense far more challenging. It's actually transforming the cyber landscape by using machine learning to avoid detection.
So unlike traditional malware, for example, this advanced threat can adapt its behaviour in real time. It can analyse a system's defences (such as antivirus software and firewalls) and identify the weak points in an organisation's systems. So then it modifies its code structure or encryption methods, or it can actually use the payload to slip past these safeguards undetected.
It also has a polymorphic nature, ensuring that it can generate countless variations of itself, rendering signature-based detection tools nearly obsolete. It's very sophisticated in how it works, continuously learning from its environment and tailoring its tactics.
So that is a huge problem for CISOs having to defend their organisations, and the only way they can do so is by using and adopting a defense-in-depth strategy. All that means is that actually recognising that no single tool or technology is perfect, and it builds redundancy into its defences to prevent attackers from succeeding. So it means that at every stage, every layer, you've got all these multiple layers there that are protecting the system and data and ensuring that if one layer or defense fails, the others remain strong so that the attacker cannot traverse anywhere within the network.
Insights For Professionals
So we have attackers using AI and we have defenders using AI. Are we in an AI arms race?
Jane Frankland MBE
So are we in an AI arms race? I would say we definitely are. Defenders can obviously harness AI to detect threats. And that’s what they’re doing and that’s really exciting, and that’s all really good for innovating. But equally, our attackers, the hackers out there are also using it. So they’re exploiting AI to make their methods far more sophisticated or just scalable. So they’re kind of giving us a harder time because of it.
And it's leading to escalating complexity in cyber warfare and it’s also reinforcing the need for us to actually innovate more and to collaborate more with our security community.
So, yes, I do think we are in an arms race, but we've always been in an arms race when it comes to looking at our adversaries (the hackers out there) and defending our organisations.
Insights For Professionals
What advanced techniques are cybercriminals using to harvest credentials, and how are these attacks evolving with AI and automation?
Jane Frankland MBE
Phishing is a really good one; it's amazing how sophisticated the phishing attacks are becoming. But after that, it's really about credential stuffing. That really is a big one.
So I would say imagine trying every single key in a giant lockbox. And we're seeing attackers take stolen usernames and passwords and then run them on dozens of websites – your email, bank account, shopping accounts, etc.
And certainly with automation, they can test these combinations at lightning speed and they can break through captchas and other protections. And so if you're using and making the same passwords across accounts, you're actually making it very easy for the hackers out there.
So we’re seeing a big increase in that. We’re also seeing session hijacking, and I think this could be the scariest of the bunch. And this is when we’re seeing hackers steal your session token (the thing that keeps you logged in after entering your password). Certainly with AI, they're finding ways to do this without raising any flags, letting them know that they’ve actually accessed sensitive systems without needing your credentials at all. So those are a few things. There are many more. But just to give you an example.
Insights For Professionals
Beyond strong authentication, what innovative strategies should CISOs adopt to minimise credential-related breaches and lateral movement within networks?
Jane Frankland MBE
Well, there are lots of tools available. But I think one of the things that they can do is actually adopt and use human risk management solutions. And that's really where, yes, you're using the technology, but you're also using technology in another way.
You're looking at the behavior of your employees. So what's their profile? And you're using tools to help you ascertain that. And then you're also looking at their roles and their responsibilities and you're adapting in accordance with that. So you're giving them security awareness training that is fit for purpose and that complements the technology that you're using.
So that when something does happen, that alert is triggered, or you can actually contact their line manager and let them know that there is risky behaviour going on and that it needs to be prevented. And I think the really good thing about that is, when you can actually do that, when you can have an intervention and that goes through the line manager, as opposed to you as a security practitioner, professional, CISO, cyber risk owner, then you're actually making sure that you're embedding security into the organisation and that it's not just seen as something that, well, that's what security does. You're actually making it a shared responsibility, which is what your security should be.
The technology has to be there and it has to exist to support you in your job, to ensure that your organisation can trade and that is protected and that you are reducing risk. But what you want is the stakeholders and leaders in the organisation to be with you on this journey. And you want to embed it into the culture and use your employees as your greatest defense (not your greatest weakness, which is a lot of the time how they're portrayed), and use technology additionally to boost your efforts.
Like I said a few minutes ago, AI can be really helpful. It can spot anomalies and behavior that is not ordinary, but it can also get things wrong, and that’s where you need the training. You need to educate your users and make sure that they can pause and also they have the confidence to actually alert you or stop themselves and say actually this doesn't feel right. I'm just going to check with someone – that could be security – as to what I need to do, but I'm going to stop as opposed to move forward with clicking on this email, transferring money, whatever it is because it doesn't feel right.
Insights For Professionals
What makes APIs such a prime target for attackers, and how are threat actors exploiting them in ways that many organisations overlook?
Jane Frankland MBE
APIs are everywhere, powering pretty much everything from your favourite apps to enterprise systems. But here is the thing about APIs. They have become the new cyber battlefield, and for a really good reason. And it’s because APIs are the keys to the digital kingdom. And they are the doorways into applications, services, and data – which make them so irresistible for hackers.
If you think about it as well, APIs are designed to connect systems and share data. And the same openness that makes them so effective for business also actually creates opportunities for cybercriminals.
So when hackers are targeting them, because APIs handle all this stuff – they carry data, transactions and critical business operations – then when it comes to misconfigurations, or outdated endpoints, or insufficient authentication, you've actually got a problem, because that's really like rolling out the red carpet for them.
Insights For Professionals
What innovative strategies should CISOs adopt to secure APIs, especially as organisations move toward cloud-native and microservices architectures?
Jane Frankland MBE
Yeah, certainly securing APIs is a really tough challenge, and it's become a whole new ball game when you're actually building. Certainly if you look at cloud-native and microservices architectures.
And the reason why that's becoming an issue is because instead of a few monolithic systems talking to each other, you've got tons of tiny and interconnected services all relying on APIs to communicate. It’s like an absolute web of complexity and certainly if security is not built into the foundation, then vulnerabilities are going to spiral out of control really fast.
So one of the first strategies for CISOs is to go all in on the principle of zero trust. And so this means that every single API-to-API interaction has to be verified, authenticated, and also authorised. So that's actually having no assumptions, no shortcuts. And you really need a robust authentication framework like OAuth or JSON Web Tokens to control access between services.
And of course, the other thing that you can't do is you just can't hand out full access. You've got to use granular permissions so that each service can only access exactly what it needs to – nothing more.
And as you move deeper into the microservices and adopt service mesh technology (which is good), if you think of a service mesh as your API traffic controller, then it actually manages and secures communication between services, handling encryption, authentication, and even monitoring. And so that's basically giving your microservices environment a built-in security guard for every interaction.
Another big one is API gateways. They're not just about routing traffic – they're your frontline defence against malicious activity targeting your APIs. And an API gateway gives you tools to enforce your rate limiting, to throttle suspicious requests, and to block anything that doesn't follow your predictive policies.
Plus you can also integrate it with other security tools to scan traffic or detect unusual patterns in real time. Speaking of patterns, you simply have to log everything – API calls, failures, anomalies, etc. And you've literally got to use advanced monitoring tools (ideally ones powered by AI) to flag strange behaviour.
For instance, if an API starts getting hammered with a ton of requests from a single IP, your networking system really should be smart enough to block it before things escalate. And CISOs really should be looking for the tools that provide both real-time alerts and also deep analytics.
Insights For Professionals
How can organisations meet increasing regulatory demands without security becoming just a ‘checkbox’ exercise?
Jane Frankland MBE
This is such a good question, and it really is a tough one because checking boxes really might meet the compliance requirements, but it won't actually protect your organisation. I think compliance really does drive an awful lot of effort in an organisation, but you've got to make sure that your company is secure as well for various reasons; you've got that obligation to your stakeholders.
So I think the first step is really changing the mindset, and compliance really should be a byproduct of a strong security posture, not the other way around. So instead of asking, "What do we need to do to be compliant?" you've got to start asking, "What do we need to do to actually stay secure and resilient?"
Most regulations – whether we're talking about HIPAA or the GDPR – are essentially trying to establish basic security hygiene. So if your focus is on building a robust security strategy, compliance really does become a natural outcome. So how can you actually make that happen?
Well, you've first got to be doing regular risk assessments. That's really where a lot of it starts. And you've got to understand exactly where your vulnerabilities are and you've got to understand what data is at risk. You've got to understand your assets, and not everybody actually understands all of their assets.
And you've got to understand what systems need critical protection and where the attackers are likely to strike.
And these assessments mustn't only happen when auditors are around (I've seen that too often); they've got to be happening continuously, as new threats are going to be emerging all of the time, and also new systems are going to be coming online, new technologies are going to be coming online.
And then after that, really what you've got to do is look at automation. And this is absolutely huge, because one of the biggest reasons security turns into a checkbox exercise is the amount of manual work involved. So automated compliance tools can really track your security controls. They can monitor who's accessing sensitive data, and they can even flag policy violations in real time. So that's all really good; it's just like having a second pair of eyes on your entire system, your entire organisation, 24/7, which is going to save you time and it's really going to help you spot gaps before the regulators come in, or the attackers do.
So another part of the puzzle is to really map your compliance controls to real-world security frameworks. For example, if you're following regulations like the GDPR or the CCPA, then you’ve got to pair that with something like NIST or ISO 27001 as your baseline security framework.
And then these frameworks can actually go beyond what is legally required, emphasising practices like segmentation, encryption, and incident response plans. All of those things that we're continually being told that organisations don't have and need to have, because they keep their systems secure.
Yeah, certainly when it comes to incident response, that I'm smiling because that is so often overlooked and a really well-defined and tested incident response plan is absolutely crucial in this day and age – and it's certainly invaluable for compliance because so many regulators are looking for it.
They require organisations to report breaches within specific timelines. No one wants to be in a position where they're coming under scrutiny, and increasingly we're seeing CISOs actually needing to protect themselves with directors insurance, liability insurance because they're coming under the spotlight. And some CISOs are at risk of serving jail time. So that’s the position that we’re in now.
So there is responsibility to the stakeholders, which I mentioned before, to your customers, but also you’ve got to look out as a CISO and a cyber risk owner for yourself and make sure that you are personally protected, because no one wants to go down that route.
Insights For Professionals
How can CISOs effectively communicate risk and security priorities to business leaders who may not understand the technical landscape?
Jane Frankland MBE
We talk about communication a lot in security and how leaders can do a better job. One of the easiest ways is actually to go back to, not basics, but to use plain business language. You are dealing with highly complex technical threats. A lot of the time your audience isn't looking for a deep dive into encryption algorithms or firewall rules or whatever.
What they care about is the business – revenue, reputation, operations, maybe something else depending on who you're talking to.
So the key really is, trying to make sure that security becomes a priority for them. So it's really about getting into their world, understanding what really matters to them, whilst also ensuring that you're able to convey the issues.
When I'm talking to security leaders and CISOs about this, I really start with a marketing exercise. If you were looking at this as a persona or avatar, you'd really be trying to understand what's going on in their world so that you can help them whilst helping yourself, so it's a different approach.
The other way when you have all of that information is to use data to tell stories, because I would say facts tell, stories sell. So when you're communicating to business leaders, yes they love metrics that connect security to outcomes, but they really love the stories. The stories get through so much more, so you've got to make it tangible. You've got to make it real. You've got to bring these challenges to life. So stories are a really good aid.
When it comes to communicating the risks to a wider audience, understand where they're at, understand what matters to them. Use data, but use stories.