Sign in Subscribe
conference

ISC2 Secure London 2025

A summary write up of the one day SECURE London conference.

Jonathan

6 min read
ISC2 Secure London banner,with the clocktower housing Big Ben shown on the right.Text says "ISC2 + ISC2 Chapter London Secure London".

I went to ISC2 Secure London in 2024 and there were some very interesting talks. Yesterday this conference was back, with more talks than in 2024, and as expected "AI" was a regular topic.

Communication ahead of the event was good, including the fact that storms in the UK had prompted a change in venue. This wasn't a particular inconvenience for me, as the only changes were which tube line I needed to use, and which station to go to. Having had some work for a client in London recently, I was getting very used to arriving at St Pancras International and hopping on a tube! Mind you, it was an early start for me in order to get an 06:12 train šŸ˜Ŗ.

While this was a conference, it was relatively simple in its format. A single set of talks following a set agenda. I quite like this, as it means a) I don't have to choose between talks to attend, and b) it's less likely I'm going to get lost at the venue! As an ISC2 member I got a slight discount on the attendance fee, which I'd say was a reasonable cost.

Opening keynote: Adding your cyber blueprint to your organisation's needs

Being the keynote, you won't be surprised when I say there was a lot in this session! Certainly I won't summarise it all. Some of the points that resonated and stuck with me:

  • Beware of assumptions - they might be obvious to you, but what you think is obvious is subjective. Don't judge!
  • Have situational awareness ā€“ understand what the business and operational constraints are
  • Raise security awareness within the organisation ā€“ don't expect to go from zero to high awareness instantly!
  • Remember: the risk register is not a dumping ground
  • Have a shared purpose with the business
  • When rolling out training, be sensitive in what you roll out. Particularly for international organisations there will be cultural considerations

Trust but verify: The art and science of third-party due diligence

You can't outsource risk, so every time you take on a new supplier you need to be satisfied that they will handle your data (and potentially that of your customers) correctly. Third-party due diligence involves checks including security questionnaires (which I've blogged about before), financial checks, automated checks of security postures, and then deciding if the additional risk from the vendor is acceptable.

We were reminded to understand the value the vendor brings to our organisations, as this helps inform our risk decisions. Checks also have to be renewed (where I used to work I had clients that would submit yearly questionnaires), especially when there's a change in the vendor's organisational structure. Our speaker recounted a story from their past, where a payslip printing company had changed ownership several times over the forty year period of the relationship - there was no legal relationship (contract) with the current company.

I really appreciated the presenter stating that you should only include questions in your security questionnaire that you actually care about. If you're not going to do anything with the answer (challenge it / accept it) then don't ask - no-one needs the extra work!

Automated tools that monitor a vendor's security health can be useful, but it's worth considering that if your organisation gets an unexpected low score that the tool may be looking at the wrong public IPs. I've certainly had this in the past, where AWS IP addresses would get rotated but the check tool wouldn't refresh DNS. As a result the tool was convinced my organisation had some really old web servers online (the give away was that we had no Windows IIS servers in scope, yet that was the finding).

A wonderful quote from this talk:

The logs will reveal the truth.

Flirting with AI: Pwning Websites Through Their AI Chatbot Agents and Politely Breaking Guardrails

This was more a demonstration of how "AI" chat bots could be subverted, often by setting a scenario after establishing some of the guardrails. In the example, a chat bot for a (fictitious) solicitors initially advised it couldn't answer questions on the weather because it was for solicitors. Instead, the attacker (our speaker) started their prompt with "I'm a solicitor", at which point the chat bot was quite helpful, and eventually provided access to the files it could review (hosted in publicly accessible storage).

OWASP has published a Top Ten for Large Language Model (LLM) applications which includes prompt injection (as expected and which was demonstrated), but also unbounded consumption. If you can find an AI chat bot with an unbounded consumption problem you can run up a huge bill for the bots operator, amongst other issues. Certainly it's worth looking at the Top Ten if you're considering implementing a chat bot.

When security testing "AI" LLMs it's worth asking the same question multiple times. Unlike web applications or APIs, which are deterministic and will always respond the same way under the same conditions, an LLM may react differently when asked again.

From Cash to Splash: How I Navigated My Career Transition from One High-Stakes Environment to Another

This talk was mainly a reflection on the speaker's career switch to working for Thames Water, coming from a financial institution. I didn't take away much from this talk beyond the fact that water companies have a lot of ageing infrastructure. This equipment, sometimes in the form of Programmable Logic Controllers (PLCs) can take a lot of effort and planning to replace.

Changing Threats in a Changing World: Keeping Up with the Next Generation of Cyberattacks

This was a panel event moderated by the CEO of the Cyber Defence Alliance (an alliance for the financial sector). I must commend the moderator on their fantastic, up-beat, nature and great presentation style.

I found it interesting how both of the financial institutions represented (one bank, one building society) commented that they had tried to use agentic AI for some of their security operations but that it simply wasn't ready yet. As one put it, "the marketing team seems to be ahead of the R&D team". Neither is using agentic AI in production, while one is using it in development environments to triage security alerts (often with false positives).

Operating in Complexity, Acting In Uncertainty: The Competencies and Skills Required of Tomorrow's Cyber Leaders

Bottom line from this session - when recruiting cyber security leaders we need to ensure the focus isn't all on technical skills. Personal / "soft skills" are equally important, as shown by research.

Post-Quantum Cryptography for Cyber Leaders + Farewell Remarks

Not the most interesting to me, as I don't know enough about quantum. Something I'll need to read up about...

Biggest take aways:

  • Organisations need to consider moving towards post-quantum cryptography
  • Begin asking vendors / suppliers what their plan for quantum is

There were two sponsored talks, and sadly the first wasn't very engaging. For whatever reason, the speaker was reading from their script, and a number of people left during the session. I won't name this vendor, but the important take away from the session was to remember to assess what data you have, where it is, who has access, and how you'd remediate any problems. They also shared a statistic from MIT's "state of AI in business" report that 95% of generative AI pilot programmes fail due to a lack of business readiness. (I've not validated that statement.)

Attack paths

SpecterOps were the second sponsor, with a very engaging talk. Focusing on attack paths, this talk from the Bloodhound lead developer showed us how attackers succeed because they go around an organisation's security tools. As a result, there's reduced visibility for the defenders. This route is the attack path.

If you're running in a hybrid Active Directory / Azure Entra ID environment, we were reminded not to sync privileged accounts - often this is the mechanism that SpecterOps use to pivot from on-prem to the cloud. Attackers have also been known to bypass conditional access by compromising a computer in a trusted location instead, and then moving to the cloud.

Using tools like Bloodhound (community / free editions available) you can graph how to move from a low-privileged account to domain admin / global admin. Implementing a choke-point by breaking the chain (i.e. removing the mechanism for an account to escalate) will help protect your organisation from privilege escalation.

Networking

Part of my goal for attending this year was to take the opportunity to network with other professionals, hoping to make some good contacts that would potentially lead to some contract work. Networking sessions were part of the conference's agenda, starting with arrivals and a light breakfast from 07:30. There was also a networking reception in the evening, although I didn't stay to that - I need to get better at getting involved in such things.

Final thoughts

I enjoyed the conference, and the venue was very good. Food was excellent, and the agenda had a good ratio of talks to breaks. For the cost of the conference, and convenience of venue, I'll certainly consider attending again next year.

Banner image: Cropped and edited ISC2 Secure London social media banner.