In today's episode, I welcome Ricardo Ferreira, EMEA Field CISO at Fortinet, to discuss how the UK's proposed Cybersecurity and Resilience Bill compares to the EU's NIS2 directive. Ricardo brings a wealth of experience in cybersecurity strategy and regulation, and he shares why he believes the UK's bill is missing key components that could make it truly effective.
With Brexit allowing the UK to take an independent approach, Ricardo argues that there is a unique opportunity to cherry-pick the most effective elements from NIS2 while avoiding its potential pitfalls. But is the current bill providing enough clarity?
Ricardo highlights how the legislation introduces buzzwords like "digital supply chain" without actually outlining a clear path for addressing cyber threats. In contrast, NIS2 lays out a prescriptive approach that includes risk profiling, supply chain security frameworks, and post-breach recovery strategies.
We also explore the growing need for board-level accountability in cybersecurity. Should executives and directors be held personally responsible for cyber resilience within their organizations? And how can governments ensure that businesses have both the guidance and incentives to proactively address security risks rather than reactively scramble to contain breaches?
With cyber threats only growing more sophisticated, the role of regulation in mitigating risk has never been more important. But does the UK's current legislative approach go far enough? And what lessons can be learned from international frameworks like NIS2?
Tune in for an insightful discussion on the future of cybersecurity policy, where it's headed, and what needs to change to create truly resilient digital infrastructures. As always, I'd love to hear your thoughts: how should governments balance regulation with innovation in cybersecurity?
[00:00:03] How do you shape a cyber security bill that truly strengthens national defences while balancing industry collaboration and best practices? Well, my guest today, his name is Ricardo. He's the EMEA field CISO at Fortinet. And together we're going to discuss the UK cyber security and resilience bill and what it could learn from the EU's NIS2 directive.
[00:00:29] With NIS2 already out there, the UK has somewhat of a unique opportunity to pick and choose the most effective components of international regulations. So my guest Ricardo is going to be offering a critical perspective today on where the current bill is possibly falling short. So together we'll dive into the topics far and wide from workforce training to post-breach recovery and the cultural shift that's still needed to make cyber security a boardroom priority.
[00:01:00] But enough scene setting for me. Let's get Ricardo onto the podcast right now. Well, thanks for joining me on the podcast, Ricardo. Can you tell everyone listening a little about who you are and what you do? For sure, Neil. It's a pleasure to be here. Hello, my name is Ricardo Ferreira. I'm a Portuguese now living in the sunny UK for almost 13 years now.
[00:01:24] My background has been in cyber security since I was a teenager, actually working on deception technology. But at the time it was honeypots. I also did my dissertation on that. And then the career obviously evolved and progressed up until now, more on a field CISO role within Fortinet. And what does that entail? So if you think about the Venn diagram, right? It's at the intersection of advisory, marketing and sales.
[00:01:53] So making sure that I interact with customers from the top G2000 and understanding their cyber security roadmap on how Fortinet can also help. And obviously also giving my opinion on basically distilling my thoughts and what is going on out there so that they could make informed decisions. Excellent. Well, thank you for joining me on the podcast. And you said 13 years since moving from Portugal there. And you even mentioned sunny UK, but nowhere near as sunny as Portugal.
[00:02:22] Do you miss anything about home in 13 years? Is it food, sunshine or something else? Anything you miss there? Yeah. So I miss the food, the wine, especially from the area I come from. It's the Douro, which normally people know from the Porto wine, but I'm more into the traditional wine. The food here in the UK also has a lot of diversity. But what I miss is probably the temperature, the temperature. Yeah, the temperature and the sun.
[00:02:51] When the sun comes out, you can really feel it on your skin, that burny feeling, you know. So I miss that. I miss that. I bet. Oh, well, thank you for joining me on the podcast today. And obviously, I brought you on not to talk about food, sunshine and wine, although we could have a Splinter podcast on that very subject.
[00:03:11] But one of the things I want to talk about is the main areas where the UK cybersecurity and resilience bill is falling short compared to the EU's NIS2 directive, which we're hearing more and more about. Anything you can expand on around that? Sure, Neil. So actually, I started looking at NIS2 when the draft came out. So that was a while back in 2020, if my memory serves me right.
[00:03:38] And I was quite relieved, I think that's the right word, on the UK coming up with this UK cybersecurity and resilience bill. First, because I felt that Europe, the EU, was advancing the state of the art regarding how they are trying to make sure that the member states are actually protecting against the advanced cyber threats. And from the UK, there was nothing, just mute, right?
[00:04:05] And when it came out, as you've also seen, I felt that it was a bit short, lacking the meat on the bones per se, you know? So either A, the plan, the strategy hasn't still been fully developed, or B, they want a bit more time because I think it was going to be proposed to the parliament this year.
[00:04:29] So I'm not sure, but it just reads a bit of fluff, you know, Neil? So there's a lot of buzzwords there, the supply chain, the digital supply chain, but it doesn't talk on actually on how. It's not prescriptive. It doesn't actually tell you what the organisations will need to do, or how big the stick is going to be from fines, or whatever they are trying to do in order to make that.
[00:04:55] So that's where I felt that it fell short in comparison to NIS2. I completely agree with you. And as an eternal optimist, I would say that maybe the UK is positioned post-Brexit. Maybe it provides some opportunities to cherry-pick some of those most effective elements of NIS2. Am I right in saying that? And if so, what should they prioritise? What do you think? Oh, in my opinion, Neil, I think you're spot on.
[00:05:23] And I think if we learn something from GDPR, it was actually that, because when the EU drafted GDPR, you now see a lot of emerging economies picking specific provisions. For example, South Africa, Mexico, etc., in the Middle East, and so on. They are cherry-picking some of the parts of GDPR that make sense, and they are coming up with their data privacy regulatory frameworks, which I think is amazing.
[00:05:53] And then transposing this to what you just asked about this opportunity for Brexit, for the UK post-Brexit, I think they are in a unique position.
[00:06:03] And I think also reading from and seeing, hearing and reading from what the politicians were trying to do was to uniquely position the UK as a friendly nation to be more regulatory open to organisations so that they could also attract talent, for example, in AI and so on. So to answer your question, I think they are in a super unique position.
[00:06:31] And if I was in charge, I would probably start looking at that supply chain, the risk frameworks, and obviously the board liability as well. Completely agree with you. And I also think you're in somewhat of a unique or have a unique perspective here too.
[00:06:52] So in your opinion, how should the UK address that lack of detail in the legislation about how digital supply chain attacks will be tackled? Anything you can share on how you see things here and some more of those opportunities maybe? So I think first of all, I think for any successful project, Neil, there needs to be different stakeholders and gather their input and making sure that their opinions are weighted.
[00:07:20] So I think governments must work with the wider industry in order to develop that detailed guidance. It cannot just be putting your finger up and seeing where the wind is blowing. There needs to be some concrete input from the industry, from the organisational bodies, from the NOGs and so on, right?
[00:07:42] So second, there also should be a clear description of the associated risk profiles because the UK has the CNI, the critical national infrastructure. But there should also be an alignment to those industries and what is the risk profile that they need to actually be categorized.
[00:08:02] Thirdly, I think that making sure that not just the technical aspect of it, for example, making sure that there's a risk framework or that there's a big stick, a big liability, big fines, but also making sure that the people aspect, and this is something that needs to actually mandate is the training of the workforce. So I think that that is also something that should be positioned on this new bill.
[00:08:29] What lessons do you think the UK could learn from this too? And by that, I mean in terms of outlining practical measures to strengthen cyber defenses and ultimately try and improve accountability at the board level. Any big lessons to be learned there? I think they were quite prescriptive, Neil. And if you look at what they were saying, there's several topics.
[00:08:50] In my opinion, for example, the supply chain security, making sure that we understand on how those third party providers and their risk is computed. For example, if I'm consuming from ABC on how do I assess the risk from ABC and then factor that into my own risk profile, that should be key, right?
[00:09:12] And if you look at the trend from a worldwide perspective, and NIS2 falls nicely into that category, there's a big focus on the post-breach, meaning that the recovery and response are top of mind, right? So if we talk about business continuity, that should also be top of mind. And this is something that NIS2 places a big focus on.
[00:09:40] So I think for this upcoming bill, making sure that we also place our mindset on that response and recovery category post breach, you know, I think that should be the way going forward. Because that's a trend. And this is how organizations understand that having something 100% foolproof is not going to generate dividends. You need to be sure that if some event happens, a breach, whatever, you're able to bounce back very quickly.
[00:10:08] So if we zoom out for a moment and look at this cybersecurity and resilience bill that we're talking about today, how can the UK ensure that it remains relevant, especially in the face of so many rapidly evolving cyber threats and AI and good AI versus bad AI and so much going on there? How do they keep this relevant?
[00:10:26] I think as with any framework, right, it needs to have mechanisms for regular reviews and updates, because one of the challenges when you're developing a framework is that sometimes they get out of drift, and there's not a clear process in order to review that. So having those mechanisms in order to review the drift, in order to review how far away they drifted from that original goal, there needs to be something like that.
[00:10:56] So that's number one, right? Yeah. Secondly, making sure that there's advisory committees that has a breadth of stakeholders that can inform in order to monitor and also provide a bit more intel on those techniques and those threats, emerging threats, what is going on out there. I think there needs also to be some advisory committees.
[00:11:21] And this is something that NIS2 actually placed a lot of focus on: hey, how do we make sure that we can cross-collaborate and can we exchange data amongst ourselves? And lastly, I would say that supporting the research into emerging security technologies. For example, something that I still haven't seen a lot is that we talk a lot about supply chains, right?
[00:11:47] There's been this big breach on that open source software, the XZ, the compression library. For some reason, it isn't talked about as much as other breaches, but it was open source. It was a very small component, but that component was used by the majority of large projects, right? And if you look at the timeline, it was clearly a state actor.
[00:12:11] So what I'm trying to say is that making sure that the government supports research in these emerging security technologies, AI, cloud and so on, in order to make sure that they make informed decisions. And I think one of the standout aspects of NIS2 is the assigning of responsibility for cybersecurity directly to the board. It's one way to get attention from them as well once they're accountable for that. But what do you think are the specific advantages of doing that, do you think?
[00:12:41] And ultimately, is it critical for the UK's bill too? So Neil, I think first of all, it's critical. So that's my first point. It's critical and important because traditionally, cybersecurity has always been perceived as a cost centre and a blocker. Yeah. And this changes things because now they understand that it's a business risk and it's not just the IT guys trying to derail the project.
[00:13:11] No, it's a business risk, right? So I think that it drives better resource allocation for security. And you wouldn't believe me, before NIS2 I would talk with CISOs, and before and after, you could see that the budget was clearly augmented post-NIS2 for cybersecurity, right? Yeah.
[00:13:36] And I think the last but important is that everybody talks about culture and strategy, but having the bottom up, the people that actually do the work being security conscious, but at the same time also having the leadership, being understanding cybersecurity risks and being accountable, it creates a new dynamic.
[00:14:26] I agree. I think the way that they can balance is, for example, developing and maintaining those resilience and recovery plans. For example, drafting the business continuity plans, making sure that there's a recovery and a specific timeline associated with it. Because if you look at NIS2, the preliminary reporting is 24 hours, Neil. Yeah. And that's a game changer, right?
[00:14:54] So having something like that forces organizations to think through and then also make sure that they develop a plan in internal communications or whatever they need to do in order to roll this up. It requires a substantial reorganization, right? So defining that security requirements and that progress reporting, I think is key, along as measuring the effectiveness of whatever organization is trying to do.
[00:15:23] If it is the KPI in order to respond or recover, those are also the KPIs that need to be reported back. And I think the bill should also leverage those KPIs that CISA uses and make them part of their repertoire as well. And thankfully, there does seem to be somewhat of a global epiphany that working in silos is not the best way.
[00:15:49] And in cybersecurity in particular, collaboration is so important. So in your experience, what should collaboration between governments, businesses and international partners play in better shaping cybersecurity legislation? And how do you think the UK's approach compares to the rest of the EU? Because again, I think you've got a unique vantage point here. Yeah.
[00:16:14] So if we go back, Neil, and sorry for this tangent, but if we go back and think about design thinking and policy design, right? You'll always see that one of the ways that you can create actually a policy that is successful is making sure that you get those inputs from the wider industry.
[00:16:34] So that should be part of the framework on how the UK is actually collaborating, the government, the business and the international partners, making sure that their stakeholders and their inputs are weighted, right? Yeah. Secondly, I think there also needs to be detailed guidance for those industries and having like a partner, maybe going broader, not just the NCSC or, for example, in Europe, they have ENISA.
[00:17:01] And if you look at the ENISA webpage, they provide a lot of technical support for organisations, telcos, financial services on how they need to implement NIS2, what is the risk platform, what is the best. And personally, when, for example, I was looking at the vulnerability reporting from the UK government, there was this Government Cyber Coordination Centre.
[00:17:31] The GC3, right? Yeah. And I was flabbergasted when you submit a report and that report goes to HackerOne, which, you know, there was a lot that a couple of years ago, there was a lot of hype surrounding this new vulnerability reporting service. And now you just click and it goes to HackerOne. So I think that just highlights how we could do better. And it's not just putting the report to HackerOne.
[00:17:58] No, we need to do better and getting that information to our industries and our economy as well. Well, we started our conversation today talking about how 13 years ago you left behind sunshine, fine wines and great food to take your tech career to the next level. But as we come full circle now, I think we can both agree that none of us are able to achieve any degree of success without a little help along the way in our career.
[00:18:24] Very often somebody sees something and has invested some of their time and so much more that helps us in ways that they probably don't realise. So is there a particular person that you're grateful towards who maybe played a part in helping get you where you are today that we can give a little shout out and a little thank you to?
[00:19:12] Yeah, for sure. Thank you.
[00:19:45] Thank you.
[00:20:16] Thank you. Thank you. So when I was talking about OpenStack and the contributions that I did, obviously I got the role. Yeah. So now today thinking about how that experience shaped me, I learned that true leaders and thank you campus for that. It's just that they don't manage resources. They invest in people's futures, even when the return is immediate. Wow. What a powerful moment to end our conversation on today. Absolutely love that.
[00:20:45] He's probably unaware of the impact he's had on your career. So it's so important to give him a shout out. But I love the whole, almost the universe giving you a nod back and everything coming full circle. But for everyone listening, just wanting to find out more information about anything we discussed today. Maybe they want to connect with you, talk about your work at Fortinet and find out more what's happening there. Where would you like to point them? So they can go to our website, fortinet.com. There's also my LinkedIn.
[00:21:14] And if you want to read the stuff that I've been working on, which is aligned to NIS2, DORA, you can also go to the Fortinet blog and search my name, where you can find all the repertoire and all the blogs that I've been producing. Awesome. Well, I will provide links to the website, your blogs, and indeed your LinkedIn so people can find you nice and easy. We covered a lot there, not just talking about the UK cybersecurity and resilience bill, but also what's missing from that legislation.
[00:21:42] How does it compare to the EU's and what can the UK bill learn from NIS2? And we could even have another episode talking about the other regulations and legislation that are being created all around the world outside of the UK and Europe. But more than anything, thank you for starting this conversation today, Ricardo. Thank you, Neil, for having me. Nick, it's clear that the UK has an opportunity to create a cybersecurity bill that will not only address today's challenges, but also set a benchmark for the future.
[00:22:09] And Ricardo's insights highlight the importance of learning from the EU's NIS2 directive and focusing on supply chain risk, board accountability and post-breach resilience. And the message is clear, isn't it? Effective legislation requires clarity, collaboration and an actionable framework, a framework that unites stakeholders across all sectors.
[00:22:34] But what are your thoughts on this approach to the cybersecurity legislation? Could it become a global leader by adapting the best elements of international frameworks? Or does it indeed risk falling behind? Love to hear your perspectives on this. Please join the discussion. Email me, techblogwriter@outlook.com, LinkedIn, Instagram, X, just at Neil C. Hughes. Interested in your thoughts on this one.
[00:23:04] But as for me, I've got another guest to prepare for. They'll be coming your way bright and early tomorrow morning. Hopefully you'll join me again. I will speak with you then. Bye for now.