What happens when a country aims to carve its own cybersecurity regulatory path post-Brexit while the rest of the region moves toward harmonized frameworks like the EU’s NIS2 directive? In this episode of The Business of Cybersecurity Podcast, we unpack the evolving conversation around the UK’s Cyber Security and Resilience Bill with Ricardo Ferreira, Field CISO at Fortinet.
Ricardo offers a sharp, comparative analysis between the UK's proposed bill and the EU's more prescriptive NIS2 directive. He explains why the UK's current approach lacks the specificity needed to tackle critical issues like supply chain security, board-level accountability, and sector-specific risk frameworks. While the UK’s legislative draft includes promising buzzwords and broad commitments, Ricardo notes that it falls short on actionable guidance and enforcement mechanisms—areas where NIS2 has already set a clearer precedent.
But amid these gaps lies a strategic opportunity. Ricardo discusses how the UK can leverage its regulatory independence to selectively adopt the most effective elements from NIS2, crafting a more agile and industry-friendly cybersecurity framework. He highlights the importance of involving diverse stakeholders—from industry bodies to international partners—in shaping regulation that’s both resilient and responsive to evolving threats.
The conversation also explores:
- The importance of making board members directly accountable for cybersecurity risk
- Why workforce training must be mandated alongside technical requirements
- Lessons from NIS2 on post-breach response and business continuity planning
- The need for advisory committees and continuous legislative updates to keep regulation relevant in an AI-driven threat environment
Ricardo closes the episode with a personal story about how visionary leadership early in his career helped shape his trajectory—reminding us that real resilience is built not just through technology or regulation, but through people who see potential and invest in it.
If you're navigating cybersecurity compliance, policy development, or executive accountability, this episode is a timely and thought-provoking listen.
[00:00:06] Welcome back. I'm Neil C. Hughes, host of the Tech Talks Daily Podcast, where for the last 10 years, I've been fortunate to interview more than 3,000 tech leaders, business innovators, and even the occasional celebrity. Celebrities like Star Trek's William Shatner, of all people.
[00:00:23] But today, I'm excited to unveil the Tech Talks Network. It's a collection of my shows designed to explore every corner of enterprise technology and the impact that it is having on our life, work, and even world.
[00:00:37] So, the Tech Talks Network consists of eight podcasts. Tech Talks Daily; AI at Work, to understand how artificial intelligence can deliver a measurable difference inside your workplace; The Business of Cybersecurity; IT Infrastructure as a Conversation, where we can geek out a little bit on some of those infrastructure questions; Conversations from the Show Floor, where I will take you directly onto the show floor at the biggest tech events in the world.
[00:01:06] And share some of those conversations of what people are talking about. And there is also Startup Builders and Backers, and we also bring it back to business in Business Technology Perspectives and understand the real difference that technology can make. And finally, we have Consulting the Future, a podcast that unites all those conversations from Deloitte, EY, Accenture, PwC, Gartner, all the usual suspects.
[00:01:32] And each of those eight podcasts will focus on a unique part of the tech ecosystem, helping you stay informed, inspired, and ready for what's next. So, please check out techtalksnetwork.com. You'll find links to everything that you need right there. And let me know your thoughts. The reason I've done this is I record 400 interviews plus a year, and much of that information can get lost after a couple of weeks.
[00:01:57] And I think niche shows focusing on unique areas will help you drill down to that information that you need. So, check that out and let me know. But back to this show. Today, I've got a great guest lined up for you. He's going to be offering a critical perspective today on where the current bill is possibly falling short.
[00:02:16] So, together, we'll dive into the topics far and wide, from workforce training to post-breach recovery and the cultural shift that's still needed to make cybersecurity a boardroom priority. But enough scene setting from me. Let's get Ricardo onto the podcast right now. Well, thanks for joining me on the podcast, Ricardo. Can you tell everyone listening a little about who you are and what you do? Ricardo Ferreira: For sure, Neil. It's a pleasure to be here.
[00:02:45] My name is Ricardo Ferreira. I'm Portuguese, now living in the sunny UK for almost 13 years now. My background has been in cybersecurity since I was a teenager, actually working on deception technology. But at the time, it was honeypots. I also did my dissertation on that. And then the career obviously evolved and progressed up until now, more on a field CISO role within Fortinet. And what does that entail?
[00:03:14] So, if you think about the Venn diagram, right? It's at the intersection of advisory, marketing and sales. So, making sure that I interact with customers from the top G2000 and understanding their cybersecurity roadmap and how Fortinet can also help. And obviously, also giving my opinion, basically distilling my thoughts and what is going on out there so that they could make informed decisions.
[00:03:42] Excellent. Well, thank you for joining me on the podcast. And you said 13 years since moving from Portugal there. And you even mentioned sunny UK, but nowhere near as sunny as Portugal. Do you miss anything about home in 13 years? Is it food, sunshine or something else? Anything you miss there? Yeah. So, I miss the food, the wine, especially from the area we come about. It's the Douro, which normally people know it from the Porto wine, but I'm more on to the traditional wine.
[00:04:11] The food here in the UK also has a lot of diversity of food. But what I miss is probably the temperature, the temperature. Yeah, the temperature and the sun. When the sun comes out, you can really feel it on your skin, that branny feeling, you know? So, I miss that. I miss that. I bet. Oh, well, thank you for joining me on the podcast today. And obviously, I brought you on not to talk about food, sunshine and wine, although we could have a splinter podcast on that very subject.
[00:04:40] But one of the things I wanted to talk about is the main areas where the UK Cyber Security and Resilience Bill is falling short compared to the EU's NIS2 directive, which we're hearing more and more about. Anything you can expand on around that? Sure, Neil. So, actually, I started looking at NIS2 when the draft came out. So, that was a while back, in 2020, if my memory serves me right.
[00:05:07] And I was quite relieved, I think that's the right word, about the UK coming up with this UK Cyber Security and Resilience Bill. Yeah. First, because I felt that Europe, the EU, was advancing the state of the art regarding how they are trying to make sure that the member states are actually protecting against the advanced cyber threats. And from the UK, there was nothing, just mute, right?
[00:05:34] And when it came out, as you've also seen, I felt that it was a bit short, lacking the meat on the bones, per se, you know? So, either A, the plan, the strategy still hasn't been fully developed, or B, they want a bit more time because I think it was going to be proposed to the parliament this year.
[00:05:58] So, I'm not sure, but it just reads as a bit of fluff, you know, Neil? So, there's a lot of buzzwords there, the supply chain, the digital supply chain, but it doesn't actually talk about how. It's not prescriptive. It doesn't actually tell you what the organizations will need to do, or how big the stick is going to be from fines, or whatever they are trying to do in order to make that.
[00:06:24] So, that's where I felt that it fell short, in opposition to NIS2. I completely agree with you. And as an eternal optimist, I would say that maybe the UK is positioned post-Brexit. Maybe it provides some opportunities to cherry-pick some of those most effective elements of NIS2. Am I right in saying that? And if so, what should they prioritize, what do you think? Oh, in my opinion, Neil, I think you're spot on.
[00:06:52] And I think if we learned something from GDPR, it was actually that. Because when the EU sat and drafted GDPR, you now see a lot of emerging economies picking specific provisions. For example, South Africa, Mexico, et cetera, Middle East, and so on. They are cherry-picking some of the parts of GDPR that make sense. And they are coming up with their data privacy regulatory frameworks, which I think is amazing.
[00:07:22] And then transposing this to what you just asked about this opportunity for the UK post-Brexit, I think they are uniquely positioned.
[00:07:32] And I think also reading from and seeing, hearing and reading from what the politicians were trying to do was to uniquely position the UK as a friendly nation to be more regulatory open to organizations so that they could also attract talent, for example, in AI and so on. So to answer your question, I think they are in a super unique position.
[00:08:01] And if I was in charge, I would probably start looking at that supply chain, the risk frameworks, and obviously the board liability as well. Completely agree with you. Completely agree with you. And I also think you're in somewhat of a unique perspective here too.
[00:08:22] So in your opinion, how should the UK address that lack of detail in the legislation about how digital supply chain attacks will be tackled? Anything you can share on how you see things here and some more of those opportunities maybe? So I think first of all, I think for any successful project, Neil, there need to be different stakeholders, and you gather their input and make sure that their opinions are weighted.
[00:08:50] So I think governments must work with the wider industry in order to develop that detailed guidance. It cannot just be putting your finger up and seeing where the wind is blowing. There needs to be some concrete input from the industry, from the organizational bodies, from the NGOs and so on, right?
[00:09:11] So second, there also should be a clear description of the associated risk profiles, because the UK has the CNI, the critical national infrastructure. But there should also be an alignment to those industries and what is the risk profile that they need to actually be categorized in.
[00:09:31] Thirdly, I think that making sure that it's not just the technical aspect of it, for example, making sure that there's a risk framework or that there's a big stick, a big liability, big fines, but also making sure that the people aspect, and this is something that needs to actually be mandated, is the training of the workforce. So I think that that is also something that should be positioned in this new bill.
[00:09:58] What lessons do you think the UK could learn from this too? And by that, I mean in terms of outlining practical measures to strengthen cyber defenses and ultimately try and improve accountability at the board level. Any big lessons to be learned there? I think they were quite prescriptive, Neil. And if you look at what they were saying, there's several topics.
[00:10:20] In my opinion, for example, the supply chain security, making sure that we understand on how those third party providers and their risk is computed. For example, if I'm consuming from ABC on how do I assess the risk from ABC and then factor that into my own risk profile, that should be key, right?
[00:10:41] And if you look at the trend from a worldwide perspective, and NIS2 falls nicely into that category, is that there's a big focus on the post-breach, meaning that the recovery and response are top of mind, right? So if we talk about business continuity, that should also be top of mind. And this is something that NIS2 places a big focus on.
[00:11:10] So I think for this upcoming bill, making sure that we also place our mindset on that response and recovery category post breach, you know, I think that should be the way going forward. Because that's a trend. And this is how organizations understand that having something 100% foolproof is not going to generate dividends. You need to be sure that if some event happens, a breach, whatever, you're able to bounce back very quickly.
[00:11:38] So if we zoom out for a moment and look at this cybersecurity and resilience bill that we're talking about today, how can the UK ensure that it remains relevant, especially in the face of so many rapidly evolving cyber threats and AI and the good AI versus bad AI and so much going on there? How do they keep this relevant? I think as with any framework, right, it needs to have mechanisms for regular reviews and updates.
[00:12:03] Because one of the challenges when you're developing a framework is that sometimes they get out of drift and there's not a clear process in order to review that. So having those mechanisms in order to review the drift, in order to review how far away they drifted from that original goal, there needs to be something like that. So that's number one, right? Yeah.
[00:12:28] Secondly, making sure that there are advisory committees that have a breadth of stakeholders that can inform, in order to monitor and also provide a bit more intel on those techniques and those threats, emerging threats. What is going on out there? I think there also need to be some advisory committees.
[00:12:51] And this is something that NIS2 actually placed a lot of focus on: hey, how do we make sure that we can cross-collaborate, and can we exchange data amongst ourselves? And lastly, I would say that supporting the research into emerging security technologies. For example, something that I still haven't seen a lot is that we talk a lot about supply chains, right?
[00:13:16] There's been this big breach on that open source software, the XZ, the compression library. For some reason, it isn't talked about as much as other breaches, but it was open source. It was a very small component, but that component was used by the majority of large projects, right? And if you look at the timeline, it was clearly a state actor.
[00:13:41] So what I'm trying to say is that making sure that the government supports research in these emerging security technologies, AI, cloud and so on, in order to make sure that they make informed decisions. And I think one of the standout aspects of NIS2 is the assigning of responsibility for cybersecurity directly to the board. It's one way to get attention from them as well, once they're accountable for that. But what do you think are the specific advantages of doing that, do you think?
[00:14:11] And ultimately, is it critical for the UK's bill too? So Neil, I think first of all, it's critical. So that's my first point. It's critical and important because traditionally, cybersecurity has always been perceived as a cost center and a blocker. Yeah. And this changes things because now they understand that it's a business risk and it's just not the IT guys like trying to derail the project.
[00:14:41] No, it's a business risk, right? So I think that it drives better resource allocation for security. And you wouldn't believe me, before this NIS2, I would talk with CISOs, before and after, and you could see that the budget was clearly augmented post NIS2 for cybersecurity, right? Yeah.
[00:15:05] And I think the last but important is that everybody talks about culture and strategy, but having the bottom up, the people that actually do the work being security conscious, but at the same time also having the leadership, being understanding cybersecurity risks and being accountable, it creates a new dynamic.
[00:15:56] I agree. I think the way that they can balance is, for example, developing and maintaining those resilience and recovery plans. For example, drafting the business continuity plans, making sure that there's a recovery and a specific timeline associated with it. Because if you look at NIS2, the preliminary reporting is 24 hours, Neil. Yeah. And that's a game changer, right?
[00:16:24] So having something like that forces organizations to think through and then also make sure that they develop a plan in internal communications or whatever they need to do in order to roll this up. It requires a substantial reorganization, right? So defining those security requirements and that progress reporting, I think, is key, along with measuring the effectiveness of whatever the organization is trying to do.
[00:16:52] If it is the KPI in order to detect some breach, if it is the KPI in order to respond or recover, those are also the KPIs that need to be reported back. And I think the bill should also leverage those KPIs that CISOs use and make them part of their repertoire as well. And thankfully, there does seem to be somewhat of a global epiphany that working in silos is not the best way.
[00:17:19] And in cybersecurity in particular, collaboration is so important. So in your experience, what role should collaboration between governments, businesses and international partners play in better shaping cybersecurity legislation? And how do you think the UK's approach compares to the rest of the EU? Because again, I think you've got a unique vantage point here. Yeah.
[00:17:42] So if we go back, Neil, and sorry for this tangent, but if we go back and think about design thinking and policy design, right? You'll always see that one of the ways that you can create actually a policy that is successful is making sure that you get those inputs from the wider industry.
[00:18:04] So that should be part of the framework on how the UK is actually collaborating, the government, the business and the international partners, making sure that their stakeholders and their inputs are weighted, right? Yeah. Secondly, I think there also needs to be detailed guidance for those industries and having like a partner, maybe going broader, not just the NCSC, or for example, in Europe, they have ENISA.
[00:18:30] And if you look at the ENISA webpage, they provide a lot of technical support for organizations, telcos, financial services on how they need to implement NIS2, what is the risk platform, what is the best. And personally, when, for example, I was looking at the vulnerability reporting from the UK government, there was this, the Government Cyber Coordination Centre.
[00:19:00] The GC3, right? Yeah. And I was flabbergasted when you submit a report and that report goes to HackerOne, which, you know, there was a lot, a couple of years ago, there was a lot of hype surrounding this new vulnerability reporting service. And now you just click and it goes to HackerOne. So I think that just highlights how we could do better. And it's not just putting the report to HackerOne.
[00:19:28] No, we need to do better and getting that information to our industries and our economy as well. Well, we started our conversation today talking about how 13 years ago you left behind sunshine, fine wines and great food to take your tech career to the next level. But as we come full circle now, I think we can both agree that none of us are able to achieve any degree of success without a little help along the way in our career.
[00:19:54] Very often somebody sees something and invests some of their time, and that helps us in ways that they probably don't realize. So is there a particular person that you're grateful towards who maybe played a part in helping get you where you are today that we can give a little shout out and a little thank you to?
[00:20:41] Yeah, for sure. Thank you.
[00:23:21] created all around the world outside of the UK and Europe. But more than anything, thank you for starting this conversation today, Ricardo. Thank you, Neil, for having me. I think it's clear that the UK has an opportunity to create a cybersecurity bill that will not only address today's challenges, but also set a benchmark for the future. And Ricardo's insights highlight the importance of learning from the EU's NIS2 directive and focusing on supply chain risk, board accountability,
[00:23:47] and post-breach resilience. And the message is clear, isn't it? Effective legislation requires clarity, collaboration, and an actionable framework, a framework that unites stakeholders across all sectors. But what are your thoughts on this approach to the cybersecurity legislation? Could the UK become a global leader by adapting the best elements of international frameworks?
[00:24:15] Or does it indeed risk falling behind? Love to hear your perspectives on this. Please join the discussion. Email me, techblogwriter@outlook.com, LinkedIn, Instagram, X, just at Neil C. Hughes. And please remember, if you enjoyed today's podcast, check out our other seven shows over at the Tech Talks Network. So that's techtalksnetwork.com, where we now have a growing ecosystem of eight
[00:24:43] podcasts: Tech Talks Daily, AI at Work, The Business of Cybersecurity, IT Infrastructure as a Conversation, Conversations from the Show Floor, Startup Builders and Backers, Business Technology Perspectives, and Consulting the Future. There is so much content over there. And you know what? It's all free. So please check those out. Let me know your thoughts. And I'll be back again with another guest tomorrow. Bye for now.

