The Internet Will Never Be This Secure Again, IIE's Kevin Curran on AI and Cybersecurity

[00:00:00] So a big thank you to NordLayer for backing the podcast and supporting the kind of real-world cybersecurity conversations that we need more of. Because as someone that records 65 plus interviews a month, I've personally seen a huge increase in browser-based attacks over the past year, whether that be phishing, malicious extensions, account takeovers, the list is long. And it's all happening where people spend most of their time, inside the browser.

[00:00:29] So NordLayer's new business browser, that's built to address exactly that. It blocks malicious sites before they load. It limits risky behaviors like uncontrolled downloads or data sharing and gives you visibility into how your team interacts with web apps. And it also helps you stay compliant by controlling access and enforcing policies without the need to rely on multiple disconnected tools.

[00:00:55] So for anyone listening that is thinking seriously about reducing risk in SaaS-heavy environments, this feels like a smarter and more focused approach. And you can learn more about it by visiting nordlayer.com slash browser. Let me know what you think. But now, let me introduce you to today's guest.

[00:01:19] What if the biggest cyber security threat in 2026 is not the attack that you see coming, but the one being quietly built by the very tools that we're all racing to adopt? Well, my guest today is Professor Kevin Curran. He's a professor of cyber security at Ulster University. And this conversation felt like sitting down with someone who has had a front row seat to the entire evolution of our digital world.

[00:01:48] Because he has spent decades teaching computer networks and cyber security, worked extensively with the industry and advised on legal cases and given thousands of media interviews, translating deeply technical issues into something that everyone can understand. A man after my own heart. And what I loved about this discussion today is that it goes far beyond the usual headlines about skills shortages and cyber risk.

[00:02:16] We're going to get into why cyber security has become such a massive priority. Why that talent gap still exists and how AI is already reshaping both the threat landscape and career opportunities around it. And he'll also talk about why this could be the moment where junior talent, career switchers and AI native professionals all collide to become some of the most valuable people in the room.

[00:02:42] And there's a real sense of urgency in this conversation because we're going to talk about why keeping software updated still matters. Why security certifications carry very real weight and how universities need to rethink what they teach and why agents, plugins and AI workflows. All these things create a whole new layer of risk that many organizations are possibly not fully ready for yet.

[00:03:06] So if you want a conversation that blends practical advice, big picture thinking and a few honest warnings about where this may be heading next, you're going to have a lot of fun with this one. But enough from me. Let me introduce you to my guest right now. So thank you for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do? Yeah, my name is Kevin Curran. I'm professor of cyber security at Ulster University.

[00:03:34] I have been there 27 years in a teaching role. So I do the usual. I teach computer networks for 27 years. Not many people have the same module for 27 years and cyber security for the last maybe 12 years. Because, again, cyber security was not a subject when I was in college. And, you know, I publish my supervised research students. I work with industry.

[00:04:03] I do a lot of legal work in court cases as a legal expert. That increases over the years because everything now is digital. And I do a lot of media, which is probably one of the most exceptional things about me. Two and a half thousand interviews over the last 18 years. Well, it's a pleasure to have you join me today. There's so many things I was excited to talk with you about.

[00:04:26] Because when it comes to cyber security, it's so attractive, especially for younger people now entering the workplace, wanting something that will future-proof their career. I say to anybody that asks me, I say, head for cyber security. One, there's like 10, 15 different fields that you can enter. Zero percent unemployment. And you can work anywhere you want in the world because the demand is that high. But as you said a few moments ago, 15 years ago, nobody was teaching this stuff in school.

[00:04:54] So how do you explain the cyber security talent gap that we're seeing here and its potential impact on the industry? Because there's no shortage of demand. It's getting that talent into the funnel, isn't it? Absolutely. When I started using computers and went to college, there was no passwords on computers. You went to your computer, you had your floppy disks, and you took your floppy disks with you. Then we had hard drives again. You might store something else.

[00:05:22] But everything was, there was no need to worry about cyber because none of us had any bank details on our computers. Websites didn't really exist back then. There was nothing confidential. All of a sudden, the web came. And then we started to do commerce on the web. And then, of course, we have social media. And then we had cameras with phones. And all of our photographs were digitized.

[00:05:46] So all of a sudden, a computer or a phone or a tablet became a hub, which contained a lot of private information and a lot of banking details again. And, of course, companies stored a lot of personal identifying information. They stored credit cards. And there was also incentive for hackers because there was no hacking back then. You couldn't make money. So what's happened really is, of course, private information is held and we've got to keep that secure.

[00:06:13] Then a marketplace emerged for hackers and nation state hackers, you know, agencies. So for crypto, of course. And there was an incentive because the early viruses were just proof of work, proof of concepts. You couldn't make money. Then crypto came along. And all of a sudden, you could or tried to remain anonymous and look for payments from ransomware and from denial of service attacks.

[00:06:39] Then also your ordinary criminals who just look to scoop up all the credentials about Bitcoin and whatever else. So there is money to be made out there. So all of a sudden, the infrastructure that we all started to use became very important to secure. So hence, we we ended up with a brand new kind of area of computer science, which is cybersecurity. And as you said, there are so many areas into it. You know, there's a networking aspect.

[00:07:05] There's a reversing program code looking for exploits. There's penetration testing, cloud security. You know, so you pick your area as such. And it's one of the most crucial areas, of course, because now, especially companies are have to be compliant and they are subject to fines.

[00:07:26] So no longer is it, you know, does the IT manager or this chief information security officer, whoever they are, whatever title they have, have to go begging to the C-suite. Because the C-suite already know about compliance. And again, so the budgets have increased, of course, because people have learned, companies have learned. Again, there's unfortunately, you know, Marks and Spencer is may go out of business because of that cyber attack. You know, people have moved on.

[00:07:55] People will go for the cheaper prices and where the resist the path to resistance is easiest to shop. And they will have found other outlets again and Land Rover Jaguar again. So and unfortunately, I feel this will be the year of the major strikes. I think today's the first time I've said it. It came to me yesterday. The Internet will never be as secure as it is now. And I think, well, it doesn't seem that secure.

[00:08:22] But when we look back, we'll see, oh, my goodness, we wow. I can't believe I didn't have to do this and this and this back in the start of 2026. I hope I'm wrong because. Yeah, I mean, you mentioned the Marks and Spencer's and Land Rover there. I think those two attacks were responsible for over one billion pounds alone, as it shows you the scale of what we're talking about here.

[00:08:49] And I mentioned there's a lot of opportunities for students and people wanting to enter the workforce now. But I would also argue there's an opportunity for everyone here, especially when we're talking about AI replacing or displacing certain job roles. There's a whole other heap of job roles that are being created here. So how can organizations maybe make cybersecurity an attractive field for career switchers, too? Because there is a great opportunity there, isn't there? Absolutely.

[00:09:17] Again, they've got to be competitive salaries. Yeah, yeah. And again, bring them to training as such. But type people are always wanting to upskill, you know, and people know that, you know, what I like teaching about cybersecurity, because it's kind of like doing a degree in psychology. Even if you didn't get a job and the jobs are there. But, you know, you have learned things which are very important for life.

[00:09:44] And someone who studies psychology and pays attention will not suffer the slings and hours of someone else who has never thought about how humans operate and the common pitfalls. Same with cybersecurity. Because even if I know many of my students will go into different fields, you know, within computer science. Every one of them needs to know about cybersecurity and the attack vectors.

[00:10:08] And it's great to have a ground up view like I have. In other words, where I understand cybersecurity to really understand it, you've got to know your communications. What's the difference in Bluetooth and Wi-Fi and Zigbee and GPS and you name the protocol, the bandwidth, whatever else, because they all have different attack vectors again and ways to get into machine. And then within a machine, what is runnable?

[00:10:36] Now, that has slightly been blurred at the moment with agents because you don't know which level of the stack and it seems to have access right down to the low level. But generally, it's great being able to know, you know, how the broader computing devices and phones and, you know, where are the real risks, of course.

[00:10:56] And after each semester, really, you know, I go through everything, well, not everything, as much as you can from cryptography, the primitives, trust no one, the CIA triad, confidentiality, integrity, availability. These are the, you know, what we're always striving for in cybersecurity. And then we go into pen testing, the protocols, whatever else. But ultimately, it comes down to, and this is very valid for people in these coming weeks, is to keep your software updated.

[00:11:26] If the operating system on your device asks, tells you there's an update available, just take it. Especially in this weather right now, given what happened, one of the biggest events in the cybersecurity industry happened this week in the last two days. And that was Claude and Tropic have announced that their latest model, Mythos, will not be given to us,

[00:11:53] but rather given to the consortium, the likes of Amazon Web Services, Apple, Google, and others, because it is so effective to find the security flows. And it's better than the greatest penetration tester on Earth. So there's power there. So that has shaken the landscape, because now we can see, again, an anniversary. And of course, you straight away go to nation states, knowing the power that they have, knowing these flaws, whatever else.

[00:12:22] We have to see how we navigate this space in the coming months, really, and obviously years, if we have. But that has been a major wake-up call to the industry. And of course, for any business leaders listening, and they want to hire the staff to improve their cyber hygiene and be more compliant, etc., finding someone with the right certifications combined with the experience that they're looking for is a very, very challenging task,

[00:12:48] especially when you're looking for the right price, because so many people in demand right now, getting somebody at your budget can be difficult, too. So instead of hiring new people, how can companies effectively upskill the talent that they already have, people that want to upskill and are passionate and are looking for that entry point? There is wonderful training, obviously, online and certificates. And it's the one industry sector within computer science where certificates really do matter.

[00:13:17] A lot of the other – I mean, you could say that. I mean, of course, data science has its – and whatever else. But no, generally, a lot of other fields, you generally go on your CV and your experience, and maybe it was on your LinkedIn profile, and you're hired as a developer. But cybersecurity, especially, you're looking for the ISAC certificates and, you know, the Google, Microsoft, whatever else. But – and your CISP and – and these have been proven, and these are, you know, whatever is to pen testing,

[00:13:46] Red Team, Bluetooth, whatever you want. But certificates within cybersecurity are a must. I always encourage my students to register for, you know, some easy hits you get along the way, which are free, you know, on Amazon and Cloud. You know, it's in their interest, of course, to provide free certificates. I guess, but even the key ones are not that expensive, some of the security plus and all that, a few hundred.

[00:14:11] So that is the number one way because the materials, yeah, are kept fairly up-to-date and relevant. And, yeah, can be more up-to-date, of course, than a university course because you're teaching more or less the core principles. So cybersecurity courses are a must. You know, especially when you're younger, you shouldn't really have free time. You should be pushing yourself to up-skilling these sectors.

[00:14:36] And, in fact, yeah, there is one trainer I use quite a lot. I use their free labs with my students. And, I mean, it's – try HackMe. And I love their model. And there's some great courses on there. And it's not expensive. And they've got different pathways. And what's great about try HackMe is you log on to the website. You pick the module or whatever it is.

[00:15:02] And it will launch your VM in one half of your window. The other half is your exercises and your step-by-step. And there's walk-throughs. And you never get stuck. And it just works from anywhere on your tablet, on your – you know, you don't need to have the old-fashioned VMs installed and trying to keep them up. And what happens when you're remote? Try HackMe is a wonderful resource for people breaking into the industry.

[00:15:29] Big thank you to Donodo for supporting the Tech Talks network and making these conversations possible. Because when your lake house stores the data, the real challenge is getting that data where it needs to go and faster. And your lake house stores the data. But Donodo helps deliver it faster. So with real-time access, built-in governance and a business-ready data marketplace,

[00:15:57] Donodo can help your teams unlock insights without costly duplication. And you can learn more by simply visiting Donodo.com. For schools and universities that are rethinking their approach to cybersecurity education, any tips there on keeping pace with the evolving industry? Because it's moving at such a rapid rate, isn't it? Very much. I mean, the obvious one, though, is AI. Is to incorporate AI.

[00:16:27] And quicker than we would have thought, academia has to move from what we were doing before, which is maybe the principles of software engineering. How does a decision tree work? You know, binary search. Because now coding is done by the machine. And we become orchestrators. And no one's really arguing with that.

[00:16:52] You know, now it really is direct in the cloud code or codex, whatever, telling what you want. And, of course, the best people using this are the people who have planned properly, broken it down into steps, and verified. And, of course, have the right skills within their plugins. And they're building gradually out their AI and their test frames as well. But they're not coding anymore at a certain level. They're trusting.

[00:17:19] And, again, so we, academia, we can be seen as too fine-brained in an old-fashioned way. Now we should be moving up the stack and saying, okay, now you're speaking to the computer. Of course, you have to, of course, if you're in this prize, you have to be able to work it out, how to, you know, how to incorporate with the still same workflow the industry has, which goes on to the pipeline. There is testing there. But still, you're not expected to write hand code anymore.

[00:17:46] So to be an orchestrator, to know how it works, to know how to test it. And the same with cybersecurity. It's to see now that you're not just sitting there with a blank sheet, and you go off manually, and you do a pen test. But now you use kind of a tool higher than that. And you're able to orchestrate. And just, and again, it goes back to judgment. What people are all saying about the future of AI is it belongs to those who have good judgment

[00:18:10] and have domain expertise and know how to use AI as the Einstein in a box, but how to verify it, validate it. And they're the ones who will get ahead. But I wouldn't dream of teaching now without incorporating AI in most steps and frameworks. And there still is a bit of, yeah, there still is a nervous energy within the industry. Most of us, we see the agents are kind of a natural progression.

[00:18:40] And that is an LLM behind it. And of course, local models will become more useful, which they are now very much more widespread because of the security implications. And they can be perfect at just for the tasks that you need on a local. And then you can obviously offload or use the LLM broader models online when you need them, the frontier models.

[00:19:07] But you can get a lot done with local models. So we believe the agents, and then it's the agent harness as well. And NVIDIA, of course, have come up with Nemo Claw, because Open Claw seems to be such a winner at the moment with a lot of support. But it's not for everyone. And then there's Herms, which people are moving to. I've looked at Paperclip. But I've experienced what I've noticed a lot of other people within the AI business or within the AI sector in the last few weeks and months have experienced.

[00:19:35] It's a burnout because I follow so hard. And I don't want to miss out because I'm competitive. But there's so many options. And I see it from here and there. And it's hard to filter out the, especially on X, which is a great place to follow AI leaders. Most of them are there so much quicker than anywhere else is on X, where the conversations are taking place. But you really get torn. And I've been exhausted some days.

[00:20:03] But it was good that I know I'm not alone. And in some ways, I've got to hold back. And the one lesson I've learned in recent weeks is not to be too quick with implementing, downloading, and installing and running with, because flaws are being found very much in the gold rush. And I believe, actually, most companies really right now should nearly rip out every skill they have or examine them because I think a lot of the nation state hackers and even the main hackers

[00:20:32] themselves have uploaded a lot of skills, a lot of LLN material, which is generally imported as skills, knowing that they can exploit them whenever in the couple of weeks, months. And because we're just trusting too far that we've broken out of enterprise environments, out of sight of firewalls, outside of all the seekers we've been putting in over the last few years,

[00:20:56] because it is very hard for any kind of endpoint detection system to follow every single, whatever. It's really important, especially when the application layer, someone downloads cloud desktop and then starts uploading skills and everything else. And it's just random packets going out over the, you know, out over the ether. So I think skills will be a huge problem in the, until we have, you know, that kind of again, kind of a guarded app store again.

[00:21:26] Could we, we know they, we know the benefits of Apple having guardianship over the app store. It just is a lot safer than an app store where anyone can upload anything. And it's good to have a guardian there. So we need something like that for skills, especially in plugins of all sorts for the AI era. Such a great point there. And there's also a lot of nervous energy around AI removing some of the entry roles. And of course, investing in junior level roles, apprenticeships and non-traditional pathways

[00:21:55] have always been seen as a way to broaden the candidate pool. And I'm sure that will continue. But from your point of view, what is something that maybe a junior level person could bring to a security team maybe a security expert might lack? Do you see anything there? Any examples? Persistence really. And yeah, the tools, the easiest way for someone, for some young person is to become AI native.

[00:22:24] It's to go into that job and basically just have all the frameworks up, all the tools, figure out where AI is going to, because that can easily jump ahead of someone who's stuck in the old ways. The developers are 20 years and there is a sorrow. There is a definitely universal sorrow within. Once you understand it, I've had it.

[00:22:49] I've gone through it in January in my bed, staring at the ceiling when I realized that I have to readjust because of AI. You know, I can see the end and I can see along the way, I can see everything, of course. And I don't know the end time for AGI or whatever else. But I can see my job as a professor. I can see universities being shaken.

[00:23:15] I can see, obviously, I can see the cybersecurity nightmare potential along the way. But I'm also, you know, but I'm not living in fear. I just had to readjust. And I think everyone has to do that. It's just that we're ahead of the game, us in tech. Anyone that's paying attention. Everyone would have to go through some sort of metamorphosis. And it's fine because ultimately we shouldn't be defined just by the role we do. We're much larger as humans.

[00:23:46] But what I would do is just go knees deep into AI and figure out the frameworks, figure out about Asians, figure out about how do you talk to this machine? I'm still trying to. I'm still trying to find out how do I talk? How do I get the best responses from it? How on earth does telling it that you are a role X, you've seen, I don't know if you've seen those prompts. Yeah. Or you tell it, you are a world leading whatever.

[00:24:11] That, again, I want to understand that fully because to me, why would that, how on earth would that steer it? Because without telling it you are a world leading expert, if I ask it a question, any of the models, why doesn't it give me the best answer? Why did I have to tell it about the role? You know, and so I, again, I want to know about it. You know, I want to know about the way, you know, not so much the way it's. I want to understand it.

[00:24:40] So the best analogy is, like I said, I see, obviously I can only see in a 3D dimension, but I see valleys and peaks within this LLM of a trillion parameters. And over in some corner is a valley and is to do with tractors. And then there's a valley, maybe a layer above it, which is even larger, and that's farming.

[00:25:07] And then something to do with agriculture and the earth over there. And then with tractors, you have whatever goes with that, you know, different things. And in other words, that the LLM itself has ridges and valleys and the sharper the ridges, the more accurate or deep it is about a topic. And that's it, because it is new. I've never had to think. With Google, you just knew, OK, keywords matter. You do a search and it'll do its best to get back to you.

[00:25:36] But with so much information coded, almost everything, you know, and we know ultimately a store in vectors and matrices, whatever, but that doesn't help. Yeah. And then you have different representations as well. You know, the representation space, as we say. So, yeah, I'm intrigued and I'm determined, you know, to understand as much as I can about how to interact and get the best out of this beast.

[00:26:06] Absolutely love it. That passion really shines through. And I'd love to get a few takeaways for people listening to maybe take away an action and think about. And we've talked about how AI is transforming the threat landscape. But what are the top AI related skills that cybersecurity professionals need now? How can they be trained in them? What should they be doing if they want to get involved in this and be working in this field?

[00:26:33] I was, you know, a quick win probably is agents. Yeah. Study agents and even be framework agnostic. Like, you know, it doesn't have to be Claude or it doesn't have to be Herms or whatever else. Just understand, OK, an agent is generally something. Yeah. It's a task you give and some way you've got to control it.

[00:27:01] And an agent can also be because we're seeing the shadow organizations, not the right word, but we're seeing organizations being broken down into roles. Again, with Paperclip and these frameworks where you have CEO and then CFO and you have your again. And you can import organizational charts which correspond to different sectors.

[00:27:21] And again, the Gary Tan one is the one I used within Paperclip because it's a kind of a program and it's got audit checks for code and whatever else. And so in other words, understand agents and how that businesses generally look like they're moving towards agent architectures where every role is taken by an agent and an agent has a predefined task.

[00:27:44] Now, of course, then you could try to build your marketing agent from start by telling it roughly, you know, or even shadow on the person you have in marketing at the moment. But generally people import these marketing kind of personas and they do all the tasks, go here, go there and everything else. But understand the agents will more or less replicate humans. There'll be a lot of agents probably bring down social networks and everything else, but they have tasks and then you can set them to run. You can improve them.

[00:28:14] They can be self-improving, of course. We're in this era, these magical eras, of course, where skills are and you can set out a research task and it doesn't stop. The auto research loop by Andrew Karpathy, the guy behind Tesla and OpenAI. He's one of the most amazing guys on AI. He's given away a lot of advice free. Again, he's a guy who developed self-drive, full self-driving for Tesla. He was head of AI at Tesla. He's also one of the co-founders of OpenAI and a nicer guy you couldn't meet.

[00:28:43] And he's adored by people because he's kind of well, most people in tech are honest, actually. You know, it's just a fact. You know, we're knowledge cravers as such, but we are very truthful. But agents is it. So understand agents, how they're going to be in it. But also then, OK, then look, look at the stack and see, OK, well, here's an agent going there, but it needs credentials.

[00:29:05] How do I know someone doesn't hijack my agent and take on my agent and scoop on my PayPal account, my Revolut, my bank? It doesn't exfiltrate documentation again because this is a new area. So therefore, it's an easy way for you to jump, jump over the people who were there 20 years before you, 10, that they're in their area.

[00:29:26] But you have thought deeply about agents and you've been researching the course, you're keeping up to date and you're seeing, OK, I'm going to look for the source of sync of everything in my company or the company just hired me. You know, where are the loopholes? Where might our personally identified information be leaked? What are others doing? How can I restrain the company but also give freedom to developers? Because that's a balancing act at the moment.

[00:29:52] AI can do so much, but you're nuts if you give it complete freedom by bypassing all the compliance we already have. Likewise, if you're really restricted and you ban everyone from coming in, even with your phone on them or a laptop and you nail it down, well, then you're going to be out of business possibly in a year or two.

[00:30:12] So companies have to find the balance between degrees of freedom for innovation and also like not completely getting snookered by via coding or just exfiltration of data. But agents, for me, would be the place to start and see how that transforms and whatever else. And in a larger scale, if it wasn't even cybersecurity, it would also be workflows again, which because not everything that can be automated needs to be automated.

[00:30:40] Some things which are automated shouldn't be and some things which aren't automated should be. So, again, that's a very good skill to have to know what within the organization should be and shouldn't be. But definitely to see how those agents know and these frameworks, how do they fit in? And how can we protect our users and our company from prompt injections and all these new, you know, attack vectors? So many big points there.

[00:31:07] And for people listening, I will include a link to your LinkedIn. I know you're very active there. You post a lot of great content there. And I also put up a link to try and hack me that you mentioned. Anywhere else you'd like me to pop a link on there for anyone wanting to carry this conversation on that we started to today? Because we may have given somebody a light bulb moment out there. So I will have links to everything that I mentioned there. I encourage people listening to, first of all, read some of the content that you're putting out there. Great work, by the way.

[00:31:37] And also, I'd love to stay in touch with you. See how this continues to evolve. The speed of change is just phenomenal at the moment. So it'd be great to get you back on either later this year or early next year. See what's happening there. But more on earthy, just thank you for taking the time to sit down with me today. Appreciate you, Tom. No, that's all, Neil. It was lovely to meet you. And I'd love to be back on again. Of course, yeah. Anytime. There was so much in that conversation today with Kevin that could easily stay with you long after this episode ends.

[00:32:03] One of the things that stood out to me is that cybersecurity is no longer some niche technical discipline that's sitting quietly in the corner of a business. It's now tied to resilience, trust, compliance, growth, reputation, and increasingly, survival. So when Kevin says the internet may never be as secure as it is right now, that is the kind of line that should make us all sit up a little straighter.

[00:32:31] And at the same time, I do think that there is something encouraging here for all the anxiety around AI automation and changing job roles. This is opening doors for people willing to learn, adapt, and move quickly. So whether you are a student, someone that wants to switch careers, or someone already in tech trying to stay relevant, I think Kevin made a strong case that there is still huge values placed in curiosity, persistence,

[00:32:58] and a willingness to get hands-on with the tools that are shaping the next phase of this industry. And I also loved his honesty about the human side of all this. Yep, even experts are trying to keep up. Even people deep in the field are rethinking how they work and what they need to learn. And how fast the ground is shifting beneath them is something we all feel. And hopefully that makes it feel less like a story about fear and more about adaptation.

[00:33:27] And maybe there is a real takeaway here, that the people who do well in this next chapter won't be the ones pretending everything is under control, but the ones paying attention, asking better questions, and learning fast enough to keep pace with the change. So are you and your organisation doing enough to prepare for an AI-shaped cyber security future? Or are still many of you still treating it like tomorrow's problem and putting out fires today?

[00:33:55] Love to hear your thoughts. TechTalksNetwork.com. You'll find this and 4,000 other interviews over there. So many amazing insights from fantastic guests. Please check those out and send me an audio message or a DM over there, and I'll get straight back to you. But that's it for today. So thank you for listening as always. And I'll speak to you all again very soon. Bye for now. Bye for now. Bye. Bye.