Incidentally, by Matt Palmer

Writing

A long-running personal blog on cyber security, assurance and governance. Subscribe via RSS.

  • 5 October 2025 · Cyber Security Management · Cyber Security

    The Emperor’s New Clothes: Why Compulsory CBTs and Phishing Tests Keep Failing

    Most phishing training, and indeed most compulsory computer-based training (CBT) modules, are largely ineffective in reducing incidents - and are therefore a waste of time and resources. Finally we have the data we need to challenge this, and find a better path to user awareness

  • 25 June 2025

    Lessons from the Titanic: when you don’t respond to a crisis

    When the RMS Titanic hit an iceberg on 15 April 1912, she set off flares and her wireless operator sent out a distress call. The RMS Carpathia responded, but by the time she arrived, the Titanic had already sunk: only those who had made it to the lifeboats could be saved. Some 1,

  • 15 June 2025

    Introducing Guernsey Cyber Security Centre

    In creating Guernsey Cyber Security Centre, JCSC are working with the States of Guernsey to ensure all the Channel Islands have access to specialist support for cyber security incidents, as well as advice and guidance to build better and more effective defences.

  • 1 December 2024 · National Cyber Security & Resilience · Cyber Security

    Is hacktivism ever acceptable?

    This week I attended CSO Online's CSO Security Summit in London, which was split into protection and culture tracks. One of the most interesting aspects of this was the focus on mental health. As any incident responder (professional or accidental!) will know, these can be very s

  • 1 December 2024

    CSO30 award: thank you

    Thank you to CSOonline for the CSO30 cyber security award this week. It's much appreciated and a pleasure to be in such good company with so many capable and passionate people. Cybersecurity is still an incredible field where no two roles, or people, are the same. Matt Palmer i

  • 10 September 2024 · Cyber Security · Incident Management

    Introducing Incidentally: Why We Must Embrace Risk and Learn From Incidents

    Progress demands risk, and incidents are inevitable. Based on 25 years of personal experience, Incidentally will explore the role of risk in driving success, particularly in cybersecurity, and how we can manage and learn from an incident or cyber crisis.

  • 27 April 2024 · Cyber Security · National Cyber Security & Resilience

    Breaking Down Cybersecurity: The Real Meaning Behind the Jargon

    What really is cyber security and why doesn't the traditional CIA triad of confidentiality, integrity, and availability work? And what's that got to do with footballs anyway? I've written this simple breakdown of the five key cyber security terms - confidentiality, integrity, ava

  • 21 March 2024 · Projects and Change · National Cyber Security & Resilience

    Applying agile principles to public sector change

    Shortly after 2001, I was one of many to sign the agile manifesto for software development. This document went on to start a global movement and change how technology change is done: from grandiose projects that often failed, to iterative change that often delivered. But agile pr

  • 11 March 2024 · Cyber Security · National Cyber Security & Resilience

    Why is Jersey introducing a new Cyber Security Law?

    Under our proposed new Cyber Security Law, Jersey Cyber Security Centre (JCSC) will have no power to fine or penalise bad behaviour. We will have no power to insist, unless through adoption of our recommendations by an existing business or regulator. No power to name and shame th

  • 25 February 2024 · Cyber Security · Cyber Security Management

    Challenging password dogma

    Most best practice advice on passwords is terrible. But why? This article explains which password advice should be followed and which advice is harmful, and shows you what a good password policy should contain.

  • 21 February 2024 · Boards & Governance · Cyber Security

    10 steps to effective board leadership on cyber security

    Boards and non executive directors can lead from the front on cyber security and reduce risk for your organisation. Yet sometimes it is not easy to find a path forward to engage in a technical area. Here are 10 practice suggestions to take forward with your cyber security leader.

  • 19 February 2024 · Non Executive Directors · Boards & Governance

    When Cyber Security Board Reports Fall Short

    Reporting cyber security to the board involves a delicate balance. Cyber security technical details need to be turned into strategic plans that match the organization's risk tolerance and business goals. Here’s how it can go wrong, and what it takes to get it right.

  • 18 February 2024 · Cyber Security · Cloud Computing

    Does moving to the cloud mean compromising on security?

    Will moving to the cloud improve cyber security, or are cloud services an unnecessary cyber risk? The transition to cloud computing is an evolution that many organisations are still undertaking to improve efficiency, scalability, and flexibility in their operations. Cloud service

  • 14 February 2024 · Cyber Security Management · Boards & Governance

    How to get fast board buy-in for your cyber security project

    To experts, the business case for cyber security change programmes can seem clear as day — it can be hard to understand why rational business leaders may say no to investment. Yet they do. Here’s how to get a yes. Winning board support for cyber security projects is a critical chal

  • 14 February 2024 · Post Incident Reviews

    Lessons from the MGM cyber attack

    On September 12, 2023, MGM Resorts International experienced a cyber attack that resulted in them shutting down their systems. The investigation is ongoing, but crime groups Scattered Spider and ALPHV are believed to have used social engineering to hack into the company. What do

  • 6 February 2024 · Post Incident Reviews

    What can we learn from the March 2017 Equifax data breach?

    The Equifax data breach of March 2017 was one of the most publicized cybersecurity incidents in recent years. Millions of people had their confidential information stolen, increasing the risk of identity fraud and even financial loss. Learning from this event is paramount for cy

  • 3 February 2024 · Post Incident Reviews

    Lessons from cyber attacks on the education sector

    In 2023, schools saw a noticeable surge in cyber attacks. Various institutions across the US and UK have been targeted by hackers who steal information, extort money, and shut down networks or systems. Learning from these incidents can help boards, directors and governors, and

  • 31 July 2023 · Cyber Security · Artificial Intelligence

    Welcome to the never-war

    The never-war is no longer about war or peace, but about continuously varying scales of conflict. It extends not just to kinetic action (soldiers and tanks) but also to offensive cyber activity. It does not have a defined start or declared end goals, and it often exists without a

  • 30 July 2023 · Cyber Security

    We’re hiring

    At Jersey Cyber Security Centre (CERT.JE), we are hiring a Head of Legal & Governance, Cyber Risk Officer & Cyber Engagement Officer

  • 25 July 2023 · Artificial Intelligence

    Our kids will share a world with Artificial Intelligence. Why is education not preparing them for it?

    For all the current hype about AI, today's remarkable large language models (LLMs) are not really it. But they are the start of a fundamental change in who we are, as well as what we do and how we do it, because it will be the LLMs and not us who will finally invent true Artifici

  • 24 July 2023 · Artificial Intelligence

    AI as a force for good

    It's rational to be concerned about AI, but we need to see the opportunity, too. That's why I'm honoured to be one of the 1,300 signatories to the BCS letter highlighting the benefits of responsible artificial intelligence.

  • 23 July 2023 · Cyber Security · Risk Management

    Crossing the road

    That malicious hacker, organised crime group or aggressive nation state doesn't care about you, and they will simply run you over. So look left and right. Do the basics. Every time.