Ben Hanson on why culture and identity will redefine cybersecurity


Ben Hanson is a renowned cyber security speaker known for his thought-provoking insights into the intersection of technology, culture, and business resilience. With years of experience advising global enterprises, he has witnessed firsthand how digital threats evolve—and how organisations must adapt their mindset, not just their defences, to stay secure. 

As companies across finance and fintech race to innovate, Hanson argues that maintaining digital integrity is not just a compliance concern—it’s an enabler of progress. He challenges organisations to rethink how they approach security, moving beyond reactive measures and towards a culture of proactive, identity-centric protection. 

In this exclusive interview with The Cyber Security Speakers Agency, Ben shares his reflections on the role of purpose in cyber careers, why cultural transformation is as important as technological investment, and how identity has become the defining frontier of modern cybersecurity.

Q1. From your perspective, why is cybersecurity such a pivotal force behind the success and stability of today’s digital economy—and what makes it such a meaningful career path?

Ben Hanson: “Well, what we do in cybersecurity actually enables the whole of society to flourish. I mean, in this day and age, that is absolutely true. Recently, I was working in a coffee shop in the village that I live in, and it was early in the morning. 

“Outside the window, I could see mums and dads walking with their kids through the village square to school, and I was working on my laptop with a very large bank, helping them through a particular security challenge they were having.

“I remember thinking as I looked outside at these folks walking across the square — what we’re doing matters to every one of those people, but none of them know it. You know, if you lose a global systemic financial institution like a large systemic bank, it doesn’t just affect cities and nations. It affects the financial systems of entire continents, which undermines the fabric of society in a very tangible, very practical way.

“So this, for me, is both the great responsibility of working in cybersecurity but also the privilege of working in cybersecurity. You can invest yourself in something that really, really matters. 

“And I think if you have a North Star in your career — that you want to invest yourself in work that’s meaningful, that’s consequential — you can’t find an industry to work in that’s more consequential than this one. So that’s what I love about it the most.”

Q2. For professionals aiming to stand out in cybersecurity, particularly within fast-moving financial and fintech environments, what guiding principles or approaches do you believe make the biggest difference?

Ben Hanson: “I’d give two pieces of advice. First of all, I would say remember who you work for and why. Security and risk management are not an end in themselves; they both exist to enable your business or organisation to achieve and sustain its goals and objectives.

“For a very long time, security organisations, also IT organisations, have defined themselves as separate from their business. You’ll actually hear technology people, security folks refer to the rest of their organisation as “the business”, as though they were not a part of it. So, we’re over here in the security ivory tower doing what we do, while all the business people are over there doing whatever it is they do.

“The problem with that, straight out the gate, is twofold. Number one: that business signs our paychecks, which leads to number two — the only reason that anyone in security even has a job is because we work for growing, successful, innovative businesses. 

“So, if you can remember that security’s job is to enable your business to achieve and sustain its business goals and objectives, it will help you not to bias towards security controls that are overly risk-averse. It will help you prioritise business enablement over simply stopping bad things from happening, because those are two very different things.

“So, remember who you work for and why.

“A second piece of advice I would give is to be careful about being overly technology-centric in security. That might sound like kind of a weird thing to say, but security practitioners tend to have technology backgrounds — I include myself in this — networks, infrastructure. That is a good thing, but it also has some consequences if you’re not careful.

“One of those is that we tend to look at problems through technology lenses, and we tend to see solutions through technology lenses. This predisposes us to what I would call “silver bullet syndrome” — technology is the answer, what’s the question? That is not true. 

“Technology can enable transformation, but it cannot sustain it. All sustainable transformation is a transformation of culture — the three Bs: the beliefs, the biases, the behaviours of your organisation.

“If you don’t also transform the way that you think about and approach security, the non-technical dynamics, any success you make in the short term you can’t sustain. You’ll find yourself drawn backwards towards where you were — and many of you will have experienced this.

“A great illustration of this is with Verizon. We all look forward to reading the Verizon Data Breach Investigation Reports that they do every year. They used to do one about PCI — so organisations that do payment card processing, payment card acquiring — and a really interesting thing they showed in the last one of these was that a significant percentage of organisations that achieve PCI accreditation in year one fail an audit and lose that accreditation in year two.

“Now why is that? It’s because organisations spend an inordinate amount of time, energy, and money trying to get somewhere, but they don’t consider what they need to do to stay there. As I said, the status quo has an incredible gravitational pull associated with it, and it takes a lot of energy to escape that gravitational pull. 

“So organisations may make some progress by deploying new technology — we do this all the time in security — but inevitably, over time, the gravitational pull of that status quo, the culture as we’ve known it, which did not evolve, pulls us back to the world that we’re trying to move on from.

“So many people will be familiar with Peter Drucker’s famous quote that “culture eats strategy for breakfast,” and I would just like to say, actually, culture eats everything for breakfast — including that shiny new security toy that you just bought.”

Q3. The cybersecurity landscape is constantly evolving. What paradigm shifts have most transformed the industry in recent years, especially in relation to identity management and digital finance?

Ben Hanson: “It’s the central role of identity in security — the “identity as the modern perimeter” idea. Attackers are becoming more identity-centric, and the industry is still trying to catch up with the implications of identity becoming essentially the central focus of what we have to protect.

“If you go back to the early ’90s, this is when enterprise firewalls came to the fore. This was before widespread cloud adoption, so it was very easy for organisations to draw a very stark dividing line delineating their traditional network perimeter, and delineating what was inside versus outside, what was trusted versus untrusted, what was us versus them.

“If you fast-forward to the early 2000s, now with very widespread adoption of the internet but also adoption of cloud, you had organisations like Jericho Forum talking about de-perimeterisation. The traditional network perimeter was eroding and was now contracting around assets themselves, and this is where we got the “endpoint is bastion” idea. This led us into very advanced endpoint protections — EDR platforms.

“We’ve now taken another step towards the central role of identity in security. I think there are three reasons why this is happening. First of all, if you look at modern access scenarios, especially post-COVID, oftentimes the user’s corporate identity is the only common factor across all of the various domains. 

“You have people using networks that you can’t control — at their house, at the coffee shop. You have people using endpoints — depending on your “bring your own device” strategy — that you can’t control, or control as well as you might like. They’re accessing data on systems that you don’t control, accessing SaaS applications that are run by someone else.

“So almost out of necessity, because it’s the only common unifying factor across all of those components, identity becomes the fulcrum around which all of these other pieces balance.

“Another reason, a second reason why this is happening, is attacker behaviour. Attackers have always been identity-focused — effectively every attack is an attack on identity at some point. Around the middle of the attack chain, attackers try to get control of privileged identity so that they can get access to the data they want.

“But even though that’s true, it’s still shifted even further. Very common attacks — attacks in the news right now — are compromising cloud-native identities, moving to cloud-native applications, compromising application service principals, connecting via API to cloud-native services, extracting data out of those services. Nothing about that attack sequence touches your endpoint.

“So, if you’re still focusing most of your attention on your devices, you’re going to miss a lot, because those kinds of attacks don’t trigger any endpoint controls — and if they do, by that point it’ll be far too late.”
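The access path Hanson describes in his last answer (a cloud-native identity signs in, calls an API, and reads data, with no endpoint ever involved) is exactly the kind of activity that endpoint telemetry cannot see, so it has to be found in the identity and API audit trail instead. The script below is an added illustration written for this page; it is not Hanson's code and does not come from any vendor's tooling. It correlates a small, constructed set of audit events: a sign-in by a service principal with no managed device attached, from an address outside that identity's usual baseline, followed within a short window by bulk API reads. The event schema, field names, baseline table and thresholds are all assumptions made for the example, not a real product's log format.

```python
"""
Spot the identity-only access pattern from an identity/API audit trail.

Added example for this page. All events below are constructed sample data,
not real logs, and the field names are assumptions rather than a vendor schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: int                    # seconds since epoch (constructed values)
    principal: str             # user or service-principal identifier
    principal_type: str        # "user" or "service_principal"
    action: str                # "signin" or "api_read"
    source_ip: str
    device_id: Optional[str]   # None means no managed endpoint took part
    bytes_read: int = 0        # only meaningful for "api_read" events


# Constructed baseline: the addresses each automation identity normally uses.
BASELINE_IPS: Dict[str, Set[str]] = {
    "sp-billing-sync": {"203.0.113.10"},
    "sp-reporting": {"203.0.113.20"},
}

# Constructed sample audit trail (not real logs); timestamps are seconds.
SAMPLE_EVENTS: List[Event] = [
    # Routine automation from its usual address: expected behaviour.
    Event(1000, "sp-billing-sync", "service_principal", "signin", "203.0.113.10", None),
    Event(1030, "sp-billing-sync", "service_principal", "api_read", "203.0.113.10", None, 10_000_000),
    Event(1060, "sp-billing-sync", "service_principal", "api_read", "203.0.113.10", None, 10_000_000),
    # Service principal from an unfamiliar address, bulk reads, no endpoint anywhere.
    Event(2000, "sp-reporting", "service_principal", "signin", "198.51.100.77", None),
    Event(2050, "sp-reporting", "service_principal", "api_read", "198.51.100.77", None, 30_000_000),
    Event(2100, "sp-reporting", "service_principal", "api_read", "198.51.100.77", None, 30_000_000),
    Event(2200, "sp-reporting", "service_principal", "api_read", "198.51.100.77", None, 20_000_000),
    # Interactive user on a managed laptop: endpoint telemetry exists for this
    # path, so device controls cover it and it is out of scope for this check.
    Event(3000, "alice", "user", "signin", "198.51.100.5", "laptop-42"),
    Event(3100, "alice", "user", "api_read", "198.51.100.5", "laptop-42", 100_000_000),
    # A later, legitimate run of sp-reporting from its baseline address.
    Event(4000, "sp-reporting", "service_principal", "signin", "203.0.113.20", None),
    Event(4050, "sp-reporting", "service_principal", "api_read", "203.0.113.20", None, 60_000_000),
]


def find_identity_only_sessions(events: List[Event],
                                baseline: Dict[str, Set[str]],
                                read_threshold: int = 50_000_000,
                                window_s: int = 900) -> List[dict]:
    """Return one finding per sign-in that (a) involved no managed device,
    (b) came from an address outside the principal's baseline, and (c) was
    followed within window_s by device-less API reads totalling at least
    read_threshold bytes from that same address."""
    by_principal: Dict[str, List[Event]] = {}
    for ev in events:
        by_principal.setdefault(ev.principal, []).append(ev)

    findings: List[dict] = []
    for principal, evs in by_principal.items():
        evs = sorted(evs, key=lambda e: e.ts)
        known = baseline.get(principal, set())
        for i, ev in enumerate(evs):
            # Only device-less sign-ins matter here: anything with a device_id
            # would also show up in endpoint telemetry.
            if ev.action != "signin" or ev.device_id is not None:
                continue
            if ev.source_ip in known:
                continue
            total = sum(
                e.bytes_read for e in evs[i + 1:]
                if e.action == "api_read"
                and e.device_id is None
                and e.source_ip == ev.source_ip
                and e.ts - ev.ts <= window_s
            )
            if total >= read_threshold:
                findings.append({
                    "principal": principal,
                    "principal_type": ev.principal_type,
                    "source_ip": ev.source_ip,
                    "signin_ts": ev.ts,
                    "bytes_read": total,
                })
    return findings


if __name__ == "__main__":
    for f in find_identity_only_sessions(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"identity-only bulk access: {f['principal']} from {f['source_ip']} "
              f"read {f['bytes_read']:,} bytes after sign-in at t={f['signin_ts']}")
```

Run as-is it reports only the sp-reporting session from 198.51.100.77. The billing automation is skipped because it used its baseline address, alice is skipped because a managed device took part (so endpoint controls have a view of her session), and the later sp-reporting run is skipped for the same reason as billing. The point of the design is that every signal used comes from the identity plane (who signed in, from where, whether a device was attached, what the API returned), which is the only place this access path leaves a trace.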

This exclusive interview with Ben Hanson was conducted by Mark Matthews of The Motivational Speakers Agency.