2025: AI-powered cyber threats & next-gen security: key priorities, strategic investments, and executive buy-in

tmc3’s Interchange 2025 Roundtable brought together industry leaders to discuss the evolving cybersecurity landscape in the public sector. A key theme throughout the discussion was how AI-driven threats, supply chain vulnerabilities, and regulatory challenges are reshaping the way organisations must approach security. Public sector bodies often struggle to keep up with the rapid advancement of AI-powered cyber threats, lacking the internal expertise and resources to effectively respond. Participants emphasised the need for greater collaboration, regulatory flexibility, and proactive risk management to address these emerging risks.

One of the most pressing concerns raised was supply chain security. While organisations can mandate cybersecurity certifications like Cyber Essentials+ and ISO 27001, enforcing compliance across complex supply chains remains difficult, especially when smaller subcontractors are involved. The group debated whether uniform security requirements should be introduced across the public sector's supply chain to create consistency and improve resilience.

Another critical issue discussed was the role of AI in both cyberattacks and defence. While AI is enabling attackers to automate phishing, deepfake social engineering, and exploit development, the fundamental nature of cyber threats remains unchanged. Organisations must shift towards AI-driven security tools to improve threat detection and response capabilities. However, concerns were raised about whether existing regulations are too rigid, potentially slowing down the adoption of innovative cybersecurity measures.

Leadership accountability was another major topic, with a focus on CTOs, CISOs, and DPOs. Many organisations continue to struggle with legacy IT infrastructure, which presents significant vulnerabilities. Leaders must take a proactive approach to identifying and mitigating risks rather than ignoring outdated systems until they become critical failures. The discussion also highlighted how smaller organisations, which often lack the budget for a full-time Chief Information Security Officer (CISO), could benefit from outsourcing cybersecurity leadership through a virtual CISO (vCISO) model. This would allow them to access high-level expertise without the cost of a permanent hire.

The human element of cybersecurity was another key focus. Organisations need to prioritise cyber awareness training to reduce risks associated with human error. Implementing structured phishing simulations, role-based security training, and executive briefings can help build a stronger security culture. The roundtable also explored whether mandatory device downtime outside of working hours, a practice seen in financial services, could reduce cyber risks in public sector environments.

A major challenge for many public sector organisations is securing funding for cybersecurity initiatives. To gain leadership buy-in, cybersecurity teams must be able to quantify risks in financial terms and demonstrate how cyber incidents impact business operations. The group emphasised the importance of embedding security requirements into procurement policies to ensure vendors meet security standards from the outset, rather than treating cybersecurity as an afterthought.

The roundtable discussion at Interchange 2025 provided valuable insights into the evolving cybersecurity landscape. A huge thank you to all who attended and contributed to these discussions. We look forward to continuing these important conversations in the future.
