After nearly thirty years in cyber and crisis leadership, Sarah Armstrong-Smith says the thing most people in her position won't: whatever we're doing isn't working. We sat down at InfoSecurity Europe to talk about why more technology keeps making things worse, the human being behind every "X million records," and the worst-case scenario that keeps her up at night.
There is a con called the Spanish Prisoner. A letter arrives from a stranger: a wealthy man sits in a foreign jail, and for a small advance to free him, he will reward you many times over. The trick is at least four hundred years old. It is also, give or take a few details, the email sitting in your spam folder this morning.
I keep that in mind whenever someone tells me cybercrime is a technology problem. The tools change. The mark does not. We are still robbed through the same prehistoric wiring: a flash of fear, a moment of greed, a decision made in panic before the slow part of the brain wakes up. That is the thread I pulled on with Sarah Armstrong-Smith at InfoSecurity Europe.
Sarah spent nearly thirty years in cyber and crisis leadership, was Chief Security Advisor at Microsoft, and now runs Secure Horizons. She has written two books on the human side of all this and sits on the UK Government Cyber Advisory Board. After all of it, she says the thing most people in her position will not say out loud: whatever we are doing is not working. More tools, more money, more people, more AI, and the problem keeps getting worse. Attack, wake-up call, attack, wake-up call. How many wake-up calls, she asks, does anyone need?
I asked what keeps her up at night. She described an industrial accident on the scale of 9/11, triggered through a network: the first time a cyber incident kills people in numbers. We have been lucky so far. She doubts luck is a plan.
The industry loves a big number, and the number is exactly where the human disappears. X million records stolen, Y terabytes gone. The day before, my friend Geoff White sat in this same chair and described a ransomware attack that shut down a hospital, which meant a woman missed the cancer appointment she had counted on. That is an Armageddon, and it has a name and a face. Sarah, as it happens, knows Geoff’s work well enough to carry a line from him on the back of her book. The human element keeps finding the same small circle of people willing to talk about it.
So how do we move this from a line item to a fact of society? Her answer is collective resilience. There is no prize for being the last one standing, because we are all wired into the same supply chain, the same dependencies, the same brittle web. And the smallest businesses, the ones without a war chest to ride out the storm, are the ones we discuss the least.
Then a statistic. Close to half of all crime in the UK is now fraud or cyber. Around one percent of policing is pointed at it. Read those two numbers again. We fund what we can see, and we want officers on the street because a visible patrol both deters the thief and reassures the neighbourhood. The crime that actually empties our accounts happens somewhere we have agreed not to look. Follow the money, Sarah says, and you rarely stop at one criminal’s pocket. It pays for the next thing: drugs, weapons, and more often than people imagine, the trafficking of human beings.
Will AI save us? She did not flinch. Whatever you build to detect, the other side uses to evade. The asymmetry holds. Technology is part of the answer and never the whole of it, because the problem was never only technical.
So what do we carry forward, and what do we leave behind? We carry the person behind the number: the one who misses the appointment, the small shop that never reopens. We leave behind the fantasy that a clever enough machine will spare us the harder work, which is teaching a whole society to recognize the Spanish Prisoner when it arrives, wearing this year’s technology.
Sarah’s books are linked below, with a second edition on the way. Geoff’s conversation is part of this same coverage. And if you want more of these, the newsletter lives at marcociappelli.com.
Let’s keep thinking.
— Marco
Marco Ciappelli is Co-Founder & CMO of ITSPmagazine, Co-Founder & Creative Director of Studio C60, Branding & Marketing Advisor, Personal Branding Coach, Journalist, Writer, and Host of An Analog Brain In A Digital Age podcast. Born in Florence, Italy, and based in Los Angeles, he explores the intersection of technology, society, storytelling, and creativity — with an analog brain, in a digital age. His on-the-ground event coverage is produced with ITSPmagazine co-founder Sean Martin under the On Location With Sean Martin And Marco Ciappelli banner.
🌎 marcociappelli.com | itspmagazine.com | studioc60.com
Sarah Armstrong-Smith is one of the most recognized voices in cybersecurity and crisis leadership, with nearly three decades on the front line of major incidents, beginning with the Millennium Bug. She served as Chief Security Advisor for Microsoft EMEA from 2020 until 2025, and earlier led business resilience and crisis management at the London Stock Exchange Group, with senior roles at Fujitsu, EY, and AXA. She is now Executive Director of Secure Horizons. A Fellow of the British Computer Society and a member of the UK Government Cyber Advisory Board, she is the author of two Kogan Page books — Effective Crisis Management (2022) and the Amazon No. 1 bestseller Understand the Cyber Attacker Mindset (2024), with a second edition on the way. Her work centers on the human element of security: the psychology of attackers, the people behind the headlines, and what it takes to build collective resilience.
LinkedIn: linkedin.com/in/sarah-armstrong-smith
Website: saraharmstrong-smith.com
TRANSCRIPT SUMMARY & QUOTES — Sarah Armstrong-Smith | InfoSecurity Europe 2026
(Host: Marco Ciappelli — An Analog Brain In A Digital Age / On Location)
----- EPISODE SUMMARY -----
Recorded On Location at InfoSecurity Europe 2026, Marco Ciappelli sits down with Sarah Armstrong-Smith — former Chief Security Advisor at Microsoft, now Executive Director of Secure Horizons, author, and member of the UK Government Cyber Advisory Board — for a conversation about the human element of cybercrime. After nearly three decades in cyber and crisis leadership, Armstrong-Smith makes an uncomfortable case: despite more tools, money, people, and AI, the problem keeps getting worse, and the industry keeps treating each attack as a fresh wake-up call. She names her worst-case scenario — a 9/11-scale incident triggered through a network, with real fatalities — and argues for reframing cybersecurity away from headline numbers and toward the individual human being harmed, the patient who misses a cancer appointment, the small business that never reopens. The two trace how the newest attacks rely on the oldest human wiring, from the centuries-old Spanish Prisoner con to modern social engineering, and why this is a whole-of-society problem rather than an IT one. Armstrong-Smith points to a stark mismatch — close to half of UK crime is now fraud or cyber while roughly 1% of policing addresses it — and follows the money to its darker destinations in organized crime and human trafficking. On AI, she is clear-eyed: it will arm defenders and attackers alike, and it will never be the savior. The fix, she argues, is collective resilience and education across society. A second edition of her book is on the way.
----- 3 QUOTES — SARAH ARMSTRONG-SMITH -----
On the core problem:
"We've got huge amounts of tech, huge numbers of people, and now AI, and ultimately it's getting worse. We repeat the same thing over and over, then act surprised when it's another attack, another wake-up call."
On the worst case:
"My worry is a 9/11-type incident, an industrial accident of a size and magnitude where we end up with fatalities. Are we going to wait for that before we ask what we're going to do?"
On where it really leads:
"Follow the money. It's rarely just lining someone's pockets — it funds drugs, weapons, and more often than not, the trafficking of humans."
----- 3 QUOTES — MARCO CIAPPELLI -----
On reframing the number:
"We always talk about big numbers in cybersecurity. But a hospital shutdown means one person doesn't get the cancer treatment scheduled today. That is an Armageddon."
On the oldest con:
"You go back to the Spanish Prisoner — knocking on the door, pretending to be someone else. We're working with our prehistoric brain, and that's how you make people decide in a moment of panic."
On the answer:
"We need a serious societal intervention — to talk about this in schools, at the basic level — instead of security people only talking to security people."