PODCAST EPISODE | Redefining CyberSecurity With Sean Martin — On Location at InfoSecurity Europe 2026
On Location With Sean Martin And Marco Ciappelli
The UK’s threats change by the day. Its laws change over years. Sean Martin sat down with James Morris — former Member of Parliament, now Director of the CSBR — to ask how a government writes cyber policy fast enough to matter, and why “resilience” has quietly stopped being a technical word.
📺 Watch | 🎙️ Listen | https://www.itspmagazine.com/infosecurity-europe-2026-infosec-london-cybersecurity-event-coverage
A threat that updates every morning. A legislative process that measures itself in years. Somewhere between those two clocks sits the whole problem of cyber policy, and most of the time we pretend the gap isn’t there.
When Sean Martin sat down with James Morris at InfoSecurity Europe, that gap was the quiet subject under everything they discussed. This is Sean’s territory, the place where cybersecurity stops being a lab problem and becomes a business and a political one. Morris knows it as well as anyone. He spent fourteen years as a Member of the UK Parliament, fought five elections, served under five prime ministers, and chaired the cross-party group on cybersecurity before leaving to run the CSBR, an independent policy centre working at the seam between cyber and resilience.
What struck me, listening back, is how little of their conversation was actually about technology.
The UK has a Cyber Security and Resilience Bill moving through Parliament. It was introduced more than a year ago. It still won’t be operational for the better part of another year. Meanwhile the world it was written for has already moved: AI went mainstream, alliances shifted, and the head of GCHQ began saying out loud the kind of thing intelligence chiefs usually keep behind closed doors. You cannot legislate at that speed, so the government did the only thing a slow system can do when it fears the future. It gave itself the power to act later. More discretion, more designation, more reach from the top.
Sensible, maybe. But Morris names the cost, and it is the part I keep turning over. A law written from the top down only works if the people at the bottom believe in it. Otherwise companies perform compliance instead of building resilience, gaming the enforcement regime rather than getting safer. The letter without the spirit.
Then there is the word itself. Resilience used to mean power plants and railways, the critical national infrastructure everyone pictures. But when Marks & Spencer and Jaguar Land Rover were knocked sideways by breaches that wouldn’t even fall under the new bill, the definition cracked open. Resilience, Morris argues, is really about the underpinnings of an economy. And almost as an aside, he extends it to the resilience of the political system itself, a system that burns through leaders and demands answers by the next news cycle.
That line belongs in a sociology seminar, not a cyber panel. Because the deepest vulnerability he describes is not a zero-day. It is an attention span. We have built institutions optimized for the short term and handed them a problem that only yields to patience. The threat is fast. The fix is slow. Our politics rewards fast.
I grew up in a city that took more than a century to finish a single cathedral. Nobody who laid the first stone lived to stand under the dome. That kind of time has gone out of fashion, and cyber resilience is exactly the sort of thing that suffers for its absence.
So what do we carry forward, and what do we leave behind? Morris offers the practical half of the answer to business owners: stop treating this as an IT task to delegate, move it into the boardroom, rehearse the breach before it happens, and plan for the day the press is on your lawn. The harder half is cultural. We have to relearn patience inside systems built to forget it.
Sean’s full conversation with James Morris is linked below, along with the rest of our InfoSecurity Europe coverage. It is worth your time.
Let’s keep thinking.
— Marco
https://www.marcociappelli.com
Co-Founder ITSPmagazine & Studio C60 | Creative Director | Branding & Marketing Advisor | Journalist | Writer | On Location With Sean Martin And Marco Ciappelli | 🌎 LAX🛸FLR 🌍
Sean Martin, CISSP, is the co-founder and Director of Operations and Programming at ITSPmagazine, and the host of the Redefining CyberSecurity podcast. An information security and technology veteran of more than thirty years and a multiple-time CISSP, he led engineering and delivery for hundreds of cybersecurity products before turning to journalism and broadcasting. Through Redefining CyberSecurity he keeps pressing one question: if we are selling security insincerely, buying it indiscriminately, and deploying it ineffectively, how do we make it usable, honest, and a real source of business value? He teaches at Pepperdine’s Graziadio Business School and broadcasts from New York City.
🌎 seanmartin.com | LinkedIn: linkedin.com/in/imsmartin
James Morris OBE is the Director of the CSBR, the Centre for Cybersecurity and Business Resilience, an independent UK policy centre launched at the Palace of Westminster in late 2024. He was the Member of Parliament for Halesowen and Rowley Regis from 2010 to 2024, serving in roles including Senior Whip and Minister in the Department of Health, and chaired the All-Party Parliamentary Group for Cyber Security and Business Resilience. Before politics he was a technology entrepreneur, a management consultant, and chief executive of the think tank Localis. At the CSBR he convenes academics, business leaders, and policymakers in expert roundtables to shape the UK’s response to the Cyber Security and Resilience Bill and the wider resilience challenge.
🔗 LinkedIn: linkedin.com/in/james-morris-obe | Website: thecsbr.com
More from this event:
Full InfoSecurity Europe 2026 coverage: ITSPmagazine InfoSecurity Europe 2026
All ITSPmagazine event coverage: Technology & Cybersecurity Conference Coverage
TRANSCRIPT SUMMARY & QUOTES — James Morris | InfoSecurity Europe 2026
(Host: Sean Martin — Redefining CyberSecurity / On Location)
----- EPISODE SUMMARY -----
Recorded On Location at InfoSecurity Europe 2026, Sean Martin sits down with James Morris — former UK Member of Parliament and Director of the CSBR, the Centre for Cybersecurity and Business Resilience — for a conversation about how a slow-moving democracy writes policy for a fast-moving threat. Morris explains the thinking behind the UK's Cyber Security and Resilience Bill, why the government has chosen to give itself broad powers to act later rather than over-prescribe now, and the danger that top-down rules produce compliance theatre instead of real security. They trace how the meaning of "resilience" has widened from power plants and railways to the underpinnings of the whole economy — pushed along by breaches at Marks & Spencer and Jaguar Land Rover that the new bill wouldn't even capture — and why supply chains and "critical suppliers" now demand special attention. Morris closes with plain advice for business owners: treat cybersecurity as a board-level responsibility, rehearse breaches before they happen, and prepare for the reputational storm that follows. Underneath it runs a sharper question Sean draws out — whether our short-attention-span politics can sustain the long-term patience real resilience requires.
----- 3 QUOTES — JAMES MORRIS -----
On resilience as more than technology:
"Resilience is about the underpinnings of a modern economy. We're not just talking about technical resilience — we're talking about something much more overarching than that."
On legislating for an uncertain future:
"You can't prescribe, because we don't know what the technological developments are going to be. So the government has dealt with that uncertainty by giving itself the power to act if something emerges later."
On who owns the problem:
"It's not a peripheral technical issue for the IT people. It's a boardroom issue. CEOs can't just delegate it and assume it's going to get sorted out."
----- 3 QUOTES — SEAN MARTIN -----
On his lens:
"I like to look at the operational and business side of cyber — the impact these things have on the bottom line, and on how teams are actually run."
On defining the word:
"Resilience — what does that even mean? Is it protection? Detection? Response? Doing the right thing for the business in the first place? I hear everyone use the word, and some people pick and choose what works for them."
On the ripple effect:
"You talked about a couple of companies that got hit, and that impacts everyone who serves them and everyone they serve. When something big happens, it's a huge shake-up across the whole supply chain."