Nigel Gibbons

39.6K posts

@NRG_fx
Most passionate voice on Privacy, Cyber Security and the real business transformation benefits of Cloud Computing.

United Kingdom. Joined September 2010
151 Following, 506 Followers
Nigel Gibbons reposted
Peter Girnus 🦅 @gothburz
I am the Senior Director of Incident Response at a firm that bills $1,200 an hour to show up after the breach. I have eleven years of experience. Two certifications. A laminated badge that says TRUSTED ADVISOR that I clip to my lanyard at client sites. My team is on retainer with 340 companies. Our contract guarantees a four-hour response window. We have never once arrived and found nothing wrong.

Some context. The average data breach in the United States now costs $10.22 million. That is the number after our involvement. Before our involvement, it was just a breach. After our involvement, it is a remediated incident with a final report, an executive summary, a lessons-learned workshop, and a twelve-month monitoring extension. That is $10.22 million, distributed across forensics, legal, notification, credit monitoring, and us. Especially us. My firm's revenue grew 34 percent last year. Breaches grew 50 percent. We do not experience these as separate trends. We call this incident response.

My calendar. Monday I am on a call with a healthcare company whose patient records are on a Telegram channel. Tuesday I fly to a manufacturing client whose OT network has been encrypted for nine days. Wednesday I present at a conference about the importance of proactive security posture. Thursday I am back at the healthcare company because we found a second intrusion they did not know about. We bill for both. I have a slide in my conference deck titled "The Cost of Inaction." It shows a bar graph where the red bar is the average breach cost and the blue bar is the average annual security spend. The red bar is $10.22 million. The blue bar is $66,000. I never mention that the red bar includes our fees. We call this thought leadership.

The negotiation. When a client gets hit with ransomware, they call us. We assess the situation. We determine the blast radius. We tell them their options. Option A is rebuild from backups, which takes weeks and costs millions in downtime. Option B is pay the ransom, which we will handle through our negotiation team. Last year the median ransom demand was $59,556. Up 368 percent from the year before. Our negotiation team achieves a 65 percent reduction on average. The client pays around $20,000. We bill $180,000 for the engagement. We call this cost savings. Eighty-two percent of clients who pay negotiate the price down. We present this at board meetings as evidence of our value. The board nods. Nobody asks why the attackers always settle. Nobody asks what a 65 percent discount means when the list price went up 368 percent. Nobody asks why the negotiation feels less like a hostage crisis and more like a purchasing department calling a vendor about volume pricing. One analyst on my team asked. During a quarterly review. She pulled the data and showed that our average engagement cost plus the negotiated ransom payment was, within a 6 percent margin, identical to the average ransom demand before negotiation. She presented this finding with a chart. I thanked her for the analysis and said we would take it under advisement. She was reassigned to the compliance documentation team, which does not have access to negotiation data. She stopped asking. We call this organizational alignment.

The retainer. Our retainer costs $240,000 a year. For that, a company gets our four-hour response guarantee, quarterly tabletop exercises, an annual penetration test, and a dedicated account manager named Brian who sends a newsletter every month about emerging threats. Brian's newsletter contains the same threats we respond to. Brian is very good at identifying trends because Brian has access to our incident database, which contains the breach patterns of all 340 retainer clients. We anonymize the data, of course. We publish it in our annual threat report, which we distribute at the same conferences where we present about the cost of inaction, which drives new retainer sales, which gives us access to more breach data, which makes the threat report more authoritative, which sells more retainers. We call this the flywheel.

A poster in our office says "TRUST IS OUR PRODUCT." It hangs above the desk of the team that writes the proposals. The proposals cite the threat report. The threat report cites the incidents. The incidents are why the clients need us. We are why the incidents become data points. The data points become the threat report. The threat report becomes the proposal. I have never been able to identify where this circle begins. I have also never tried.

The economics. The cybersecurity industry will grow to $11.2 billion by 2034. Eight-point-four percent compound annual growth. That growth is measured in dollars spent responding to breaches that are also growing. The industry's success metric and the problem it solves are the same number moving in the same direction. When breach volume goes up, our revenue goes up. When breach volume goes down, we say it is because our services are working. When breach volume stays flat, we release a report saying it will go up next quarter. It always does. I sit on the advisory board of a startup that sells breach prediction analytics. They use our threat data. We invested in their Series A. Their product tells companies they need incident response retainers. They recommend us. We recommend them. Their growth validates our market. Our market validates their growth. We call this the ecosystem. Last quarter, 78 percent of incidents required regulatory notification. Up from 54 percent the year before. More notifications mean more legal engagement. More legal engagement means longer remediation timelines. Longer timelines mean higher bills. Higher bills mean higher breach cost averages. Higher averages go into the next threat report.

I have a sticky note on my monitor that says "EVERY INCIDENT IS A REFERENCE." It has been there for three years. I wrote it during a planning session about pipeline development. Not product pipeline. Sales pipeline.

The quiet part. Twenty-nine percent of ransomware victims paid last year. Record low. We presented this at our all-hands as a win for the industry. What I did not mention is that 29 percent of a 50 percent larger victim pool is more total payments than 63 percent of last year's pool. The denominator grew faster than the numerator shrank. More companies paid in absolute terms. More money moved. More engagements. More billable hours. We toasted to the declining payment rate. I pay for my children's private school with the margin on ransomware negotiations. My mortgage is financed by tabletop exercises for companies that will be breached within eighteen months. My retirement account tracks the S&P Cybersecurity Index, which goes up when breaches go up, which is when my firm's revenue goes up, which is when my bonus hits. I have a financial interest in the problem I am paid to solve. Everyone in this industry does. We do not discuss this at the conferences. We discuss zero trust architecture and defense in depth and the importance of a security-first culture. We say these words from stages sponsored by firms that sell the tools that generate the alerts that nobody reads that become the breaches that become our engagements. We call this incident response.

The credential. I renewed my certification last month. Twenty continuing education credits. I earned eight of them by attending webinars hosted by our own marketing team. I earned four by writing a blog post about resilience. I earned the remaining eight by presenting at a conference about the evolving threat landscape, using a slide deck built from our clients' anonymized breach data, to an audience of potential clients. My certification proves I am qualified to respond to incidents. The incidents prove the certification is necessary. The certification board is funded by membership dues from practitioners and sponsorships from vendors who sell incident response services. I cannot find the part where someone outside this arrangement checks whether any of it works.

Some numbers. The average total cost of a ransomware breach is $5.08 million. Our average engagement bills $380,000. We respond to approximately 200 incidents a year. That is $76 million in incident response revenue. Our proactive services -- retainers, pen tests, tabletop exercises -- generate another $81 million. Total revenue: $157 million. If breaches dropped by half tomorrow, we would lose $38 million in incident response revenue. We would also lose retainer renewals, because the renewal pitch depends on the threat report, which depends on the incident volume. Nobody has ever asked what our ideal breach rate is. The answer is: exactly high enough to sustain 15 percent year-over-year growth while remaining low enough that regulation does not restructure the industry. We call this market equilibrium.

There is a framed quote in our boardroom. It says "PROTECTING WHAT MATTERS MOST." It was there when I joined. It will be there when I leave. It does not specify who is being protected, or from what, or whether the protection is working. I am the Senior Director of Incident Response. The breach is the product. The response is the service. The client is the revenue. The threat report is the brochure. We call this incident response. I have never been able to tell where the guard ends and the thief begins. But we carpool.