Inside the episode: What I learned from speaking with Phil Clayson
I recently sat down with Phil Clayson, a seasoned CTO with an impressive track record, for an episode of Communicating Cyber – the series where cyber security leaders go beyond the jargon to share stories, strategies and lessons from the real world.
Phil’s journey has taken him across diverse industries – from telecoms to energy, emergency services, and media – with names like Sky, SSE, and TalkTalk on his CV. His impact, however, goes far beyond just infrastructure and incident response. Phil’s been instrumental in launching digital products, driving market expansion, and making data genuinely work for businesses, not just for security.
What struck me most about our conversation was Phil’s unique perspective, having been on both sides of the cyber communication coin: both sending and receiving critical security messages. This duality has clearly shaped his pragmatic, people-first approach.
The CTO as a critical translator
One of the most insightful points Phil made early on was about the CTO’s role as a “translation function” when it comes to cyber communications. He eloquently described it:
“You end up being a translation function. So you need to understand how to communicate in both directions. And you sort of end up being a message box to a degree, hopefully a useful one.”
On one side, you have highly skilled cyber security teams – “geniuses,” as Phil called them – who “absolutely know their stuff” but are “not necessarily always the best communicators in a language that the board would understand.” The CTO’s job, as Phil explained, is to distill those complex technical messages into digestible, business-centric insights for the board.
Conversely, boards often lack deep cyber literacy. Phil noted that “not that many boards are cyber literate in the way they could be.” The CTO then has to translate the board’s strategic directives back to the technical teams, ensuring alignment between business needs and technical priorities. It’s about being “a fluid translation function to keep everybody moving in the right direction together.” This really resonated with my own experience; it’s a constant balancing act.
Lessons from a defining moment: the TalkTalk breach
Our conversation naturally gravitated towards a pivotal moment in Phil’s career, and indeed in UK cyber security history: the TalkTalk cyber attack in October 2015. It was a period of “very long days” for us both, working together to navigate what was then an unprecedented event for a major UK telco.
Phil reflected on how, nearly a decade later, similar incidents are still making headlines, with companies like Marks & Spencer, Co-op, and Harrods recently experiencing attacks. As the NCSC continues to describe these as “wake-up calls,” it highlights the enduring challenge.
Back in 2015, there was “no playbook” for handling such a large-scale breach in a telco. What began as a suspected denial-of-service (DoS) attack quickly escalated. The subsequent remediation effort was immense: “more than any of us ever imagined actually fixing the root cause of the problem, tactically in the immediate term and strategically over a two-plus year period, investing one hundred and fifty million pounds and having many, many dozens of people working full-time on all sorts of cyber remediation.”
One of the critical realisations during that time was the lack of accurate asset management information. TalkTalk, like many large organisations, was a “collection of historic acquisitions,” with “about 13 different M&As” stacked on top of each other. A spreadsheet believed to be the “single point of truth” for IT systems listed a couple of hundred entries. However, it quickly became apparent that this list was incomplete.
To address this, an “amnesty” was declared, encouraging engineers to come forward with undeclared systems, with assurances that they wouldn’t be penalised. This led to a dramatic increase in the known IT estate:
“A couple of hundred or so systems ended up being circa 600 in a matter of two or three weeks. So it more than doubled. And then it stabilised and we felt we’d got somewhere close to the truth.”
This newfound clarity allowed us to finally “have structure in how to deal with something of that scale.” As I always say, you can only protect what you know about. It’s quite difficult to defend things if you don’t know they exist!
The ‘burger’ analogy and visualising risk
One of the most memorable takeaways from the TalkTalk experience was the development of a unique risk communication tool. A quiet but brilliant individual on the team spent weeks diligently building a meaningful risk profile for the business. This led to a system where every IT system was categorised across various operational risks, including resilience and “fragility.”
With around 600 systems and a dozen different risk measures, presenting this data to the board was a significant challenge. This is where the “burger” analogy was born. As Phil recounted:
“One of the guys from one of the suppliers on the team came up with this icon. It’s sort of an image… And the risk director… sat in a board meeting and said, ‘This thing looks like a burger.’… Actually, it was helpful and it stuck.”
This visual, an A0 plotter print with 600 ‘burger blobs’ grouped by business unit, became a powerful communication tool. It was printed daily, reflecting the rapid pace of change and enabling everyone, from the executive team to frontline staff, to see the progress being made. It even fostered a sense of “gamification” around reducing risk. While it might seem “quaint” or “arcade” looking back, it was “the most effective way at the time” to convey complex risk information. It certainly opened my eyes to the power of a really simple, clear visual.
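The asset amnesty and the per-unit risk picture described above, as an added example that is not code from the episode or from TalkTalk: it merges a declared inventory with amnesty submissions, scores each system on a handful of constructed risk measures (the episode mentions a dozen), and rolls the result up per business unit so two daily snapshots can be compared. System names, units and scores are all constructed.

```python
"""Added example: reconcile a declared IT inventory with amnesty submissions,
score each system across a few risk measures and roll it up per business unit
for a daily progress view. Names and scores are constructed, not TalkTalk data."""
from collections import defaultdict

# A constructed subset of the "dozen" measures the episode mentions.
RISK_MEASURES = ("resilience", "fragility", "patching", "access_control")
BANDS = ("low", "medium", "high", "critical")  # index == worst score 0..3

def reconcile(declared, amnesty):
    """Union of the spreadsheet list and amnesty declarations, keyed by a
    normalised name so the same system reported twice is counted once."""
    estate = {}
    for source, systems in (("declared", declared), ("amnesty", amnesty)):
        for name, unit in systems:
            key = " ".join(name.split()).lower()
            estate.setdefault(key, {"unit": unit, "source": source})
    return estate

def system_band(scores):
    """Worst-of scoring: a system is as risky as its weakest measure.
    A measure nobody has scored yet is treated as critical (3)."""
    return max(scores.get(m, 3) for m in RISK_MEASURES)

def unit_profile(estate, assessments):
    """Count systems per business unit in each band; this is the per-unit
    summary behind a one-page risk picture."""
    profile = defaultdict(lambda: [0] * len(BANDS))
    for key, info in estate.items():
        profile[info["unit"]][system_band(assessments.get(key, {}))] += 1
    return dict(profile)

def critical_delta(yesterday, today):
    """Change in critical systems per unit between two daily snapshots;
    a negative number is progress."""
    empty = [0] * len(BANDS)
    return {u: today.get(u, empty)[3] - yesterday.get(u, empty)[3]
            for u in set(yesterday) | set(today)}

# Constructed sample: a short "single point of truth" plus amnesty declarations.
DECLARED = [("Billing", "Consumer"), ("CRM", "Consumer"), ("Core Router Mgmt", "Network")]
AMNESTY = [("billing ", "Consumer"), ("Legacy Provisioning", "Network"),
           ("Shadow Reporting DB", "Finance")]
ASSESSMENTS = {
    "billing": {"resilience": 1, "fragility": 2, "patching": 0, "access_control": 1},
    "crm": {"resilience": 0, "fragility": 0, "patching": 0, "access_control": 0},
    "core router mgmt": {"resilience": 0, "fragility": 1, "patching": 3, "access_control": 0},
    "legacy provisioning": {"resilience": 2},  # partially assessed -> critical
}
```

Unassessed and partially assessed systems deliberately land in the critical band, which is what makes the newly surfaced amnesty systems visible rather than quietly absent from the picture.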
Winning hearts and wallets: the challenge of cyber investment
Phil shared some candid thoughts on the difficulties of securing cyber security investment. He noted that in any given year, you probably only get “three or four wins in the material sense with the board.” The challenge is that cyber investment is often viewed as “a never-ending pot of money,” and unlike a new product or market expansion, it doesn’t offer a direct, tangible return on investment.
“Cyber investment is sometimes harder to validate because what you’re doing, you’re buying insurance by investing for hopefully not getting or having a breach in the future. But no one would ever say doing this will prevent you having a breach. It will move you closer to it.”
This leads to the difficult “insurance style” conversation, where 100% security is an impossible guarantee. Phil strongly advised against “backing an exec or an exec team or shareholder group into a corner” with dire warnings, as this often triggers a “defense mechanism.” Instead, he advocates for building trust and laying thorough groundwork well in advance:
“You have to build a level of trust to say these are three or four big ticket items you need to do in a year. This will give you better human protection by being more aware… It will give you the early warning signals you need if something goes wrong… And if it does go wrong… then you’ve got maybe some investment in order to remediate, do incident management, and incident response and so forth more quickly.”
Phil stressed the importance of a “12 to 18 month ahead plan,” using language that gradually builds acceptance over time. This approach allows for refinement of the message and ensures stakeholders are sensitised to upcoming needs.
Useful analogies for communication
When it comes to simple analogies to aid understanding, Phil offered a brilliant one, particularly for investors:
“You can buy a very, very old, battered up and invested, not well-maintained car. And you know that if you buy a really, really cheap car, at some point, you have to do something about it unless you’re very, very lucky… The other end of the scale correlates more to a brand-new car that you bought straight from a dealer you paid top rate for with all the premiums or warranties and everything else. And yes, it might still have a problem, but actually you’ve got what you maintain at that level. We want to maintain that.”
My own go-to car analogy for security controls is that they’re like the brakes on a car. People often see security as “slowing us down,” preventing them from doing what they want. But, as I put it, “how quickly would you drive if you didn’t have any brakes on your car? If they had the security controls in your business, and they give you the ability to drive quickly and then come to a stop or to turn left or turn right and pivot when you want to do so in a controlled manner.” It’s about enabling speed and agility, not hindering it.
The evolving role of the CISO and board engagement
Phil and I discussed whether boards truly want to understand cyber security or if they tend to shy away from it. While he believes there is a “desire to understand,” cyber security presents a unique challenge because it’s not something leaders have “grown up with over their career” in the same way they have with finance or marketing.
“No one generally teaches you throughout your career about cyber. So it’s come a little bit like in some respects in recent years. It’s a bit left field.”
This can make it feel “nuanced” or even “intimidating” for non-technical board members. The intangible nature of cyber risk, compared to, say, a physical health and safety risk, further complicates understanding.
Phil noted a softening in the perceived urgency of CISO roles since the post-2015 surge, suggesting an unspoken assumption that “it’s business as usual, isn’t it?” This is concerning, especially with the emergence of new threats like AI.
“I don’t think it should have fallen away as much as it might have appeared. It’d be a really interesting stat. I don’t have them on set, but we really just start to look at the FTSE 350 and go, ‘Who’s got a CISO on the exec board? Who’s got a CISO as a minus one to an exec member? How often do they review risk as a board specifically around cyber?’ I bet that the data would be actually quite worrying in terms of the few, very few people dedicated.”
He’s absolutely right. Our own research, drawing from the DCMS Cyber Breaches Survey, indicates that while about 75% of UK boards claim cyber security is a high priority, less than a third have ever conducted a cyber risk assessment. This highlights a significant disconnect between stated priorities and actual proactive measures.
The long-term vision: embedding cyber culture
Phil wrapped up our conversation with a truly profound observation, drawing a parallel to a conference he attended where four children spoke about AI. Their simple, direct message resonated deeply: “How can you teach us and how can you expect us to learn about the best ways to use AI ethically and safely as we grow up if our teachers don’t understand it and our parents don’t understand it?”
This sparked a thought for cyber security:
“Can you, should you, as a society, start to build cyber awareness in the current school population and maybe early career people? So on the basis that when they do get to be execs in a decade or two, then it’s just in their blood to think about it, talk about it, accept it. It’s not an add-on. It’s not a bolt-on. Can you start to change culture a little bit that way?”
This long-term cultural shift, while a decade or two in the making, is crucial to prevent future organisations from being “on their knees for weeks trying to recover from a cyber attack.” It’s about making cyber security an intrinsic part of how we operate, not just a reactive measure. It’s a grand idea, and one that resonates deeply with me.
A big thank you to Phil for sharing not just the big wins but the hard-earned lessons that come along with leading complex change in our modern world. If this sparked an idea, challenged your thinking, or gave you some practical takeaways, please subscribe and share this with your friends or colleagues. And let’s keep the conversation going – I’d love to hear your thoughts, so get in touch on LinkedIn.
Until next time, thank you very much.