Inside the episode: What I learned from speaking with Simon Goldsmith
I had the pleasure of sitting down with Simon Goldsmith, CISO at OVO, for this episode of Communicating Cyber. Simon’s career is as varied as it is impressive, from mechanical engineering in Turin, through electronic warfare for helicopters at the MOD, to consulting, retail, and now leading security at a digital-first energy company. What struck me most was how much his perspective is shaped by systems thinking, and how that translates into the way he communicates cyber security in fast-moving organisations.
From bullet holes to survivability
Simon told me about one of his early experiences working in defence. He recalled the classic wartime image of bullet holes in aircraft and how people often misinterpret it.
“People assume you should add armour where the holes are. But the planes that came back weren’t the problem, the ones that didn’t return are the ones you needed to understand.”
He described it as the “survivability onion”: don’t be seen, and if you are, don’t get acquired; if you are acquired, don’t get engaged; if you are engaged, don’t get hit; if you get hit, don’t fall out of the sky.
That mindset has clearly stayed with him. Rather than just adding more armour, he sees security as a system: intelligence, anticipation, and resilience. It’s a far more useful way to frame discussions with leaders than simply saying, “We need more controls.”
Stories and analogies open doors
Simon admitted he probably overuses analogies, but I don’t think that’s a bad thing. As he put it:
“It breaks down the initial barrier for people who think cyber is only a technical discipline. You need to pique their interest and give them a route in.”
He shared an example of explaining identity-led attacks to senior executives. They don’t need to know the technical detail of browser session hijacking, but they do need to grasp that the attack model has flipped: criminals now often target people and identities first. That’s a story executives can engage with, and it builds a bridge into the technical conversation.
Knowing your audience
One of Simon’s big lessons came from working in retail. Unlike financial services, where security is core to the value proposition, retail customers simply expect security to be there. They’re not paying extra for it.
“Going around saying ‘security first’ just isn’t going to work. You’ll have senior people asking, ‘Why are you trying to make your problem my problem?’”
The answer is to frame value in the language of whoever you’re talking to. With a CFO, that might mean describing cyber as downside risk, complementing the upside risk they’re already focused on. With product managers, it might mean positioning security as an enabler to go faster. And sometimes, it’s about finding the right metaphor. Simon laughed about the boiling frog analogy (though his vegetarian wife isn’t a fan) as a way of explaining slow creep and weak signals in security.
The challenge of “good enough”
I really appreciated Simon’s honesty about moments that didn’t go as smoothly as he’d have liked. He recalled being told:
“We’re not a bank. We don’t need to win the race, just beat our competitors. So how do we end up somewhere in the middle?”
His emotional reaction was telling (“We’re the only team you’ve asked to be average”), but on reflection he reframed it as an opportunity. Security teams can still be the best at aligning strategy to business context, running leaner and smarter than the competition. That’s still winning, just on different terms.
It’s a helpful reminder that sometimes we need to lean into continuous improvement, measuring progress step by step rather than chasing a perfect but unattainable end state.
User stories and feedback loops
A theme Simon kept coming back to was user story mapping. He sees security through multiple lenses: what good looks like to engineers, regulators, executives, customers, and even attackers. Each has a different definition of “done”, and security leaders need to tell stories that meet each perspective.
He also talked about feedback loops. Too often, security focuses only on generating signals, such as pen test reports and vulnerability scans, without ensuring those signals are received, understood, acted on, and validated. For Simon, it’s about designing security as a complete system of feedback and continuous improvement.
Embracing speed and innovation
What I found refreshing was Simon’s take on pace. Many people see faster technology cycles as an enemy of security. Simon sees it as an opportunity. Ephemeral infrastructure, automation, and rapid rebuilds can make systems more secure if engineered deliberately.
“Moving faster can actually equal better security as long as you approach it with the right mindset.”
That mindset is about being open, collaborative, and inclusive. It’s about recognising that attackers innovate too, and our job is to stay in front of both the technology curve and the adversary curve.
Final reflections
Talking with Simon reinforced for me how much of cyber security communication comes down to systems thinking and storytelling. Analogies aren’t childish, they’re bridges. Value isn’t abstract, it’s contextual. And good security isn’t one definition, it’s many, tailored to each stakeholder.
If there’s one lesson I took away, it’s that resilience isn’t about adding more armour. It’s about seeing the whole system, telling stories people can connect with, and building feedback loops that help us improve continuously.