A realistic MVP of tech and teams
15th October 2026 • Park Plaza Victoria, London
Cybersecurity is entering a period of hard trade-offs.
Most organisations have become structurally dependent on digital technology faster than they have become structurally capable of securing it. And most organisations will never have enough people, budget or specialist expertise to secure every system, supplier, identity, application and data flow to the level they would like.
Nor can they build every capability in-house: cloud security engineering, identity architecture, incident response, threat intelligence, third-party assurance, application security, OT security, Al governance, resilience testing and regulatory evidence production are all competing for limited capacity.
The next phase of cyber maturity will therefore depend increasingly on making better decisions under permanent constraint. Security leaders must decide:
• What must we own internally?
• What can we safely outsource?
• What should be automated?
• What should be escalated to the board as an accepted business risk?
• What must we stop doing because it consumes capacity without materially reducing risk?
• How do we prove resilience/security without creating a compliance bureaucracy?
• Which suppliers are genuinely part of our resilience model, and which are themselves a source of risk?
At the same time as these concrete operational issues around resources and CISO capacity, security teams are also being dragged into the wider problem of European and UK technology dependency — a much bigger challenge than patching, tooling and compliance. They are now central to decisions about cloud concentration, Al adoption, supplier resilience, operational continuity, data control and institutional trust.
DORA, NIS2, the Cyber Resilience Act and the UK's own cyber resilience agenda are all symptoms of the same shift: governments and regulators no longer regard cyber as a technical risk owned by security teams. They increasingly view it as a systemic resilience issue affecting financial stability, healthcare delivery, energy security, public services and democratic confidence.
Add all of this together and it's clear that CISOs and their security teams face an impossible capacity gap. So, what does a practical ASO capacity framework look like? What tooling and teams does it imply? What genuinely matters? What must security own directly and have in-house? What does a strategic outsourcing strategy look like? How can capacity be freed up through complexity reduction, automation, and third-party tools? And can teams honestly document unresolved capacity gaps to make them formally accepted business risks — rather than silently absorbing impossible expectations?
The e-Crime & Cybersecurity Congress Mid-Year Summit is designed around that gap. It will examine how CISOs can prioritise under constraint: what to own, what to outsource, what to automate, what to escalate, what to stop doing, and how to make a credible investment case for the security capabilities on which organisational and national resilience now depend.
The e-Crime & Cybersecurity Congress Mid-Year Summit will look at how security teams and the business must respond to a new era in cybersecurity. Join our real-world case studies and in-depth technical sessions from the most sophisticated teams in the market.
Key Themes: AI and Quantum
Identity, authority, and control for non-human actors
CISOs must rethink core identity and governance frameworks, including the adoption of robust agent identity models (spanning machine, service, and workload identities). and clearly defined delegation structures that determine what authority an agent holds and who grants it. What technologies can help them maintain visibility and control?
Data protection and leakage risks
What does "insider threat" mean when the actor is non-human? For CISOs, the focus shifts to monitoring the behaviour of agents as well as users, developing capabilities to detect anomalous machine activity, and establishing effective controls that balance guardrails, detection, and containment. Do you need Al defences to do that?
Al anti-phishing and social engineering defences
Al is shifting defence from static filtering to behavioural detection at scale, flagging anomalies that rules/ signatures miss. It can also enable pre-emptive defence against social engineering, identifying manipulation cues. The result is a move from reactive blocking to adaptive defence reducing both successful attacks and analyst workload. Can you help?
Who needs to be quantum-ready?
Anyone responsible for long-lived sensitive data or critical infrastructure has a quantum problem. That means banks, governments, telecoms, energy, healthcare whose datasets need to last decades. If your encryption protects value over time, you need crypto-agility and a migration path now, not when quantum arrives. How does this work in the real world?
Integrity and the Al-enabled supply chain
Al-native operating models imply dependence on a complex supply chain of foundation models, internal systems, and external APls and orchestration layers that collectively produce legal work. Imagine the consequences of hacking such a system. So how do CISOs stop that happening?
Intelligent Threat Detection
CISOs now must build a single coherent security program that simultaneously satisfies divergent regulatory demands; they must interpret vague legal standards into technical architectures, and they risk non-compliance if auditors, regulators, or courts interpret differently later; they face unrealistic expectations around incident reporting; and they face personal liability. Can RegTech help?
Key Themes: Building Better Security
Making the best use of threat intelligence
In a preemptive security model, timing is everything - success depends on detecting and neutralising threats before they become active incidents. To do this, security operations can't just rely on internal telemetry (e.g., endpoint or network logs). They need external, real-time context about emerging threats - where do they get it?
Security Posture Management
Traditional vulnerability scanners don't handle cloud native architectures well. Today's cloud environments spin up thousands of ephemeral assets without a traditional OS, without an IP address for long. So how do you adapt to that dynamic, APl-driven reality? How can traditional tools connect the dots - not just generate tickets?
Improving continuous attack surface discovery
You need to know what attackers can see and what they can actually attack — and you need it on a continuous basis, not in some static inventory. Ideally you also need assets ranked by risk priority and put into the current threat and vulnerability context. Is this feasible and is it cost effective?
The power of automation
There's too much manual intervention in security. SOAR pulls data from SIEMs, EDRs, firewalls, cloud APls, ticketing systems threat intelligence feeds, and even email servers and coordinates actions across tools via APls and prebuilt integrations and intelligent playbooks. Well, that's the theory. How does it work in the real world?
Key Themes: Best Practice Fundamentals
Achieving visibility across ecosystems
From exposed initial access points such as warehouse management systems to complex machine control software, simply understanding your device and application landscape is a huge challenge. Can you help with asset tracking and endpoint visibility? And what about anomaly detection after that?
Transitioning OT to the Cloud?
OT traditionally was localised in particular sites and air-gapped from IT systems. But connectivity with broader corporate networks and the need to manage technology more centrally (especially during COVID) has seen companies looking at managed services in the Cloud for OT. Is this a way forward? Or does the Cloud just create more problems?
Defending against the latest ransomware variants
Ransomware evolution is forcing the hands of government and causing havoc in the insurance market. So firms must go back to basics (see below) but also invest in immutable back-ups and real resilience. Detecting early-stage infiltration is also critical. What else can CISOs do to better defend against ransomware?
Securing the basics
The endpoint and email are still a critical cybersecurity battleground. So, organisations still need EDR/XDR everywhere; they need advanced emaiI security; they need more aggressive patching of internet-facing anything. They need to move from awareness training to behavioural conditioning. What does that mean practically for CISOs?
Why zero trust, isolation and segmentation are key
There has been a shift in recent attacks away from the theft of data — now threat actors are concerned with interrupting all operation activity. It is now critical that business functions are separated, and that internet access to OT networks is limited. Can security teams still keep up with sophisticated foes? Should they upgrade their capabilities?
Dealing with regulations
CISOs now must simultaneously satisfy divergent regulatory demands; they must interpret often vague legal standards into technical architectures, and they risk non-compliance if auditors, regulators, or courts interpret those regulations differently later; they face unrealistic expectations around incident reporting; and they face personal liability. Can RegTech help?