
NCC Group at 25: Industry Perspectives

David Clemente | Research Director, European Security 

IDC

The cyber security industry has evolved tremendously over the years. What developments have surprised and interested you the most in that time? 

Most interesting: The growth of insurance products as a means of transferring specific elements of cyber risk. When I started in cyber security, I never imagined the insurance industry would become a core part of cyber risk management, particularly for large enterprises. 

Most surprising: Cyber security is a team sport, but I am still surprised at the impact that an individual or very small group can have on the state of cyber security at a global level. This is true ‘permissionless innovation’ for both attackers and defenders, and the results can impact billions of people.  

Examples include Dan Kaminsky’s discovery of a critical flaw in the internet’s Domain Naming System (DNS), and Moxie Marlinspike and Trevor Perrin’s development of the Signal Protocol, a cryptographic protocol that is widely used to secure messages in Signal, WhatsApp, Google Messages, and others.  

 

Looking ahead, what do you think will be the most significant changes and challenges in the next 25 years? 

Most significant challenge: The prevention of cascading failure at a national, regional or global level.  

There are many root causes of potential failure, but a key one is that, for many organisations, the immediate benefits of greater connectivity outweigh the future risks of an incident. Put simply, economic incentives tend to motivate these organisations to invest first in connectivity, and later (maybe) in security.  

At the level of an individual organisation, an incident resulting from inadequate security is unfortunate but usually survivable. But, when this lack of security investment is replicated at scale – across an industry or country – it increases the likelihood of a vulnerability being exploited and spreading rapidly. The resulting damage could be severe and fundamentally change how governments incentivize private sector organisations to mitigate cyber risk. 

Mike Bareja | Director of Digital Technologies, AI, Cyber and Future Industrials 

Business Council of Australia

The cyber security industry has evolved tremendously over the years. What developments have surprised and interested you the most in that time?  

I was struck by the boldness with which state actors moved beyond espionage to disruptive and destructive cyber operations, significantly altering the national security landscape faster than anticipated. The willingness to cross perceived red lines and the sheer scale demonstrated by incidents like SolarWinds or Volt Typhoon shifted the paradigm. 

The swift transformation of hacking into organised, scalable criminal enterprises using business models like ransomware-as-a-service was remarkable, but inevitable. That’s where the money is. Seeing the development of dark web marketplaces, dedicated customer support for illicit tools, and sophisticated money laundering operations demonstrated a level of commercialisation and efficiency that mirrored legitimate industries. This democratisation of potent cyber weapons significantly lowered the barrier to entry for impactful attacks. 

The persistent difficulty for policy, legislation, and international norms to keep pace with the velocity of technological change and threat evolution remains a fundamental challenge.

 

Looking ahead, what do you think will be the most significant changes and challenges in the next 25 years?  

AI will dominate, powering both highly sophisticated, automated, and personalised attacks (including deepfakes) and the advanced defences needed to counter them (predictive analysis, automated response). Managing AI risks and opportunities will be paramount. This will become an AI-vs-AI battleground. 

The looming threat of quantum computing breaking current encryption necessitates an urgent, large-scale migration to post-quantum cryptography (PQC). The "harvest now, decrypt later" tactic makes this a present danger requiring immediate planning. 

The explosion of interconnected IoT and OT devices creates a vast, difficult-to-secure attack surface, increasing risks, especially where cyber-physical systems converge. 

The critical skills shortage, particularly in Australia, demands new approaches to recruitment (diversity, alternate pathways), training, and retention. Simultaneously, defending against AI-enhanced social engineering targeting people will become harder. 

Increasing use of cyber operations in geopolitical conflict and blurring of lines between cyber and information operations means conventional conceptions of ‘cyber’ will need to shift. This is also complicated by the increasing prevalence of so-called ‘grey zone’ activities, adversarial behaviour short of conflict, where cyber operations, information operations, espionage and economic warfare can overlap.  

Leading cybersecurity analyst

Tier 1 analyst firm

The cyber security industry has evolved tremendously over the years. What developments have surprised and interested you the most in that time?

In the past years there has been tremendous evolution in our sector. The speed of innovation and the speed at which exponential technologies develop are getting faster every time. What fascinates me is the human psychology and behaviour. Even though attack vectors develop and the technologies with which we defend, respond and remediate develop, the human psychology behind attacks remains broadly the same.

Looking ahead, what do you think will be the most significant changes and challenges in the next 25 years?

Looking ahead, I believe the most significant change and challenge in the next 25 years will be in the field of cybersecurity—driven by the rise of quantum technology and its intersection with artificial intelligence. On the positive side, these technologies could revolutionize how we detect and prevent cyber threats. AI can already identify suspicious behaviour and when paired with quantum computing, it could unlock advanced encryption methods and simulate complex attack scenarios before they happen, making systems far more resilient.

But the risks are just as massive. Quantum computing is about speed and scale—solving certain complex problems exponentially faster than classical computers ever could. Think of it as a massive upgrade in computational power, especially for specific types of problems like encryption, optimization, or simulation. Artificial intelligence (AI) is about intelligence and decision-making—recognizing patterns, reasoning through data, and making predictions or choices. So, combined, quantum will provide the horsepower. It can handle calculations that would take a classical computer years in possibly seconds. AI will provide the brain. It can make sense of massive amounts of data, find meaning and act on it. In other words, we have to think about this potential and this risk in advance. The challenge will be to stay one step ahead; we will have to invest not just in innovation, but in global collaboration, regulation, and continuous adaptation.

Rob Black | Director

Cyber Leaders Challenge

The cyber security industry has evolved tremendously over the years. What developments have surprised and interested you the most in that time? 

Seeing the rise of organised criminal groups offering cyber threats as a service, such as ransomware, has been fascinating as it has democratised the cyber threat capabilities, allowing more people to conduct cyber attacks. It's blurred the lines of plausibility and attribution around state actors' use of and instructing of OCGs as an extension of a hostile state’s foreign policy.

 

Looking ahead, what do you think will be the most significant changes and challenges in the next 25 years? 

For me, I don’t think we have truly appreciated the novel challenges that the virtual domain, enabled through cyberspace, brings. I think we will see only an increasing impact on the virtual domain being utilised to manipulate an individual, group or population’s interpretation of what is happening and then their behaviour.

As individuals and society become more integrated with the cyber domain, and transhumanism becomes mainstream, differentiating out cyber, information and security is going to become almost impossible. 

Samantha Kight | Head of Industry Security

GSMA

“GSMA congratulates NCC Group on celebrating 25 years of delivering a comprehensive portfolio of cybersecurity services and solutions that are essential to the protection of so many industry sectors, including the global mobile telecommunications industry that we represent.  

As a valued GSMA member, and provider of auditing services to our Security Accreditation Scheme (SAS) and Network Equipment Security Assurance Scheme (NESAS), NCC Group has made a significant contribution to the development and success of our security assurance programmes. It is also an active and valuable contributor to GSMA’s other fraud and security activities and initiatives and its thought leadership and willingness to work collaboratively has greatly enhanced the value of the cybersecurity guidance and recommendations GSMA provides to its members.  

NCC Group plays a key role in safeguarding technology providers and users and we wish it continued success.” 

Steve Knibbs | VBSE Director

Vodafone Business Security Enhanced

“Collaborating with NCC Group has been instrumental in supporting the development of robust security strategies within our key accounts, significantly enhancing their cyber resilience.

NCC Group has consistently provided Vodafone with highly qualified and skilled cyber security personnel, playing a crucial role in some of our major accounts. Additionally, their value-added professional services have complemented our managed security services, enabling us to offer a holistic suite of solutions that address the diverse security needs of our clients. 

Reflecting on NCC Group's contribution to the cyber industry over the last decades, their commitment to innovation and excellence has had a big impact. Their continued work in threat intelligence, penetration testing and incident response has set new standards and driven the industry forward. Our partnership has contributed to Vodafone’s success in the cyber security domain, and we look forward to continuing this journey together and achieving even greater milestones in the future.”

Lord Holmes | Digital Technology Policy for Public Good

UK House of Lords

The cyber security industry has evolved tremendously over the years. What developments have surprised and interested you the most in that time? 

What surprises me is how much the cyber landscape has transformed in the past 25 years and yet, by comparison, how little we are all talking about it. 

High-profile attacks focus the minds and the debate, but we need to be into this in all our discussions and debates; be we Parliamentarians, board members or citizens - cyber is a matter for us all.

Laure Beaufils | His Majesty’s Ambassador to the Philippines 

"In both the UK and the Philippines, we’ve seen how digitalization unlocks incredible potential for growth, inclusion, and innovation. But it also brings risks – and this means that resilience and cybersecurity must now be built into the very fabric of our digital economies.

Gone are the days when cybersecurity could be a back-office concern. It must now be a fundamental pillar of national security, economic strategy, and public trust. The greatest opportunity – and challenge – in cybersecurity will be how we harness innovation to stay ahead of evolving threats.  

This is where companies such as NCC come in. I have seen firsthand how NCC Group has been a trusted partner in this journey – helping governments and businesses not only defend themselves against rising threats but build the resilience they need to thrive in a rapidly evolving landscape. 

Congratulations to NCC Group on 25 years of outstanding leadership and impact, creating a digital future where security and innovation go hand in hand.  We are proud of the work you are doing in shaping a safer, smarter, and more inclusive digital world."
