In April 2025, at the ITER Private Sector Fusion Workshop in Cadarache, something remarkable unfolded. In a room filled with scientists, engineers and software visionaries, the line between big science and commercial innovation began to blur.   Three organisations – Microsoft Research, Arena and Brigantium Engineering – shared how artificial intelligence (AI), already transforming everything from language models to logistics, is now stepping into a new role: helping humanity to unlock the power of nuclear fusion.  Each presenter addressed a different part of the puzzle, but the message was the same: AI isn’t just a buzzword anymore. It’s becoming a real tool – practical, powerful and indispensable – for big science and engineering projects, including fusion.  “If we think of the agricultural revolution and the industrial revolution, the AI revolution is next – and it’s coming at a pace which is unprecedented,” said Kenji Takeda, director of research incubations at Microsoft Research.  Microsoft’s collaboration with ITER is already in motion. Just a month before the workshop, the two teams signed a Memorandum of Understanding (MoU) to explore how AI can accelerate research and development. This follows ITER’s initial use of Microsoft technology to empower their teams. A chatbot in Azure OpenAI service was developed to help staff navigate technical knowledge, on more than a million ITER documents, using natural conversation. GitHub Copilot assists with coding, while AI helps to resolve IT support tickets – those everyday but essential tasks that keep the lights on.  But Microsoft’s vision goes deeper. Fusion demands materials that can survive extreme conditions – heat, radiation, pressure – and that’s where AI shows a different kind of potential. MatterGen, a Microsoft Research generative AI model for materials, designs entirely new materials based on specific properties. “It’s like ChatGPT,” said Takeda, “but instead of ‘Write me a poem’, we ask it to design a material that can survive as the first wall of a fusion reactor.”  The next step? MatterSim – a simulation tool that predicts how these imagined materials will behave in the real world. By combining generation and simulation, Microsoft hopes to uncover materials that don’t yet exist in any catalogue.  While Microsoft tackles the atomic scale, Arena is focused on a different challenge: speeding up hardware development. As general manager Michael Frei put it: “Software innovation happens in seconds. In hardware, that loop can take months – or years.”  Arena’s answer is Atlas, a multimodal AI platform that acts as an extra set of hands – and eyes – for engineers. It can read data sheets, interpret lab results, analyse circuit diagrams and even interact with lab equipment through software interfaces. “Instead of adjusting an oscilloscope manually,” said Frei, “you can just say, ‘Verify the I2C [inter integrated circuit] protocol’, and Atlas gets it done.”  It doesn’t stop there. Atlas can write and adapt firmware on the fly, responding to real-time conditions. That means tighter feedback loops, faster prototyping and fewer late nights in the lab. Arena aims to make building hardware feel a little more like writing software – fluid, fast and assisted by smart tools.  Fusion, of course, isn’t just about atoms and code – it’s also about construction. Gigantic, one-of-a-kind machines don’t build themselves. That’s where Brigantium Engineering comes in. Founder Lynton Sutton explained how his team uses “4D planning” – a marriage of 3D CAD models and detailed construction schedules – to visualise how everything comes together over time. “Gantt charts are hard to interpret. 3D models are static. Our job is to bring those together,” he said.  The result is a time-lapse-style animation that shows the construction process step by step. It’s proven invaluable for safety reviews and stakeholder meetings. Rather than poring over spreadsheets, teams can simply watch the plan come to life.  And there’s more. Brigantium is bringing these models into virtual reality using Unreal Engine – the same one behind many video games. One recent model recreated ITER’s tokamak pit using drone footage and photogrammetry. The experience is fully interactive and can even run in a web browser. “We’ve really improved the quality of the visualisation,” said Sutton. “It’s a lot smoother; the textures look a lot better. Eventually, we’ll have this running through a web browser, so anybody on the team can just click on a web link to navigate this 4D model.”  Looking forward, Sutton believes AI could help automate the painstaking work of syncing schedules with 3D models. One day, these simulations could reach all the way down to individual bolts and fasteners – not just with impressive visuals, but with critical tools for preventing delays.  Despite the different approaches, one theme ran through all three presentations: AI isn’t just a tool for office productivity. It’s becoming a partner in creativity, problem-solving and even scientific discovery.  Takeda mentioned that Microsoft is experimenting with “world models” inspired by how video games simulate physics. These models learn about the physical world by watching pixels in the form of videos of real phenomena such as plasma behaviour. “Our thesis is that if you showed this AI videos of plasma, it might learn the physics of plasmas,” he said.  It sounds futuristic, but the logic holds. The more AI can learn from the world, the more it can help us understand it – and perhaps even master it. At its heart, the message from the workshop was simple: AI isn’t here to replace the scientist, the engineer or the planner; it’s here to help, and to make their work faster, more flexible and maybe a little more fun. As Takeda put it: “Those are just a few examples of how AI is starting to be used at ITER. And it’s just the start of that journey.”  If these early steps are any indication, that journey won’t just be faster – it might also be more inspired. 

Technology leaders are baffled by a “cacophony” of “buzzwords, hype and confusion” over the benefits of artificial intelligence (AI), according to the founder and CEO of technology company Pegasystems. Alan Trefler, who is known for his prowess at chess and ping pong, as well as running a $1.5bn turnover tech company, spends much of his time meeting clients, CIOs and business leaders. “I think CIOs are struggling to understand all of the buzzwords, hype and confusion that exists,” he said. “The words AI and agentic are being thrown around in this great cacophony and they don’t know what it means. I hear that constantly.” CIOs are under pressure from their CEOs, who are convinced AI will offer something valuable. “CIOs are really hungry for pragmatic and practical solutions, and in the absence of those, many of them are doing a lot of experimentation,” said Trefler. Companies are looking at large language models to summarise documents, or to help stimulate ideas for knowledge workers, or generate first drafts of reports – all of which will save time and make people more productive. But Trefler said companies are wary of letting AI loose on critical business applications, because it’s just too unpredictable and prone to hallucinations. “There is a lot of fear over handing things over to something that no one understands exactly how it works, and that is the absolute state of play when it comes to general AI models,” he said. Trefler is scathing about big tech companies that are pushing AI agents and large language models for business-critical applications. “I think they have taken an expedient but short-sighted path,” he said. “I believe the idea that you will turn over critical business operations to an agent, when those operations have to be predictable, reliable, precise and fair to clients … is something that is full of issues, not just in the short term, but structurally.” One of the problems is that generative AI models are extraordinarily sensitive to the data they are trained on and the construction of the prompts used to instruct them. A slight change in a prompt or in the training data can lead to a very different outcome. For example, a business banking application might learn its customer is a bit richer or a bit poorer than expected. “You could easily imagine the prompt deciding to change the interest rate charged, whether that was what the institution wanted or whether it would be legal according to the various regulations that lenders must comply with,” said Trefler. Trefler said Pega has taken a different approach to some other technology suppliers in the way it adds AI into business applications. Rather than using AI agents to solve problems in real time, AI agents do their thinking in advance. Business experts can use them to help them co-design business processes to perform anything from assessing a loan application, giving an offer to a valued customer, or sending out an invoice. Companies can still deploy AI chatbots and bots capable of answering queries on the phone. Their job is not to work out the solution from scratch for every enquiry, but to decide which is the right pre-written process to follow. As Trefler put it, design agents can create “dozens and dozens” of workflows to handle all the actions a company needs to take care of its customers. “You just use the natural language model for semantics to be able to handle the miracle of getting the language right, but tie that language to workflows, so that you have reliable, predictable, regulatory-approved ways to execute,” he said. Large language models (LLMs) are not always the right solution. Trefler demonstrated how ChatGPT 4.0 tried and failed to solve a chess puzzle. The LLM repeatedly suggested impossible or illegal moves, despite Trefler’s corrections. On the other hand, another AI tool, Stockfish, a dedicated chess engine, solved the problem instantly. The other drawback with LLMs is that they consume vast amounts of energy. That means if AI agents are reasoning during “run time”, they are going to consume hundreds of times more electricity than an AI agent that simply selects from pre-determined workflows, said Trefler. “ChatGPT is inherently, enormously consumptive … as it’s answering your question, its firing literally hundreds of millions to trillions of nodes,” he said. “All of that takes [large quantities of] electricity.” Using an employee pay claim as an example, Trefler said a better alternative is to generate, say, 30 alternative workflows to cover the major variations found in a pay claim. That gives you “real specificity and real efficiency”, he said. “And it’s a very different approach to turning a process over to a machine with a prompt and letting the machine reason it through every single time.” “If you go down the philosophy of using a graphics processing unit [GPU] to do the creation of a workflow and a workflow engine to execute the workflow, the workflow engine takes a 200th of the electricity because there is no reasoning,” said Trefler. He is clear that the growing use of AI will have a profound effect on the jobs market, and that whole categories of jobs will disappear. The need for translators, for example, is likely to dry up by 2027 as AI systems become better at translating spoken and written language. Google’s real-time translator is already “frighteningly good” and improving. Pega now plans to work more closely with its network of system integrators, including Accenture and Cognizant to deliver AI services to businesses. An initiative launched last week will allow system integrators to incorporate their own best practices and tools into Pega’s rapid workflow development tools. The move will mean Pega’s technology reaches a wider range of businesses. Under the programme, known as Powered by Pega Blueprint, system integrators will be able to deploy customised versions of Blueprint. They can use the tool to reverse-engineer ageing applications and replace them with modern AI workflows that can run on Pega’s cloud-based platform. “The idea is that we are looking to make this Blueprint Agent design approach available not just through us, but through a bunch of major partners supplemented with their own intellectual property,” said Trefler. That represents a major expansion for Pega, which has largely concentrated on supplying technology to several hundred clients, representing the top Fortune 500 companies. “We have never done something like this before, and I think that is going to lead to a massive shift in how this technology can go out to market,” he added. When AI agents behave in unexpected ways Iris is incredibly smart, diligent and a delight to work with. If you ask her, she will tell you she is an intern at Pegasystems, and that she lives in a lighthouse on the island of Texel, north of the Netherlands. She is, of course, an AI agent. When one executive at Pega emailed Iris and asked her to write a proposal for a financial services company based on his notes and internet research, Iris got to work. Some time later, the executive received a phone call from the company. “‘Listen, we got a proposal from Pega,’” recalled Rob Walker, vice-president at Pega, speaking at the Pegaworld conference last week. “‘It’s a good proposal, but it seems to be signed by one of your interns, and in her signature, it says she lives in a lighthouse.’ That taught us early on that agents like Iris need a safety harness.” The developers banned Iris from sending an email to anyone other than the person who sent the original request. Then Pega’s ethics department sent Iris a potentially abusive email from a Pega employee to test her response. Iris reasoned that the email was either a joke, abusive, or that the employee was under distress, said Walker. She considered forwarding the email to the employee’s manager or to HR. But both of these options were now blocked by her developers. “So what does she do? She sent an out of office,” he said. “Conflict avoidance, right? So human, but very creative.”

The recent wave of cyber attacks targeting UK retailers has been a moment of reckoning for the entire retail industry. As someone who went through supporting one of the largest retail breaches in history, this news hits close to home. The National Cyber Security Centre’s (NCSC) call to strengthen IT support protocols reinforces a hard truth: cybersecurity is no longer just a technical/operational issue. It’s a business issue that directly affects revenue, customer trust, and brand reputation. Retailers today are navigating an increasingly complex threat landscape, while also managing a vast user base that needs to stay informed and secure. The recent attacks don’t represent a failure, but an opportunity - an inflection point to invest in stronger visibility, continuous monitoring and a culture of shared responsibility that meets the realities of modern retail. We know that the cyber groups responsible for the recent retail hacks used sophisticated social engineering techniques, such as impersonating employees to deceive IT help desks into resetting passwords and providing information, thereby gaining unauthorised access to internal systems. Employees are increasingly a target, and retailers employ some of the largest, most diverse workforces, making them an even bigger risk with countless touchpoints for breaches. In these organisations, a cybersecurity-first culture is vital to combatting threats. Cybersecurity-first culture includes employees that are aware of these types of attacks and understand how to report them if they are contacted. In order to establish a cybersecurity-first culture, employees must be empowered to recognise and respond to threats, not just avoid them. This can be done through simulation training and threat assessments - showcasing real life examples of threats and brainstorming possible solutions to control and prevent further and future damage. This allows security teams to focus on strategy instead of constant firefighting, while leadership support - through budget, tools, and tone - reinforces its importance at every level. In addition to support workers, vendors also pose a significant attack path for bad actors. According to data from Elastic Path, 42% of retailers admit that legacy technology could be leaving them exposed to cyber risks. And with the accelerating pace of innovation, modern cyber threats are not only more complex, but often enter through unexpected avenues, like third-party vendors. Research from Vanta shows 46% of organisations say that a vendor of theirs has experienced a data breach since they started working together. The M&S breach is a case in point, with it being reported that attackers exploited a vulnerability in a contractor’s systems, not the retailer’s own. This underscores that visibility must extend beyond your perimeter to encompass the entire digital supply chain, in real time. Threats don’t wait for your quarterly review or annual audit. If you're only checking your controls or vendor status once a year, you're already behind. This means real-time visibility is now foundational to cyber defence. We need to know when something changes the moment it happens. This can be done through continuous monitoring, both for the technical controls and the relationships that introduce risk into your environment. We also need to rethink the way we resource and prioritise that visibility. Manual processes don’t scale with the complexity of modern infrastructure. Automation and tooling can help surface the right signals from the noise - whether it’s misconfigurations, access drift, or suspicious vendor behavior. The best case scenario is that security measures are embedded into all digital architecture, utilising a few security ‘must haves’ such as secure coding, continuous monitoring, and regular testing and improvement. Retailers who want to get proactive and about breaches following the events of the last few weeks can follow this action plan to get started: First, awareness - have your security leadership send a message out to managers of help desks and support teams to make sure they are aware of the recent attacks on retailers, and are in a position to inform teams of what to look out for. Then, investigate - pinpoint the attack path used on other retailers to make sure you have a full understanding of the risk to your organisation. After that, assess - conduct a threat assessment to identify what could go wrong, or how this attack path could be used in your organisation. The final step is to identify - figure out the highest risk gaps in your organisation, and the remediation steps to address each one. Strong cybersecurity doesn’t come from quick fixes - it takes time, leadership buy-in, and a shift in mindset across the organisation. My advice to security teams is simple: speak in outcomes. Frame cyber risk as business risk, because that’s what it is. The retailers that have fallen victim to recent attacks are facing huge financial losses, which makes this not just an IT issue - it’s a boardroom issue. Customers are paying attention. They want to trust the brands they buy from, and that trust is built on transparency and preparation. The recent retail attacks aren’t a reason to panic - they’re a reason to reset, evaluate current state risks, and fully understand the potential impacts of what is happening elsewhere. This is the moment to invest in your infrastructure, empower your teams, and embed security into your operations. The organisations that do this now won’t just be safer - they’ll be more competitive, more resilient, and better positioned for whatever comes next. Jadee Hanson is the Chief Information Security Officer at Vanta Read more about cyber security in retail Content Goes Here Harrods becomes latest UK retailer to fall victim to cyber attack Retail cyber crime spree a ‘wake-up call’, says NCSC CEO Retail cyber attacks hit food distributor Peter Green Chilled

When Russian troops invaded Ukraine on 24 February 2022, Russia’s datacentre sector was one of the fastest-growing segments of the country’s IT industry, with annual growth rates in the region of 10-12%. However, with the conflict resulting in the imposition of Western sanctions against Russia and an outflow of US-based tech companies from the country, including Apple and Microsoft, optimism about the sector’s potential for further growth soon disappeared. In early March 2025, it was reported that Google had disconnected from traffic exchange points and datacentres in Russia, leading to concerns about how this could negatively affect the speed of access to some Google services for Russian users. Initially, there was hope that domestic technology and datacentre providers might be able to plug the gaps left by the exodus of the US tech giants, but it seems they could not keep up with the hosting demands of Russia’s increasingly digital economy. Oleg Kim, director of the hardware systems department at Russian IT company Axoft, says the departure of foreign cloud providers and equipment manufacturers has led to a serious shortage of compute capacity in Russia. This is because the situation resulted in a sharp, initial increase in demand for domestic datacentres, but Russian providers simply did not have time to expand their capacities on the required scale, continues Kim. According to the estimates of Key Point, one of Russia’s largest datacentre networks, meeting Russia’s demand for datacentres will require facilities with a total capacity of 30,000 racks to be built each year over the next five years. On top of this, it has also become more costly to build datacentres in Russia. Estimates suggest that prior to 2022, the cost of a datacentre rack totalled 100,000 rubles ($1,200), but now exceeds 150,000 rubles. And analysts at Forbes Russia expect these figures will continue to grow, due to rising logistics costs and the impact the war is having on the availability of skilled labour in the construction sector. The impact of these challenges is being keenly felt by users, with several of the country’s large banks experiencing serious problems when finding suitable locations for their datacentres. Sberbank is among the firms affected, with its chairperson, German Gref, speaking out previously about how the bank is in need of a datacentre with at least 200MW of capacity, but would ideally need 300-400MW to address its compute requirements. Stanislav Bliznyuk, chairperson of T-Bank, says trying to build even two 50MW datacentres to meet its needs is proving problematic. “Finding locations where such capacity and adequate tariffs are available is a difficult task,” he said. Read more about datacentre developments North Lincolnshire Council has received a planning permission application for another large-scale datacentre development, in support of its bid to become an AI Growth Zone A proposal to build one of the biggest datacentres in Europe has been submitted to Hertsmere Borough Council, and already has the support of the technology secretary and local councillors. The UK government has unveiled its 50-point AI action plan, which commits to building sovereign artificial intelligence capabilities and accelerating AI datacentre developments – but questions remain about the viability of the plans. Despite this, T-Bank is establishing its own network of data processing centres – the first of which should open in early 2027, he confirmed in November 2024. Kirill Solyev, head of the engineering infrastructure department of the Softline Group of Companies, who specialise in IT, says many large Russian companies are resorting to building their own datacentres – because compute capacity is in such short supply. The situation is, however, complicated by the lack of suitable locations for datacentres in the largest cities of Russia – Moscow and St Petersburg. “For example, to build a datacentre with a capacity of 60MW, finding a suitable site can take up to three years,” says Solyev. “In Moscow, according to preliminary estimates, there are about 50MW of free capacity left, which is equivalent to 2-4 large commercial datacentres. “The capacity deficit only in the southern part of the Moscow region is predicted at 564MW by 2030, and up to 3.15GW by 2042.” As a result, datacentre operators and investors are now looking for suitable locations outside of Moscow and St Petersburg, and seeking to co-locate new datacentres in close proximity to renewable energy sources. And this will be important as demand for datacentre capacity in Russia is expected to increase, as it is in most of the rest of the world, due to the growing use of artificial intelligence (AI) tools and services. The energy-intensive nature of AI workloads will put further pressure on operators that are already struggling to meet the compute capacity demands of their customers. Speaking at the recent Ural Forum on cyber security in finance, Alexander Kraynov, director of AI technology development at Yandex, says solving the energy consumption issue of AI datacentres will not be easy. “The world is running out of electricity, including for AI, while the same situation is observed in Russia,” he said. “In order to ensure a stable energy supply of a newly built large datacentre, we will need up to one year.” According to a recent report of the Russian Vedomosti business paper, as of April 2024, Russian datacentres have used about 2.6GW, which is equivalent to about 1% of the installed capacity of the Unified Energy System of Russia. Accommodating AI workloads will also mean operators will need to purchase additional equipment, including expensive accelerators based on graphic processing units and higher-performing data storage systems. The implementation of these plans and the viability of these purchases is likely to be seriously complicated by the current sanctions regime against Russia. That said, Russia’s prime minister, Mikhail Mishustin, claims this part of the datacentre supply equation is being partially solved by an uptick in the domestic production of datacentre kit. According to the Mishustin, more than half of the server equipment and industrial storage and information processing systems needed for datacentres are already being produced in Russia – and these figures will continue to grow. The government also plans to provide additional financial support to the industry, as – to date – building datacentres in Russia has been prevented by relatively long payback periods, of up to 10 years in some cases, of such projects. One of the possible support measures on offer could include the subsidisation of at least part of the interest rates on loans to datacentre developers and operators. At the same time, though, the government’s actions in other areas have made it harder for operators to build new facilities. For example, in March 2025, the Russian government significantly tightened the existing norms for the establishment of new datacentres in the form of new rules for the design of data processing centres, which came into force after the approval by the Russian Ministry of Construction. According to Nikita Tsaplin, CEO of Russian hosting provider RUVDS, the rules led to additional bureaucracy in the sector (due to the positioning of datacentres as typical construction objects). And, according to his predictions, that situation can extend the construction cycle of a datacentre from around five years to seven years. The government’s intervention here was to prevent the installation of servers in residential areas, such as garages, but it looks set to complicate an already complex situation – prompting questions about whether Russia’s datacentre market will ever reach its full potential.

A significant cyber breach at His Majesty’s Revenue and Customs (HMRC) that saw scammers cheat the public purse out of approximately £47m has been met with dismay from security experts thanks to the sheer simplicity of the attack, which originated via account takeover attempts on legitimate taxpayers. HMRC disclosed the breach to a Treasury Select Committee this week, revealing that hackers accessed the online accounts of about 100,000 people via phishing attacks and managed to claim a significant amount of money in tax rebates before being stopped. It is understood that those individuals affected have been contacted by HMRC – they have not personally lost any money and are not themselves in any trouble. Arrests in the case have already been made. During proceedings, HMRC also came in for criticism by the committee’s chair Meg Hillier, who had learned about the via an earlier news report on the matter, over the length of time taken to come clean over the incident. With phishing emails sent to unwitting taxpayers identified as the initial attack vector for the scammers, HMRC might feel relieved that it has dodged full blame for the incident. But according to Will Richmond-Coggan, a partner specialising in data and cyber disputes at law firm Freeths, even though the tax office had gone to pains to stress its own systems were never actually compromised, the incident underscored just how widespread the consequences of cyber attacks can be – snowballing from simple origins into a multimillion pound loss. “It is clear from HMRC's explanation that the crime against HMRC was only possible because of earlier data breaches and cyber attacks,” said Richmond-Coggan. “Those earlier attacks put personal data in the hands of the criminals which enabled them to impersonate tax payers and apply successfully to claim back tax.” Meanwhile, Gerasim Hovhannisyan, CEO of EasyDMARC, an email security provider, pointed out that phishing against both private individuals and businesses and other organisations had long ago moved beyond the domain of scammers chancing their luck. While this type of scattergun fraud remains a potent threat, particularly to consumers who may not be informed about cyber security matters – the scale of the HMRC phish surely suggests a targeted operation, likely using carefully crafted email purporting to represent HMRC itself, designed to lure self-assessment taxpayers into handing over their accounts. Not only that, but generative artificial intelligence (GenAI) means targeted phishing operations have become exponentially more dangerous in a very short space of time, added Hovhannisyan. “[It] has made [phishing] scalable, polished, and dangerously convincing, often indistinguishable from legitimate communication. And while many organisations have strengthened their security perimeters, email remains the most consistently exploited and underestimated attack vector,” he said. “These scams exploit human trust, using urgency, authority, and increasingly realistic impersonation tactics. If HMRC can be phished, anyone can.” Added Hovhannisyan: “What’s more alarming is that the Treasury Select Committee only learned of the breach through the news. When £47m is stolen through impersonation, institutions can’t afford to stay quiet. Delayed disclosure erodes trust, stalls response, and gives attackers room to manoeuvre.” Once again a service’s end-users have turned out to be the source of a cyber attack and as such, whether they are internal or – as in this case – external, are often considered an organisation’s first line of defence. However, it is not always wise to take this approach, and for an organisation like HMRC daily engaging with members of the public, it is also not really possible. Security education is a difficult proposition at the best of times and although the UK’s National Cyber Security Centre (NCSC) provides extensive advice and guidance on spotting and dealing with phishing emails for consumers – it also operates a phishing reporting service that as of April 2025 has received over 41 million scam reports – bodies like HMRC cannot rely on everybody having visited the NCSC’s website. As such, Mike Britton, chief information officer (CIO) at Abnormal AI, a specialist in phishing, social engineering and account takeover prevention, argued that HMRC could and should have done more from a technical perspective. “Governments will always be a high tier target for cyber criminals due to the valuable information they hold. In fact, attacks against this sector are rising,” he said. “In this case, it looks like criminals utilised account take over to conduct fraud. To combat this, multifactor authentication (MFA) is key, but as attacks grow more sophisticated, further steps must be taken.” Britton said organisations like HMRC really needed to consider adopting more layered security strategies, not only including MFA but also incorporating wider visibility and unified controls across its IT systems. Account takeover attacks such as the ones seen in this incident can unfold quickly, he added, so its cyber function should also be equipped with the tools to identify and remediate compromised accounts on the fly. Read more about trends in phishing Quishing, meaning QR code phishing, is an offputting term for an on-the-rise attack method. Learn how to defend against it. A healthy dose of judicious skepticism is crucial to preventing phishing attacks, said David Fine, supervisory special agent at the FBI, during a presentation at a HIMSS event. Exchange admins got a boost from Microsoft when it improved how it handles DMARC authentication failures to help organisations fight back from email-based attacks on their users.

The security operations centre (SOC) has served public sector cyber teams well over the years but is fundamentally a reactive tool and now needs to be superseded by something else in order to address not just alerts about in-progress security events but the underlying risks that lead to them, all in the service of ‘doing’ cyber more efficiently and, crucially, cheaper. This is the view of Qualys CEO Sumedh Thakar, who, speaking at an event for federal government IT leaders hosted in the Washington DC suburbs at the end of May, defined the new-generation SOC as a ROC, where the letter R stands for risk. Thakar said that things needed to change in the cyber security world. “Continuing in the way that we have where we would scan every week or two and those scans were dumped somewhere on a hard drive somewhere and then someone goes and triages those manually and then you try to fix everything that comes your way – that approach is not really a success,” he said. “Continuing that approach is just not in the future.” He urged CISOs to stop putting so much effort into attack surface management and refocus on risk surface management, where risk management is defined as the mitigation of risk – or transfer of it to someone else – for the most plausible losses that could affect the organisation. It is not possible to get risk down to zero, so it is important to figure out how to address the most plausible factors and address those instead. For a company the most plausible loss will likely be a dollar revenue or profit figure. However, public sector organisations have it tough because they have a very different perspective on what ‘loss’ looks like beyond the financial cost. For example, they could and should be more worried about the safety of the general public or frontline personnel, national security, critical infrastructure security, economic stability, or public health, said Thakar, referencing attacks such as the infamous Colonial Pipeline incident, which paralysed petrol stations across a swathe of the US in 2022. “For most agencies it is really about aligning factors to what is the potential disruption to the mission, to the programme, that currently is important,” he said. Translating this into action for public sector buyers – wherever they may be located – Jonathan Trull, CISO and senior vice president of security solution architecture, and Mayuresh Ektare, vice president of product management at Qualys, said they wanted to help public sector CISOs make the most of the limited resources they have available to them in the face of a mountain of security data  “Our larger customers are having to deal with not a million findings, but hundreds of millions of findings on a daily basis. It is not humanly possible to go and patch or mitigate them all. This is where the concept of a risk operation centre is absolutely needed,” said Ektare. “You’ve got a limited number of resources at your disposal – how do you point them in the right direction so that you can actually reduce the risk that matters to your agencies the most.” Ektare described running an ROC as being a “peacetime” activity for defenders, comparing it to an SOC which is more akin to a wartime situation room. Trull, who spent 12 years working in cyber roles for the state of Colorado, rising to the post of CISO, said: “If this was a capability I’d have had back in the day … an ability to continuously aggregate [and] normalise, whatever standard they were using, because we didn’t dictate – it was very much you decide what tooling you want  and you use that tooling effectively. But what I needed was an accurate picture to advise the governor and the legislature what risks we’re facing on a monthly basis – that wasn’t available. “If you’re a customer a lot of this is built and in the solution, so in these federated environments in which you’re trying to gain control I can’t think of a better option than looking at this concept of an ROC,” he said. Read more about risk management Data risk management identifies, assesses and mitigates threats to organisational data, safeguarding sensitive information from unauthorised access. Knowing the types of risks businesses commonly face and their applicability to your company is a first step toward effective risk management. Every facet of business operations is exposed to risks, requiring a risk management team that's composed of a diverse mix of corporate executives and managers.

It has long been said that an organisation’s greatest asset is its people. Employees are the driving force behind innovation, customer engagement, revenue growth, and company culture. In an era where political, social, and economic climates are in constant flux, particularly with ongoing debates surrounding diversity, equity and inclusion (DEI), it is more critical than ever for organisations to recognise the value of an inclusive workforce. There is a well-known saying: “When America sneezes, the rest of Europe catches a cold.” (often attributed to Charles Maurice de Talleyrand, a French diplomat from the 18th and 19th centuries). It rings particularly true today, as shifts in political and social climates challenge the notion of diversity programmes. This is evident in the recent ruling by the UK Supreme Court that the legal definition of a woman is based on biological sex. However, history has shown that political regimes and societal norms can change rapidly. Regardless of where one stands on these issues, the reality remains that for an organisation to thrive, its people must feel valued, supported, and included. Despite the growing focus on DEI programmes since 2020, many past initiatives have not been as effective as hoped. To move forward, the DEI industry and DEI professionals must conduct a rigorous retrospective analysis: What has worked? What hasn’t been effective? How can we improve? Without tangible metrics and data-driven insights, it becomes difficult to measure the success and impact of these initiatives, and this lack of clear outcomes may have contributed to what some define as the “backlash against DEI.” A common challenge has been the prioritisation of diversity over inclusion, leaving organisations ill-prepared to integrate diverse talent effectively. This has often resulted in short-term disruption - what change management refers to as the "storming" phase of team development - which in turn has led to team friction, a lack of belonging, and ultimately higher turnover rates among underrepresented employees. Organisations have not allowed enough time for teams to progress to the "norming" and "performing" periods in the face of high pressure to deliver results. To counter this, organisations must shift their mindset to focus on inclusion and belonging first. When a workplace fosters an inclusive culture, diverse talent is naturally welcomed, supported, and empowered to succeed. Rather than viewing differences as an obstacle, businesses must embrace them as strengths that drive innovation and growth. I often advocate for culture “add” rather than culture “fit”. As a former project and programme manager who transitioned into HR, I have witnessed firsthand the value of applying change management principles to DEI efforts. A successful change programme requires clearly defined goals, strong leadership buy-in, stakeholder engagement, a structured delivery methodology, and measurable outcomes. When these elements are absent, initiatives tend to falter. By adopting a structured, results-oriented, and data-driven approach, organisations can embed true inclusion into their core business strategy rather than treating it as a secondary initiative or a “nice to have”. It’s also important to regularly assess and reflect on what has worked, what hasn’t, and adapt and improve accordingly. In agile methodology, we call these retrospectives. Inclusion is key to successful DEI initiatives. In the past, these efforts may have created exclusion by failing to involve those who do not identify with the Equality Act's nine protected characteristics (age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, sexual orientation). This has led to defensiveness and fear instead of an understanding of historical inequity. When you are accustomed to privilege, equality can feel like oppression or exclusion and so we need to focus on how we can reframe inclusion work as being beneficial to all rather than to a few. Using storytelling, education, and relatability helps onboard more allies, understanding that equity is crucial to achieve equality. Inclusion means widening opportunities for everyone rather than limiting them to a select few. A wealth of research underscores the positive impact of inclusivity on business success. According to CIPD, 70% of employees report that a strong DEI culture positively impacts their job satisfaction. Forbes also discovered that 88% of consumers are more likely to be loyal to a company that supports social and environmental causes. Additionally, employees working in inclusive environments are 50% more likely to stay with their current employer for more than three years. Just over half of UK consumers (53%) say a brand's diversity and inclusion efforts, influence their purchase decisions. In fact, brands failing to act on Diversity, Equity and Inclusion risk losing out on £102bn annual spend from marginalised groups. Boston Consulting Group’s research demonstrates that organizations with diverse leadership see 19% higher innovation revenues. Beyond traditional meritocratic arguments, one principle is clear: inclusivity must be at the heart of every business strategy. Organisations where employees feel seen, heard, and valued naturally attract a broader, more diverse talent pool. Such employees tend to be more engaged, loyal, and productive, further strengthening the organisation's overall success and their bottom line. The UK tech industry is poised for continued growth and innovation, with a focus on emerging technologies like AI and quantum computing, however there is also a need to address challenges like talent shortages and international competition to maintain its position as a global leader.  Almost 95% of employers looking for tech talent have encountered a skills shortage in 2022, according to HR and recruitment firm Hays. In today’s job market, competitive salaries alone are not enough to attract and retain top talent. Employees now prioritise benefits, flexible working arrangements, career growth opportunities, and a sense of belonging. Organisations that prioritise inclusion, equal opportunities, and adaptability will be better positioned to navigate the evolving talent landscape and sustain long-term success. Ultimately, fostering an inclusive workplace is not merely a moral obligation; it is a business imperative. Companies that prioritise inclusion are more likely to attract top diverse talent, enhance employee engagement, and drive sustainable growth. Companies that fail to create inclusive environments are setting themselves up for failure. We are seeing more and more cases of sexual harassment, bullying and discrimination cases with high price tags. So, whether through loss of business, bad publicity or legal consequences, the price tag on exclusion can be staggering. Inclusion should not be seen as a separate HR initiative but as an integral part of an organisation’s DNA with all leaders owning an inclusion goal as part of their performance management. What gets measured, gets done! However, this can only happen if leaders and managers understand what inclusion truly means and they recognise that a diversity of voices, experiences and opinions will benefit their teams rather than hinder them. The future of work is about more than just employment—it is about providing opportunities for people to live, support their families, and achieve personal and professional growth. A poll, conducted by Ipsos for PA Mediapoint, indicates widespread support among the British public for key workplace DEI drives, including flexible working (71%), gender pay gap reporting (65%), and inclusivity training (64%). People care about wellbeing, inclusion and culture, which is why it is so important that organisations create workplaces where everyone is valued, empowered, and given the chance to succeed. True prosperity comes from ensuring that every individual, regardless of background and differences, can flourish. So, Inclusion does matter, particularly if you value creating a positive work environment that benefits employees, impacts the bottom line, and ensures everyone feels included rather than excluded. Read more about DEI in tech A lack of work-life balance and discrimination are among the biggest challenges for women in tech, finds Lorien When asked their opinions on the growing use of AI, girls expressed concerns about possible biases it will perpetuate, while boys were worried about cyber security

Looker_Studio - stock.adobe.com News Analysis of job vacancies shows earnings boost for AI skills Even when parts of a job are being automated, those who know how to work with artificial intelligence tools can expect higher salaries By Cliff Saran, Managing Editor Published: 03 Jun 2025 7:00 UK workers with skills in artificial intelligence (AI) appear to earn 11% more on average, even in sectors where AI is automating parts of their existing job functions. Workers in sectors exposed to AI, where the technology can be deployed for some tasks, are more productive and command higher salaries, according to PwC’s 2025 Global AI Jobs Barometer. The study, which was based on an analysis of almost one billion job adverts, found that wages are rising twice as fast in industries most exposed to AI. From a skills perspective, PwC reported that AI is changing the skills required of job applicants. According to PwC, to succeed in the workplace, candidates are more likely to need experience in using AI tools and the ability to demonstrate critical thinking and collaboration. Phillippa O’Connor, chief people officer at PwC UK, noted that while degrees are still important for many jobs, a reduction in degree requirements suggests employers are looking at a broader range of measures to assess skills and potential. In occupations most exposed to AI, PwC noted that the skills sought by employers are changing 59% faster than in occupations least exposed to AI. “AI is reshaping the jobs market – lowering barriers to entry in some areas, while raising the bar on the skills required in others,” O’Connor added. Those with the right AI skills are being rewarded with higher salaries. In fact, PwC found that wages are growing twice as fast in AI-exposed industries. This includes jobs that are classed as “automatable”, which means they contain some tasks that can readily be automated. The highest premiums are attached to occupations requiring AI skills, with an average premium in 2024 of 11% for UK workers in these roles.   AI is reshaping the jobs market – lowering barriers to entry in some areas, while raising the bar on the skills required in others Phillippa O’Connor PwC UK PwC’s analysis shows that sectors exposed to AI experience three times higher growth in the revenue generated by each employee. It also reported that growth in revenue per employee for AI-exposed industries surged when large language models (LLMs) such as generative AI (GenAI) became mainstream. Revenue growth per employee has nearly quadrupled in industries most exposed to AI, such as software, rising from 7% between 2018 and 2022, to 27% between 2018 and 2024. In contrast, revenue growth per employee in industries least exposed to AI, such as mining and hospitality, fell slightly, from 10% between 2018 and 2022, to 9% between 2018 and 2024. However, since 2018, job postings for occupations with greater exposure to AI have grown at a slower pace than those with lower exposure – and this gap is widening. Umang Paw, chief technology officer (CTO) at PwC UK, said: “There are still many unknowns about AI’s potential. AI can provide stardust to those ready to adapt, but risks leaving others behind.” Paw believes there needs to be a concerted effort to expand access to technology and training to ensure the benefits of AI are widely shared. “In the intelligence age, the fusion of AI with technologies like real-time data analytics – and businesses broadening their products and services – will create new industries and fresh job opportunities,” Paw added. Read more about AI skills AWS addresses the skills barrier holding back enterprises: The AWS Summit in London saw the public cloud giant appoint itself to take on the task of skilling up hundreds of thousands of UK people in using AI technologies. Could generative AI help to fill the skills gap in engineering: The role of artificial intelligence and machine learning in society continues to be hotly debated as the tools promise to revolutionise our lives, but how will they affect the engineering sector? In The Current Issue: UK government outlines plan to surveil migrants with eVisa data Why we must reform the Computer Misuse Act: A cyber pro speaks out Download Current Issue What to expect from Aera Technology AeraHUB 25 – CW Developer Network NTT IOWN all-photonics ‘saves Princess Miku’ from dragon – CW Developer Network View All Blogs

Over the past few weeks, VMware customers holding onto their perpetual licenses, which are often unsupported and in limbo, have reportedly begun receiving formal cease-and-desist letters from Broadcom. The message is as blunt as it is unsettling: your support contract has expired, and you are to immediately uninstall any updates, patches, or enhancements released since that expiration date. Not only that, but audits could follow, with the possibility of “enhanced damages” for breach of contract. This is a sharp escalation in an effort to push perpetual license holders toward VMware’s new subscription-only model. For many, it signals the end of an era where critical infrastructure software could be owned, maintained, and supported on long-term, stable terms. Now, even those who bought VMware licenses outright are being told that support access is off the table unless they sign on to the new subscription regime. As a result, enterprises are being forced to make tough decisions about how they manage and support one of the most foundational layers of their IT environments. VMware isn’t just another piece of enterprise software. It’s the plumbing. The foundation. The layer everything else runs on top of, which is precisely why many CIOs flinch at the idea of running unsupported. The potential risk is too great. A vulnerability or failure in your virtual infrastructure isn’t the same as a bug in a CRM. It’s a systemic weakness. It touches everything. This technical risk is, without question, the biggest barrier to any organization considering support options outside of VMware’s official offering. And it’s a valid concern.  But technical risk isn’t black and white. It varies widely depending on version, deployment model, network architecture, and operational maturity. A tightly managed and stable VMware environment running a mature release with minimal exposure doesn’t carry the same risk profile as an open, multi-tenant deployment on a newer build. The prevailing assumption is that support equals security—and that operating unsupported equals exposure. But this relationship is more complex than it appears. In most enterprise environments, security is not determined by whether a patch is available. It’s determined by how well the environment is configured, managed, and monitored. Patches are not applied instantly. Risk assessments, integration testing, and change control processes introduce natural delays. And in many cases, security gaps arise not from missing patches but from misconfigurations: exposed management interfaces, weak credentials, overly permissive access. An unpatched environment, properly maintained and reviewed, can be significantly more secure than a patched one with poor hygiene. Support models that focus on proactive security—through vulnerability analysis, environment-specific impact assessments, and mitigation strategies—offer a different but equally valid form of protection. They don’t rely on patch delivery alone. They consider how a vulnerability behaves in the attack chain, whether it’s exploitable, and what compensating controls are available.  Read more about VMware security Hacking contest exposes VMware security: In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor. No workaround leads to more pain for VMware users: There are patches for the latest batch of security alerts from Broadcom, but VMware users on perpetual licences may not have access. This kind of tailored risk management is especially important now, as vendor support for older VMware versions diminishes. Many reported vulnerabilities relate to newer product components or bundled services, not the core virtualization stack. The perception of rising security risk needs to be balanced against the stability and maturity of the versions in question. In other words, not all unsupported deployments are created equal. Some VMware environments—particularly older versions like vSphere 5.x or 6.x—are already beyond the range of vendor patching. In these cases, the transition to unsupported status may be more symbolic than substantive. The risk profile has not meaningfully changed.  Others, particularly organisations operating vSphere 7 or 8 without an active support contract, face a more complex challenge. Some critical security patches remain accessible, depending on severity and version, but the margin of certainty is shrinking.   These are the cases where enterprises are increasingly turning to alternative support models to bridge the gap—ensuring continuity, maintaining compliance, and retaining access to skilled technical expertise. Third-party support is sometimes seen as a temporary fix—a way to buy time while organizations figure out their long-term plans. And it can serve that purpose well. But increasingly, it’s also being recognized as a strategic choice in its own right: a long-term solution for enterprises that want to maintain operational stability with a reliable support partner while retaining control over their virtualization roadmap.What distinguishes third-party support in this context isn’t just cost control, it’s methodology.   Risk is assessed holistically, identifying which vulnerabilities truly matter, what can be addressed through configuration, and when escalation is genuinely required. This approach recognises that most enterprises aren’t chasing bleeding-edge features. They want to run stable, well-understood environments that don’t change unpredictably. Third-party support helps them do exactly that, without being forced into a rapid, costly migration or a subscription contract that may not align with their business needs.  Crucially, it enables organisations to move on their own timeline. Much of the conversation around unsupported VMware environments focuses on technical risk. But the longer-term threat may be strategic. The end of perpetual licensing, the sharp rise in subscription pricing, and now the legal enforcement of support boundaries all points to a much bigger problem: a loss of control over infrastructure strategy.  Vendor-imposed timelines, licensing models, and audit policies are increasingly dictating how organizations use the very software they once owned outright. Third-party support doesn’t eliminate risk—nothing can. But it redistributes and controls it. It gives enterprises more agency over when and how they migrate, how they manage updates, and where they invest. In a landscape shaped by vendor agendas, that independence is increasingly critical.  Broadcom’s cease-and-desist letters represent a new phase in the relationship between software vendors and customers—one defined not by collaboration, but by contractual enforcement. And for VMware customers still clinging to the idea of “owning” their infrastructure, it’s a rude awakening: support is no longer optional, and perpetual is no longer forever. Organizations now face three paths: accept the subscription model, attempt a rapid migration to an alternative platform, or find a support model that gives them the stability to decide their future on their own terms.  For many, the third option is the only one that balances operational security with strategic flexibility.  The question now isn’t whether unsupported infrastructure is risky. The question is whether the greater risk is allowing someone else to dictate what happens next. 

The Netherlands is facing a growing cyber security crisis, with a staggering 66% of Dutch businesses lacking adequate cyber resilience, according to academic research.   As geopolitical tensions rise and digital threats escalate, Rick van der Kleij, a psychologist and professor in Cyber Resilient Organisations at Avans University of Applied Sciences, who also conducts research at TNO, says that traditional approaches have failed and a paradigm shift is urgently needed.  Van der Kleij suggests that cyber security provides the illusion of safety rather than actual protection for many Dutch organisations. His stark assessment is that the Netherlands’ traditional approach to cyber risk is fundamentally broken.  “We need to stop thinking in terms of cyber security. It’s a model that has demonstrably failed,” he says. “Despite years of investment in cyber security measures, the frequency and impact of incidents continue to increase rapidly across Dutch businesses.”  This reflects the central argument of his recent inaugural lecture “Now that security is no more”, where he called for a paradigm shift in how Dutch organisations approach cyber risks.  Van der Kleij describes “the great digital dilemma” of balancing openness and security in a country with one of Europe’s most advanced digital infrastructures. “How can entrepreneurs remain open and connected without having to completely lock down their businesses?” he asks.  The statistics are stark. Van der Kleij’s study found that 66% of Dutch businesses are inadequately prepared for cyber threats. Recent ABN Amro research confirms the crisis: one in five businesses suffered cyber crime damage last year, rising to nearly 30% among large companies. For the first time, SMEs (80%) are more frequently targeted than large corporations (75%), marking a significant shift in cyber criminal strategy.  Despite the numbers, a perception gap persists. Van der Kleij identifies ‘the overconfident’ – Dutch businesses believing their cyber security is adequate when it isn’t. While SME attack rates soar, their risk perception remains static, whereas large organisations show marked awareness increases (from 41% to 64%). This creates a “waterbed effect” – as large companies strengthen defences, cyber criminals shift to less-prepared SMEs which are paradoxically reducing cyber security investments.  Van der Kleij emphasises a crucial distinction: while cyber security focuses on preventing incidents, cyber resilience acknowledges that incidents will happen. “It’s about having the capacity to react appropriately, recover from incidents, and learn from what went wrong to emerge stronger,” he says.  This requires four capabilities – prepare, respond, recover and adapt – yet most Dutch organisations focus only on preparation. The ABN Amro findings confirm this: many SMEs have firewalls but lack intrusion detection or incident response plans. Large companies take a more balanced approach, combining technology with training, response capabilities and insurance.  Uber’s experience illustrates the weakness of purely technical approaches. After a 2016 hack, they implemented two-factor authentication – yet were hacked again in 2022 by an 18-year-old using WhatsApp social engineering. “This shows that investing only in technology without addressing human factors creates fundamental weakness, which is particularly relevant for Dutch businesses that prioritise technological solutions,” van der Kleij adds.  Van der Kleij challenges the persistent myth that humans are cyber security’s weakest link. “People are often blamed when things go wrong, but the actual vulnerabilities typically lie elsewhere in the system, often in the design itself,” he says.  The misdirection is reflected in spending: 85% of cyber security investments go toward technology, 14% toward processes and just 1% toward the human component. Yet the ABN Amro research shows phishing – which succeeds through psychological manipulation rather than sophisticated technology – affects 71% of Dutch businesses.  “We’ve known for decades that people aren’t equipped to remember complex passwords across dozens of accounts, yet we continue demanding this and then express surprise when they create workarounds,” van der Kleij says. “Rather than blaming users, we should design systems that make secure behaviour easier. In the Netherlands, we need more human awareness in security teams, not more security awareness training for end users.”  Why do so many Dutch SMEs fail to invest in cyber resilience despite evident risks? Van der Kleij believes it’s about behaviour, not business size. “It’s not primarily about size or industry – it’s about behaviour and beliefs,” he says.  Common limiting beliefs among Dutch entrepreneurs include “I’m too small to be a target” or “I don’t have confidential information”. Remarkably, even suffering a cyber attack doesn’t change this mindset. “Studies show that when businesses are hacked, it doesn’t automatically lead them to better secure their operations afterward,” van der Kleij says.  The challenge is reaching those who need help most. “We have vouchers, we have arrangements where entrepreneurs can get help at a significantly reduced fee from cyber security professionals, but uptake remains negligible,” van der Kleij says. “It’s always the same parties who come to the government’s door – the large companies who are already mature. The small ones, we just can’t seem to reach them.”  Van der Kleij sees “relational capital” – resources generated through partnerships – as key to enhancing Dutch cyber resilience. “You can become more cyber resilient by establishing partnerships,” he says, pointing to government-encouraged initiatives like Information Sharing and Analysis Centers.   The ABN Amro research reveals why collaboration matters: 39% of large companies experienced cyber incidents originating with suppliers or partners, compared with 25% of smaller firms. This supply chain vulnerability drives major Dutch organisations to demand higher standards from partners through initiatives such as Big Helps Small.  European regulations reinforce this trend. The new NIS2 directive will expand coverage from hundreds to several thousand Dutch companies, yet only 11% have adequately prepared. Among SMEs, approximately half have done little preparation – despite Dutch police warnings about increasingly frequent ransomware attacks where criminals threaten to release stolen data publicly.  Van der Kleij’s current research at Avans University focuses on identifying barriers to cyber resilience investment through focus groups with Dutch entrepreneurs. “When we understand these barriers – which are more likely motivational than knowledge-related – we can design targeted interventions,” he says.  Van der Kleij’s message is stark: “The question isn’t whether your organisation will face a cyber incident, but when – and how effectively you’ll respond. Cyber resilience encompasses cyber security while adding crucial capabilities for response, recovery and adaptation. It’s time for a new paradigm in the Netherlands.”  Read more about Dutch cyber security

Maksim Kabakou - Fotolia Opinion Rethinking secure comms: Are encrypted platforms still enough? A leak of information on American military operations caused a major political incident in March 2025. The Security Think Tank considers what can CISOs can learn from this potentially fatal error. By Russell Auld, PAC Published: 30 May 2025 In today’s constantly changing cyber landscape, answering the question “what does best practice now look like?” is far from simple. While emerging technologies and AI-driven security tools continue to make the headlines and become the topics of discussion, the real pivot point for modern security lies not just in the technological advancements but in context, people and process.  The recent Signal messaging platform incident in which a journalist was mistakenly added to a group chat, exposing sensitive information, serves as a timely reminder that even the most secure platform is vulnerable to human error. The platform wasn’t breached by malicious actors, or a zero-day exploit being utilised or the end-to-end encryption failing; the shortfall here was likely poorly defined acceptable use polices and controls alongside a lack of training and awareness. This incident, if nothing else, highlights a critical truth within cyber security – security tools are only as good as the environment, policies, and people operating them. While it’s tempting to focus on implementing more technical controls to prevent this from happening again, the reality is that many incidents result from a failure of process, governance, or awareness.  What does good security look like today? Some key areas include: Context over features, for example, whether Signal should have been used in the first place; There is no such thing as a silver bullet approach to protect your organisation; The importance of your team’s training and education; Reviewing and adapting continuously.  Security must be context-driven. Business leaders need to consider what their key area of concern is – reputational risk, state-sponsored surveillance, insider threats, or regulatory compliance. Each threat vector requires a different set of controls. For example, an organisation handling official-sensitive or classified data will require not just encryption, but assured platforms, robust access controls, identity validation, and clear auditability. Conversely, a commercial enterprise concerned about intellectual property leakage might strategically focus on user training, data loss prevention, and device control. Best practice isn’t picking the platform with the cheapest price tag or the most commonly used; it’s selecting a platform that supports the controls and policies required based on a deep understanding of your specific risks and use cases.   There is no one-size-fits-all solution for your organisation. The security product landscape is filled with vendors offering overlapping solutions that all claim to provide more protection than the other. And, although we know some potentially do offer better protection, features or functionality, even the best tool will fail if used incorrectly or implemented without a clear understanding of its limitations. Worse, organisations may gain a false sense of security by relying solely on a supplier’s claims. The priority must be to assess your organisation’s internal capability to manage and operate these tools effectively. Reassessing the threat landscape and taking advantage of the wealth of threat intelligence tools available, helps ensure you have the right skills, policies, and processes in place.  The Computer Weekly Security Think Tank on Signalgate Todd Thiemann, ESG: Signalgate: Learnings for CISOs securing enterprise data. Javvad Malik, KnowBe4: What CISOs can learn from Signalgate. Aditya Sood, Aryaka: Unspoken risk: Human factors undermine trusted platforms. Raihan Islam, defineXTEND: When leaders ignore cyber security rules, the whole system weakens. Elliot Wilkes, ACDS: Security vs. usability: Why rogue corporate comms are still an issue. Mike Gillespie and Ellie Hurst, Advent IM: Signalgate is a signal to revisit security onboarding and training. Best practice in 2025 means recognising that many security incidents stem from simple human mistakes, misaddressed emails, poor password hygiene, or even sharing access with the wrong person. Investing in continual staff education, security awareness, and skills gap analysis is essential to risk reduction.   This doesn’t mean showing an annual 10-minute cyber awareness video; you need to identify what will motivate your people and run security campaigns that capture their attention and change behaviour. For example you could consider using engaging nudges such as mandatory phishing alerts on laptops, interactive lock screen campaigns, and quizzes on key policies such as acceptable use and password complexity. Incorporate gamification elements, for example rewards for completing quizzes, and timely reminders to reinforce security best practices and fostering a culture of vigilance.  These campaigns should be a mixture of communications that engage people coupled with training which is seen as relevant by the workforce, as well as meeting role specific needs. Your developers need to understand secure coding practices, while those in front line operations may need training in how to detect phishing or social engineering attacks. In doing so this helps to create a better security culture within the organisation and enhance your overall security posture.  Finally, what’s considered “best practice” today may be outdated by tomorrow. Threats are constantly evolving, regulations change, and your own business operations and strategy may shift. Adopting a cyber security lifecycle that encompasses people, process and technology, supported by business continuous improvement activities and a clear vision from senior stakeholders will be vital. Conducting regular security reviews, red-teaming, and reassessing governance and policies will help ensure that defences remain relevant and proportional to your organisation’s threats. Encryption, however, still matters. As do SSO, MFA, secure coding practises, and access controls. But the real cornerstone of best practice in today’s cyber world is understanding why you need them, and how they’ll be used in practice. Securing your organisation is no longer just about picking the best platform, it's about creating a holistic view that incorporates people, process, and technology. And that may be the most secure approach, after all.  Russell Auld is digital trust and cyber security expert at PA Consulting In The Current Issue: UK government outlines plan to surveil migrants with eVisa data Why we must reform the Computer Misuse Act: A cyber pro speaks out Download Current Issue NTT IOWN all-photonics ‘saves Princess Miku’ from dragon – CW Developer Network FinOps Foundation lays down 2025 Framework for Cloud+ cost control – Open Source Insider View All Blogs

Ever since Donald Trump returned to the White House earlier this year, diversity, equity and inclusion (DEI) initiatives have rarely been out of the headlines. One of Trump’s first acts as president was to sign two executive orders shutting down DEI programmes within the US federal government, with those government employees working in diversity roles placed on paid leave.   While Trump hasn’t yet targeted private sector DEI schemes, a recent Bloomberg analysis found that the top companies in the US S&P index had scaled back their DEI commitments since the president’s re-election. What does this mean for tech companies in the UK, and could a similar retreat happen in this country? While in the UK the Reform party has promised to ditch DEI initiatives from local government councils that it controls, a survey by Censuswide shortly after Trump’s election reported that almost three quarters of the more than 1000 organisations who responded were running DEI programmes, with more than a quarter planning to increase their budgets for these schemes in the coming year. These figures were backed up by a recent Ipsos survey that found widespread support among the UK public for a range of DEI initiatives such as flexible working arrangements, gender pay gap reporting and inclusivity training, with around two in five of those surveyed disapproving of Trump’s actions restricting DEI programmes in the US. So there doesn’t appear to be great public support in the UK for a retreat from DEI initiatives; quite the opposite in fact, and the legal landscape in this country in relation to diversity and inclusion issues is also significantly different to the US as a whole.   The Equality Act 2010 provides protection to UK employees from a range of different types of discrimination, including sex, race, disability and age, from the first day of employment and DEI programmes can be a very necessary step in helping companies prevent discrimination and defend these types of claims when they’re brought. Indeed, Employment Tribunals will often expect companies to have DEI policies in place as standard, particularly for larger employers, with the lack of such policies leaving companies much more exposed to successful discrimination claims.  The introduction last year of the obligation on employers to take reasonable steps to prevent sexual harassment has only increased the potential liabilities for companies who don’t take DEI issues seriously and having a clear and regularly updated policy specifically dealing with sexual harassment will be one of the first steps in demonstrating that the reasonable steps duty has been met.  The existing legal framework in the UK therefore limits companies from dramatically reducing their DEI commitments even if they wanted to and the current political climate is likely to mean that the obligations on employers in this area will only increase.  The Labour government is currently consulting on proposals to introduce ethnicity and disability pay-gap reporting, in addition to the existing gender pay-gap reporting requirements, along with pay transparency rules similar to those currently being introduced in the EU and bringing dual discrimination (where discrimination is due to a combination of protected characteristics) into effect. These initiatives all show the degree to which the UK, as well as the EU more generally, is taking a different approach to DEI issues than the US at the moment. For those employees who value DEI programmes, the US retrenchment in this area provides UK employers, particularly IT companies, with a really strong opportunity to position themselves as an attractive option for global talent.   A commitment to DEI initiatives can be a genuine point of difference in attracting the best candidates, especially for younger employees as the recent Ipsos survey showed, and whereas the US might have been a key destination in the past for ex-pat IT employees, the UK could be well placed to close the gap in the next few years.   Nick Le Riche is a Partner in the Employment Law team at the international law firm Broadfield. Read more on DEI How has US pushback affected UK DEI? The DEI backlash is over – we are talking a full scale revolt What companies are rolling back DEI policies in 2025?

With millions of businesses now using Amazon Web Services (AWS) for their cloud computing needs, it’s become a vital consideration for IT security teams and professionals. As such, AWS offers a broad range of cyber security tools to secure AWS-based tech stacks. They cover areas such as data privacy, access management, configuration management, threat detection, network security, vulnerability management, regulatory compliance and so much more.  Along with being broad in scope, AWS security tools are also highly scalable and flexible. Therefore, they’re ideal for high-growth organisations facing a fast-expanding and increasingly sophisticated cyber threat landscape. On the downside, they can be complex to use, don’t always integrate well with multi-cloud environments, and become outdated and expensive quickly. These challenges underscore the importance of continual learning and effective cost management in the cyber security suite. One of the best things AWS offers cyber security professionals is a centralised view of all their different virtual environments, including patch management, vulnerability scanning and incident response, to achieve “smoother operations”, according to Richard LaTulip, field chief information security officer at cyber threat intelligence platform Recorded Future. Specifically, he says tools like AWS CloudTrail and AWS Config allow cyber security teams to accelerate access management, anomaly detection and real-time policy compliance, and that risk orchestration is also possible thanks to AWS’s support for specialist platforms such as Recorded Future.  This sentiment is echoed by Crystal Morin, cyber security strategist at container security firm Sysdig, who describes AWS CloudTrail and AWS GuardDuty as “the bedrock” for organisations with a multi- or hybrid cloud environment.  She says these tools offer “great insight” into cloud environment activity that can be used to identify issues affecting corporate systems, better understand them and ultimately determine their location for prompt removal.  Having made tons of cloud security deployments for Fortune 200 companies in his previous role as global AWS security lead at consulting giant Accenture, Shaan Mulchandani, founder and CEO of cloud security firm HTCD, knows a thing or two about AWS’s cyber security advantages.  Mulchandani says AWS implementations helped these companies secure their baseline configurations, streamline C-suite IT approvals to speed up AWS migration, eliminate manual post-migration security steps and seamlessly scale environments containing thousands of workloads. “I continue to help executives at organisations architect, deploy and maximise outcomes using AWS-native tools,” he adds. As a senior threat researcher at cyber intelligence platform EclecticIQ, Arda Büyükkaya uses AWS tools to scale threat behaviour analysis, develop secure malware analysis environments, and automate threat intelligence data collection and processing.  Calling AWS an “invaluable” threat analysis resource, he says the platform has made it a lot easier to roll out isolated research environments. “AWS’s scalability enables us to process large volumes of threat data efficiently, whilst their security services help maintain the integrity of our research infrastructure,” Büyükkaya tells Computer Weekly. At log management and security analytics software company Graylog, AWS usage happens across myriad teams. One of these is led by EMEA and UK lead Ross Brewer. His department is securing and protecting customer instances using tools like AWS GuardDuty, AWS Security Hub, AWS Config, AWS CloudTrail, AWS Web Application Firewall (WAF), AWS Inspector and AWS Identity and Access Management (IAM).  Its IT and application security department also relies on security logs provided by AWS GuardDuty and AWS CloudTrail to spot anomalies affecting customer instances. Brewer says the log tracking and monitoring abilities of these tools have been invaluable for security, compliance and risk management. “We haven’t had any issues with our desired implementations,” he adds. Cyber law attorney and entrepreneur Andrew Rossow is another firm believer in AWS as a cyber security tool. He thinks its strongest aspect is the centralised security management it offers for monitoring threats, responding to incidents and ensuring regulatory compliance, and describes the usage of this unified, data-rich dashboard as the “difference between proactive defence and costly damage control” for small businesses with limited resources.  But Rossow believes this platform’s secret sauce is its underlying artificial intelligence (AI) and machine learning models, which power background threat tracking, and automatically alert users to security issues, data leaks and suspicious activity. These abilities, he says, allow cyber security professionals to “stay ahead of potential crises”. Another area where Rossow thinks AWS excels is its integration with regulatory frameworks such as the California Consumer Privacy Act, the General Data Protection Regulation and the Payment Card Industry Data Security Standard. He explains that AWS Config and AWS Security Hub offer configuration and resource auditing to ensure business activities and best practices meet such industry standards. “This not only protects our clients, but also shields us from the legal and reputational fallout of non-compliance,” adds Rossow. AWS tools provide cyber security teams with “measurable value”, argues Shivraj Borade, senior analyst at management consulting firm Everest Group. He says GuardDuty is powerful for real-time monitoring, AWS Config for security posture management and IAM Access Analyzer for privilege sprawl prevention. “What makes these tools powerful is their interoperability, enabling a scalable and cohesive security architecture,” says Borade. Although AWS is a valuable tool for cyber security professionals, Borade emphasises that it’s “not without limitations”. He says the platform’s lack of depth and flexibility means it isn’t always suitable for modelling complex cyber security threats or handling specific compliance issues. Rather, cyber security professionals should use AWS as a foundational element of their wider tech stack.  Using the AWS Security Hub as an example, Borade says it can effectively serve the purpose of an “aggregation layer”. But he warns that incorrect configurations often result in alert fatigue, meaning people can become oblivious to notifications when repeatedly spammed with them.  Borade also warns of misconfigurations arising from teams’ lack of understanding of how cloud technology works. Consequently, he urges cyber security teams to “embed cloud-native security into the DevSecOps lifecycle” and “invest in continuous cross-functional training”. For Morin, the biggest challenge of using AWS as a security tool is that it’s constrained by best practice gaps around areas like workload protection, vulnerability management, identity management and threat detection. She says one classic example is the difficulty cyber security teams face when monitoring access permissions granted over time, leaving organisations with large IT environments dangerously exposed.  Using multiple AWS security tools also increases the attack surface for cyber criminals to exploit. Morin warns that hackers may look for “visibility gaps” by sifting through different AWS planes, helping them “mask their activities” and “effectively bypass detection”. To stay one step ahead of cyber crooks, she advises organisations to invest in runtime solutions alongside AWS-native tools. These will provide real-time security insights. Technical and cost issues may also impact AWS implementations in cyber security departments, warns Mulchandani. For instance, Amazon Macie may be able to create inventories for all object versions across different buckets, but Mulchandani says this creates a “mountain of medium-severity findings” to decipher. “Without strict scoping, licence costs and analyst time balloon,” he adds. “Costs can also increase when an organisation requires a new AWS launch that isn’t available in their region and they subsequently invest in a temporary solution from a different vendor. For those new to using AWS security tools, Morin says an important first step is to understand the cloud security shared responsibility model. She explains that the user is responsible for securing their deployments, correctly configuring them and closing any security visibility gaps. AWS, on the other hand, must ensure the underlying infrastructure provided is safe to use.  As part of the users’ role in this model, she says they should enable logging and alerts for AWS tools and services used in their organisation. What’s also key is detailing standard organisational operating behaviour in a security baseline. This, she claims, will let organisations tell suspicious user actions apart from normal ones. Many tried-and-tested best practices can be found in professional benchmarks such as the AWS Well-Architected framework and the Center of Internet Security’s Benchmark for AWS. “Make use of the work of those who have been fighting the good fight,” says Morin. Finally, she urges anyone working in cloud security to remember that real-time operations are essential. Runtime security can help by protecting all running applications and data from the latest cyber security threats, many of which are preventable through automated processes.  Starting small is a good idea, too. Mulchandani recommends that AWS newbies begin with AWS tooling, and if any gaps persist, they can then look for third-party offerings. “Do not try to procure and integrate 20-plus external tools upfront as this will cause numerous architectural, security and cost challenges,” he says. With the rapid pace of innovation across the AWS ecosystem, Borade urges anyone using this platform to stay up-to-date with the latest releases by participating in certification programmes, attending re:Inforce sessions and tracking the latest release notes from AWS. In the future, he expects automation, AI-fuelled insights, “tighter” third-party integrations, and identity orchestration and policy-as-code frameworks to dominate the AWS cyber security ecosystem.  On the whole, understanding the AWS platform and its role in cloud security is a vital skill for cyber security professionals. And AWS certainly offers some great tools for managing the biggest risks impacting its popular cloud platform. But cyber security professionals looking to leverage AWS in their day-to-day roles must be willing to get to grips with some complex tools, keep up-to-date with the latest releases in the vast AWS ecosystem and ensure their department budget can accommodate spiralling AWS costs. Read more about AWS An AWS tech stack can aid business growth and facilitate efficient operations, but misconfigurations have become all too common and stall this progress. The AWS Summit in London saw the public cloud giant appoint itself to take on the task of skilling up hundreds of thousands of UK people in using AI technologies. Amazon Web Services debuts new Outposts racks and servers that extend its infrastructure to the edge to support network intensive workloads and cloud radio access applications.

News Sapphire 2025: BASF evolves business with move to SAP S/4Hana Germany-based global chemical giant BASF has elected to move its SAP IT estate to S/4Hana private cloud to evolve its business in uncertain times By Brian McKenna, Enterprise Applications Editor Published: 29 May 2025 15:30 Chemical industry giant BASF is moving its SAP IT estate to the supplier’s S/4Hana enterprise resource planning (ERP) system as part of a business modernisation strategy, it was announced at the SAP Sapphire user and partner conference in Madrid. Petra Scheithe, senior vice-president of digitalization of services and ERP platforms at BASF Business Services, outlined the latest development in the company’s long-standing relationship with SAP. BASF, which employs around 112,000 people, has been an SAP customer for 40 years. Its headquarters in Ludwigshafen are a half-hour drive from SAP’s in Walldorf. According to a joint SAP/BASF statement, the chemical firm “adopted a hybrid system landscape to integrate SAP S/4Hana Cloud into BASF’s vast system and reduce the complexity of on-premise management. With a clean core strategy in place, any new customisations and functional extensions will be cloud-ready, allowing simplified system maintenance and operations in the long run.” BASF also intends to use SAP’s artificial intelligence (AI) and sustainability software.   The first of its new systems on S/4Hana, in its coatings business, is already live. BASF has four “core businesses”, in chemicals, materials, industrial solutions, and nutrition and care, and four standalone business units in agriculture and surface technologies, catalysts and metals, battery materials, and coatings. BASF is also using SAP’s Joule copilot for initial use cases in SAP’s SuccessFactors HR system, and is looking at other cases for core business processes. “We signed a new strategic partnership with SAP in December 2024,” said Scheithe, in an interview at Sapphire. “This includes Rise [with SAP], which we did not have before.” Rise is a so-called business transformation as a service programme that is fundamentally about cloud migration, and getting customers, new and existing, onto a cloud-delivered version of its S/4Hana ERP system based on its in-memory database, Hana. BASF’s existing SAP estate is one single global instance. “That has brought some challenges with it because over the last decade, we have really grown that system to a point where we said ‘this is difficult to manage’,” said Scheithe. “We have a very broad product portfolio, from our agricultural business, our coatings business, catalysts, battery materials, and copper and metals,” she said. “Combining all of those requirements in one SAP system led to the point that we have more than 300,000 custom objects in the system, so it’s huge and monolithic. The transition to S/4Hana is a chance to clear that up.” The idea is to back up the BASF strategy, called Winning Ways, with a modernised ERP system. The overall corporate strategy has the goal of BASF being “the preferred chemical company to enable our customers’ green transformation”. It includes a €10bn investment in what the company calls a Verbund site in Zhanjiang in China. At these sites, production plants, energy and material flows, logistics, and site infrastructure are all integrated, according to the company. There are currently six worldwide. In relation to the SAP environment, Scheithe said they decided to split the one instance into several business-related ones. The new company strategy, minted in 2024, means there is a pillar dedicated to “differentiated steering with different market requirements”, she added. Read more about SAP customers Rise with SAP offers a path to the cloud for SAP customers, but adoption is still hindered by customer concerns over costs, flexibility and SAP's cloud-only innovation strategy. SAP sales tactic fuels IT disconnect. SAP customer unrest: How did we get here? BASF started to build an S/4Hana instance in 2022 for the coatings business, with “a greenfield approach using clean core strategy”. This went live in March of this year, “on time and on budget, which I am super proud of”, said Scheithe. The firm is now implementing S/4 for the battery materials division and piloting for the agricultural business. “Clean core” in an SAP context means keeping the core system as standard as possible, with minimal custom modifications.  They also opted for SAP’s Rise programme so that their systems are as close as possible to standard SAP and to leverage the IT supplier’s innovations in AI. Scheithe said she’s very interested to explore the use of the technology from SAP’s 2024 acquisition, WalkMe. This is a digital adoption platform technology that is increasingly associated with the use of SAP’s GenAI assistant, Joule. WalkMe sits on top of an organisation’s IT applications layer and determines where users might experience difficulties such as getting stuck when performing a process or task. WalkMe then provides guidance and automated processes that help the user complete the task. BASF is not using it as yet. It’s using Joule for HR tasks, in SuccessFactors, and Sheithe is especially interested in its use for developers. “We are not so naïve as to believe now that with implementing S/4 we will cover all our business requirements that we had in the past,” she said. “We have more than 300,000 custom objects in our system, and those were not done just because developers like to develop, but for business requirements. If we can’t get rid of those, we don’t want them in our core system, so it will be helpful if we have tools on hand that make our developers more efficient. This why I’m so excited about Joule for developers.” Thomas Saueressig, a member of the executive board of SAP for customer services and delivery, said: “We are proud to partner with BASF on this transformative journey. “By choosing SAP S/4Hana Cloud, BASF is laying a strong foundation for future growth and innovation,” he said. “The ability to leverage a clean core and standardised processes will provide BASF with the agility and resilience needed to thrive in today’s dynamic business environment.” In The Current Issue: UK government outlines plan to surveil migrants with eVisa data Why we must reform the Computer Misuse Act: A cyber pro speaks out Download Current Issue FinOps Foundation lays down 2025 Framework for Cloud+ cost control – Open Source Insider Bit Cloud offers Hope AI for developers  – CW Developer Network View All Blogs

ipopba - stock.adobe.com News Maturing UK fintechs increase tech and cyber security hiring Increased hiring reflects that fintechs are maturing and now require more cyber security and compliance experts By Karl Flinders, Chief reporter and senior editor EMEA Published: 27 May 2025 16:23 The UK’s financial technology sector, or fintech as it is widely known, will see a 32% increase in professional hiring this year, with cyber security and technology roles the most in demand. As the fintech sector matures, and companies underpinned by tech seek to expand product ranges, increased demand for tech-related roles is inevitable. According to a report from recruitment services firm Morgan McKinley and labour market data company Vacancysoft, the increase comes as many UK fintechs move beyond the startup phase, add products and scale their operations. Technology-related hiring will see the fastest growth at 39%, driven by the need for engineering, cyber security, and IT management and development professionals. “London continues to dominate hiring in this space, buoyed by the upcoming Cyber Security and Resilience Bill. As fintechs replace legacy systems and meet rising compliance expectations, system resilience and threat mitigation skills are in high demand,” said the report. Risk and compliance professionals are also in increasing demand. Hiring in this area is projected to rise by 29% in 2025, according to Morgan McKinley and Vacancysoft, with financial crime professionals and fraud-related roles most in demand. This increase is due to growing regulatory scrutiny and operational complexity. “As regulatory expectations shift from minimum standards to active governance, fintechs are investing accordingly, seeking experienced professionals to strengthen internal control frameworks and support future authorisations or licensing requirements,” said the report. Fintechs are prioritising strategic hiring, investment in high-impact roles in compliance, product engineering and IT security, according to the report. Meanwhile, hiring for generalist functions remains flat or subject to cost review, it said. Mark Astbury, director at Morgan McKinley in the UK, said despite the uncertain economic climate, the UK fintech sector will see “one of its strongest hiring outlooks in recent years”. He said the rise in professional vacancies is led by London, but is echoed nationwide. “The data tells a clear story: despite subdued venture capital flows, demand for specialist talent remains robust. This isn’t a hype-driven rebound, it’s a grounded response to real-world pressures. Fintech firms are hiring to meet rising regulatory expectations as they grow, to counter increasingly sophisticated financial threats, and to build more resilient digital infrastructure,” added Astbury. “The surge in fraud risk and compliance roles, alongside double-digit growth in IT security and engineering, reflects an industry maturing in response to both opportunity and obligation,” he said. The increased recruitment of professionals comes with the backdrop of sector investment falling by over a quarter to $9.9bn, down 27% from $13.6bn in 2023, according to KPMG’s Pulse of fintech report. In the report, KPMG said geopolitical uncertainty, high levels of inflation and higher interest rates all contributed to “more subdued levels of UK fintech investment”. KPMG’s figures mirror those published by Innovative Finance last month, which reported a 37% fall in investment in 2024 compared with 2023. Innovate Finance, the industry body for fintech in the UK, blamed tough market conditions that included “rising interest rates, geopolitical instability, as well as a recalibration in venture capital fundraising”. The UK’s fintech sector attracted $3.6bn investment last year, which was only bettered by the US. Read more about fintech In The Current Issue: UK government outlines plan to surveil migrants with eVisa data Why we must reform the Computer Misuse Act: A cyber pro speaks out Download Current Issue SAP Sapphire 2025: Developers take centre stage as AI integration deepens – CW Developer Network Microsoft entices developers to build more Windows AI apps – Cliff Saran's Enterprise blog View All Blogs

There are few industries these days that are not touched by artificial intelligence (AI). Networking is very much one that is touched. It is barely conceivable that any network of any reasonable size – from an office local area network or home router to a global telecoms infrastructure – could not “just” be improved by AI. Just take the words of Swisscom’s chief technical officer, Mark Düsener, about his company’s partnership with Cisco-owned Outshift to deploy agentic AI – of which more later – through his organisation. “The goal of getting into an agentic AI world, operating networks and connectivity is all about reducing the impact of service changes, reducing the risk of downtime and costs – therefore levelling up our customer experience.”  In other words, the implementation of AI results in operational efficiencies, increased reliability and user benefits. Seems simple, yes? But as we know, nothing in life is simple, and to guarantee such gains, AI can’t be “just” switched on. And perhaps most importantly, the benefits of AI in networking can’t be realised fully without considering networking for AI. It seems logical that any investigation of AI and networking – or indeed, AI and anything – should start with Nvidia, a company that has played a pivotal role in developing the AI tech ecosystem, and is set to do so further. Speaking in 2024 at a tech conference about how AI has established itself as an intrinsic part of business, Nvidia founder and CEO Jensen Huang observed that the era of generative AI (GenAI) is here and that enterprises must engage with “the single most consequential technology in history”. He told the audience that what was happening was the greatest fundamental computing platform transformation in 60 years, encompassing general-purpose computing to accelerated computing.  “We’re sitting on a mountain of data. All of us. We’ve been collecting it in our businesses for a long time. But until now, we haven’t had the ability to refine that, then discover insight and codify it automatically into our company’s natural experience, our digital intelligence. Every company is going to be an intelligence manufacturer. Every company is built on domain-specific intelligence. For the very first time, we can now digitise that intelligence and turn it into our AI – the corporate AI,” he said. “AI is a lifecycle that lives forever. What we are looking to do is turn our corporate intelligence into digital intelligence. Once we do that, we connect our data and our AI flywheel so that we collect more data, harvest more insight and create better intelligence. This allows us to provide better services or to be more productive, run faster, be more efficient and do things at a larger scale.”  Concluding his keynote, Huang stressed that enterprises must now engage with the “single most consequential technology in history” to translate and condense a company’s intelligence into digital intelligence. This is precisely what Swisscom is aiming to achieve. The company is Switzerland’s largest telecoms provider with more than six million mobile customers and 10,000 mobile antenna sites that have to be managed effectively. When its network engineers make changes to the infrastructure, they face a common challenge: how to update systems that serve millions of customers without disrupting the service. The solution was partnering with Outshift to develop practical applications of AI agents in network operations to “redefine” customer experiences. That is, using Outshift’s Internet of Agents to deliver meaningful results for the telco, while also meeting customer needs through AI innovation. But these advantages are not the preserve of large enterprises such as telcos. Indeed, from a networking perspective, AI can enable small- and medium-sized businesses to gain access to enterprise-level technology that can allow them to focus on growth and eliminate the costs and infrastructure challenges that arise when managing complex IT infrastructures.  From a broader perspective, Swisscom and Outshift have also shown that making AI work effectively requires something new: an infrastructure that lets businesses communicate and work together securely. And this is where the two sides of AI and networking come into play. At the event where Nvidia’s Huang outlined his vision, David Hughes, chief product officer of HPE Aruba Networking, said there were pressing issues about the use of AI in enterprise networks, in particular around harnessing the benefits that GenAI can offer. Regarding “AI for networking” and “networking for AI”, Hughes suggested there are subtle but fundamental differences between the two.  “AI for networking is where we spend time from an engineering and data science point of view. It’s really about [questioning] how we use AI technology to turn IT admins into super-admins so that they can handle their escalating workloads independent of GenAI, which is kind of a load on top of everything else, such as escalating cyber threats and concerns about privacy. The business is asking IT to do new things, deploy new apps all the time, but they’re [asking this of] the same number of people,” he observed.  What we are starting to see, and expect more of, is AI computing increasingly taking place at the edge to eliminate the distance between the prompt and the process Bastien Aerni, GTT “Networking for AI is about building out, first and foremost, the kind of switching infrastructure that’s needed to interconnect GPU [graphics processing unit] clusters. And then a little bit beyond that, thinking about the impact of collecting telemetry on a network and the changes in the way people might want to build out their network.”  And impact there is. A lot of firms currently investigating AI within their businesses find themselves asking how to manage the mass adoption of AI in relation to networking and data flows, such as the kind of bandwidth and capacity required to facilitate AI-generated output such as text, image and video content. This, says Bastien Aerni, vice-president of strategy and technology adoption at global networking and security-as-a-service firm GTT, is causing companies to rethink the speed and scale of their networking needs.  “To achieve the return on investment of AI initiatives, they have to be able to secure and process large amounts of data quickly, and to this end, their network architecture must be configured to support this kind of workload. Utilising a platform embedded in a Tier 1 IP [internet protocol] backbone here ensures low latency, high bandwidth and direct internet access globally,” he remarks.   “What we are starting to see, and expect more of, is AI computing increasingly taking place at the edge to eliminate the distance between the prompt and the process. Leveraging software-defined wide area network [SD-WAN] services built in the right platform to efficiently route AI data traffic can reduce latency and security risk, and provide more control over data.”  At the end of 2023, BT revealed that its networks had come under huge strain after the simultaneous online broadcast of six Premier League football matches and downloads of popular games, with the update of Call of Duty Modern Warfare particularly cited. AI promises to add to this headache.  Speaking at Mobile World Congress 2025, BT Business chief technology officer (CTO) Colin Bannon said that in the new, reshaped world of work, a robust and reliable network is a fundamental prerequisite for AI to work, and that it requires effort to stay relevant to meet ongoing challenges faced by the customers BT serves, mainly international business, governments and multinationals. The bottom line is that network performance to support the AI-enabled world is crucial in a world where “slow is the new down”.  Bannon added that Global Fabric, BT’s network-as-a-service product, was constructed before AI “blew up” and that BT was thinking of how to deal with a hyper-distributed set of workloads on a network and to be able to make it fully programmable. Looking at the challenges ahead and how the new network will resolve them, he said: “[AI] just makes distributed and more complex workflows even bigger, which makes the need for a fabric-type network even more important. You need a network that can [handle data] burst, and that is programmable, and that you can [control] bandwidth on demand as well. All of this programmability [is something businesses] have never had before. I would argue that the network is the computer, and the network is a prerequisite for AI to work.”  The result would be constructing enterprise networks that can cope with the massive strain placed on utilisation from AI, especially in terms of what is needed for training models. Bannon said there were three key network challenges and conditions to deal with AI: training requirements, inference requirements and general requirements.   He stated that the dynamic nature of AI workloads means networks need to be scalable and agile, with visibility tools that offer real-time monitoring, issue detection and troubleshooting. As regards specific training requirements, dealing with AI necessitates the movement of large datasets across the network, thus demanding high-bandwidth networks. He also described “elephant” flows of data – that is, continuous transmission over time and training over days. He warned that network inconsistencies could affect the accuracy and training time of AI models, and that tail latency could impact job completion time significantly. This means robust congestion management is needed to detect potential congestion and redistribute network traffic.  But AI training models generally spell network trouble. And now the conversation is turning from the use of generic large language models (see Preparing networks for Industry 5.0 box) to application/industry-dedicated small language models. Read more articles about AI for networking How network engineers can prepare for the future with AI: The rapid rise of AI has left some professionals feeling unprepared. GenAI is beneficial to networks, but engineers must have the proper tools to adapt to this new change. Cisco Live EMEA – network supplier tightens AI embrace: At its annual EMEA show, Cisco tech leaders unveiled a raft of new products, services and features designed to help customers do more with artificial intelligence. NTT Data has created and deployed a small language model called Tsuzumi, described as an ultra-lightweight model designed to reduce learning and inference costs. According to NTT’s UK and Ireland CTO, Tom Winstanley, the reason for developing this model has principally been to support edge use cases. “[That is] literally deployment at the edge of the network to avoid flooding of the network, also addressing privacy concerns, also addressing sustainability concerns around some of these very large language models being very specific in creating domain context,” he says.   “Examples of that can be used in video analytics, media analytics, and in capturing conversations in real time, but locally, and not deploying it out to flood the network. That said, the flip side of this was there was immense power sitting in some of these central hyper-scale models and capacities, and you also therefore need to find out more [about] what’s the right network background, and what’s the right balance of your network infrastructure. For example, if you want to do real-time media streaming from a [sports stadium] and do all of the edits on-site, or remotely so not to have to deploy [facilities] to every single location, then you need a different backbone, too.”  Winstanley notes that his company is part of a wider group that in media use cases could offer hyper-directional sound systems supported by AI. “This is looking like a really interesting area of technology that is relevant for supporter experience in a stadium – dampening, sound targeting. And then we’re back to the connection to the edge of the AI story. And that’s exciting for us. That is the frontier.”  But coming back from the frontier of technology to bread-and-butter business operations, even if the IT and comms community is confident that it can address any technological issues that arise regarding AI and networking, businesses themselves may not be so sure.  Research published by managed network-as-a-service provider Expereo in April 2025 revealed that despite 88% of UK business leaders regarding AI as becoming important to fulfilling business priorities in the next 12 months, there are a number of major roadblocks to AI plans by UK businesses. These include from employees and unreasonable demands, as well as poor existing infrastructure.   Worryingly, among the key findings of Expereo’s Enterprise horizons 2025 study was the general feeling from a lot of UK technology leaders that expectations within their organisation of what AI can do are growing faster than their ability to meet them. While 47% of UK organisations noted that their network/connectivity infrastructure was not ready to support new technology initiatives, such as AI, in general, a further 49% reported that their network performance was preventing or limiting their ability to support large data and AI projects.  Assessing the key trends revealed in the study, Expereo CEO Ben Elms says that as global businesses embrace AI to transform employee and customer experience, setting realistic goals and aligning expectations will be critical to ensuring that AI delivers long-term value, rather than being viewed as a quick fix. “While the potential of AI is immense, its successful integration requires careful planning. Technology leaders must recognise the need for robust networks and connectivity infrastructure to support AI at scale, while also ensuring consistent performance across these networks,” he says.  Summing up the state of the industry, Elms states that business is currently at a pivotal moment where strategic investments in technology and IT infrastructure are necessary to meet both current and future demands. In short, reflecting Düsener’s point about Swisscom’s aim to reduce the impact of service changes, reduce the risk of downtime and costs, and improve customer services. Just switching on any AI system and believing that any answer is “out there” just won’t do. Your network could very well tell you otherwise.  Through its core Catia platform and its SolidWorks subsidiary, engineering software company Dassault Systèmes sees artificial intelligence (AI) as now fundamental to its design and manufacturing work in virtually all production industries. Speaking to Computer Weekly in February 2025, the company’s senior vice-president, Gian Paolo Bassi, said the conversation of its sector has evolved from Industry 4.0, which was focused on automation, productivity and innovation without taking into account the effect of technological changes in society.   “The industry has decided that it’s time for an evolution,” he said. “It’s called Industry 5.0. At the intersection of the experience economy, there is a new, compelling necessity to be sustainable, to create a circular economy. So then, at the intersection, [we have] the generative [AI] economy.” Yet in aiming to generate gains in sustainability through Industry 5.0, there is a danger that the increased use of AI could potentially see increased power usage, as well as the need to invest in much more robust and responsive connected network infrastructure to support the rise in AI-based workloads.  Dassault first revealed it was working with generative AI design principles in 2024. As the practice has evolved, Bassi said it now captures two fundamental concepts. The first is the ability of AI to create new and original content based on language models that comprise details of processes, business models, designs of parts assemblies, specifications and manufacturing practices. These models, he stressed, would not be traditional, generic, compute-intensive models such as ChatGPT. Instead, they would be vertical, industry-specific, and trained on engineering content and technical documentation.  “We can now build large models of everything, which is a virtual twin, and we can get to a level of sophistication where new ideas can come in, be tested, and much more knowledge can be put into the innovation process. This is a tipping point,” he remarked. “It’s not a technological change. It’s a technological expansion – a very important one – because we are going to improve, to increase our portfolio with AI agents, with virtual companions and also content, because generative AI can generate content, and can generate, more importantly, know-how and knowledge that can be put to use by our customers immediately.” This tipping point means the software provider can bring knowledge and know-how to a new level because, in Bassi’s belief, this is what AI is best at: exploiting the large models of industrial practices. And with the most important benefit of addressing customer needs as the capabilities of AI are translated into the industrial world, offering a pathway for engineers to save precious time in research and spend more time on being creative in design, without massive, network-intensive models. “Right now, there is this rush to create larger and more comprehensive models. However, it may [just] be a temporary limitation of the technology,” Bassi suggested. “In fact, it is indeed possible that you don’t need the huge models to do specific tasks.” 

Artificial intelligence (AI) relies on vast amounts of data. Enterprises that take on AI projects, especially for large language models (LLMs) and generative AI (GenAI), need to capture large volumes of data for model training as well as to store outputs from AI-enabled systems. That data, however, is unlikely to be in a single system or location. Customers will draw on multiple data sources, including structured data in databases and often unstructured data. Some of these information sources will be on-premises and others in the cloud. To deal with AI’s hunger for data, system architects need to look at storage across storage area networks (SAN), network attached storage (NAS), and, potentially, object storage. In this article, we look at the pros and cons of block, file and object storage for AI projects and the challenges of finding the right blend for organisations. The current generation of AI projects are rarely, if ever, characterised by a single source of data. Instead, generative AI models draw on a wide range of data, much of it unstructured. This includes documents, images, audio and video and computer code, to name a few. Everything about generative AI is about understanding relationships. You have the source data still in your unstructured data, either file or object, and your vectorised data sitting on block Patrick Smith, Pure Storage When it comes to training LLMs, the more data sources the better. But, at the same time, enterprises link LLMs to their own data sources, either directly or through retrieval augmented generation (RAG) that improves the accuracy and relevance of results. That data might be documents but can include enterprise applications that hold data in a relational database. “A lot of AI is driven by unstructured data, so applications point at files, images, video, audio – all unstructured data,” says Patrick Smith, field chief technology officer EMEA at storage supplier Pure Storage. “But people also look at their production datasets and want to tie them to their generative AI projects.” This, he adds, includes adding vectorisation to databases, which is commonly supported by the main relational database suppliers, such as Oracle. For system architects who support AI projects, this raises the question of where best to store data. The simplest option would be to leave data sources as they are, but this is not always possible. This could be because data needs further processing, the AI application needs to be isolated from production systems, or current storage systems lack the throughput the AI application requires. In addition, vectorisation usually leads to large increases in data volumes – a 10 times increase is not untypical – and this puts more demands on production storage. This means that storage needs to be flexible and needs to be able to scale, and AI project data handling requirements differ during each stage. Training demands large volumes of raw data, inference – running the model in production – might not require as much data but needs higher throughput and minimal latency. Enterprises tend to keep the bulk of their unstructured data on file access NAS storage. NAS has the advantages of being relatively low cost and easier to manage and scale than alternatives such as direct-attached storage (DAS) or block access SAN storage. Structured data is more likely to be block storage. Usually this will be on a SAN, although direct attached storage might be sufficient for smaller AI projects. Here, achieving the best performance – in terms of IOPS and throughput from the storage array – offsets the greater complexity of NAS. Enterprise production systems, such as enterprise resource planning (ERP) and customer relationship management (CRM), will use SAN or DAS to store their data in database files. So, in practice, data for AI is likely to be drawn data from SAN and NAS environments. “AI data can be stored either in NAS or SAN. It’s all about the way the AI tools want or need to access the data,” says Bruce Kornfeld, chief product officer at StorMagic. “You can store AI data on a SAN, but AI tools won’t typically read the blocks. They’ll use a type of file access protocol to get to the block data.” It is not necessarily the case that one protocol will better than the other. It depends very much on the nature of the data sources and on the output of the AI system For a primarily document or image-based AI system, NAS might be fast enough. For an application such as autonomous driving or surveillance, systems might use a SAN or even high-speed local storage. Again, data architects will also need to distinguish between training and inference phases of their projects and consider whether the overhead of moving data between storage systems outweighs performance benefits, especially in training. This has led some organisations to look at object storage as a way of unifying data sources for AI. Object storage is increasingly in use with enterprises, and not just in cloud storage – on-premise object stores are gaining market share too. Object has some advantages for AI, not least its flat structure and global name space, (relatively) low management overheads, ease of expansion and low cost. Performance, however, has not been a strength for object storage. This has tended to make it more suited to tasks such as archiving than applications that demand low latency and high levels of data throughput. Suppliers are working to close the performance gap, however. Pure Storage and NetApp sell storage systems that can handle file and object and, in some cases, block too. These include Pure’s FlashBlade, and hardware that runs NetApp’s OnTap storage operating system. These technologies give storage managers the flexibility to use the best data formats, without creating silos tied to specific hardware. Others, such as Hammerspace, with its Hyperscale NAS, aim to squeeze additional performance out of equipment that runs the network file system (NFS). This, they argue, prevents bottlenecks where storage fails to keep up with data-hungry graphics processing units (GPUs). But until better-performing object storage systems become more widely available, or more enterprises move to universal storage platforms, AI is likely to use NAS, SAN, object and even DAS in combination. That said, the balance between the elements is likely to change during the lifetime of an AI project, and as AI tools and their applications evolve. At Pure, Smith has seen requests for new hardware for unstructured data, while block and vector database requirements are being met for most customers on existing hardware. “Everything about generative AI is about understanding relationships,” he says. “You have the source data still in your unstructured data, either file or object, and your vectorised data sitting on block.” Read more about AI and storage Storage technology explained: AI and data storage: In this guide, we examine the data storage needs of artificial intelligence, the demands it places on data storage, the suitability of cloud and object storage for AI, and key AI storage products. Storage technology explained: Vector databases at the core of AI: We look at the use of vector data in AI and how vector databases work, plus vector embedding, the challenges for storage of vector data and the key suppliers of vector database products.

Flyalone - Adobe News Labour puts Humphrey AI to work for council admin A tool built on the government’s Humphrey AI toolset is being piloted by 25 councils to take notes during meetings Published: 23 May 2025 15:45 The UK government has announced that its artificial intelligence (AI) suite, Humphrey, is being trialled by a number of local councils. Its AI tool, Minute, takes notes in meetings, and was recently used in one chaired by prime minister Keir Starmer. Part of Humphrey, the package of AI tools built to help civil servants deliver for ministers and the public more effectively, uses generative AI to turn meetings into notes, and provides tools for correcting summaries. The government found that early tests using Minute showed that officials saved an hour of admin per one-hour meeting. The Department for Science, Innovation and Technology (DSIT) said Minute can help speed up actions after planning meetings, allowing officers to focus on the task at hand, rather than paperwork, and make informed decisions to get homes built. It’s currently being trailed by 25 local councils. Among the ways it’s being used is to help streamline burdensome admin tasks in the planning process as part of the government’s plans to build 1.5 million homes by 2030. Lords minister for housing and local government Sharon Taylor said: “Local councils are on the frontline of housing delivery, and we’re backing them with cutting-edge AI technology like Minute so officers can spend less time buried in admin and more time helping to get Britain building. “This is alongside our landmark reforms to deliver 1.5 million homes, including the Planning and Infrastructure Bill, which will get working people and families into secure homes and boost economic growth right across the country,” she said. Read more stories about public sector AI Humphrey AI tool powers Scottish Parliament consultation: AI-powered Consult tool has helped the Scottish Parliament to organise feedback from a public consultation into themes. Major obstacles facing Labour’s AI opportunity action plan: Skills, data held in legacy tech and a lack of leadership are among the areas discussed during a recent Public Accounts Committee session. Minute can also be used to take notes in meetings between social care workers and their supervisors, allowing workers to focus on offering more support instead of being bogged down by bureaucracy.   The Minute trial ties in with a broader government initiative to help local councils use technology to improve essential services they are responsible for delivering to local residents. To fulfil one of the actions in the 50-point AI Opportunities Plan of Action, which was published in January, the government has also introduced an AI Knowledge Hub for sharing examples of how local councils are using technology so others can learn from them – such as an AI assistant that speeds up the reporting of fly-tipping and graffiti in central London. In 2024, a Local Government Association (LGA) survey found that the majority of councils who took part in the poll (85%) were using or exploring how they would use AI. The areas where most respondents had realised benefits from using AI were staff productivity (35%), service efficiencies (32%) and cost savings (22%). However, the LGA reported that the five biggest barriers to deploying AI identified by respondents were a lack of funding (64%), a lack of staff capabilities (53%), a lack of staff capacity (50%), a lack of sufficient governance and a lack of clear use cases (41% each). The government’s own State of digital government review, published earlier this year, reported that each of the 320 local authorities in England negotiate technology contracts with big tech companies independently – when many are buying exactly the same tools – making this spending much less effective. The trials with AI-based tools built on Humphrey and the AI Knowledge Hub represent an attempt by the government to reduce the barriers to deploying AI across the public sector. AI and digital government minister Feryal Clark said: “From parking permits and planning permission, local councils handle some of the services that impact our daily lives most. For too long, they have been left to fend for themselves when keeping up with rapid innovations in AI and digital technology – when we know it has huge potential to help solve many of the challenges they face. Clark said the government was going to work with local councils to help them buy and build the technology they need to deliver Labour’s Plan for Change and support their local communities more effectively.  In The Current Issue: UK critical systems at risk from ‘digital divide’ created by AI threats UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal Standard Chartered grounds AI ambitions in data governance Download Current Issue SAP Sapphire 2025: Developers take centre stage as AI integration deepens – CW Developer Network Microsoft entices developers to build more Windows AI apps – Cliff Saran's Enterprise blog View All Blogs

Tryfonov - stock.adobe.com Opinion Microsoft's ICC email block reignites European data sovereignty concerns Why Microsoft's rhetoric on protecting European users from US government actions does not quite ring true By Owen Sayers, Secon Solutions Published: 23 May 2025 During his recent visit to Brussels, Microsoft chief Brad Smith committed his company to defending European interests from ‘geopolitical volatility’, including the impact of potential US administration interventions. Suggesting that Microsoft is ‘critically dependent on sustaining the trust of customers, countries, and government across Europe’, anyone leaving his session with EU leaders should have reasonably felt buoyed up by his words; but might also have sensibly awaited evidence of the commitments being applied in practice before relying upon them. If so, the news that the International Criminal Court (ICC) chief prosecutor and his staff have had their Microsoft email and services cancelled in direct response to US government sanctions might come as an unwelcome reality check. According to media reports, ICC chief prosecutor Karim Khan had his Microsoft email and other services suspended after the US applied sanctions in February to all ICC staff in response to their investigations into key Israeli politicians. The circumstances of the situation that gave rise to those sanctions are outside the scope of this article, and largely irrelevant to the problems these service suspensions indicate, however. Regardless of the ‘why’, what the service suspensions demonstrate is that Microsoft has the means (and when it comes down to it also possess the will) to do the US government’s bidding and disrupt services to any party deemed to be unacceptable. This is almost exactly contrary to the assurances Brad Smith so very recently gave. The disconnection of prosecutor Khan is a mouse-click heard around the world, and will undoubtedly give anyone using or currently considering the adoption of Microsoft cloud technologies pause for thought. By disconnecting the ICC staff in this way, Microsoft has done themselves some serious damage, and how much may take some time yet to become clear. Immediately after the disconnection became public, the Dutch government and public bodies are reported to have accelerated their examination of non-Microsoft and EU-located alternative services. Meanwhile, several suppliers have indicated an uptick in requests for backup of key data to protect against possible Microsoft disconnections. Press coverage in Germany suggests these concerns are rippling out to them also, whilst the Nordics and France have long made clear that they see a future that is distinctly less Azure in colour. The likelihood or otherwise of further disconnections is unclear, and for most users it should be considered very unlikely that Microsoft will start switching off services for no good reason. With 25% of Microsoft’s global revenues coming from European customers, it is unlikely to act rashly to damage that market, and can generally be counted on to be sensible and not commit commercial suicide – so most customers should not be worried. Nonetheless much of the damage to the confidence of public sector bodies might well have already been done. Governments like to be in control of their own destiny and that extends to digital services and data. When a key supplier they have relied upon for many years shows themselves to be subject to the whims and foibles of a foreign government – friendly or otherwise – most public sector buyers intuitively know it’s time to find an alternative provider “just-in-case”. Having a plan B option is just common sense. The big problem for Microsoft is that in the IT sector “just-in-case” or plan B options, often become strategic plan A directions of travel. And a trickle of departures can quite soon become a flood. Governments are herd animals – when one turns they all tend to follow. I’m not by any measure suggesting we are going to see an overnight exodus. Even if that was technically feasible (which it isn’t in most cases), these organisations are a bit concerned, not panicked. However, these previously affirmed Microsoft user groups are now openly talking about the need for alternatives to the Redmond cloud provider, and that should have Microsoft worried. Concerns that US hyperscalers might be subjected to pressure from US authorities to disclose information have existed for some time but have been broadly assuaged by repeated promises and commitments from Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft that they would resist such requests and protect their customers. When it has come to the acid test, however, many clearly feel that Microsoft has failed, and that instead of protecting the ICC as a key pillar of the global legal community, instead acted as an instrument of US policy. To restore his own email access, prosecutor Khan reportedly turned to Proton Mail, the Swiss end-to-end encrypted mail service beloved of whistleblowers and other digital refugees. Proton Mail operate under its own constraints and obligations to disclose information to the Swiss government on demand, but this is limited to IP address info, rather than email payloads, which it is generally accepted they cannot access. In doing so it’s likely that Mr Khan has had to forgo some user functionality and ease of use – but he may feel that’s a small price to pay to protect his office and role from US government influence. That might be a choice others have to make in the months and years to come, since regardless of their choice of cloud provider, the lesson here is that we cannot always trust them to rigorously and strongly protect our data or our services, despite what they may say, or how often they do so. In this case, Microsoft’s actions sadly speak a lot louder than Mr Smith’s words. Read more about Microsoft Microsoft’s hold on government IT is under scrutiny, following a disclosure to a Scottish policing body that saw the software giant advise that it cannot guarantee data sovereignty in its cloud-based Microsoft 365 suite Documents show Microsoft’s lawyers admitted to Scottish policing bodies that the company cannot guarantee sensitive law enforcement data will remain in the UK, despite long-standing public claims to the contrary In The Current Issue: UK critical systems at risk from ‘digital divide’ created by AI threats UK at risk of Russian cyber and physical attacks as Ukraine seeks peace deal Standard Chartered grounds AI ambitions in data governance Download Current Issue SAP Sapphire 2025: Developers take centre stage as AI integration deepens – CW Developer Network Microsoft entices developers to build more Windows AI apps – Cliff Saran's Enterprise blog View All Blogs

Saudi Arabia’s (KSA’s) attempt to turn from one of the least to most developed data markets in the world has advanced with measures it and the US have taken to encourage investors to build artificial intelligence (AI) datacentres in the country. KSA came closer to finalising plans to treat foreign computer systems as “data embassies”, reassuring firms their customer data would be safely stored in the authoritarian Gulf monarchy. Meanwhile, the US scrapped export controls on its most advanced AI chips, which had threatened to stop KSA from ever realising its plan to become a global leader in AI. Those legal preparations bore fruit this week before either was actually enacted, when Nvidia, whose advanced AI chips are the subject of US export controls, said it had done a deal to ship 18,000 of them to the Saudi state-owned Public Investment Fund. The chips were the first stage in a plan to install “several hundred thousand” Nvidia Grace Blackwell AI chips in five years, consuming 500MW of energy. Political analysts and industry insiders said, before KSA’s plans unfurled this week, that its proposed Global AI Hub Law would allow KSA to get banned AI chips that both it and foreign firms would need to build AI systems in the country. The draft law offers to give foreign computer systems embassy status, so their operators answered only to the laws of their home nations. It would forbid the Saudi state from intruding. KSA concluded a public consultation on the law the day after an Investment Summit, at which US president Donald Trump and Saudi crown prince Mohammed bin Salman Al Saud signed a broad economic partnership and presided over $600bn of trade deals, the White House said in a statement. They had done $300bn of deals when the conference opened, and aspired to $1tn, the prince told the conference on Tuesday. The deals encompassed defence, energy, tech and health. The audacity of KSA’s ambition was made apparent by data that in February, according to Computer Weekly analysis, showed how among 20 of the most notable data markets in Europe, the Middle East and Africa (EMEA), Saudi capital Riyadh had the second-least of all operational, planned and unfinished datacentres, above only Athens. With 125MW of computing capacity then planned in Riyadh, it was barely 5% of the forecast size of EMEA market leader London, and not 15% of the size of its rival and neighbour, the United Arab Emirates, according to numbers published by commercial estate agent Cushman & Wakefield. The largest datacentre investment deal apparent, among those announced at the Forum, was Saudi firm DataVolt, investing $20bn in the US. Read more about US and Saudi agreements On Monday, the US scrapped the AI Diffusion Rule, by which former president Joe Biden had blocked exports of powerful AI chips to all but a handful of countries because, US AI tzar David Sacks told the conference, it stopped US technology proliferating around the world and stifled strategic partners such as KSA, when it was supposed to hinder AI development in only a few countries. The US had decided instead to model AI policy on Silicon Valley’s software ecosystems, where firms became dominant by publishing application programming interfaces (APIs) that others could use to build on their technology. “They’re able to build these ecosystems without even having any lawyers involved,” said Sacks. “There’s no need for a contract. You just publish an API. In a similar way, the US needs to encourage the world to build on our tech stack. “President Trump said ‘the US has to win the AI race’. How do we win the AI race? We have to build the biggest partner ecosystem. We need our friends like the Kingdom of Saudi Arabia, and other strategic partners and allies, to build on our tech. “We want our technology to spread,” he said. “We want people to use it. We want to become the standard.” KSA’s attempt, meanwhile, to encourage foreign firms to build AI datacentres in the country by allowing their home nations to retain sovereignty over their data was widely commended as a strategic masterstroke. “It’s still an immature market, but the opportunity is huge,” said Stephen Beard, a real estate deal-maker for Knight Frank in Dubai. KSA could be a top-seven datacentre market in a decade. His firm estimated US cloud computing firms had recently committed to $9bn of investment there by 2027. Knight Frank alone was handling $7bn of datacentre deals for firms attracted by the local market opportunity, in a country with 20% lower power costs than the UK, a large, growing population and a non-democratic government able to digitise rapidly without the inconvenience of parliamentary process. President Trump commended KSA’s ruling family for that in a speech in Riyadh this week. “The AI Hub law is optically a fantastic move,” said Beard. “It should go some way to appeasing investors’ concerns. But we are talking about Saudi Arabia. Who decides the law in Saudi Arabia? Any developer looks for a higher return because of the macro risks.” But computer firms would invest there to serve KSA. The idea of KSA becoming a “super-hub” was flawed. Munir Suboh, a lawyer at Taylor Wessing in Riyadh, said the law would give KSA an “unprecedented advantage” over other countries which hesitate to cede sovereignty over foreign facilities. Contrast Saudi Arabia's attempt to make life easier for foreign investors with Europe’s regulatory preoccupation with imposing safety standards. “Traditionally, cross-border data transfers require compliance with multiple data localisation regulations, especially in data-heavy industries,” said Oliver Subhedar, a commercial dispute lawyer with Burlingtons. KSA is seeking a comparative advantage over other states by regulating datacentres themselves.” KSA would slash the cost of risk and compliance for multinationals that ordinarily had to accommodate a host of different regulations around the world, said Jade Masri, managing director of investment advisory R Consultancy in Dubai. That would cut capital costs for investors. “Hyperscalers need this law to import data into KSA to run large language models and generate meaningful AI,” said Amrik Sangha, a consultant with Gateley in Dubai. But KSA needed to address the question of “grey” fibre optic cables that would carry foreign data transfers “without monitoring”, he said. Grey, or “dark”, cables are private, point-to-point communications lines not reliant on local connections. Notwithstanding the unexpected US U-turn, Juliana Rordorf, Middle East director for political consultancy Albright Stonebridge Group, said the law might influence the global debate about data localisation, as well as AI export controls. Neighbouring Bahrain has had a data embassy law since 2018, while UAE, whose datacentre market and planned construction dwarfs that of KSA, recently made bilateral data embassy agreements with France and Italy. Such a law has even been mooted as a way to encourage investors deterred by Europe’s onerous data protection rules, having been pioneered in Estonia, and aped in Monaco, as a means of securing government backup datacentres in Luxembourg, because they otherwise had nowhere to put them safely.