Knowledge Ridge

Cybersecurity Through Regulation And Innovation

June 23, 2026 11 min read IT
#Cybersecurity, EMEA, Regulation, Agentic AI

Q1. Could you start by giving us a brief overview of your professional background, particularly focusing on your expertise in the industry?

With over 20 years of experience, I have established myself as a global cybersecurity executive focused on building secure business ecosystems and resilient digital strategies. As Associate Vice President and EMEA Head of Cybersecurity & GRC Services at LTM, I am responsible for P&L and lead customer advocacy across the region.

Previously, I spent over six years at HCL Technologies as Senior Director for the UK, Europe, and Africa, driving the Cybersecurity & GRC business. In these leadership roles, I have become an industry thought leader and trusted advisor to enterprise clients and investors navigating complex risk landscapes. I am also committed to ecosystem growth, actively mentoring startups to help the next generation of innovators build secure foundations from the outset.

 

Q2. We see major platforms pushing 'platformization.' In EMEA, are you seeing companies actually decommission legacy vendors, or are they just layering new costs on top of their existing stack?

The short answer is that MEI enterprises are facing what I call a platform paradox. While there is a strong focus on platform simplification, the decommissioning of legacy vendors is lagging behind. Major players like ServiceNow, Palo Alto, and Zscaler are acquiring smaller companies to create comprehensive security platforms, but customers—especially large, Tier 1 organizations—have already deeply customized these off-the-shelf solutions to meet their unique needs. As a result, even when these organizations want to migrate to modern platforms or adopt AI-driven solutions, their legacy systems are so entrenched that migration is extremely challenging.

Rather than true vendor replacement, what we're seeing in 2026 is cost layering. The complexity of existing ecosystems forces CIOs and CISOs into a “double spend” scenario: for the next few years, they must invest in new platforms to simplify their environment while maintaining legacy systems to ensure business continuity. Rip-and-replace is simply not feasible given how critical these older platforms remain.

A related challenge is the rising “AI cost.” Many organizations are pursuing AI-augmented platforms, but AI has yet to fully replace legacy systems. Even with aggressive plans, large enterprises might decommission only about 95% of their legacy estate over two or three years, and the remaining systems and business processes are often too complex to migrate to new platforms.

From a regional perspective, the UK is prioritizing security consolidation, with strong pushes from both government and industry. Meanwhile, countries like France are moving toward greater digital sovereignty, preferring local European platforms over existing OEMs. These regional dynamics are shaping how organizations approach platformization and legacy system management across EMEA.

 

Q3. Are cyber insurance premiums in EMEA now so high—or the coverage so restrictive—that customers are diverting their 'insurance budget' into direct defense and resilience services instead?

The perception that cyber insurance premiums are rising sharply is actually a misconception. Data from EMEA shows that premiums have decreased by an average of 11–13%. This decline is due to two main factors. First, since 2020, the number of cyber insurance providers has grown significantly, increasing competition and balancing supply and demand. Second, government initiatives and campaigns have encouraged both large enterprises and SMBs to improve their security posture, resulting in more favorable risk assessments and lower premiums. For larger organizations, increased investment in security and defense systems has enabled them to demonstrate greater cyber resilience, thereby further reducing insurance premiums.

For small and medium-sized businesses (SMBs), there has been significant government support and numerous campaigns to strengthen cybersecurity. In the UK, initiatives like Cyber Essentials have become mandatory for SMBs, helping to drive down insurance premiums. Regulatory measures such as the NIS2 Directive, DORA, and the UK Cyber Security and Resilience Bills have also been adopted in various countries, further encouraging organizations to improve their cyber awareness and compliance.

As a result, cyber insurance premiums have decreased. The money organizations invest in enhancing their cyber defense or IT resilience has led directly to lower premiums—a clear return on investment. This creates a win-win situation: companies that allocate more budget to cyber defense not only strengthen their posture but also benefit from reduced insurance costs. Therefore, the idea that cyber budgets are increasing simply due to rising insurance costs is a misconception.

 

Q4. With the surge in Agentic AI, what percentage of the company revenue is coming from securing the autonomous workflows, and is this a structural growth engine or a temporary 'clean-up' phase?

This is an important question—whether this is a structural growth engine or simply a temporary cleanup phase. In reality, cleanup is necessary to enable true structural change and create a sustainable growth engine. Referring to it as just a temporary cleanup phase is not entirely accurate.

Market surveys and discussions with CIOs and CISOs indicate that 10–15% of cybersecurity budgets are currently allocated to autonomous workflows and AI systems, which is the industry average. In sectors like BFSI and insurance—where IT and security are mission-critical—this allocation can reach 35–45%. Retail and manufacturing typically remain at the lower end but are eager to adopt AI to drive efficiency and reduce costs. BFSI organizations have been early adopters, often allocating a higher percentage.

The discussion is not about a temporary cleanup, but rather about two parallel shifts: integrating AI into cybersecurity and restructuring organizations to maximize its benefits. By leveraging AI, companies can reduce human errors, optimize cybersecurity spending, and potentially lower cyber insurance premiums. While AI can decrease labor costs by automating certain tasks, human expertise remains essential in the cyber defense chain.

Crucially, successful AI adoption demands a fundamental change in organizational structure. Teams that have traditionally operated in silos must collaborate more closely, and outdated processes must be redesigned. CIOs and CISOs increasingly recognize that this is a long-term, structural transformation—not a short-term fix. By 2026, more organizations are expected to make these changes, positioning themselves for sustainable growth through AI.

 

Q5. Which tier of European banks is most 'under-budgeted' for the mandated DORA resilience testing, and when do you expect the biggest wave of 'emergency spend' to hit?

This is a straightforward answer: tier-2 and tier-3 banks—those that are regional or local in their operations—are the most under-budgeted for mandated DORA resilience testing. For example, a bank operating solely in Greece or Cyprus lacks the scale to absorb the full costs of regulatory compliance. In contrast, global tier-1 banks have the size and resources to manage these regulatory costs more easily. The main challenge lies with tier-2 and tier-3 institutions operating on a European or very local scale.

With regulations such as NIS2 and the EU AI Act coming into force since June and being adopted as law across countries, there is a wave of compliance activity. From the second quarter of this year, and likely into the next quarter, we are seeing an increase in requests and requirements to meet these new standards. I expect the biggest surge in 'emergency spend' will occur in Q4 2026 and Q1 2027—as deadlines approach, similar to the last-minute rush seen with GDPR. The market trend suggests the current surge will peak over the next two quarters, as many organizations accelerate their efforts to comply with regulatory and audit requirements.


Q6. What is the 'hidden' gap in the global supply chain that could cause a systemic financial shock to the EMEA markets in the next 18 months?

If we had discussed this a month ago, the answer would have been different. However, the current geopolitical situation has shifted the landscape. From an IT spending perspective, there is no direct impact because no major IT-specific event has occurred. However, rising commodity prices, surging inflation, and increasing oil prices are creating new pressures. As a result, many organizations are halting or slowing investments in enterprise security and restructuring.

This represents a systemic shock to the EMEA markets. Geopolitical instability is causing a business shock for companies across the region, particularly for IT and security leaders. Budgets were approved when oil was around $76 per barrel, but prices have now climbed to $115–$116. This global supply chain shock is forcing EMEA markets to reconsider their strategies.

Budgets set late last year are now under strain. As Q1 began, many organizations abruptly put projects on hold. Initiatives in early phases have been paused, and mid-stage projects are being slowed or having their scope reduced. Instead of rolling out solutions organization-wide, companies are now reaching milestones and then pacing further in, spending more on critical projects required for regulatory or significant financial reasons.

Overall, the situation has changed dramatically in the last month, causing the largest shock to EMEA markets in recent memory and impacting companies globally.

 

Q7. If you were an investor looking at companies within the space, what critical question would you pose to their senior management?

My focus is cybersecurity and IT, so I approach this question from that perspective. As an investor, the key questions I ask senior management are: What specific use case are you solving, and why can't it be addressed by existing companies in the market?

My concern comes from having experienced the dot-com bubble, when investors rushed into any company with a dot-com in its name, often without understanding the underlying use case or infrastructure. Many of those companies lacked the necessary ecosystem—slow internet speeds, low digital adoption, and limited online shopping meant even great ideas struggled to succeed.

In the current AI era, I ask organizations: What problem are you solving, and is the ecosystem mature enough to support your solution over the next five years? It's not just about having a good idea; it's about whether the broader environment is ready. You might solve a problem today, but is the market large enough for your solution to grow?

Another critical aspect is differentiation. What is your company doing that larger competitors or established players aren't? For example, when companies like Claude release a new model, it can impact the share prices of others—sometimes causing significant market shifts. There have been cases where a small AI-powered marketing company was thriving, but once a major player like Gemini or Claude launched a competing product, the startup couldn't survive.

Therefore, I would ask: How will your business remain sustainable if a tech giant offers a similar solution for free? What makes your product uniquely defensible? Also, what measurable impact or efficiency does your solution provide, and who is your target customer—SMBs, enterprises, or another segment?

These are the critical questions I would pose to senior leadership when evaluating companies in this space.
 

 
