Red Carding the Auditor: Winning the Game of Pragmatic Security
Track 1 – 2:00pm
Name: John Scott
Company: Wildpark Security Consultancy
Name: Leum Dunn
Company: Pencil AI (Head of Information Security)
Bio
John Scott is the owner of Wildpark Security Consultancy – an organisation which aims to advise and support people in the security awareness, behaviour and culture change space with their programmes to drive lasting security culture change in their organisations. He has previously worked for a Human Risk Management Platform as their Lead Security Researcher, and at the Bank of England running their security culture change programme for 7 years. He is also a Certified Instructor for the SANS Institute, delivering training on managing human risk and security culture change. John has worked with clients from all over the world, and has spoken on security-related topics at conferences in the UK, the USA, the Middle East, and Europe. For 35 years John has worked as an IT trainer, helping people to get the best use out of often confusing interfaces and software. He loves applying lessons from other disciplines to security, and is allergic to the term “People are the weakest link”.

Leum Dunn is the Head of Information Security at Pencil AI, where he tries to keep generative AI creative, useful, and less likely to feature in a post-incident slide deck. Before Pencil, Leum worked across betting, gaming and UK critical-infrastructure-adjacent environments, giving him a deep professional respect for useful controls, clear ownership, and the phrase “that sounds like a future incident report”. Leum was named one of the UK’s CSO30 winners in 2025, confirming that “professionally anxious” is, apparently, a career path. He is mainly interested in practical security over security theatre: honest conversations, controls people might actually follow, and finding the least painful way to stop product features turning into security incidents. Outside work, Leum is powered by tea, drives an old van, listens to jazz noir, and plays bass guitar (badly).
Talk Abstract
We talk a lot about Red Team and Blue Team in cyber security, but why does it feel like the referee – Compliance and Audit – is playing against us both?
Join two security veterans – one dyed in the wool techie, one bleeding heart liberal behaviouralist, as we unite forces against a common enemy – the security questionnaire!
In 30 minutes, using a Red and Yellow Card system, we’ll use humour and experience to dissect why 90-day password rotations, AI bans, ‘Weakest Link’ training and other “requirements” are the real foul plays of 2026, and show you some strategic tips for making sure you’re moving from checkbox security to real-world defensive resilience.
Intended Audience
Anyone interested in learning more about taking a strategic approach to security
How NSFW is this talk?
(How spicy is your talk, in chillies?)
Low heat – no NSFW necessary.
