In the IT channel, it is easy to talk about security in the abstract. But at XMA, we don’t just recommend security architectures, we live them. As a major IT solutions provider managing critical infrastructure for UK government bodies and large enterprises, we also must be on top of our cyber resilience.  

To be a true strategic Technology Partner, we must practice what we preach. We sat down with Charlotte King, XMA Group’s Head of IT Security & Compliance, to discuss the reality of defending a modern organisation. From the rise of AI-driven phishing to the dangers of the “silver bullet” mindset, here is the view from the inside. 

Section 1: The View from the Inside 

Q: As Head of InfoSec for a major IT solutions provider, you see a broad spectrum of threats. Moving beyond the buzzwords, what are the specific, high-risk trends keeping you up at night right now? 

Charlotte King: Firstly, our prevention controls – are they actually working? It’s not enough to have shiny tools, we need to constantly test and tune them to keep attackers out. This is not a “one and done” exercise. It keeps us on our toes every single day. 

Supply chain attacks are a real headache, and we have seen several big ones this year. We rely on suppliers for hardware and software, so if they’re compromised, so are we, and this affects our valued customers. Downtime or breaches in the supply chain can ripple right through our environment and soon become the critical task of the day. 

Phishing is relentless. Email remains a favourite attack vector, and the sophistication of these attacks is only increasing with AI. Finally, our staff – are we doing enough to train and support them? Are our technical teams prepared and well enough resourced to cope with the “business as usual” work and then the swerve balls that can come from suppliers, customers, or our industry partners? 

Q: We manage critical infrastructure for customers across the UK, including government bodies. How do we approach our own security to ensure we remain resilient against supply chain attacks? 

CK: We do a vast number of things to help with this. We certify and align to recognised security standards and frameworks. You can’t be an IT company these days without having these external validations of your policies and controls. We have just completed the re-cert for ISO 27001:2022 and have Cyber Essentials Plus next week. 

The audit cycle helps us to be continuously aware of possible weaknesses so we can fix and strengthen them. For us, security isn’t static, it’s not a goal or a destination, it’s our everyday. We’re always assessing our people, processes, and technology, reviewing how we can make it better, stronger, more resilient or efficient. We look at how these multiple layers of security can ensure that if one fails, others stand in the way. 

We have recently made big improvements to our supply chain onboarding. We don’t just trust our suppliers blindly, we vet them thoroughly. 

Section 2: The Human Firewall 

Q: Technology is only half the battle. How do you approach security culture at XMA to ensure staff are an active line of defence rather than a vulnerability? 

CK: Technology and processes are only half the battle. We have all sorts of people here at XMA, from technical teams to sales, and the usual back-office support staff too. We have robust staff security training, and we run ongoing simulated phishing campaigns and monthly bulletins to help keep security in everyone’s mind. 

This month our bulletin was for Black Friday and Christmas scams, helping keep our staff safe in and outside of work. I would like to think we also have an approachable security and compliance team. We make it easy for staff to ask questions and report issues. We are also looking at a Security Champions programme to help further embed security advocates in every department. 

Q: Phishing remains a primary trigger for security breaches. With the rise of AI-generated content, attacks are becoming harder to spot. What specific “tells” should organisations teach their staff to look for in 2026? 

CK: You’re right, and in fact, AI is making it easier for attackers to craft convincing messages. As a business, we have a strong online presence, so finding who works here isn’t difficult. So, it comes down to our staff to be careful with emails, whilst knowing much of it will be caught by our tools and filters. 

Check URLs and domains carefully. Hover before you click! Watch for odd language or tone. AI can mimic, but it’s not always colloquially perfect. Scam psychology is to provide a sense of Scarcity, Urgency, Authority, or FOMO (Fear Of Missing Out). If the email has that, you don’t recognise the sender, or it seems a bit off, use the easy reporting mechanisms we have at XMA which make it simple for staff to flag suspicious emails. 

Q: With the ease of using AI tools, Shadow IT is a growing governance nightmare. How can IT Directors and business owners identify unapproved applications without halting productivity? 

CK: This is always a balance: to permit staff to access tools or applications that allow them to innovate, whilst being secure and well-governed. We publish a clear applications catalogue for staff to use as a first point of call. 

If the application we already have doesn’t meet their needs, we make it easy for staff to find and request approved tools, which then goes through a due diligence process. This allows some flexibility for niche needs whilst meeting security standards. Admin rights are locked down so staff can’t install software without authorisation. 

Q: Many organisations have security policies that sit in a drawer and are rarely read. How can businesses create policies that employees actually follow, rather than work around? 

CK: At XMA we have one clear, concise user agreement, signed annually. Keeping it short, simple, and in plain language means staff are more likely to engage with it. We track compliance of this overarching policy, and it forms a key part of our security foundation. Generally, if a workflow is built into technology (perhaps the triage of a suspicious email) that’s better than a dusty process document. 

Section 3: Our Vendor-Agnostic Take 

Q: Vendors often promise a single tool will solve all security problems. Why is this mindset dangerous, and what is the reality of building a layered defence? 

CK: Every department has different needs. What works for procurement might not work for sales, so you have to create a layered defence to protect all systems, people, and physical assets. Single tools can fail. Relying on one solution is risky and not resilient. 

Layered defence is key. Using specialist tools that work together, supporting your people and processes, means you can protect your business even if one security system stops working. We’ve seen big security vendors hit by ransomware, configuration changes impacting uptime, and global hyperscalers suffering significant downtime. No security vendor is immune to some kind of failure, so we need to spread our bets insightfully across tools and technology to keep the wheels of commerce turning for our stakeholders. 

Q: If a customer (whether an SMB owner or a Public Sector compliance officer) could make one immediate change today to improve their security posture, what should it be? 

CK: Enable Multi-Factor Authentication (MFA) everywhere you can. It’s one of the simplest, most effective ways to block attackers. This is for all areas: social media, work applications, shopping portals. Call out suppliers that don’t have MFA on their applications. Oh, and mandate a corporate password manager too. 

Need a Strategic Partner who understands the reality of cyber threats? 

At XMA, we don’t just sell technology, we use it to secure our own business every day. Contact your XMA Account Manager or talk to us at enquiries@xma.co.uk to discuss how we can help you build a resilient, layered defence.