Scott Manson worked in technology before the millennium, which qualifies him as an industry veteran. His is a 26-year career that includes stints at McAfee, Verizon, as well as an initial spell at Cisco between 2010 and 2018. Manson returned to Cisco in 2022 and is now its Director for Cyber Security and Resilience for the UK and Ireland.
Longevity allows him to take a considered view. How does he observe the changes in the IT industry – and cybersecurity and resilience in particular – over the last quarter of a century? Manson recalls a time when people barely knew that viruses existed on computers. Compare that to today, he says, and cybersecurity is now part of a wider risk management conversation. “It’s moved from something that was about operational cadence and optimisation to being a board-level discussion,” says Manson.
On a similar theme, he notes how every organisation’s digital footprint has grown bigger and bigger, exposing each to greater risk. “Customers are so much more reliant on digital markets, on digitisation. As soon as they attach something to an IP backbone … then there’s a threat,” he explains. “The footprint of the attack zone is greater, and so we’ve got to move faster to try to cover it. Not only are attackers more sophisticated, but there are more things for those threat actors to go after.”
Despite constant change, Manson believes ransomware, a relatively old form of cyber attack, remains the number one threat factor. He says the “proliferation and the explosion” of ransomware is being accompanied by a growing level of complexity. “The sophistication and frequency of attacks make it harder for customers to defend against.” Without a single silver bullet, companies need to add “lots of layers of defence to be able to frustrate the attacker.” Meanwhile, ransomware is being augmented by artificial intelligence (AI). Manson describes the impact of AI as “huge”, noting how bad actors are using it not only to increase the volume of attacks but also to develop new ways of getting into corporate networks. “While we have AI to help us defend, they also have AI to help them attack.”
So who’s winning? Surprisingly, given the high-profile cyber attacks that have marked out 2025 – including those on Marks & Spencer, the Co-op, and Jaguar Land Rover – Manson offers an optimistic response. “I think we’re winning at the moment because you tend only to hear [about cybersecurity] when there’s a huge outage.” Behind the scenes, he insists, there is a less often told story of attacks being averted and of a concerted effort to consolidate the resilience of businesses across the economy. “We’re still on a mission to try to fix and plug the gaps that do exist, but I do think we’re winning.”
Manson is similarly positive about zero trust as a methodology for ensuring greater digital protection. “What I love about zero trust is that it’s a framework and a model. It’s not a widget. It’s a philosophy, and there are controls baked into the heart of that philosophy. And then there are regulatory templates, such as NIST 2.0 and Cyber Essentials, that give us the guidelines, the parameters to work within.
“I love zero trust because it’s based on something we can measure. It’s based on commonality.” He acknowledges that it can be implemented badly and that, in turn, can create inefficiencies if there’s an imbalance between security and autonomy. “Security is very much like salt in your diet,” says Manson. “You can have too much or you can have too little … but zero trust can certainly help a customer if they don’t quite know where to start.”
Before working in the IT industry, Manson was a professional rugby player. “A bad one,” he says with a note of self-deprecation that appears more than once in our conversation. His sporting career overlapped with his time at Newcastle University in the mid to late 1990s. He was part of the Scotland U21 squad and played for West Hartlepool RFC during the club’s most recent season in the Premiership from 1998 to 1999. “We were the worst team in the league, got beat every game,” he says before adding defiantly: “But I got to play in the Premiership.” (Records suggest that although the club did lose 22 of 26 games, heroically they managed three wins and a draw.)
It was during that season he got to play against England regular Jeremy Guscott. “He was my favourite. He scored three tries past me in one game – that’s my claim to fame.” Injury put a premature end to Manson’s professional sporting ambitions, although he continues to play socially, turning out for various charity matches.
The through line from sport to business has been explored many times, but the rugby to cyber resilience journey perhaps a little less so. What can the former teach us about the latter? “You get knocked down, you get back up again,” Manson says. “It’s a famous adage, but it’s also true. We know we’re going to have setbacks in cybersecurity, and there are going to be difficult decisions to take. Are we going to pay the ransom? Are we going to invest in keeping the lights on in the event of an attack? Are we going to face into the problem or face away from it?”
“There’s a lot of synergy with all sports and business, and this is one. You can ignore weaknesses, but then you’re going to get found out in the next game or at some point further down the line. That’s the analogy for me – investing in making sure that you’re going to be better for the next incident, for the next game.”
Manson and I are talking ahead of a Tech Monitor / Cisco executive roundtable called Building a Resilient Future: Strategies and Tactics. I ask him what he hopes to learn from the senior IT leaders who will be attending. Above all else, he says he wants to validate what he hears in the market. “Sometimes we can get caught up as vendors and analysts in echo chambers of our own chat and our own marketing blurb. It’s about going back to the people that matter, the customers, to understand what they are seeing. Have they seen advances that maybe we’ve missed? How is AI playing a role for them?”
And what of those strategies and tactics promised in the event’s title? Manson provides a flavour of his thinking. Education and training are an important part of the mix, he says. So too is the ability to take pragmatic decisions about what is important to protect. He calls it a “prioritisation matrix” and urges senior IT and security leaders to consider which of the digital services that could be infiltrated are the non-negotiables. “If Armageddon happened, and you are looking at a minimal viable company,” says Manson, “what digital services would need to be running in order for you to trade, keep the lights on, and make sure you don’t go out of business?”
This article is a part of a partnership with Cisco and is published ahead of a Tech Monitor / Cisco executive roundtable – ‘Building a Resilient Future: Strategies and Tactics’ – taking place on 2 October 2025. More information about the event can be found here.
