From Firefighting to Strategizing IT Security with Giles Thornton
Trust.ID Talk: The Digital Certificate and Identity Security Podcast
Content provided by Steve Hall and GMO GlobalSign Limited.
In this episode of Trust.ID Talk: The Digital Certificate and Identity Security Podcast, host Michelle Davidson is joined by Giles Thornton, Head of Information Security at The Premier League, to explore why security teams feel like they are constantly firefighting and how to break free. Giles shares his views on security perfectionism and compliance overload, and on how security leaders can cope with the lack of strategic breathing room that is driving burnout across the industry.
What You’ll Learn:
- How to balance security perfectionism with practical implementation
- Why compliance shouldn't be confused with security, and how to move beyond checkbox exercises to meaningful risk management
- The importance of brutal prioritization in security leadership
- How to effectively automate security operations while maintaining human oversight and trust
- Why building human relationships and trust networks is crucial for modern security programs
- The emerging challenges of AI governance and the impact of quantum computing on encryption, and how to prepare for future security landscapes
Giles is a seasoned cybersecurity executive with vast experience in strategic security leadership and risk management. With a background in military service and enterprise security, he brings a unique perspective to addressing modern cybersecurity challenges. Currently working in a forward-leaning tech environment, Giles specializes in developing practical security strategies that balance compliance requirements with real-world security effectiveness.
If you enjoyed this episode, make sure to subscribe, rate, and review on Apple Podcasts, Spotify, and YouTube Podcasts.
YouTube Chapters:
- [00:00] Intro
- [00:43] The Culture of “Never Enough Security”
- [01:42] Do Breaches Stem from Lack of Strategy?
- [03:44] Perfect vs. Good
- [08:01] Burnout and Cybersecurity Career Path
- [10:01] From Firefighting to Proactive Security
- [11:44] Automation and AI: Hype vs. Reality
- [12:58] Building Digital Trust
- [15:38] The Power of “So What?”
- [17:56] The 47-Day TLS Shift
- [28:21] Top Concerns: AI and Quantum
- [33:20] The Nudge Theory in Cybersecurity Training
- [35:36] The Myth of Eliminating Risk
- [37:25] Tech Giles Can’t Live Without
Key Takeaways:
- [01:42] Do Breaches Stem from Lack of Strategy?
Most breaches boil down to a lack of strategy and the unavoidable human element. While businesses often stay stuck in tactical firefighting mode just to "keep the lights on," this short-term mindset leaves them exposed. Taking even a brief pause to align security plans with business goals can head off a great many risks, but it requires courage, discipline, and leadership to prioritize long-term strategy over immediate pressures.
- [10:01] From Firefighting to Proactive Security
Moving from constant firefighting to a proactive security strategy starts with brutal prioritization and bringing your whole organization along for the ride. That means being honest about what your team can realistically handle, setting clear expectations with executives, and refusing to juggle every risk at once. Without this discipline, you’ll either burn out or kick today’s problems down the road for “future you” to deal with.
- [33:20] The Nudge Theory in Cybersecurity Training
Cybersecurity awareness isn’t built on long, one-size-fits-all compliance training; it’s about short, targeted nudges that fit the person, the role, and the situation. By breaking training down into tiny, specific prompts, teams are more likely to make the right choices, avoid mistakes, and actually enjoy a smoother user experience. The lesson? Keep it brief, relevant, and proactive, because prevention beats “we told you so” every time.
Quotes:
- “Security's quite often a game of not being the slowest person in the race. Just start running and doing some security puts you ahead of the vast majority of others.”
- “Compliance has its own function and purpose, but thinking that you have effectively applied risk management because you've complied with the tick list is not the same thing.”
- “You need to review the risk and take reasonable action. Making people maintain a 100% rate for compliance purposes is a way for burnout.”
- “The human relationship aspect of security is quite often overlooked. There's a real requirement in security to be perceived as confident, competent and to put that persona out to the business.”