Grace Cassy, Co-Founder of CyLon, discusses the balance between collective security and individual freedoms, as well as the grey zone of cyber-attacks.
I’m Grace Cassy, an early-stage technology investor with a background that began in UK Government.
I spent the first decade of my career as a diplomat, serving both overseas and in the UK – including several years as Foreign Policy Private Secretary to Tony Blair during his time as Prime Minister.
My early work was rooted in foreign policy and national security, but for the past 15 years I’ve focused on the technology sector, investing in early-stage deep tech companies.
Much of my work has centred on cybersecurity, as well as adjacent fields such as AI, counter-fraud and defence.
I co-founded CyLon, which began as an accelerator supporting emerging cybersecurity startups and evolved into a dedicated early-stage investment platform.
More recently, I’ve been working closely with Ten Eleven Ventures, a US-based cybersecurity specialist investor with a strong track record of supporting European security companies.
Bringing together my backgrounds in national security and technology, in 2024 I was appointed by the Defence Secretary as an external reviewer for the Strategic Defence Review, published in June 2025.
Our work examined the full spectrum of UK defence capabilities and set out recommendations to ensure the system is fit for the future and able to meet emerging threats.
It was really a combination of things. I was genuinely pleased to see filmmakers taking an interest in this topic, because cybersecurity is often viewed as something hidden away – not particularly well understood outside the industry.
Those who work in the field know it deeply, of course, but for the wider public it can seem abstract or distant.
And yet it touches every part of our lives.
The idea of a full-length documentary focused on cybersecurity immediately appealed to me.
I thought it was a fantastic opportunity to shine a light on why this subject matters to everyone – to help explain what cybersecurity means and to bring together perspectives from government, industry, academia and beyond.
Showing how these different parts of society can collaborate to strengthen our collective security felt important.
It was simply great to see people taking such genuine interest in the issue.
It also felt like a crucial moment to be highlighting cybersecurity risks. In recent years we’ve seen a surge in cyber-breaches – many of them increasingly high-profile – alongside growing activity from adversaries.
The pace and prominence of these threats are only accelerating.
So, it seemed timely to contribute to a project that could raise awareness, spark discussion and hopefully encourage people to take cybersecurity more seriously.
I think this really comes down to trust and transparency.
When people understand why data is being collected or why certain systems are being monitored – and when they grasp the cybersecurity reasons behind it – they can better appreciate the societal benefits that come from strong information security.
That said, there’s always a trade-off between privacy, individual freedom and collective security.
Privacy is, of course, closely related but slightly distinct from cybersecurity.
In the case of cybersecurity specifically, what matters most is clarity and accountability.
People need to know what’s being protected, what data is being collected, which systems are being monitored and, crucially, how oversight works.
It’s essential that those running cybersecurity programmes are held accountable, whether through regulation, company policy or legal frameworks.
If there’s genuine trust and transparency in how these systems operate, people are far more likely to feel confident that their freedoms are being respected rather than compromised.
To many people, it might sound a bit old-fashioned to suggest writing plans down on paper – especially when digital transformation has been underway for so many years and most organisations are now predominantly digital.
But the NCSC has recently reiterated the importance of keeping recovery plans in physical form, and with good reason.
We’ve seen just how quickly things can go wrong – and how challenging it can be to recover if everything is stored only in digital format.
It’s really a timely reminder that sometimes the simplest, most traditional advice still holds true.
Having your recovery plan, key contact details and critical response steps printed and stored safely in a physical format just makes sense.
If the worst does happen, having those resources readily accessible could make all the difference in how quickly you and your organisation are able to bounce back.
In the UK Strategic Defence Review, we examined the growing reality that, alongside traditional kinetic threats, there are also threats operating below the threshold of armed conflict in the so-called ‘grey zone’, which has become increasingly active in recent years.
Threats such as ransomware, intellectual property theft and other forms of intrusion are fundamentally different from traditional, kinetic attacks for several reasons.
In the traditional military domain, physical attacks between nations are typically visible and geographically bounded.
You can see a missile travel from one place to another and there are physical limits to its range and impact.
Cyber-threats, by contrast, are almost the opposite: they are largely invisible, borderless and global in reach.
A single exploit can spread internationally within seconds, often undetected and can be extremely difficult to attribute.
That lack of visibility and clear attribution makes responding to cyber incidents far more complex.
With a kinetic strike, it’s usually clear who carried it out and from where.
In cyberspace, determining responsibility can take time and that uncertainty creates opportunities for confusion, misinterpretation and the spread of misinformation or disinformation.
Yet the consequences can be every bit as serious as a physical attack.
Cyber operations can disable critical infrastructure, shut down power grids or water systems and paralyse a country’s ability to deliver emergency services by disrupting utilities or digital systems.
The effects can be profound, even if they are harder to observe or contain.
This also makes deterrence far more challenging.
Traditional deterrence relies on a clear understanding of an adversary’s capabilities and the predictable consequences of escalation.
In cyberspace, where attribution is blurred and actions are often covert, that clarity is lost – leading to a more confused picture and increasing the risk of miscalculation.
For all these reasons, the ‘grey zone’ in which cyberattacks occur is a particularly dangerous space – one where escalation can happen quickly and unpredictably, sometimes even without the actors fully intending it.
Some of the high-profile cyberattacks we’ve seen in recent months here in the UK, most notably those affecting Marks & Spencer and Jaguar Land Rover, have highlighted just how damaging these incidents can be for businesses.
The impact goes far beyond immediate operational disruption; there are serious reputational consequences and wider effects on customers, suppliers and employees.
In Jaguar Land Rover’s case, the effects were visible at a national level, with early signs of an impact on exports and even GDP.
These incidents have reinforced a point that many business leaders are increasingly recognising: cybersecurity is not just an IT issue to be handled in a back-office function.
It’s a core business risk – one that belongs firmly on the boardroom agenda.
A serious attack can affect not only a company’s financial health and reputation but also the stability of the sector it operates in and even the broader economy.
That’s why I always encourage the board leaders I work alongside to think not only about prevention but also about resilience – how their organisation would recover if an attack did occur.
The reality is that cyber-crime is growing rapidly alongside state-backed threats, and cybercriminals are largely indiscriminate.
They don’t just target the obvious institutions like large banks; they go after any organisation where they think they can succeed.
Even companies that have invested heavily in defences can still fall victim.
So, resilience really is critical. You can no longer simply ‘build a higher wall’ and assume that’s enough.
Instead, organisations need to ensure their systems, processes and people are prepared to respond and recover quickly.
Building that resilience, both technical and organisational, is now one of the most important responsibilities for any board leader.
This article was originally published in the December edition of Security Journal UK.