Cyber Pulse: Amanda Stewart, Illuminate Technology
Our Cyber Pulse blogs highlight member voices on cyber security. Join this conversation with Amanda Stewart, CEO/CTO, Illuminate Technology.
Illuminate IT supports SMEs and charities across Scotland to boost productivity, security, and tech confidence, specialising in cloud solutions, cyber protection, and cost-effective IT systems.
Amanda champions diversity in tech and works to make technology accessible, secure, and stress-free. She is a strong advocate for public awareness around data sharing and digital safety.
How did you get started in cyber security and what has kept you in the field?
I came into cyber security the way a lot of people in my generation did, through IT support, back when the big shift was moving organisations off mainframes and into the new Windows desktops and servers. From there I spent time in both corporate and SME environments, and it became really obvious to me that smaller organisations were being asked to take on the same risks as big enterprises, but without the budgets, teams, or headspace to manage it properly. That’s a big part of why I founded Illuminate in 2007 – I wanted to build an outsourced IT department that genuinely feels like part of the organisations we support, not a supplier who appears only when something breaks.
What’s kept me in cyber is simple: it matters. Cybercrime doesn’t just affect systems; it affects people, services, reputations, and in the third sector it can impact the very communities those organisations exist to support. My focus has always been fighting cybercrime through practical controls and education – things like tabletop exercises, building a security culture, and helping teams understand risk. And I still love the learning. I’m someone who keeps studying and evolving, including achieving CISSP, because the threat landscape changes constantly, and I think we owe it to clients to stay sharp and stay curious.
The Current Landscape
What is one cyber security challenge or trend you are currently seeing in your sector?
AI is accelerating both sides of the cyber equation: it’s brilliant for productivity and defence, but it’s also opening new gaps inside organisations faster than most people realise. Many organisations are sleepwalking into a GDPR nightmare.
How is this issue showing up in practice for your organisation or clients?
This is showing up for our clients because AI is being adopted informally (Shadow AI) before organisations have put the guardrails in place, so people end up feeding AI the wrong kind of information, often without realising it, while access permissions, data quality, and oversight aren’t ready; that’s why we keep seeing AI becoming a fast track to GDPR risk unless policies, awareness, and controls are put in first.
Response & Lessons Learned
How are you or your team responding to this challenge?
We’re packaging this up for clients as an AI Adoption Toolkit that helps them move quickly without sleepwalking into risk: it starts with Board awareness, a clear AI usage policy that sets expectations around privacy, security, environmental impacts, ethical use and accountability, and continues to staff training and practical guardrails that are easy to remember and apply day-to-day, so teams define the problem, measure success, have human checks, and know what data is allowed before they automate anything.
What is one insight or lesson you have learned that others could benefit from?
One lesson I’d share is: make responsible AI use easy for staff, not just written down. The organisations that stay safest aren’t the ones with the longest policy, they’re the ones that give staff simple, memorable guardrails that people can apply under pressure.
What is a common mistake or misconception organisations have when dealing with this issue?
A common mistake is assuming AI is just a productivity tool rather than a data-processing and access-control problem, so organisations let staff experiment in public AI tools without a policy, training, or clear boundaries, and don’t realise people may paste confidential or personal data in “just to summarise it,” which turns AI into a fast route to GDPR exposure.
Leadership Perspective
From a leadership standpoint, what should executives and technical teams be aligned on when it comes to cyber security?
Cyber security is business risk, not an IT project. Executives need to own the risk posture and trade-offs (what you will and won’t accept), make sure accountability is explicit, and back it with policy and resources, while technical teams translate into practical controls you can evidence and repeat. Both sides should be aligned on what “good” looks like (clear governance, roles and oversight), how you’ll measure progress in a way the board understands, and how you’ll respond under pressure, because when something happens, you don’t want a debate, you want a rehearsed playbook and calm decision-making. And lastly, leadership has to model the culture you want: encourage reporting, remove blame, and make the simple habits non-negotiable. Culture still beats technology, and attackers know humans are the shortcut.
What is one small but meaningful action organisations can take today to improve their security posture?
Set the tone that reporting is rewarded, not punished: make it known that you’d rather hear about ten false alarms than one unreported mistake, talk openly about near-misses, and model the behaviour you want (pause, check, verify, and speak up). When leaders do that, people stop hiding things, phishing gets reported faster, and your technical controls actually get a chance to work, because culture beats technology, and it starts with leadership behaviour.
Looking Ahead
What emerging threat, technology or trend should organisations be paying attention to over the next 6–12 months?
Over the next 6–12 months, organisations should be paying closest attention to identity-first attacks that bypass MFA by stealing a trusted session. Adversary-in-the-middle phishing is now designed to capture session cookies/tokens so attackers can get in and stay in, even after passwords change, unless sessions/tokens are properly revoked.
Is there something in cyber security you think is currently under- or overestimated?
We underestimate the boring resilience basics, like whether backups have been tested to restore, until the day we need them.
Some organisations overestimate good old anti-virus; things have moved on and it’s simply not enough anymore, and hasn’t been for 20 years.
Quick Fire
Favourite cyber tool right now: Huntress
One resource you recommend (book, podcast, report): NCSC Cyber Action Toolkit for small businesses, it’s a great starting point: https://cybertoolkit.service.ncsc.gov.uk/
Someone in the industry to follow: I’d recommend GTIA’s ISAO Cyber Hub for actionable threat intelligence.
Final Thought
What is one thing you wish every organisation understood about cyber security?
Cyber security should feel like confidence, not fear. The goal isn’t perfection; it’s reducing the basic hygiene holes attackers rely on and building a team that spots problems early and knows exactly what to do next.