A government cybersecurity consultant shares stories of real cyberattacks, the structural differences between securing enterprises and securing nations, and the three-step framework he uses when advising governments and critical national infrastructure organizations.
In the latest episode of our podcast "All Things Cyber," hosts Robin and Steph sit down with David Smith, a national cyber defense practitioner who has spent years working with governments and critical national infrastructure organizations across the Balkans, responding to real incidents and building cyber capacity from the ground up.
Their conversation covers what securing critical national infrastructure looks like from the inside. They get into real incidents in Albania and Montenegro, the difference between protecting an enterprise and protecting a nation, and why most security programs are still getting the sequence wrong.
This was one of the most grounded conversations we've recorded, with a field practitioner's honest view of what it takes to secure a nation. What follows is a summary of their insightful conversation.
How cybersecurity evolved from firewall logs to supply chain intelligence
David started his career scrolling through firewall logs manually, catching illicit behavior on corporate networks before security conferences even existed. His point is that the practitioners who build security and technology understand something that tool-first approaches miss:
You need to know how systems fit together before you can protect them.
That framing runs through everything else in the conversation.
What is critical national infrastructure? And why it's not just a bigger enterprise
CNI security isn’t enterprise security at scale. David breaks down why, from IT/OT convergence in water, energy, and transport systems, to the political complexity of governments where each ministry has its own board, its own procurement rules, and sometimes its own legal reason to operate entirely outside the central IT model.
The key difference he keeps coming back to: in enterprise, a breach costs you customers and shareholders. In government, it can cost people their lives.
The Tirana cyberattack and the school registrations nobody could process
This is the story that stuck with me most. Iranian threat actors attacked the municipality of Tirana, Albania (equivalent to the Greater London Authority) and started wiping servers. The immediate technical picture was one thing, but what actually happened on the ground was another.
Public Wi-Fi went down. Police lost coordination. Traffic cameras went dark. Water bills couldn't be processed. And it happened to be the two-week window when parents could register their children for kindergarten. The system was down. Families were genuinely worried their children would miss the window entirely.
None of those systems were the target. All of them were on the same dependency chain that nobody had mapped.
Montenegro: when a cyberattack closes schools without touching a single school system
Montenegro's national cyberattack is the cleaner illustration of the same problem. Schools across the country had to close, not because any education system was compromised, but because the schools couldn't pay their electricity bills. The billing infrastructure was down. In the summer heat, the classrooms were too hot for children.
This is about tertiary effects and unmapped dependencies. A chain of consequences that started nowhere near where it ended up.
Heathrow: the most critical system is never the obvious one
David designed one iteration of the SOC at Heathrow airport. The asset the security team was most focused on? Not air traffic control. Not payments. The baggage system: old, mechanical, automated, and completely load-bearing. When it stops, the airport stops.
The lesson generalizes to every organization: the thing that matters most is rarely the thing that looks most important on a network diagram.
Geopolitics as a threat vector: why Albania has been attacked 40 times in three years
This part of the conversation reframes how most enterprise security teams think about geopolitical risk. Albania has been attacked relentlessly by Iranian threat actors because of a single political decision made years ago: a camp of Iranian dissidents re-homed there by the Americans. That's the reason for 40 attacks in three years.
Different countries attract different threat actors for different reasons. And if your suppliers operate in those geographies, that risk travels through the supply chain whether your questionnaire process acknowledges it or not.
Misconfiguration is the door: what the data shows
Steph brings this back to what ThingsRecon sees in real infrastructure scans. The dominant attack vector isn't sophisticated zero-days. It's misconfiguration: systems deployed by people who understood the business requirement but not the security implication.
APIs exposed by default settings nobody changed. Subdomains pointing at infrastructure nobody remembered. And the barrier to finding those doors is lower than it has ever been: you don't need to know how to code. You need curiosity and the right question.
The vulnerability window: why migrations are the riskiest moment
Every infrastructure transformation opens a window. Between state A and state B, systems are partially configured, partially live, partially exposed. An engineer goes home for the evening. The server isn't live yet. It's already visible on the internet.
David tells the story of a law firm that forgot to put authentication on an Outlook Web Access (OWA) migration overnight. It cost them £6.5 million.
Pen tests measure before and after. Nobody is watching the window between them.
The three-step framework: visibility, remediation, detection, in that order
This is David's practical framework for every government or organization he advises, regardless of maturity level. Visibility first: map what you actually have, not what's documented.
Remediation and hardening second: fix what you found, and build the governance to make sure fixing things is someone's actual job. Detection and response third: only once your baseline is complete does detection become genuinely useful.
Most organizations skip straight to step three and their detection capability operates on the wrong picture.
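As an added illustration of the visibility step, and of the unmapped dependency chains behind the Tirana and Montenegro stories above, here is a small blast-radius analysis over a service dependency graph. This is example code written for this summary, not from the podcast or from ThingsRecon; the service names and the edges in DOCUMENTED and OBSERVED are constructed, and it assumes you can obtain an "observed" edge list from flow logs or scan data.

```python
from collections import deque

# Constructed sample data (not real infrastructure). Edge A -> B means
# "A depends on B": the consumer is the key, providers are the values.
DOCUMENTED = {
    "school-admin": {"education-db"},
    "school-ops": {"school-admin"},
    "utility-billing": {"billing-db"},
    "kindergarten-registration": {"education-db"},
}
# What flow logs / scans actually show: extra edges nobody wrote down.
OBSERVED = {
    "school-admin": {"education-db"},
    "school-ops": {"school-admin", "power-supply"},
    "power-supply": {"utility-billing"},        # unpaid bills -> supply cut
    "utility-billing": {"billing-db", "municipal-id-service"},
    "kindergarten-registration": {"education-db", "municipal-id-service"},
    "municipal-id-service": set(),
}

def reverse_edges(deps):
    """Turn 'consumer -> providers' into 'provider -> consumers'."""
    rev = {}
    for consumer, providers in deps.items():
        for provider in providers:
            rev.setdefault(provider, set()).add(consumer)
    return rev

def blast_radius(deps, failed):
    """Breadth-first walk from a failed provider to everything that
    transitively depends on it. Returns {service: hops}: 1 = direct,
    2 = secondary, 3 or more = the tertiary effects the page describes."""
    rev = reverse_edges(deps)
    hops = {failed: 0}
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for consumer in rev.get(node, ()):
            if consumer not in hops:          # skip cycles / already seen
                hops[consumer] = hops[node] + 1
                queue.append(consumer)
    del hops[failed]
    return hops

def unmapped_dependencies(documented, observed):
    """Edges present on the network but missing from the documented map:
    the 'visibility first' gap between what is written down and reality."""
    return {(c, p) for c, ps in observed.items() for p in ps
            if p not in documented.get(c, set())}
```

Run against the documented map, a failure of municipal-id-service appears to affect nothing; against the observed map it reaches school-ops three hops away, which is exactly the picture a detection program built on the documented view would miss.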
Compliance is the floor, not the ceiling
NIS2, DORA, ISO 27001, SOC 2... these frameworks matter. They establish a baseline, create accountability, and give immature organizations somewhere to begin. But David's line on this is the one worth saving:
"Compliance is kind of there for the people who want to check boxes and get licences to do things. But if you want to do real security, you have to have morals."
Robin's version is just as direct: being compliant doesn't mean the risk isn't there. Compliance gives you a snapshot. Your exposure keeps moving.
Why this conversation matters beyond the government audience
The supply chain visibility problem David describes in government — the inability to fully map what is connected to what, the undocumented dependencies, the tertiary effects nobody planned for — is structurally identical to what we see in enterprise environments every week.
The difference is the consequences. In enterprise, a supply chain failure costs revenue and reputation. In government, it closes schools, stops ambulances, and in the worst case, costs lives. Same blind spot, different stakes.
The full conversation is worth your time
This episode is the story of a practitioner who has spent 17 years on the frontline of national cyber defense, talking about what he has seen, what works, and what most security programs are still getting wrong.
Watch the full episode of All Things Cyber here →
And if you want to see what your own digital supply chain actually looks like (not the documented version, the real one) run a Digital Proximity scan.