Zero Trust is one of the most marketed concepts in cybersecurity. It’s also one of the most misunderstood. If you’ve sat through enough vendor presentations, you’ve heard it positioned as a product — something you buy, deploy, and check off the maturity model. The reality is different, and the gap between the marketing narrative and…
Third-party risk has been a fixture of security program conversations for years. Most organizations with a mature GRC function have a vendor risk management process — tiering, assessments, questionnaires, contractual requirements. The process exists. The problem is that the scale and nature of supply chain attacks have outpaced what those processes were built to handle.…
Summer is operationally the most complicated season for security teams, and it’s rarely discussed that way. The conversation tends to focus on threat actors and external risks. The more immediate problem is internal: interns onboarding with broader access than they need, senior staff on extended PTO, temporary employees hired for seasonal peaks, and an organizational…
If your organization has been tracking state privacy legislation as a “watch and monitor” item, that posture is overdue for a change. Twenty states now have comprehensive consumer privacy laws in effect. Three more — Connecticut, Arkansas, and Utah — have significant updates or new provisions taking effect July 1, 2026. That’s thirty days from…
Ransomware response has been a standard component of incident response planning for nearly a decade. Most organizations with a mature security program have a ransomware playbook — escalation paths, isolation procedures, backup recovery processes, and a decision framework around payment. The problem is that the environment those playbooks were written for has changed significantly, and…
For years, CISA served as a meaningful resource for organizations outside the enterprise security tier — threat intelligence sharing, incident response support, vulnerability advisories, regional coordination, and cybersecurity assessments available at no cost to critical infrastructure operators and public sector entities. That resource base has eroded significantly, and the organizations that haven’t adjusted their programs…
Most organizations have mature processes for managing human identities. Onboarding, offboarding, access reviews, least privilege — these are established practices, even if execution is inconsistent. The problem is that human identities are no longer the majority of what’s accessing your systems. Service accounts, API keys, OAuth tokens, automation scripts, and now AI agents — non-human…
The Cyber Incident Reporting for Critical Infrastructure Act has been in a holding pattern since CISA missed its original October 2025 deadline. The final rule is now expected in May 2026. If you’ve been treating CIRCIA as a future problem, that window is closing fast. This post isn’t about what CIRCIA says in theory.…
The AI governance conversation has been running in the background for most organizations — something to monitor, something to address eventually, something for legal to sort out. That posture has an expiration date, and for many businesses, it’s August 2026. The EU AI Act’s major provisions go fully into effect on August 2, 2026. Organizations…
The conflict between the United States and Iran that began on February 28, 2026 moved into the cyber domain almost immediately. If you’ve been watching it as a geopolitical story and not a security operations story, it’s time to adjust your perspective. This isn’t abstract nation-state activity happening at the edges of critical infrastructure. On…