Things Are Getting Wild: Re-Tool Everything for Speed
It’s not often that a force appears that totally re-orients everything in security. This is what we are facing with AI. 12 months ago I had an incrementalist view of the cybersecurity impact of AI. Specifically, that it will be very significant but things will change progressively and we’ll adapt to adversarial use while also using it to improve defenses. Now, I’m coming to a view that this will have a bigger negative impact than even our worst assumptions. But at the same
Feb 21 · 8 min read
Security Implications of DORA AI Capabilities Model
The DORA AI Capabilities Model (DevOps Research and Assessment, not the EU Digital Operational Resilience Act) report is well worth a read not just to get a perspective from the developer community but to look at the many security implications it uncovers. This post is a summary of the explicit findings and some of the broader implications from reading between the lines of the report. 1. Data Protection and Access Control: A primary security concern is ensuring AI tools respect e
Feb 7 · 4 min read
2025 Year in Review - Top 10
The most read posts in 2025 coalesced around the concept that successful cybersecurity is fundamentally a function of business leadership, strategic design, and sustainable execution. The unifying themes across the top posts emphasize shifting security from an artisanal, reactive craft to an industrial-scale, proactive capability focused on building scalable, self-reinforcing systems (flywheels). Transformation requires leaders to manage stakeholder expectations carefully, p
Jan 10 · 4 min read
Segmentation Technologies / Zero Trust
This is an update to a post from 2001 which I’m revisiting in part because some things have changed, but also because (surprisingly) much...
Jun 14, 2025 · 2 min read