Expert insights on cybersecurity trends.
All Posts


The Ghost in the Machine: Why Ungoverned AI Agents Are Cyber’s Next Nuclear Option
The boardroom buzzword of 2026 is no longer just "AI," it’s Agentic AI. We are moving rapidly past standard chatbots into an era of autonomous agents. These are digital "Mini-Me's" capable of breaking free from strict scripting, executing multi-step workflows, and interacting directly with corporate systems. For a legacy enterprise, the promise is intoxicating: a hyper-efficient workforce of tireless digital avatars automating away advanced commodity work, freeing humans to b

Martin Bally
3 hours ago · 5 min read


The IT Guinea Pig: Why GM’s AI Pivot is a Warning Shot to the Industrial Belt
The headlines out of Detroit on May 11th were familiar but carried a new, sharper edge: General Motors is laying off 500 to 600 IT professionals. In a vacuum, this looks like standard corporate belt-tightening in a slowing market. But look closer, and you’ll see the first major "organ transplant" of the AI era. GM isn't just cutting costs; they are attempting to swap legacy skill sets for AI-native ones. While I salute the move as a pragmatic first step, there is a massive ri

Martin Bally
May 13 · 3 min read


From Frameworks to Financials: How to Measure Cyber Security Like a Business Leader
If you ask ten CISOs how they measure their cybersecurity program, nine of them will point to a framework, likely the NIST Cybersecurity Framework (CSF) 2.0. They will show you a maturity score, a color-coded heatmap, and a chart comparing their program to industry peers. While that is a good starting point, it is far from the whole picture. Relying solely on maturity frameworks creates a false sense of security. Maturity only answers one question: Are we doing the right thin

Martin Bally
May 12 · 4 min read


The 70% - 95% Failure Rate: Why Digital Transformation and AI Adoption Dies (And No, It’s Not Security’s Fault)
When you look at the current data on digital transformation and AI adoption, the statistics are staggering: anywhere from 70% to 95% of these massive corporate initiatives fail to deliver their intended value. As a security leader, I am actually proud to say one thing up front: Security is not holding these projects back. In fact, modern security acts as an enabler for transformation. The real roadblocks are entirely operational, cultural, and strategic. If your organization

Martin Bally
May 1 · 4 min read


The CISO Exodus: Why the Battle-Scarred are Pivoting to the AI Frontier
In the early days of "Information Assurance," the role was a technical chess match. Today, it is a theater of weaponized conflict. As a veteran who has served as CISO for five Fortune 500 companies, I’ve watched this role evolve into a high-stakes combat mission. But a troubling trend is emerging: the very leaders who have the "alligator skin," the ones who have survived the breaches and the boardrooms, are saying "enough." They aren't just leaving their jobs; they are gradua

Martin Bally
Apr 20 · 3 min read


The "Apple" of AI: How Anthropic is Redefining Global Cybersecurity
As a security practitioner, it can be hard to see a light at the end of the tunnel right now. We are watching the threat landscape evolve at a blistering pace, and it often feels like the bad guys are constantly two steps ahead. But with Anthropic’s recent announcement of Claude Mythos Preview and the formation of Project Glasswing, I actually find myself genuinely excited. We are standing at a pivotal crossroads in global cybersecurity, and what we are seeing is just the tip

Martin Bally
Apr 10 · 3 min read


The Human-in-the-Loop Illusion: Why Your AI “Safety Gate” is Actually a Backdoor
In the rush to adopt agentic AI, the industry has reached a collective, comfortable consensus: we will keep a “Human-in-the-Loop” (HITL). We treat this human gatekeeper as the ultimate fail safe, the adult in the room who will catch the hallucination, block the prompt injection, and stop the rogue API call. But as a CISO looking at the intersection of machine speed and human psychology, I’m convinced we are being sold a dangerous form of security theater. We are treating the

Martin Bally
Apr 8 · 3 min read


Playing Devil’s Advocate: Why the CISO Shouldn't Always Report to the CEO
I want to play Devil's Advocate for a minute. If you read the latest industry articles or listen to the loudest voices in the room, there is a constant, almost dogmatic drumbeat: The CISO must report directly to the CEO. But after a career spent reporting across the entire C-suite, from the CIO and COO to the CFO and General Counsel, I recently presented at an HMG Advisory Board meeting on the topic. I'll give you my personal experience on why that direct reporting line is n

Martin Bally
Mar 24 · 4 min read


The Tactical Trap: Why a CISO’s Greatest Asset is People, Not Technology
A playbook for escaping the weeds, empowering your leaders, and building a high-retention security culture. It is incredibly common to see CISOs get trapped in the weeds. They spend their days reviewing SIEM alerts, approving minor architecture changes, and acting as the final escalation point for every operational hiccup. But a CISO who lives in the tactical day-to-day cannot do their actual job. A successful CISO must be a strategist, a relationship builder, and, frankly, a

Martin Bally
Mar 7 · 3 min read


The Entry-Level Paradox: Navigating the MSSP and AI Squeeze in the Tech Job Market
If you pay attention to the headlines, the tech and cybersecurity industries are facing a massive talent shortage. Yet, if you talk to students at university career fairs, you hear a completely different story: an impenetrable wall of rejection, silent employers, and a seemingly nonexistent entry-level job market. So, what is actually going on? The truth is, we are facing an "entry-level paradox." As an industry, we created a structural bottleneck that is locking out new grad

Martin Bally
Feb 19 · 4 min read


The CISO Reality Check: Surviving the Liability Trap, the Veto Myth, and the Quantum Horizon
A recent CSOonline article by Evan Schuman brought a sobering statistic to light: 69% of CISOs are open to leaving their roles, with many looking to exit the publicly traded enterprise space entirely. According to the IANS Research and Artico Search survey cited in the piece, security leaders are exhausted by "role design failure," carrying outsized responsibility without the budget or authority to match. The CSOonline piece correctly identifies the panic, but if you ask vet

Martin Bally
Feb 16 · 4 min read


The Agentic Shift: Why the Next 3 Years Will Determine Your Company’s Survival
No Employee Left Behind Will Fail
We are standing at the edge of a technological precipice that makes the shift from on-premise to cloud look like a minor upgrade. The era of "Chatbot AI", where we ask a bot to write an email or summarize a PDF, is ending. We are entering the era of Agentic AI: digital employees that don't just talk, but act. Consider a simple, high-value use case: Invoicing. In the old world, a human reviews an invoice against a contract. In the Generativ

Martin Bally
Feb 11 · 4 min read


Muscle Memory in the Boardroom: Why One-Size-Fits-All Tabletops Fail
From the Boardroom to the Battleground
No professional sports team takes the field without practice. They don’t just read the playbook; they run the drills until the movement is instinctual. They build muscle memory. Yet, in cybersecurity, we often expect our organizations to perform perfectly during a crisis with nothing more than a paper plan and a once-a-year generic drill. I’ve run tabletop exercises (TTX) across various organizations, from technical deep dives to board

Martin Bally
Feb 5 · 4 min read


The 5-Day Advantage: How We Used Agentic AI to Beat Adversaries to the Punch
It started with a question in the boardroom, one of those questions that stops the room cold. A board member looked at me and asked, "How are adversaries using 'genetic' AI against us, and what are we doing to combat it?" He meant Agentic AI, but the slip of the tongue was almost poetic. "Genetic" implies evolution, something built into the DNA of the threat. And he was right. The threat landscape has evolved. We are no longer fighting static scripts; we are fighting autonom

Martin Bally
Jan 29 · 3 min read


Beyond the Scorecard: Transforming Board Reporting from "Score Chasing" to Strategic Risk
How to Shift the Board Conversation from "Target Scores" to Strategic Resilience
Early in my tenure at a previous organization, I found myself in a familiar cycle. We had just finished an annual risk assessment. Naturally, the Board asked the question that every Director is conditioned to ask: "Okay, we are at a 2.5 today. What is the target score for next year? Should we be a 3.5? A 4.0?" They were treating cybersecurity maturity like a sales forecast, pick a number, hit the

Martin Bally
Jan 22 · 3 min read


From Panic to Process: A 3-Year Vulnerability Management Transformation
How we moved the Board from asking "Are we safe?" to understanding "How we are managed."
At a previous organization, I walked into a boardroom that was on edge. We were just emerging from the pandemic, which meant our reliance on VPNs and remote infrastructure was at an all-time high. Simultaneously, the headlines were dominated by the "boogeymen" of the industry: the Equifax breach was still fresh, the chaos of Log4j was unfolding, and a constant stream of VPN zero-days was

Martin Bally
Jan 15 · 5 min read


Surviving Ransomware
The Day the Infrastructure Turned: A CISO's Post-Mortem of the Cuba Siege
In the world of cyber resilience, there is a distinct difference between a "security event" and a "material crisis." As a CISO, you live with the quiet knowledge that it isn't a matter of if, but when. My first major encounter with a material ransomware event was against the Cuba ransomware variant (linked to the Russian-aligned Tropical Scorpius group). It was an incident that didn't just test our tec

Martin Bally
Jan 6 · 5 min read


Beyond the Gate: Scaling TPRM in an AI-Driven Ecosystem
In late 2022, during the Global Resilience Federation (GRF) Summit, a group of us from the Consumer Packaged Goods (CPG) sector formed a working group to confront a shared reality. While our peers in Finance or Tech were managing digital assets, we were managing a physical-digital hybrid: a sprawling ecosystem where a cyber incident at a tier-one logistics provider or a "mom-and-pop" tomato farmer could equally halt our operations. By 2022, 85% of businesses viewed Third-Pa

Martin Bally
Dec 18, 2025 · 3 min read