<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>RANT Community</title>
	<atom:link href="https://rantcommunity.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://rantcommunity.com/</link>
	<description>Better Cyber Security Through Shared Opinions</description>
	<lastBuildDate>Wed, 15 Jul 2026 11:14:13 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0.1</generator>

<image>
	<url>https://rantcommunity.com/wp-content/uploads/2023/09/cropped-favicon-32x32.png</url>
	<title>RANT Community</title>
	<link>https://rantcommunity.com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>AI Security: Control, Chaos, or Catch-Up?</title>
		<link>https://rantcommunity.com/resources/ai-security-control-chaos-or-catch-up/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Mon, 13 Jul 2026 08:17:22 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Cybanetix/Noma]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3114</guid>

					<description><![CDATA[<p>AI is moving from personal experimentation to enterprise-wide adoption at pace. However, security strategies are reportedly struggling to keep up.</p>
<p>The post <a href="https://rantcommunity.com/resources/ai-security-control-chaos-or-catch-up/">AI Security: Control, Chaos, or Catch-Up?</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>AI is moving from personal experimentation to enterprise-wide adoption at pace. However, security strategies are reportedly struggling to keep up.</p>
<p>At a recent roundtable held in Manchester on the hottest day of the year, attendees were asked why they had come along, and the responses reflected the wide range of concerns organisations currently have around AI:</p>
<ul>
<li>See use of AI across estates, do assurance and help people understand risks</li>
<li>Squeeze AI into everything, consider what to give access to</li>
<li>Everyone wants to use AI, but have optimistic dread</li>
<li>We are implementing it</li>
<li>Worried AI will replace jobs; my job is to make sure there is assurance</li>
<li>Concerned about what employees and contractors do with AI</li>
<li>How can I use AI for what I do, while managing, protecting and defending against AI threats?</li>
<li>How everyone else approaches AI adoption and deals with access requests</li>
</ul>
<p>Opening the discussion, Merlin Gillespie, director at Cybanetix, said there is a vested interest in securing technology, which is difficult enough, while also developing policies that encourage innovation. Meanwhile, Tim Gibbs, director of sales for EMEA at Noma Security, said he was relatively new to the security space but had spoken to hundreds of organisations about AI adoption and the security challenges they face every day. &#8220;We strive to keep up with the agents of change,&#8221; he said.</p>
<p>He noted that AI adoption continues to rise, although organisations are at very different stages of maturity. Some are well advanced, while others are only beginning their AI journey, yet all are faced with managing hundreds, if not thousands, of AI agents.</p>
<p>Chair Rob Black asked the table where they were with AI adoption. One attendee said they were trying to &#8220;wrap guardrails&#8221; around AI while running at &#8220;1,000mph&#8221;, while others commented that they did not want to stifle innovation but instead wanted to understand how to control AI while continuing to use the models available.</p>
<p>Others observed that some organisations simply &#8220;want to be the first to do everything and implement it&#8221;, while another attendee questioned who is responsible when AI does something unexpected.</p>
<p>The discussion centred on the theme that AI is moving from experimentation to enterprise-wide adoption at pace, but security strategies are struggling to keep up, with many organisations still grappling with what that means in practice.</p>
<h4><strong>Restrict and Manage Risk</strong></h4>
<p>Moving the discussion on, Black asked how organisations can define and manage their risk appetite without simply restricting AI altogether.</p>
<p>The conversation quickly turned to how AI is being used, whether internally or externally, and the implications of what external tools can ingest and what internal tools may inadvertently disclose. One attendee described AI as &#8220;the Wild West&#8221;, suggesting that some organisations are willing to be first movers, while others are happy to accept the associated risks.</p>
<p>Another attendee argued that business leaders are under pressure but are not necessarily discussing AI strategically. Instead, CIOs and CTOs are expected to improve productivity, while CISOs are expected to remain cautious, restrictive and sensible.</p>
<p>Others noted that developers are already downloading and training models, with several admitting to using tools such as Claude and Gemini. One attendee explained that AI had already helped respond to client audit requests and could &#8220;chop time from the process&#8221;.</p>
<p>The discussion highlighted a familiar dilemma: restrict AI and risk falling behind, or open the floodgates and attempt to retrofit controls later. Alongside this are the practical challenges of preventing sensitive data leakage, securing AI models themselves and enforcing policy-driven controls.</p>
<p>This is why there needs to be a broader conversation about the real challenges behind AI security in modern enterprises, cutting through market noise to explore practical approaches that enable organisations to use public AI securely.</p>
<p>Another attendee argued that organisations should learn from history. They pointed out that industries have successfully introduced controls around mobile banking, cloud computing and internet usage, so there is no need to overcomplicate AI governance. Instead, organisations should build on the controls and lessons that already exist.</p>
<p>Gillespie added that the pace of change has accelerated dramatically over the past five years and that AI is now approaching a tipping point. Organisations can almost guarantee they are using AI every day, yet the speed of adoption remains difficult to measure.</p>
<p>Others described AI as &#8220;more of a black box&#8221;, questioning what happens inside the models and whether they can truly be trusted.</p>
<h4><strong>How Do You Use It?</strong></h4>
<p>Asked by Black how organisations are using AI today, one attendee said behavioural AI can monitor business activity, identify anomalies and alert users. AI can then summarise those alerts, providing context around what constitutes normal behaviour.</p>
<p>Another attendee said AI can provide an overview of key information and help pull together sources, allowing users to generate an initial statement or draft much more quickly. However, everyone agreed that there must always be a human element involved.</p>
<p>On the subject of trust, Black asked where attendees were in their AI journey. One participant said they had no inherent trust in AI and instead approached it with a &#8220;zero trust&#8221; mindset, reviewing and understanding each tool before deployment. Without properly assessing and accepting the risks, they argued, users would inevitably find ways around the controls.</p>
<p>Another attendee said the situation is made more complicated because every AI platform is different, with no standardised set of effective controls that organisations can consistently apply.</p>
<p>Others noted that mapping AI outputs back to existing security controls requires considerable time and effort. While AI can often complete tasks faster than an individual, it is only trustworthy when organisations understand how it arrived at its conclusions and can validate the results.</p>
<p>Another attendee said AI often falls down on explainability. Organisations need to be able to ask why an AI made a particular decision and determine whether its reasoning can be trusted. AI models require tuning, and anyone expecting immediate results should instead expect improvements over several months.</p>
<p>Ultimately, one attendee concluded that organisations should embrace AI and innovate with it, but treat anyone using generative AI as if they were a developer.</p>
<h4><strong>Who Owns AI?</strong></h4>
<p>In the final section, Black asked who is driving AI adoption within organisations.</p>
<p>The discussion focused on how organisations are structuring ownership, including whether responsibility for AI security should sit with the CISO or whether new roles, such as Chief AI Officer, are beginning to emerge.</p>
<p>One attendee said the pressure comes from two directions: CEOs looking to improve workflows and software developers eager to adopt AI as quickly as possible.</p>
<p>Another argued that organisations should first identify where AI genuinely delivers efficiencies and assess whether it is appropriate for each team. They also stressed the importance of understanding where AI provides value, where it does not, and communicating those decisions in business language.</p>
<p>Others said organisations must determine who the users are, how AI will improve their work and why it should be used in the first place. One attendee suggested that many boards see AI as a panacea, failing to understand its limitations and associated risks. Instead, there is an expectation that AI will simply make everything better, and organisations are often expected to deliver on that belief.</p>
<p>Concluding the discussion, Gillespie said there is ultimately a question of trust: organisations need to get more value out of AI than they put into it, while ensuring a human remains involved. He admitted that &#8220;the world moves on&#8221; and described this as &#8220;the most interesting time in the technology landscape&#8221;. Regardless of whether AI proves to be wholly good or bad, he said, it is certainly interesting.</p>
<p>Gibbs said he had listened closely to the discussion around leveraging AI within the SOC, particularly the points raised around trust, data security and the rise of agentic AI. He stressed that he was not dismissing the technology, but organisations need to understand which AI agents are legitimate, what capabilities they have and how they are being used.</p>
<blockquote><p>&#8220;The only thing is no one knows where we&#8217;re going,&#8221; he said. Although he personally vets everything AI produces, he concluded that it is &#8220;fantastic&#8221; and that he &#8220;cannot live without it&#8221;.</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/ai-security-control-chaos-or-catch-up/">AI Security: Control, Chaos, or Catch-Up?</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Impatient Leaders And Troublesome Priests: Why Security Leaders Really Worry About AI</title>
		<link>https://rantcommunity.com/resources/impatient-leaders-and-troublesome-priests-why-security-leaders-really-worry-about-ai/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Sat, 11 Jul 2026 08:01:43 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Cisco]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3103</guid>

					<description><![CDATA[<p>It was billed as a conversation about how, notwithstanding the pace of adoption of so-called &#8220;AI&#8221; systems, the fundamentals of</p>
<p>The post <a href="https://rantcommunity.com/resources/impatient-leaders-and-troublesome-priests-why-security-leaders-really-worry-about-ai/">Impatient Leaders And Troublesome Priests: Why Security Leaders Really Worry About AI</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It was billed as a conversation about how, notwithstanding the pace of adoption of so-called &#8220;AI&#8221; systems, the fundamentals of cybersecurity haven&#8217;t changed all that much. So those of us attending a RANT roundtable in London, sponsored by Cisco, had perhaps been expecting a few time-served examples, war stories or talking points that dug fairly deeply into the past to emerge during the evening. But we were expecting that past to be rather more recent than turned out to be the case.</p>
<p>One veteran security leader at the table thought it was important to go back beyond not just the growth of cloud computing, the work-from-home revolution kick-started by COVID, or even the birth of digital networks entirely. No: there are things that haven&#8217;t changed since at least the year 1170, when one senior executive who viewed their job as being to warn those at the top of the enterprise of when too much risk was being accepted paid the ultimate price.</p>
<blockquote><p>&#8220;In Canterbury Cathedral there&#8217;s a shrine to Thomas Becket,&#8221; our beleaguered CISO friend said, initially to some bemusement around the room. &#8220;He told the king &#8211; his C-suite &#8211; that something wasn&#8217;t a good thing to do. Then the king said, &#8216;Can someone please get rid of him&#8217;? so a bunch of knights martyred him. And that&#8217;s what&#8217;s happening to security people.&#8221;</p></blockquote>
<p>Tellingly, while many around the table smiled, perhaps in recognition that the analogy was rather extreme &#8211; after all, we&#8217;ve not heard of any security leaders being hacked to death on the orders of their CEOs (well, not yet, anyway) &#8211; nobody took issue with the basic truth outlined. When it comes to generative AI, the kings of the business &#8211; the executives, the board, the elites at the top of the organisation &#8211; are gung-ho for these new tools to be deployed within the organisation, so place implied or sometimes explicit pressure on the senior leadership who report to them to get things moving, and fast. But when the security specialists point out the risks involved, and advocate for taking time to get the deployment right so they can ensure that the business can remain as secure as possible &#8211; or, failing that, to at least be demonstrably resilient when the eventual attacks hit &#8211; the kings just don&#8217;t want to know.</p>
<blockquote><p>&#8220;The C-suite are saying, &#8216;I&#8217;ve read about all this in the FT or Forbes&#8217;,&#8221; our student of the medieval world continued. &#8220;It&#8217;s FOMO,&#8221; they added, demonstrating their linguistic and conceptual agility by switching from 12th century history to 21st century vernacular in a heartbeat. &#8220;A huge amount of FOMO from executives. There are senior members of management who are going backwards.&#8221;</p></blockquote>
<h4><strong>When Will We Learn</strong></h4>
<p>This contribution came nearer the end of the discussion than the start, but &#8211; despite how striking and unexpected the imagery may have been &#8211; it tapped in to one of the key themes of the evening. That was that the pace of adoption of AI is not being matched by growth in maturity of organisations when it comes to understanding and managing the risks that potentially transformative new technologies introduce. And, while nobody in the room seemed to have made a conscious decision to pile in on Microsoft, a lot of this part of the discussion came out in the form of complaints about the software giant&#8217;s chatbot, Copilot.</p>
<blockquote><p>&#8220;I have friends,&#8221; one leader with a particular animus against this particular Redmond product recalled, &#8220;who say that Microsoft gives you access to the Foot Gun &#8211; Copilot; then they give you a bulletproof shield, called Purview, to stop yourself shooting yourself in the foot.&#8221;</p></blockquote>
<p>It is, many attendees acknowledged, a powerful tool. &#8220;Prior to Copilot, finding information was difficult &#8211; but now, if you want to find something on your own corporate environment, Copilot will find it,&#8221; one leader said. But, many also agreed, it will find things that, on balance, you would probably prefer that no tool could.</p>
<blockquote><p>&#8220;We&#8217;ve enabled Copilot for corporate access &#8211; [it can access] Sharepoint, emails and so on,&#8221; one senior security leader said. &#8220;But we realised that, in Sharepoint, it&#8217;ll have access to&#8230;&#8221; They paused, working out how best to explain the situation.</p>
<p>&#8220;My boss, the CTO, asked Copilot, &#8216;What&#8217;s the salary for everyone in the C-suite?&#8217;, and they got it,&#8221; they said. &#8220;We&#8217;re now looking at a technology where you create a digital twin &#8211; you get your own personal assistant living in the cloud. It copies all the documents you&#8217;ve access to in Sharepoint. We can put in restrictions on Sharepoint , but the twin can bypass them. It takes one copy of everything you&#8217;ve got access to. We all know that the attacker just has to be right once, and we have to be right all the time &#8211; but we now have to be right all the time on multiple fronts. If it was easy we&#8217;d do it ourselves and there&#8217;d be no risk &#8211; but the balance of power has shifted.&#8221;</p></blockquote>
<h4><strong>Profits Paradise</strong></h4>
<p>Optimism has been expressed that generative AI will help defenders, and to a degree this sentiment was shared by attendees during the discussion &#8211; despite the view expressed by one CISO that AI &#8220;is like a four-year-old child: all it wants to do is please&#8221;. But the focus was very much on the risks that these technologies are adding to the enterprise. And, in large part, these risks are mounting because of the pressure being exerted by business leaders on the rest of the staff to leverage the productivity gains and work-speed improvements LLMs appear to offer.</p>
<blockquote><p>&#8220;I&#8217;m hearing you say that Copilot is the problem,&#8221; Cisco&#8217;s global security technologist, Ant Ducker, said. &#8220;But we&#8217;re also being asked to be creative with AI. Is <em>that</em> the problem? [Business leaders say] &#8216;Here&#8217;s Copilot &#8211; we&#8217;re not going to give you any definitions, we&#8217;re asking you to figure out how to use it.&#8217; Shouldn&#8217;t the business be saying, &#8216;Here are the things you should be looking to use it for, to increase productivity&#8217;?&#8221;</p>
<p>&#8220;We&#8217;re playful animals, and we learn by playing,&#8221; one security leader replied. &#8220;You don&#8217;t read documentation or worry about obeying rules &#8211; you just play with it.&#8221;</p></blockquote>
<p>Fortunately, there are a few businesses where limits are imposed amid what otherwise appears to be a headlong dash toward AI adoption. But even in those organisations, security leaders are being put under pressure to do more, and do it faster.</p>
<blockquote><p>&#8220;We&#8217;ve got a very well-defined process for cloud services and new emergent technologies,&#8221; one CISO said. &#8220;Our average time from the business saying &#8216;I want to use this new service&#8217; to getting something in production is probably a couple of weeks. But for anything involving AI&#8230;? Copilot took us 18 months. We needed to put a harness around the harness &#8211; we have to put controls around it, and figure out how to make sure that all the regulations and expectations are met if we&#8217;re going to let it into the wild and have our population use it.&#8221;</p></blockquote>
<h4><strong>It&#8217;s A Gamble</strong></h4>
<p>This talk of an additional harness raised some questions around the guardrails supposedly built into Copilot, and other LLMs, and to what extent they are effective or reliable (general consensus: not very). All of this means that internal policies and controls become ever more vital &#8211; as does having a maturity within the organisation when it comes to considering risk.</p>
<blockquote><p>&#8220;We all seek to gain advantage,&#8221; one security leader said. &#8220;We&#8217;re all risk advisors. And certainly, in my experience, that means a whole host of different risks, including risk to life. We do a layered approach: it&#8217;s not risk removal, it&#8217;s risk reduction. And this is down to the CEO. This is what we need to realise &#8211; what and who we are. We&#8217;re risk advisors in a risk environment, and what we do is risk reduction, not risk removal.&#8221;</p></blockquote>
<p>There was agreement with this point of view, but also some additional nuance that another leader wanted to inject into the conversation. Most risks, they argued, could be mitigated with some element of care around introduction of the new product, service or tool. The additional risk with generative AI tools seems to come, they argued, from the pace at which business leaders want to introduce them, and the circumvention of normal processes that meeting these aggressive timetables requires.</p>
<blockquote><p>&#8220;I&#8217;ve worked in a hazardous environment,&#8221; they said, &#8220;and when you&#8217;re working in an environment where there&#8217;s extremely high risk, the idea that you&#8217;d go along with vibecoding, or would say &#8216;Well, there&#8217;s going to be vulnerabilities, we might as well just go with it&#8217;&#8230;&#8221; They stopped and shook their head at the sheer folly of such a notion. &#8220;No, that&#8217;s a really bad idea. You need to choose an environment &#8211; sandboxing or whatever &#8211; where you have an ability to control things and test things.</p>
<p>&#8220;This is the worst thing about AI being pushed in so fast,&#8221; they continued. &#8220;Dev environments have been around a long time, but at the moment they&#8217;re being short-cut. Things go straight into production.&#8221;</p></blockquote>
<h4><strong>Heavy Mental</strong></h4>
<p>Ultimately, everyone seemed to agree, the only thing that&#8217;s changed thanks to LLMs is the pace with which everything happens. That covers not just the alacrity that senior corporate management seems to have for deploying the technology, but the speed with which it can wreak havoc in businesses that have failed to prepare for its arrival.</p>
<blockquote><p>&#8220;I deal with simulation &#8211; redteaming, threat intel,&#8221; another senior practitioner said. Throughout their time in this role, they pointed out, &#8220;none of that has ever touched a vulnerability &#8211; it&#8217;s always touched a human. Can I find the human who can get me in to whatever it is I&#8217;m trying to get? With AI, now we&#8217;re going at speed. We all need to be cognisant. In organisations we&#8217;re going to see a lot of collateral damage. As people who convey risk, we need to convey it in a balanced way.&#8221;</p>
<p>&#8220;We need a central management pane &#8211; one pane of glass to manage everything,&#8221; Cisco&#8217;s Ducker suggested. &#8220;And in that place, that&#8217;s where we use AI for good. We create an army of agents that are network security specialists, identity specialists: we can monitor what&#8217;s happening across all the domains in our infrastructure, and we can collaborate. Rather than having four teams using their own UI [user interface], they&#8217;re all running from a dynamically generated UI.&#8221;</p></blockquote>
<p>These capabilities, Ducker said &#8211; almost apologetically, as, he stressed, the company were not hosting the conversation as an opportunity to push a product or service, but to hear from senior practitioners about the challenges they were facing and how they were tackling them &#8211; fall within the bounds of the Hybrid Mesh Firewall concept that Cisco have adopted. A term coined in 2024 by Gartner, it &#8220;describes a central management pane that can manage a consistent security policy across multiple platforms,&#8221; he added. Cisco&#8217;s implementation of it goes further, &#8220;using the network as security fabric, and blending different kinds of security and enforcement capabilities right across the stack.&#8221;</p>
<blockquote><p>&#8220;Listening to this, we still get back to &#8211; if you get the fundamentals right, you&#8217;re in a really, really good position,&#8221; one of the attendees said. &#8220;That hasn&#8217;t changed since the Orange Book,&#8221; they added, referring to the U.S. Department of Defense&#8217;s Trusted Computer System Evaluation Criteria standard, published in 1983. &#8220;Although it does look scary, I&#8217;m starting to think more and more &#8211; what does it change?&#8221;</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/impatient-leaders-and-troublesome-priests-why-security-leaders-really-worry-about-ai/">Impatient Leaders And Troublesome Priests: Why Security Leaders Really Worry About AI</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Respond/React: Resilience And Recovery Dominate RANT&#8217;s Ransomware Roundtable</title>
		<link>https://rantcommunity.com/resources/respond-react-resilience-and-recovery-dominate-rants-ransomware-roundtable/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Fri, 10 Jul 2026 08:51:34 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Halcyon]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3099</guid>

					<description><![CDATA[<p>&#8220;I don&#8217;t want to dismiss prevention,&#8221; one CISO said early during a RANT roundtable hosted by Halcyon in London in</p>
<p>The post <a href="https://rantcommunity.com/resources/respond-react-resilience-and-recovery-dominate-rants-ransomware-roundtable/">Respond/React: Resilience And Recovery Dominate RANT&#8217;s Ransomware Roundtable</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote><p>&#8220;I don&#8217;t want to dismiss prevention,&#8221; one CISO said early during a RANT roundtable hosted by Halcyon in London in early June, convened to discuss responses to the deepening ransomware epidemic. &#8220;But the biggest thing to focus on is recovery.&#8221;</p></blockquote>
<p>The sentiment proved to be something of a lodestar for the evening, as a group of senior cybersecurity leaders and practitioners dug deep into the topic of ransomware response &#8211; with resilience clearly front of mind for businesses of all shapes, sizes and sectors. A high-level delegation from Halcyon &#8211; including director of solution architecture Ross Asquith, regional director of enterprise sales Chris Lewis, and the director of the firm&#8217;s Ransomware Research Centre, the former FBI cyber division deputy assistant director Cynthia Kaiser &#8211; contributed occasionally, but for the most part sat back and listened as those on the front line of these digital battles traded war stories and drilled down into the detail of how best to configure companies to tackle the ever-changing and existential threat of a complete loss of access to data and networks.</p>
<h4><strong>Step Into The Realm</strong></h4>
<p>An early topic for discussion turned out &#8211; perhaps surprisingly &#8211; to be hardware. There were two reasons for this. Many large enterprises &#8211; and probably quite a few smaller ones &#8211; will have built around and on top of predecessor systems, as the business has evolved over time, needing to retain existing capacity and capability while acquiring new tools and technologies. This means that the business will have some degree of reliance on old and partially obsolete systems &#8211; and staff who mainly work with newer tools may lack awareness of them, never mind the skills to solve problems that may crop up inside them. Second, ransomware by its very nature poses questions about hardware inside the enterprise: if an attacker can move laterally and paralyse all systems, then not only do backups need to be offline or airgapped from the network: but any attempt at restoring services after a successful attack could make greater demands on IT capacity. Then there&#8217;s the investigative element.</p>
<blockquote><p>&#8220;If we suffered a ransomware incident, and we needed to keep all the encrypted servers for forensic analysis, do we have the hardware to keep the encrypted stuff and restore somewhere else?&#8221; the CISO who&#8217;d rated recovery as the prime concern said. The business, he suggested, might even require a separate, mirrored, hardware laydown, ready to spin up a new network using backups, allowing the contaminated systems to be pored over. This question had preoccupied their enterprise, they said &#8211; and that had been helpful. &#8220;For us, that spurred more investment, and a lot of changes in how we did things,&#8221; they said. &#8220;Would we have capacity to restore all the servers again, while keeping what was there?&#8221;</p>
<p>&#8220;In terms of ransomware, I&#8217;ve prioritised identifying the really old legacy stuff, that we have no ability to redo,&#8221; another CISO said. &#8220;I read the reports on the British Library hack, and the biggest thing was the legacy systems. They had bespoke code that was old and out of date. They could recover a lot of the modern systems, but it was those old code bases they couldn&#8217;t fix. So we have a lot of backup procedures. Ransomware is not our main problem &#8211; but the responses to those main problems will fit ransomware.&#8221;</p></blockquote>
<h4><strong>You Got Me</strong></h4>
<p>These questions, of course, presuppose that the enterprise has correctly identified what constitutes its key critical systems.</p>
<blockquote><p>&#8220;Technical recovery is pretty straightforward, but identifying the three pieces of tech that would hurt you the most&#8230;? That may not be,&#8221; one senior security leader suggested. &#8220;DNS isn&#8217;t going to make your top three &#8211; but if it isn&#8217;t there, everything dies.&#8221;</p>
<p>&#8220;We looked at what was the minimum viable product that keeps us trading,&#8221; another CISO said. &#8220;What are those products? What are the interdependencies? And which ones have to come back up first?&#8221;</p></blockquote>
<p>An important point, all agreed, given that certain services will rely on other, underlying, capabilities, and so will not operate correctly if restarted in the wrong sequence.</p>
<p>And then there&#8217;s the nature of such analyses. It&#8217;s all well and good knowing what&#8217;s important to the business, understanding the sequence for re-establishing the service, and having these processes and procedures mapped out and promulgated around the workforce: but if people aren&#8217;t well practiced in carrying out these often complicated tasks, and are practiced at doing so under the kind of pressure that would attend a real incident, true resiliency will be impossible to achieve.</p>
<blockquote><p>&#8220;There&#8217;s no point just having it on paper,&#8221; one veteran security staffer said. &#8220;How many times a year do you test? And do you always test the same people? You shouldn&#8217;t.&#8221; Their business, they said, runs tests several times per year, using different staff, to see if they can recover the business from the documentation that exists. If they can&#8217;t do it, the exercise is marked as a fail, and would need to be re-run.</p>
<p>&#8220;That scares me,&#8221; another leader admitted. &#8220;I&#8217;m down to one person on a lot of key systems. I know that the person who knows how to get it all back up is Mike &#8211; but if Mike&#8217;s not there, how do we do it?&#8221;</p></blockquote>
<h4><strong>Double Trouble</strong></h4>
<p>As had been previously touched on, sometimes, resiliency will mean having a completely separate alternative ready to go if the worst comes to pass. This need not be as prohibitively expensive as permanently maintaining a complete replica of the existing systems.</p>
<blockquote><p>&#8220;We have a waterproof case with a phone in it and a flash key. We&#8217;ve worked out, on our business-continuity plan, that that&#8217;s what we need,&#8221; one pragmatic CISO said. &#8220;We&#8217;re having to put in whole systems on standby &#8211; full email, and other systems, that we can switch to &#8211; because with the cloud, the extraction cost of data is massive; that won&#8217;t work for us as we can&#8217;t afford it.&#8221;</p></blockquote>
<p>That CISO&#8217;s enterprise had reached this conclusion after realising that, due to specific concerns with the nature of the threat they were exposed to, and how their business was organised and its data stored, a strategy built around even the most frequent and diligently executed of backups simply would not work. There are dangers in relying on backups, particularly as ransomware groups evolve their tactics and procedures. One recent example Halcyon had dealt with proved instructive, where a patient adversary used a company&#8217;s well-implemented backup strategy against it.</p>
<blockquote><p>&#8220;This blew my mind &#8211; and it takes a lot to shock me,&#8221; Kaiser said. &#8220;We&#8217;ve seen an actor recently who sat on a network for 31 days. They gained access to the systems, and saw that the backups were done on a 31-day cycle &#8211; cancelled the backup services, waited, then attacked. And the organisation didn&#8217;t know.&#8221;</p>
<p>&#8220;We had to develop an out-of-band &#8211; out of current systems &#8211; means of comms and co-ordination to bring every office up to a standard where they can operate,&#8221; another security manager said. &#8220;It&#8217;s meant putting in almost a full shadow IT, because there&#8217;s no other way we&#8217;ve currently found, within our budget. We&#8217;ve contracted for shadow IT services we can put data into.&#8221;</p></blockquote>
<p>While this option, as they explained, was adopted for budgetary reasons, it is still by no means a low-cost solution. It will only work if all the necessary staff are trained and ready; and achieving and maintaining that level of readiness places significant demands on internal resources.</p>
<h4><strong>Dynamite!</strong></h4>
<p>An interesting side-discussion blew up around insurance &#8211; with some leaders arguing it was a pointless waste of money, impossible to be sure that coverage would work until after an attack, and that being the worst time to find out that some loophole or other had been found in the coverage; while others strongly advocated for the forensic capability and expertise that cyberinsurance providers are able to deploy, at no cost to the business, in the aftermath of an attack. But another topic that provoked lively exchanges was on when, and to what extent, ransomware attacks could stray from being a threat to businesses, and into territory where states may start to think about designating them as terrorism.</p>
<blockquote><p>&#8220;All ransomware is a crime, and some of it is terrorism,&#8221; Kaiser said. &#8220;In U.S. law, and the definitions there, we believe it would meet the threshold for terrorism if ransomware was targeting a hospital.&#8221;</p></blockquote>
<p>But designating ransomware as terrorism &#8211; even if it was something that cybersecurity leaders were in a position to do; which, of course, they are not &#8211; is by no means a straightforwardly beneficial proposition. As Kaiser noted, doing so might well provoke attack groups to &#8220;change their calculus.&#8221;</p>
<p>If a ransomware attack on a particular industry or sector were to be considered terrorism, and the individuals who carried it out were to be charged with that crime, perhaps the efforts put in to identifying and apprehending suspects would be intensified, cross-border law-enforcement collaboration might be given a higher priority, and the penalties for those caught and tried would be significantly increased. But it is unlikely that a threat actor would respond to that by ceasing operations completely: more likely, they would redirect their efforts onto sectors where an attack would not be considered terrorism. So while there would be clear social benefits, there would also be considerable costs &#8211; which would fall on businesses operating outside critical services and infrastructure.</p>
<p>Additionally, as other attendees argued, the detail of any such designation would be key &#8211; both for any deterrent effect to prove meaningful, and to ensure that increased risk outside critical sectors wouldn&#8217;t end up having knock-on effects that were just as disruptive.</p>
<blockquote><p>&#8220;We&#8217;ve designated more and more operators as being &#8216;essential services&#8217;,&#8221; one security leader said, referring to consideration given to what constitutes critical national infrastructure in the UK.</p>
<p>&#8220;There used to be a line that was clear &#8211; &#8216;We are CNI, you aren&#8217;t,&#8217;,&#8221; another leader said. &#8220;Smaller organisations would wonder, &#8216;Why would anybody attack us?'&#8221;</p></blockquote>
<p>The answer, a third leader suggested, was pretty obvious:</p>
<blockquote><p>&#8220;If you&#8217;re very well hardened, the attackers go a level down.&#8221;</p></blockquote>
<p>Then risk there may well be greater, even if the initial reward in cash terms for the ransomware gangs is going to be smaller. But one of the big changes Kaiser says Halcyon are seeing is that threat actors are targeting small and medium-sized firms more often than they once were &#8211; four times as many SMEs are getting hit now compared to large businesses, she said. And if a sub-supplier to a CNI entity gets taken down, the ripple effects on their CNI customer could be just as damaging as if the critical industry had been targeted in the first place.</p>
<h4><strong>Livin&#8217; In A New World</strong></h4>
<p>If the considerations that need to be assessed before a nation decides to designate ransomware attacks as terrorism are complicated, so too are the decisions each of us make in how we talk about the topic. One CISO spoke about how their enterprise has benefitted hugely from having internal presentations made by a few brave souls whose companies were hit by ransomware, and who have chosen to share their experiences with others as a means to &#8211; hopefully &#8211; helping ensure what happened to them is not repeated elsewhere. That kind of behaviour should be considered heroic: yet, as the CISO noted, so often the response towards victims of ransomware is very different. &#8220;When people get mugged, everyone is sympathetic,&#8221; they pointed out. &#8220;But when you get hit by ransomware, they&#8217;re not.&#8221;</p>
<blockquote><p>&#8220;It&#8217;s important to treat victims as victims,&#8221; Kaiser agreed, her years in law-enforcement adding considerable weight to the observation. &#8220;It&#8217;s a really hard conversation, though,&#8221; she continued. &#8220;Some boards and C-suites ignore security advice &#8211; so perhaps it&#8217;s a reasonable feeling in those cases. We know adversaries are relentless, so if they want to get in, they will do eventually. But it&#8217;s up to us to hold people responsible if they haven&#8217;t done the easy things.&#8221;</p></blockquote>
<p>Other leaders recognised that the tone of these conversations is very important, and can make a big difference &#8211; not just to managing relationships in the supply chain, but to achieving the best possible security for the business itself.</p>
<blockquote><p>&#8220;We&#8217;ve spoken to our vendors on resilience quite a lot, and we keep saying we don&#8217;t want to blame anyone, but that we want to know what happened so we can fix it and prevent it happening again,&#8221; another security leader said. &#8220;With suppliers, this usually is OK: but if their business culture is different, it may not roll down the rest of the supply chain the way you would want it to.&#8221;</p></blockquote>
<p>Use of language is important, too. Returning to the conundrum of whether or not to designate ransomware as a form of terrorism, one CISO noted that, particularly in sectors such as healthcare or social services, terrorism may be received as &#8220;an angry, noisy word&#8221; which would perhaps end up closing conversations rather than causing people outside the SOC to think more about their physical and digital security.</p>
<blockquote><p>&#8220;It&#8217;s very similar in the U.S.,&#8221; Kaiser acknowledged. &#8220;If I start talking about threat actors as terrorists, some people think it absolves them from doing better. We should dissuade ransomware groups from targeting life-critical entities, but it&#8217;s impossible to separate physical risk from cyber risk. To me, you have to make sure that if you&#8217;re using these words, it&#8217;s not going to allow anyone to think it lets them off from doing the basics.&#8221;</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/respond-react-resilience-and-recovery-dominate-rants-ransomware-roundtable/">Respond/React: Resilience And Recovery Dominate RANT&#8217;s Ransomware Roundtable</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Supplier risk management can be “mind bogglingly” complicated: where do we go from here?</title>
		<link>https://rantcommunity.com/resources/supplier-risk-management-can-be-mind-bogglingly-complicated-where-do-we-go-from-here/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Thu, 09 Jul 2026 09:35:25 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Diligent]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3111</guid>

					<description><![CDATA[<p>“Who still relies on spreadsheets to manage their suppliers? Who only performs third-party risk management once a year? And who</p>
<p>The post <a href="https://rantcommunity.com/resources/supplier-risk-management-can-be-mind-bogglingly-complicated-where-do-we-go-from-here/">Supplier risk management can be “mind bogglingly” complicated: where do we go from here?</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<blockquote><p>“Who still relies on spreadsheets to manage their suppliers? Who only performs third-party risk management once a year? And who finds it challenging to engage business stakeholders throughout the process?”</p></blockquote>
<p>These three questions from Diligent’s Jelle Groenendaal, Co-founder of the firm’s 3rdRisk business, elicited raised hands and nods all round during another fascinating RANT roundtable. No one likes managing suppliers. But it’s an increasingly critical endeavour. An <a href="https://www.bluevoyant.com/resources/the-state-of-supply-chain-defense-2025">estimated</a> 97% of global organisations experienced at least one supply chain breach in 2025  up from 81% the prior year.</p>
<h4><strong>Managing nuclear-grade risk</strong></h4>
<p>The stakes don’t come much higher than the supply chain of a nuclear submarine. That’s the world that guest speaker Helen Quinlan, Head of Cyber Risk at BAE Systems, lives in. She admitted that it can be “mind bogglingly” complex.</p>
<blockquote><p>“We have a large and complex supply chain. One of the main complexities is around the continuous monitoring of suppliers,” she said. It would be a matter of national security if the ownership of a key supplier was transferred to a hostile nation, for example, Quinlan explained.</p></blockquote>
<p>It’s not just about the ownership of vendor partners but also access to critical services that security leaders must consider when evaluating suppliers, suggested another attendee.</p>
<blockquote><p>“There’s a lot more geopolitical instability than we’ve had in my lifetime; so every company from a resilience perspective has an interest in considering what happens if a critical service or resource or component is suddenly denied for geopolitical reasons,” he argued. “The supply chain plays a significant part in an organisation’s resilience.”</p></blockquote>
<p>The security leaders around the table shared various approaches to TPRM. One said he builds disclosure rules regarding “material changes” into contracts &#8211; which meant that, when a legal supplier was hit by ransomware, they had to disclose.</p>
<p>Another advocated “defence in depth”, including questionnaires, continuous monitoring, contractual clauses and incident response testing. Diligent GRC Sales Director, Tom Ryan, added that sentiment analysis is useful because scorecard-based systems often don’t pick up the reality of what’s happening inside a supplier.</p>
<blockquote><p>“Everything looked really good, but our AI monitoring found employees complaining about the culture, about the practices of their information security team, on a forum,” he explained of one customer engagement. “That’s not what the company is showing to the world.”</p></blockquote>
<p>Another CISO sat around the table bemoaned the “scorecard complacency” of many organisations. “Scorecards look wonderfully green until you cut through and they’re red in the middle,” he said.</p>
<p>Most attendees agreed that questionnaires should just be the starting point; a first stage in a multi-layered TPRM process. But they can be made more insightful with the additional of AI tooling to analyse not just the answers themselves but also how questions were answered to flag risk indicators.</p>
<blockquote><p>“It’s not perfect, but if you’re able to capture the data there are ways to be able to spot indications of misinformation and fake evidence,” said one CISO.</p></blockquote>
<h4><strong>Get out of the cupboard and talk to the business</strong></h4>
<p>Engagement was a recurring theme on the night &#8211; both in terms of communicating with the business and reaching out to suppliers. One security leader complained that his suppliers are mainly “one-man bands” with limited cyber awareness, which makes it difficult to gain true visibility into risk. Another, who works in manufacturing, said it’s also challenging to engage when faced with a culture of “I know how to run my factory”.</p>
<p>A third CISO argued that collaboration with business leaders internally is essential.</p>
<blockquote><p> “You can’t do it if you’re locked in a cupboard all day. They’re the only ones who can assess how critical a supplier is,” he said.</p></blockquote>
<p>However, sometimes suppliers are so big that they refuse to engage with questionnaire-led TPRM efforts. Several security leaders bemoaned the larger SaaS players that simply direct such requests to their “trust centre”. “It’s hard to get the nuanced answers I need this way,” said one. Another suggested “It’s not necessarily the big [SaaS] suppliers I worry about, it’s the next tier down.”</p>
<h4><strong>Testing times for risk managers</strong></h4>
<p>However, if the big SaaS players don’t answer, you can always work out a backup plan, suggested one senior security leader, explaining that IR tabletop and real-time simulation exercises are often offered as part of their engagement. Among other things, this can help find the gaps between what a supplier expects a partner will do during an incident and vice versa, one attendee said.</p>
<p>However, another bemoaned tabletop exercises featuring overzealous participants with a “Tom Clancy complex” that try to create impossible series of events to wargame. This ultimately undermines business confidence in the exercise, he argued, adding: “It has to be within the realms of possibility. It has to have value.”</p>
<p>Another said that, partly for these reasons, the security team clearly establishes up front an important rule: “Don’t challenge the scenario, take it as real.”</p>
<p>Yet most seemed to approve of the idea of incident response testing as a way to lower third-party risk.</p>
<blockquote><p>“The problem is we’re never going to solve this problem because we’ll never have anything other than an opaque boundary with our suppliers. It comes down to trust, and the fact is we trust our suppliers far too much,” argued one CISO. “When we’re looking at our resilience, we don’t look at the ‘what-ifs’ and contingencies that we need to be able to deal with enough, particularly for the minimum viable business.”</p></blockquote>
<h4><strong>Getting the board on board</strong></h4>
<p>Perhaps most important to effective TPRM is getting engagement from senior management, because if the board isn’t on board, money simply will not be made available for these initiatives. BAE Systems’ Quinlan asked how those around the table approach this.</p>
<p>One lesson that emerged from the discussion is that visibility must be the first step to driving this type of engagement. “We see near misses every other day,” shared one CISO. “We collect a lot of data which goes up to the board, so they are throwing money at it.”</p>
<p>Another argued that regulators make it important for the board, as does “brand reputation and “how seriously the entity takes its business”. A £30m bank that “can’t afford to go down” is more likely to have a boards receptive to TPRM as a critical exercise than smaller players, he suggested.</p>
<p>However, this isn’t always easy in larger conglomerates. One complained of “mixed signals” from the corporate group leadership and at the individual company level.</p>
<blockquote><p>“At a group level it’s a huge focus. But the people that are paying for it on the ground say ‘we know it’s really important, but we don’t have any money’,” he explained.</p></blockquote>
<p>The good news is that tooling is improving to the point where AI can do much of the heavy lifting for teams, concluded Diligent’s Groenendaal. The right tools can remove the pain of spreadsheets, help risk leaders engage business executives through things like customised chatbots, and benefit from a “continuous multi-disciplinary overview of risk”, he said.</p>
<blockquote><p>“I’ve worked with many systems myself and they’re all boring. You feel like you’re going back to the 90s,” he added. “But with AI there are so many things we can improve.”</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/supplier-risk-management-can-be-mind-bogglingly-complicated-where-do-we-go-from-here/">Supplier risk management can be “mind bogglingly” complicated: where do we go from here?</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Risky Business: How To Avoid Paying The Security Price For Not Understanding Your Users</title>
		<link>https://rantcommunity.com/resources/risky-business-how-to-avoid-paying-the-security-price-for-not-understanding-your-users/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Thu, 09 Jul 2026 08:43:43 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Mimecast]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3096</guid>

					<description><![CDATA[<p>By now it shouldn&#8217;t surprise us, but it still needs to be said: cybersecurity really isn&#8217;t about technology. Inevitably, and</p>
<p>The post <a href="https://rantcommunity.com/resources/risky-business-how-to-avoid-paying-the-security-price-for-not-understanding-your-users/">Risky Business: How To Avoid Paying The Security Price For Not Understanding Your Users</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>By now it shouldn&#8217;t surprise us, but it still needs to be said: cybersecurity really isn&#8217;t about technology.</p>
<p>Inevitably, and quite correctly, vast arrays of technology are brought to bear on security modern businesses, their valuable data and systems, and their functions and financial viability. And of course, the systems that contain the vulnerabilities and weaknesses that attackers seek to exploit are technologies in and of themselves. So the ways many of these problems arise, and the ways in which they get solved, involve technology intimately and necessarily. But at the heart of every business, every system, and every security incident, there are people &#8211; and it is their capabilities, motivations, mindsets and split-second decisions that make all the difference.</p>
<p>A RANT roundtable held in London, and convened by the email-security-provider-turned-risk-reduction-specialist Mimecast, found a high-level group of CISOs, BISOs and senior cybersecurity practitioners sharing thoughts, ideas and experiences around human risk. It was noted at the outset by both Alastair Dickson, Mimecast&#8217;s enterprise sales director, and Jhetan Gaijar, the firm&#8217;s field CTO for the EMEA region, that even in the few weeks between the discussion topic being circulated to RANT community members and the event taking place, ideas had shifted: instead of businesses concentrating on risky users, more seemed to be focusing on the risks posed by non-human identities, particularly agents created by or with generative AI systems.</p>
<p>Yet even with that idea flagged up at the start, the attendees spent the vast majority of the roundtable talking about humans rather than agents. For many, the question about who their riskiest users are was fairly straightforward to answer &#8211; even if doing anything to limit that risk would be incredibly difficult, again for reasons that are usually very little to do with technology and largely based around personality, seniority and interpersonal politics.</p>
<h4><strong>The Dream Is Always The Same</strong></h4>
<blockquote><p>&#8220;I know who my riskiest user is,&#8221; one CISO said without hesitation. &#8220;He&#8217;s very clever, very bright &#8211; speaks in binary. He turned off MS Defender because he didn&#8217;t think he needed it, and was running all kinds of software. He can never remember his password, so he&#8217;s got it written on a yellow sticky note on his workstation, and he&#8217;s texted it to his wife just in case. He&#8217;s an admin.&#8221;</p>
<p>&#8220;We have a similar situation,&#8221; another senior leader said. &#8220;Our cyber team are very clever and very technical, and they think the rules don&#8217;t apply to them. They&#8217;re that good, that they reckon they&#8217;d never fall for anything. But by the very nature of the work they do, they&#8217;re a much greater risk to the organisation.&#8221;</p>
<p>&#8220;When the average person clicks on something, it causes a headache,&#8221; a third embattled security leader agreed. &#8220;But in an organisation of thousands of people, if you&#8217;ve 10 super-admins with God-level privileges and one of them clicks on something, then you&#8217;re in a world of pain.&#8221;</p></blockquote>
<p>Dealing with the threat posed by the expert user can be tricky. It&#8217;s certainly not a problem that can be solved by the business investing in a new tool or technology &#8211; though you may only find out that the threat exists by deploying some software that will surface the combination of high-level privilege and disdain for established enterprise-wide usage rules. Ultimately, the only way to successfully address this involves having a difficult conversation with the individual in question, and then keeping them under a watchful eye thereafter.</p>
<blockquote><p>&#8220;That guy was given a written warning,&#8221; the CISO with the sticky-note-writing colleague recalled. &#8220;We weren&#8217;t officious, and he understood so there was no need to get nasty. His manager explained why he had to follow the rules too. But it&#8217;s very hard, across an organisation, where different IT admins are doing their own thing, to have a completely locked-down system. Privileges migrate over time; there&#8217;s shadow IT. People aren&#8217;t careless. But understanding every variable is not really viable.&#8221;</p></blockquote>
<h4><strong>After The Fall</strong></h4>
<p>If a business has managed to rein in the &#8220;it won&#8217;t affect us&#8221; behaviour among its admins and cybersecurity teams, there&#8217;s another category of user who are likely giving headaches to the security leadership: the board and the senior executives. In their case, this is because their intimate knowledge of &#8211; and largely unfettered access to &#8211; all of the enterprise&#8217;s crown-jewels data is accompanied by a tight timetable and a high salary; and, often, these are connected to a significantly enlarged ego.</p>
<blockquote><p>&#8220;The cyber teams often feel like they&#8217;re the experts, so they won&#8217;t get caught out,&#8221; one CISO moaned, &#8220;and the board and the execs don&#8217;t do the training because it takes up too much time. It&#8217;s like they think the rules don&#8217;t apply to them.&#8221;</p></blockquote>
<p>This combination means, all too often, that board members or high-level executives are unwilling to lower themselves to do the drudge work vital to keep the business secure, and believe, like the admins, that they can pull rank when it comes to personal behaviours &#8211; because their value to the business shouldn&#8217;t be restrained by all that security red tape. Unhelpfully for the security teams, their identities are usually plastered all over the public website and the financial pages of the news media, so the risk of them being targeted by a phishing campaign is higher than the average lower-level drone.</p>
<blockquote><p>&#8220;At a previous organisation I worked in, the CFO failed a phishing test,&#8221; one security leader recalled. &#8220;He&#8217;d turned off Defender because he found it was a pain. It&#8217;s often that very privileged user who thinks differently and bypasses the controls who becomes the biggest risk.&#8221;</p></blockquote>
<p>Other attendees chimed in with examples from their businesses where senior corporate leaders had either been caught by a phishing simulation, or had clicked on a link in an actual phishing email. Encouragingly, some of them had chosen to &#8220;out&#8221; themselves within the business afterwards &#8211; using their mistake as a teachable moment, reminding the rest of the business that this can happen to anyone, and encouraging the entire workforce to be on their guard. But still&#8230;</p>
<h4><strong>In The Air Tonight</strong></h4>
<p>Of course, after an exchange of tales of woe, the talk turned to how &#8211; if at all &#8211; such problems could be contained, minimised, or even, possibly, eradicated. For all that a high-profile staffer issuing a company wide mea-culpa can help focus the wider workforce&#8217;s attention for a while, that doesn&#8217;t count as solving the problem: as one CISO noted wearily after their company had scored a perfect zero click-rate in a company-wide phishing exercise following an uncomfortable incident, the one they carried out a few weeks later saw rates back up around 20%.</p>
<p>This is where the discussion hit upon the theme that came to define it: dialogue. The challenge, several leaders all agreed, is not so much about getting those click rates down, it&#8217;s about understanding why people click in the first place. If you can do that, there&#8217;s a chance you can build an environment and a culture within your workplace where people won&#8217;t click, because they&#8217;re no longer put in a position where doing so is even slightly tempting.</p>
<blockquote><p>&#8220;I&#8217;ll go and talk to people who&#8217;ve clicked, and I&#8217;ll ask, &#8216;Why are you doing that?&#8217;,&#8221; one leader said. &#8220;If it&#8217;s because they have to go from one account to another, then OK &#8211; I get that. It&#8217;s not my job to make their job more difficult&#8230;&#8221;</p>
<p>&#8220;It is!&#8221; another CISO interrupted, jocularly but pointedly. &#8220;Because the consequence for you when they do something stupid is months of hard work.&#8221;</p>
<p>&#8220;The reality is that pretty much everyone in the organisation will make a mistake at some time,&#8221; another security leader said. &#8220;Humans live incredibly complex lives, and get themselves into all kinds of muddles. Even in an ordinary life, people are subject to a lot of stresses, and can easily get caught out by a timely &#8211; or, for them, mis-timed &#8211; social-engineering attack that gets them when their defences are at their weakest.&#8221;</p></blockquote>
<p>Tackling this problem can be conceptually challenging, and perhaps difficult for businesses to implement within a hierarchical and strictly role-based corporate structure (is it really security&#8217;s job? Is it HR? IT?). But in those companies where it has been tried, the effects can range from the healthy to the transformational.</p>
<blockquote><p>&#8220;In our company&#8217;s history, nobody had ever talked to the user,&#8221; one CISO said. &#8220;We put out two queries every day to our users, and they have to answer them. We found that some users don&#8217;t even have the ability to do certain things on certain browsers, and the things we were asking them to do weren&#8217;t compatible with how they work.&#8221;</p></blockquote>
<h4><strong>The Pump</strong></h4>
<p>And then there are the businesses where the instinctive behaviour is less about receiving than it is about transmitting: where, when employees are heard from, they&#8217;re hopefully reporting back with news of enhanced productivity and big wins &#8211; not being canvassed about new problems the enterprise has to allocate additional resources to fixing.</p>
<p>And it is here where the dread spectre of generative AI looms largest. Not only are these powerful tools in the hands of adversaries who are using them to help craft ever-more convincing phishing emails or to carry out more successful social-engineering attacks, but business leaders are obsessed with them to the point of pushing their adoption via some not-entirely-helpful new corporate initiatives.</p>
<p>One senior security leader described a situation that has come about in their company, where staff are given a target of a minimum number of tasks they should carry out per day that involve use of an AI tool. They made the point that, whatever the benefits the company will see from greater use of genAI, such a policy adds risk.</p>
<blockquote><p>&#8220;Everyone&#8217;s trying to do things just to put ticks in boxes,&#8221; they said. &#8220;If I get an email that says, &#8216;Your scheduled Copilot task has just run&#8217;, and I click on it, then great! That&#8217;s just upped my score. But it was a phishing email &#8211; oh, you just got phished.&#8221;</p>
<p>&#8220;There are psychological characteristics that mean people are being rational and wanting to be productive, and those are the things attackers exploit,&#8221; Mimecast&#8217;s Gaijar noted. &#8220;One thing we&#8217;re not indexing properly is that AI is accelerating that. Not from a technology perspective &#8211; now I&#8217;m worrying about whether I&#8217;m being more productive than my colleague. I have to be at least as productive, if not more so, in order to keep up. So all those cycles are speeding up.&#8221;</p></blockquote>
<p>Gaijar went on to outline one way in which some of these competing imperatives could be balanced, though it would not be without significant challenges for businesses based in all but a handful of the world&#8217;s nations.</p>
<blockquote><p>&#8220;The problem is, email was intrinsically designed as an open standard,&#8221; he said. &#8220;There are a variety of technologies that can give you a high degree of confidence [that an email is legitimate] but that doesn&#8217;t help if the sender&#8217;s account has been taken over. One area we&#8217;re looking at is called intent-based analysis: we&#8217;ll try to look at what the intent is that lies behind an email. But implementing that doesn&#8217;t raise a technical problem: it&#8217;s a privacy problem &#8211; because, in order to do that, I have to read your email.&#8221;</p></blockquote>
<p>In the mean time, attendees seemed to agree, one of the best things that security teams can do is to open, and maintain, ongoing and blame-free dialogue with the users. Understanding why they do what they do will help to minimise the number of times where they engage in risky behaviours. And if the users feel that the security teams are actively trying to help, and are encouraged to understand why different security measures are necessary, there is less likelihood they will adopt covert workarounds.</p>
<p>The post <a href="https://rantcommunity.com/resources/risky-business-how-to-avoid-paying-the-security-price-for-not-understanding-your-users/">Risky Business: How To Avoid Paying The Security Price For Not Understanding Your Users</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Ever-Changing Moods Of Cybersecurity: Why Mapping Attack Paths Is Vital, But Problematic</title>
		<link>https://rantcommunity.com/resources/the-ever-changing-moods-of-cybersecurity-why-mapping-attack-paths-is-vital-but-problematic/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Wed, 08 Jul 2026 08:32:41 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[SpecterOps]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3092</guid>

					<description><![CDATA[<p>The typical RANT roundtable is, in the best possible way, something of a free-for-all when it comes to cybersecurity leaders</p>
<p>The post <a href="https://rantcommunity.com/resources/the-ever-changing-moods-of-cybersecurity-why-mapping-attack-paths-is-vital-but-problematic/">The Ever-Changing Moods Of Cybersecurity: Why Mapping Attack Paths Is Vital, But Problematic</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The typical RANT roundtable is, in the best possible way, something of a free-for-all when it comes to cybersecurity leaders sharing their experiences and expressing their opinions. But one of the best things about these high-level conclaves of network defence excellence is that, once in a while, the assembled experts can surprise you.</p>
<p>So it was in Edinburgh recently, when a room full of senior cybersecurity practitioners gathered &#8211; alongside members of staff from event sponsors SpecterOps &#8211; to discuss attack-path mapping. Credit for the orderly way the ensuing discussion proceeded must go, in the main, to RANT&#8217;s guest host for the evening &#8211; Harry McLaren, head of cyber defence at Tesco &#8211; who had clearly mapped out his own path through the discussion beforehand, ensuring each and every expert at the table had an opportunity to contribute. But in part, too, the topic seemed to demand a well-planned and logically structured approach: not least because, with attendees coming from a wide range of industries and representing companies of differing sizes, structures and marketplaces, it was only by creating space within which subtle differences could be explored that each person present could learn something from their peers.</p>
<h4><strong>Money-Go-Round</strong></h4>
<p>After introductory remarks from SpecterOps&#8217; director for Europe, the Middle East and Africa, Tony Sheldrake &#8211; who outlined the firm&#8217;s concept of identifying and neutralising &#8220;choke points&#8221;, the nodes within the digital estate where the majority of attacks need to pass through in order to succeed &#8211; and the company&#8217;s solution architect, Kay Daskalakis &#8211; who noted that attackers &#8220;don&#8217;t have to go down the noisy roads; they don&#8217;t have to compromise anything, use any exploits. There is no perimeter &#8211; that&#8217;s a misconception&#8221; &#8211; McLaren kicked the discussion off with a thoughtful outline of the point and the purpose of attack-path mapping. Anyone wondering why they should bother with what might, at first glance, look like a somewhat academic or self-sustaining exercise should consider how closely aligned it is with so many other parts of the security professional&#8217;s remit, he argued.</p>
<p>&#8220;What is the ultimate purpose of many of our roles? To help businesses manage risk,&#8221; he said. &#8220;Fundamentally, that&#8217;s about taking action to bring risk into tolerance. Being threat-led helps us do that. And to be threat-led you have to understand the adversary, and how they understand you. Then you need to understand yourself, your attack surface &#8211; all the things that make up your business in the digital world, and in OT and IT. And then the state of your controls: the things that are there to interact with your adversaries.</p>
<blockquote><p>&#8220;This is all theoretical, and none of this is easy,&#8221; he continued, &#8220;It&#8217;s not a new concept, but it matters now more then ever because of prioritisation. As professionals, the one thing we can do is sort our to-do list. We can&#8217;t flood dev teams with hundreds of vulnerabilities; we can&#8217;t check for compliance across every endpoint. So understanding the reality of our environments becomes the means by which we can prioritise. Attack path mapping is all about prioritisation: Where can I make the smallest investment that has the biggest impact? Choke points are the same concept. You want to stop them early, but not at high cost or with high friction. When we&#8217;re talking about choke points and attack paths, it&#8217;s identifying the biggest bang for the buck &#8211; which baskets to put your eggs in. Nine out of 10 Red Teams would take this path, 10 out of 10 adversaries use it, and we just took it off the board.&#8221;</p></blockquote>
<p>McLaren ended his round-up by posing a question to those around the table: does attack mapping matter to you, and if not, how do you prioritise?</p>
<h4><strong>Walls Come Tumbling Down!</strong></h4>
<blockquote><p>&#8220;It feels, from my perspective, that it&#8217;s a good time to bring in solutions like this,&#8221; one CISO said, referring both to attack-path mapping in general and SpecterOps&#8217; Bloodhound Enterprise system in particular. This was the case, they said, given conceptual changes such as the very welcome &#8220;push from the NCSC to describe this as &#8216;cyber resilience&#8217;, not &#8216;cyber security&#8217; &#8211; that we need to use &#8216;resilience&#8217; because we&#8217;re talking about constant attacks.&#8221;</p></blockquote>
<p>As the discussion progressed, the consensus that mapping attack paths was a sensible and useful thing to do was never questioned. However, not every business is necessarily ready &#8211; or able &#8211; to take what can feel like quite so significant a step. Sheldrake had explained that Bloodhound Enterprise can carry out its initial mapping exercise and identify potential attack pathways within as little as 30 minutes, often flagging up hundreds of thousands of pathways. McLaren had pointed out that this can be a huge help when it comes to prioritising security work within the business, but even so, the sheer scale of the likely results poses problems to security teams who are already finding it impossible to deal with the incidents the enterprise is currently facing.</p>
<p>&#8220;Attack-mapping is on the to-do list perennially &#8211; but it either means bringing someone in, at a cost; or getting people to do it who are already doing other things,&#8221; one security leader said. &#8220;Sometimes we know where the big weaknesses are. The buzz phrase is &#8216;identity is the new perimeter&#8217;, and it&#8217;s kind of true: we know that&#8217;s a priority, so we&#8217;re working on it.</p>
<blockquote><p>&#8220;I&#8217;d love to drill the Blue Team every month, but they&#8217;re always on incidents,&#8221; this leader continued. &#8220;We had more incidents in March than in the whole of last year. AI has helped attacks explode, but the agents on the defensive side aren&#8217;t there yet. Defence is always behind, but what do we do when we know [attackers] have access to tools we don&#8217;t know about yet? That&#8217;s the world that&#8217;s coming. We expected to have vulnerability scanning at scale, and it&#8217;s about to happen &#8211; but we&#8217;re not ready for it.&#8221;</p></blockquote>
<h4><strong>Shout To The Top</strong></h4>
<p>Despite the appreciation of the huge help attack-path mapping can deliver, some other attendees flagged up problems that carrying it out could cause.</p>
<p>One CISO &#8211; their organisation&#8217;s sole cybersecurity practitioner &#8211; was finding that the board were being of great help, and had responded to mapping already done with great willingness and a ready supply of resources: &#8220;They know what the crown jewels are, but they&#8217;ve never known what paths can get there,&#8221; they said. &#8220;It&#8217;s a terrifying place to be! But it&#8217;s in the forefront of my organisation&#8217;s thinking.&#8221; Others argued that it would be difficult, perhaps impossible, to map when, where and how data may be being moved around inside the business through processes and tools that security teams didn&#8217;t have detailed insight into. Another leader argued that &#8220;traditional attack paths don&#8217;t apply&#8221; in their business, because of the nature of the business, and that their primary present concern was third-party and software supply-chain attacks.</p>
<p>Another concern was raised over the effect an attack-path mapping exercise may have on people inside the business, and their attitudes to risk going forward &#8211; particularly the board.</p>
<blockquote><p>&#8220;We did attack-path identification six months ago with a vendor,&#8221; one leader recalled, &#8220;and the downside is the false sense of assurance. For a week or two, the Red Team tried to get in, and they couldn&#8217;t &#8211; so the CEO took huge assurance from that. But a persistent attacker wouldn&#8217;t give up after two weeks. So it&#8217;s not a really relevant metric to judge yourself by.&#8221;</p></blockquote>
<p>This leader also raised a second concern, which spoke to the point raised earlier by one of the other attendees.</p>
<blockquote><p>&#8220;In terms of our crown jewels, we don&#8217;t really know where they are,&#8221; they said. &#8220;We&#8217;ve got data here, a system there &#8211; we know they&#8217;re important, but are they <em>that</em> important? It&#8217;s difficult to arrange your defences appropriately.&#8221;</p></blockquote>
<p>Another concern was raised by a CISO whose board have fully bought in to the security mission. In a way, it seemed related to the questions posed around the scale of discoveries uncovered by a mapping exercise: what if all that they reveal is a problem too vast to tackle?</p>
<blockquote><p>&#8220;Our c-suite have been really supportive of Red Teams and tabletops, to the extent that they&#8217;re happy to be targeted by social engineering,&#8221; they said. &#8220;When you see the level that the Red Team goes to&#8230; in one case, they identified a particular executive was into support for the armed forces, they found an event in that space, got in touch with the executive and asked them to speak at the event. It&#8217;s so targeted. Being realistic means saying that they&#8217;re going to get in. And when you get to that level of targeting, and it becomes automatable, then that human line of defence has gone.&#8221;</p></blockquote>
<h4><strong>The Whole Point Of No Return</strong></h4>
<p>As the discussion circled the table, these questions of scale kept bubbling back to the surface. It was clear that, while everyone agreed that it&#8217;s better to know where the potential problem may lie &#8211; and everyone in the room fully understood the choke-point concept, and how identifying a key node through which an attacker has to pass, and denying them the ability to do that, would dramatically reduce the number of pathways left open to them &#8211; surfacing a huge number of what the board would surely view as new security risks would be problematic given the personalities and the interpersonal dynamics at play inside their companies. This was an argument SpecterOps had heard before, and they have found instances where businesses have been able to adopt a different mindset which can help reframe the discussions at board level.</p>
<blockquote><p>&#8220;Getting visibility into the sheer amount of attack pathways generally helps to prioritise attack path mapping as a project,&#8221; Sheldrake said. &#8220;And that then helps you sell that up the chain, and build it into a business case. Generally it&#8217;s hundreds of thousands, and sometimes we&#8217;ve found billions. At the end of the trial you&#8217;ve then got that &#8216;Oh shit&#8217; realisation: &#8216;We&#8217;ve found all this, we&#8217;ve got to get other teams in; who&#8217;s going to own it and who&#8217;s going to do the remediation?&#8217; But it certainly helps you to build an internal business case around the risk.&#8221;</p></blockquote>
<p>As if implicitly using the same methodology to flag up a related challenge, another senior security leader identified a different pathway by which a similarly daunting amount of work could be surfaced in the enterprise &#8211; and noted the difficulties that come with that.</p>
<blockquote><p>&#8220;We had a new CISO join at the beginning of last year,&#8221; they said, &#8220;and the first thing they wanted to do was a Red Team exercise. We&#8217;re still remediating! It gave us a massive list, which we prioritised, and then followed that with a risk assessment. But we&#8217;re still flooded with requests. A lot&#8217;s been done, but there&#8217;s a lot still to be done. Many of the records were very vague &#8211; we didn&#8217;t get the detail that we&#8217;d hoped to see. It&#8217;s going to be next year, realistically, before we can re-test.&#8221;</p>
<p>&#8220;It&#8217;s about appropriate defence in depth as well,&#8221; another CISO argued. &#8220;Assuming something is going to happen, how do you contain it and respond? You&#8217;ve got network segmentation; you can remove privileges; you can have just-in-time access &#8211; but it&#8217;s getting visibility of what&#8217;s the biggest risk, and knowing what you have to tackle first. That&#8217;s probably where the focus has to be.&#8221;</p>
<p>&#8220;Nothing&#8217;s new here,&#8221; said one of the other attendees. &#8220;We were having these discussions 20 years ago. All that&#8217;s changed is the pace. I really like the idea of the tool &#8211; it could make my life easier. But it isn&#8217;t going to fix anything. It&#8217;ll show you what needs to be done, which will help. But you&#8217;ve got to be doing the basics to reap the rewards of using tools like this.&#8221;</p>
<p>&#8220;I agree,&#8221; McLaren said. &#8220;Fundamental security best practices have always been the thing to solve first.&#8221;</p></blockquote>
<h4><strong>The World Must Come Together</strong></h4>
<p>A RANT roundtable always ends with a summing-up from the host, and from the sponsor &#8211; but, just as this evening had proceeded rather differently to the norm, so the final contribution from Daskalakis stepped beyond what RANT&#8217;s &#8220;frequent flyer&#8221; attendees might have expected. After explaining that he&#8217;d had to rein himself in for the duration to make sure he was able to listen to, absorb and fully understand all the points being raised, Daskalakis opened with an admission.</p>
<p>&#8220;This has, honestly, been like therapy,&#8221; he said. &#8220;For far too long we&#8217;ve focused on protecting the attack surface outside the organisation, and the outcome is the conversation we&#8217;ve had tonight &#8211; which is problems, problems, problems, rather than solutions. But then the conversation shifts naturally.</p>
<blockquote><p>&#8220;In different environments of different organisations in different verticals, in any industry &#8211; it doesn&#8217;t matter: it&#8217;s the same story,&#8221; he continued. &#8220;If you have AD [active directory], you are pre-compromised. Let me explain what I mean. There are structural and defensive impositions of AD that made it a fantastic solution for the &#8217;90s. But attackers don&#8217;t care about the entry point &#8211; they care about the reach of the account. There are unlimited options. &#8216;One attack path is all that I need &#8211; then I&#8217;m moving from the perimeter to the calendar of the CEO&#8217;.&#8221;</p></blockquote>
<p>And, he noted, when attackers are willing to buy credentials from disgruntled or cash-strapped employees &#8211; and when they are then able to identify and use pathways to move inside the business which weren&#8217;t envisaged by network defenders &#8211; the challenges only multiply. And while defence in depth can be helped by prioritisation, even that doesn&#8217;t go far enough. The challenge, ultimately, he argued, is to try to think like an attacker.</p>
<blockquote><p>&#8220;I&#8217;m sure you all play around, you&#8217;re curious; you see things, you sign up for a subscription,&#8221; he said. &#8220;Attackers are not different. That&#8217;s the problem we&#8217;re facing. We&#8217;re facing people who look like everyone around this table. We need to be safe. Increasing difficulty doesn&#8217;t work &#8211; if it worked, we&#8217;d have solved the problem. Ninety percent of attacks are identity related. Why are we focused so much on networks, on assets? Every attack I&#8217;ve seen was identity based. If we focus there then we may not end this problem, but we can at least be more resilient.&#8221;</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/the-ever-changing-moods-of-cybersecurity-why-mapping-attack-paths-is-vital-but-problematic/">The Ever-Changing Moods Of Cybersecurity: Why Mapping Attack Paths Is Vital, But Problematic</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Network visibility and control in a chaotic world: why defence in depth rules</title>
		<link>https://rantcommunity.com/resources/network-visibility-and-control-in-a-chaotic-world-why-defence-in-depth-rules/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Tue, 07 Jul 2026 09:27:01 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[CheckPoint]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3089</guid>

					<description><![CDATA[<p>How do you secure a network you can’t fully see &#8211; with insecure SaaS apps, error-prone humans and AI everywhere?</p>
<p>The post <a href="https://rantcommunity.com/resources/network-visibility-and-control-in-a-chaotic-world-why-defence-in-depth-rules/">Network visibility and control in a chaotic world: why defence in depth rules</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>How do you secure a network you can’t fully see &#8211; with insecure SaaS apps, error-prone humans and AI everywhere? Well-funded adversaries have the advantage of surprise and an expansive, porous attack surface for them to take aim at. Against this backdrop, maintaining a resilient cyber posture while enabling seamless flexible working for employees might seem like an impossible task.</p>
<p>Well, not quite, according to the security leaders gathered for a lively RANT roundtable, hosted by Check Point. The event surfaced some useful strategies for managing network security in a fragmented and increasingly AI-driven world.</p>
<h4>Outside-in or inside-out?</h4>
<p>Check Point’s Global CISO, Deryck Mitchelson, kicked things off by comparing the threat landscape of 30+ years ago with the one today. Check Point was founded in the early 90s with a mission to “protect the internet” via its security appliances.</p>
<blockquote><p>“Today, we need to understand what we’re exposed to. AI has changed it all,” Mitchelson argued. “Real-time threats that need a real-time response is where we are now.”</p></blockquote>
<p>The first step to managing risk is understanding where all of your assets are, attendees noted. They were also in agreement that this is almost impossible to do &#8211; especially across IT and OT environments.</p>
<p>One complained that their CMDB is “all over the place”, but still maintained it as vital for many activities, including rationalisation. “If you don’t have a good asset management, you’re at a low bar on where to begin,” she said.</p>
<p>Another shared that asset management has “always been chaotic”, especially thanks to M&amp;A activity. “As soon as you get it together it blows up again,” he said. “But the danger is, if you sit on your hands until it’s done, you won’t get anything done.”</p>
<p>A useful way to start is to focus on what threat actors might be able to see from outside the network. A BISO around the table claimed this will help organisations save time and money and prioritise their defensive efforts. Another agreed. “No CISO knows what their network looks like,” he argued. “So look at what’s vulnerable first then you can start working from the inside out.”</p>
<p>Another option is to focus on what threat actors are actually interested in. One security leader explained that he prioritises according to threat intelligence about where and how the organisation is most likely to get hit &#8211; and “uses that as a steer”.</p>
<blockquote><p>“It has worked to some level, but stumbles in SaaS,” he admitted. “We don’t know where they’re going to go next with SaaS.”</p></blockquote>
<h4>Levelling the playing field</h4>
<p>The challenge, articulated by another attendee, is that threat actors are increasingly better resourced and &#8211; as always &#8211; they have the advantage of surprise. “It’s a problem as old as time,” said another. “They only need to get it right once.”</p>
<p>Check Point’s Mitchelson concurred, arguing that AI phishing services are available on the cybercrime underground for as little as $100. One way to level the playing field is to focus as much as possible on resilience and recovery &#8211; keeping the business running even throughout an intrusion, said another security leader.</p>
<blockquote><p>“Deal with what you know,” he said. “We can’t spend the money the attackers are spending. We’ll always have fewer resources, so my philosophy is not to stop them, but to continue operating.”</p></blockquote>
<p>This can actually take the pressure off teams and free up valuable resources, he said. “It means more money, time and brainpower for the other stuff.”</p>
<h4>The (insider) risk that keeps on giving</h4>
<p>However, these efforts will be all for naught if organisations can’t manage the threat from within, attendees agreed. One complained about employees unwittingly sharing PII and IP with public AI models. “If it’s free, you’re the product,” he fumed.</p>
<p>AI assistants can also expose organisations to risk if overused by DevOps teams without sufficient guardrails. One security leader at an app developer said her team is being forced to “rebuild the factory” by inserting security into critical processes. “We can’t manually triage risks anymore,” she explained. “We have to find [issues] and help fix in an automated way.”</p>
<p>While AI misuse could be put down to user error or negligence there are also more malicious insider threats to consider.</p>
<blockquote><p>“We assume that they’re always a disgruntled employee, but a lot of people aren’t,” said one security leader. “It could happen at any point in their tenure. We try to understand normal behaviour to alert on anomalies. But some of the worst incidents happen with just one email.”</p></blockquote>
<p>Another shared the ingenuity of one malicious insider who exfiltrated data outside of the organisation by copying and pasting it into LinkedIn messages to send to themselves. Check Point’s Mitchelson argued that the security industry should be doing more to support customers with behavioural security. “We need to be asking more of our security vendors: can you do more to detect these anomalies?” he said.</p>
<h4>Turn it up to Eleven</h4>
<p>The elephant in the room, as always during these events, was AI. “Agents are a new attack surface” which can be manipulated by both technical means and social engineering, warned CISO. AI is fuelling “accelerated risk discovery” that turns threats “up to 11”, claimed another.</p>
<p>The backlash appears to have begun. Several attendees said they were actively eschewing SaaS tools with AI built in. One described the level of AI governance among vendors as “shocking”. Another bemoaned: “There’s no role-based access controls, no visibility and no ability to backup and restore in the event that something goes wrong.”</p>
<p>The answer for many is to build layered defences. There’s value in this approach even as powerful new models like Mythos rewrite the rules for attackers and defenders.</p>
<blockquote><p>“You need segmentation, you need identity and access management. You need to ensure your PAM is secure. All the layers need to be in place, and the effect is if one fails you can rely on the others,” she argued.</p></blockquote>
<p>Another CISO agreed. “It’s about making things as hard as possible [for adversaries],” he said. “You can’t remove the risk, just reduce it.”</p>
<p>Whatever happens, “preventative, real-time and behavioural” approaches to cybersecurity will stand network defenders in good stead, Mitchelson concluded. It should be some comfort that, amid tremendous technological change, the old ways are the best.</p>
<p>The post <a href="https://rantcommunity.com/resources/network-visibility-and-control-in-a-chaotic-world-why-defence-in-depth-rules/">Network visibility and control in a chaotic world: why defence in depth rules</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>There are no fixes, only mitigations: Minimising exposure in a world of risk</title>
		<link>https://rantcommunity.com/resources/there-are-no-fixes-only-mitigations-minimising-exposure-in-a-world-of-risk/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 09:50:22 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[CheckPoint]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3107</guid>

					<description><![CDATA[<p>Vulnerability and exposure management have never been easy. But are they about to become impossible? When Anthropic released details of</p>
<p>The post <a href="https://rantcommunity.com/resources/there-are-no-fixes-only-mitigations-minimising-exposure-in-a-world-of-risk/">There are no fixes, only mitigations: Minimising exposure in a world of risk</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Vulnerability and exposure management have never been easy. But are they about to become impossible? When Anthropic released details of its awesomely powered Mythos model back in April, CISOs recoiled in horror. Now they’ve had time to digest what comes next, are they any more hopeful?</p>
<p>A lively RANT roundtable hosted by Check Point proved that there will be no easy path forward. But with a relentless focus on visibility, context and remediation, there may be an opportunity to level the playing field with adversaries.</p>
<p>Check Point Head of Product, Ophir Bleiberg, summed up the core challenge nicely.</p>
<blockquote><p>“How do you minimise the time from exposure to mitigation, because you can’t patch everything? We’ve come to realise it’s not a purely technical problem, it’s an organisational problem. Everyone has a different goal and visibility.”</p></blockquote>
<p>That provoked a combination of exasperation and fatalism from the assembled crowd of cybersecurity leaders. Many agreed that siloed, incomplete data and uncoordinated SOC, vulnerability and infrastructure teams are making the problem worse than it needs to be.</p>
<blockquote><p>“Mythos will create even more noise,” one despaired. “How do we understand the true attack paths that will hit us?  How do we stop them getting to the crown jewels, because we can’t patch in time?”</p></blockquote>
<h4><strong>The CMDB as friend and foe </strong></h4>
<p>Most agreed that visibility is the critical first step: understanding what assets there are in the enterprise in the first place. But none had any success stories to share.</p>
<blockquote><p>“Vulnerability management or external attack surface management is increasingly difficult because of the way most organisations work these days,” said one CISO. “The [true attack surface] will always be unknown because everyone is concentrating just on what they know. How do you contextualise all that information to help you prioritise?”</p></blockquote>
<p>Another agreed, adding that BYOD is making the problem worse &#8211; particularly devices owned by executives.</p>
<p>The CMDB should be a single source of truth for assets in the enterprise, and an ally in the fight against vulnerability exploitation. But there was heated debate over whether it’s fit for purpose in most organisations. One security leader argued that it’s impossible for the CMDB to ever truly reflect the full complement of IT assets in the enterprise. Another fired back that companies like RunZero can fingerprint every device in an organisation, so it is theoretically possible to identify “what they are, where they are and what they’re doing.”</p>
<p>However, the CMDB can also be a source of weakness if hackers go after it, suggested another attendee, who leads red team exercises at his organisation. “We all want a CMDB we can rely on, but we also need to look at it as an Achilles heel,” he warned.</p>
<h4><strong>You own it. No, you own it</strong></h4>
<p>Disagreements over who owns which asset and which risks to prioritise also contribute to inertia over vulnerability management, attendees argued. Many laid the blame on their peers.  “I’ve never met a CISO whose idea of what’s critical is aligned to what the business thinks is critical,” said one.</p>
<blockquote><p>“We’re just not good at translating the potential impact of small things on the business,” said another. “An exposure management tool could help us to articulate and translate that risk.”</p></blockquote>
<p>Another blamed the business users who buy kit, often without IT’s approval, and expect the security team to take care of it. “Some people look after their systems like their own children, but some don’t. And people tend to move around, which also creates issues,” he argued.</p>
<p>IT is often left picking up the pieces left by careless users, another shared. Systems are put into production “riddled with vulnerabilities” which can’t be patched because taking them offline would cause “risk to life”. So the whole thing “becomes a SOC problem”, he argued.</p>
<blockquote><p>“There is a good process which people can follow. But we have an operational tempo of ‘get it done’. So we have to react to that,” he explained. “That’s how networks become messy. They’re added to over the years. You just have to adapt. I tell people attackers will always get through.”</p></blockquote>
<h4><strong>Mind the remediation gap</strong></h4>
<p>The evening eventually came full circle, with guest speaker Rob Black asking the assembled crew to share their remediation tips. Not many had practical advice &#8211; hinting at the intractability of the challenge. “There are no fixes, only mitigations,” despaired one.</p>
<blockquote><p>“If I can’t find a device owner, I go to the CIO and tell him to either empower me to turn it off or explain that he has to accept the risk,” explained another CISO. “When you do that people get very uncomfortable very quickly. So you need the right policy and governance in place first.”</p></blockquote>
<p>However, he was immediately shot down by another attendee. “CIOs want to move fast so they’re never going to support you,” he argued. “They don’t want to wait around for security.”</p>
<p>One CISO suggested that many of his peers are “going about this the wrong way” in trying to protect everything. “Get to know your core systems,” he advised. “It’s not easy, but if you focus on these, it becomes an easier problem to solve than ‘let’s protect everything.’”</p>
<p>Another agreed. “We’re never going to win against Mythos. Things will continue to get worse,” he argued. “We need to accept we can’t protect everything, and prioritise and segment. Put controls around it. Accept the risk will not be zero. But never go into a conversation with the board saying you’ve solved the problem, because you haven’t. Have a conversation about risk appetite.”</p>
<p>A third attendee pointed to resilience as the best approach. “It’s not a technology problem it’s an influence problem. We have to look at the most important business services and have a way to recover quickly if they go down,” he said.</p>
<p>It was down to Check Point’s Bleiberg to sum up a memorable evening.</p>
<blockquote><p>“In the short-term, Mythos will create hell. But in the long term I’m more optimistic,” he said. “Mythos will level the playing field. The number of CVEs will do down. Technology is making it easier for the right people to collaborate in the right way.”</p></blockquote>
<p>The post <a href="https://rantcommunity.com/resources/there-are-no-fixes-only-mitigations-minimising-exposure-in-a-world-of-risk/">There are no fixes, only mitigations: Minimising exposure in a world of risk</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Broken Identity Creates Unmanaged Spaces &#8211; Managing the Dark Matter</title>
		<link>https://rantcommunity.com/resources/broken-identity-creates-unmanaged-spaces-managing-the-dark-matter/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Mon, 06 Jul 2026 09:19:11 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[Orchid]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3066</guid>

					<description><![CDATA[<p>The identity security space has been broken for years, largely because organisations overestimate how well they understand their application landscape.</p>
<p>The post <a href="https://rantcommunity.com/resources/broken-identity-creates-unmanaged-spaces-managing-the-dark-matter/">Broken Identity Creates Unmanaged Spaces &#8211; Managing the Dark Matter</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The identity security space has been broken for years, largely because organisations overestimate how well they understand their application landscape. Gaps between perception and reality give rise to “identity dark matter”: unknown applications, orphaned accounts, and unmanaged identities operating with unclear privileges and behaviours.</p>
<p>These blind spots create fertile ground for risk, especially as discovery and onboarding processes can take years while exposure quietly increases.</p>
<p>Vulnerabilities also thrive where teams believe their environments are under control, but activity at the application layer tells a different story. Incomplete logging and unknown applications connecting to identity providers can quietly scrape data or introduce attack paths without detection. This friction between assumed visibility and actual behaviour is where attackers often gain a foothold.</p>
<p>At the same time, identity is no longer just an access problem; it underpins productivity, resilience, and business continuity &#8211; pressures that are only intensifying with the rise of agentic AI systems that act autonomously based on identity context.</p>
<p>High-profile incidents in 2025 highlighted the consequences of failing to rethink identity. Without a clearer, more accurate view, organisations will struggle to safely build, deploy, and operate modern systems. This discussion focuses on how to repair the broken identity model and equip security leaders with a more realistic and actionable understanding of identity.</p>
<p>In a week when it was disclosed that AI agents are driving a 76% increase in non-human identities, a discussion was held on whether the broken identity space can be repaired, or whether it is a case of finding a clearer, more grounded view of identity that better supports security leaders.</p>
<h4>Non-Humans and Agents</h4>
<p>In the opening comments, panellists spoke about the renewed focus on non-human identities (NHIs) and their growing importance. Matt from Orchid noted that identity is a common challenge for all organisations, and the rise of agentic systems only increases complexity.</p>
<p>Ben from Orchid explained that, after more than a decade in the identity space, he is now working on a platform that supports identity governance, risk, and compliance, while also helping organisations address audit challenges. He described the “death of visibility” as closely tied to identity, which is a “constantly changing” and increasingly complex domain.</p>
<p>The chair highlighted that organisations follow different identity journeys. Many begin with Active Directory, with non-human accounts and agents accumulating over time. This sprawl includes tools such as Copilot, where accounts may be created without central oversight. As these systems allow users significant freedom, visibility becomes extremely limited. While some tools attempt to consolidate identities, the challenge remains: how do you “control the uncontrollable,” and how do you respond once an incident has already occurred?</p>
<h4>Time to Identify Identities</h4>
<p>As the discussion progressed, one panellist noted that guest accounts can hold significant permissions, including access to SharePoint and other advanced capabilities, yet organisations often lack the time to properly review these risks. This creates a growing attack surface, particularly when supplier integrations are not fully understood and AI access is enabled without sufficient awareness.</p>
<p>On the question of controlling the uncontrollable, one attendee argued that complete visibility is unrealistic. Instead, organisations should aim for high-confidence coverage (e.g. above 95%) and rely on constant monitoring. Shadow accounts, continuous system evolution, and new products make this an ongoing challenge. A full 360-degree view of both legacy and modern applications is essential to maintaining control.</p>
<p>Others noted that the problem worsens as more agents are introduced, making identity management increasingly difficult. To regain control, organisations must prioritise what matters most and focus on the areas of greatest impact.</p>
<p>Another contributor added that while improved visibility is possible through better controls, organisations must also be able to clearly articulate gaps in control to boards and regulators &#8211; and defend their position reasonably.</p>
<p>Ben from Orchid agreed: you cannot control what you do not know exists. He referenced Articles 9 and 13 of the EU AI Act, which require risk management systems for high-risk AI and mandate sufficient transparency so users can interpret system outputs.</p>
<h4>The Greatest Challenge</h4>
<p>A recent survey highlighted identity as the top challenge among respondents. Referencing Orchid CEO Roy Katmor, one speaker suggested that identity is not broken, but incomplete. He argued that the only way to achieve true visibility is through observability, including the use of agents capable of deep analysis.</p>
<p>The chair posed a hypothetical question: if you could see everything, what would you do next? This shifted the conversation toward attacker priorities. Adversaries are increasingly targeting tokens rather than passwords, prompting questions around which applications are most critical, who holds domain administrator privileges, and how frequently permissions are reviewed.</p>
<p>Participants also discussed alerting strategies, noting the difficulty of identifying genuinely suspicious behaviour among large volumes of alerts. The key challenge is understanding which identities have excessive permissions and where they are being applied. The chair asked what meaningful alerts would look like once full visibility is achieved, particularly in scenarios where identities are at risk of takeover.</p>
<h4>Zero Trust</h4>
<p>The concept of zero trust prompted debate. One attendee argued that it is not a practical strategy, claiming that once an alert reaches the SIEM, “it’s already too late.” Others disagreed, suggesting that zero trust is both practical and necessary, as it introduces greater granularity and layered controls.</p>
<p>While defence-in-depth and behavioural detection improve security, participants acknowledged that no approach offers complete protection. Zero trust was ultimately described as a logical extension of modern security, enabling continuous verification across multiple layers.</p>
<p>Ben from Orchid added that data security posture management tools also require access and governance. He emphasised the importance of first achieving visibility, followed by analysis. By correlating identities with entitlements, organisations can better understand privileged and dormant accounts—what he referred to as “dark matter” and shadow IT.</p>
<h4>Closing Comments</h4>
<p>In closing, the chair emphasised that visibility and control are essential for managing identity effectively. Organisations must prioritise what matters most and focus on actionable insights. Even when large volumes of data are available, the ability to distil that information is key to improving governance and visibility.</p>
<p>A final comment from Ben from Orchid highlighted the importance of connected systems, enabling organisations to view all identities within an environment, understand their permissions, and analyse their historical activity &#8211; providing a clearer picture of how identities operate within the organisation.</p>
<p>Ultimately, organisations that confront identity blind spots head-on &#8211; by prioritising visibility, continuous monitoring, and realistic control frameworks &#8211; will be far better positioned to manage risk in an increasingly complex, AI-driven landscape.</p>
<p>The post <a href="https://rantcommunity.com/resources/broken-identity-creates-unmanaged-spaces-managing-the-dark-matter/">Broken Identity Creates Unmanaged Spaces &#8211; Managing the Dark Matter</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Confronting the Agentic AI Risk in Supply Chains</title>
		<link>https://rantcommunity.com/resources/confronting-the-agentic-ai-risk-in-supply-chains/</link>
		
		<dc:creator><![CDATA[Galena]]></dc:creator>
		<pubDate>Tue, 30 Jun 2026 12:07:46 +0000</pubDate>
				<category><![CDATA[Resources]]></category>
		<category><![CDATA[BlueVoyant]]></category>
		<guid isPermaLink="false">https://rantcommunity.com/?p=3062</guid>

					<description><![CDATA[<p>Incidents over the years have revealed common weaknesses around third parties, as supply chain risks have become one of the</p>
<p>The post <a href="https://rantcommunity.com/resources/confronting-the-agentic-ai-risk-in-supply-chains/">Confronting the Agentic AI Risk in Supply Chains</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Incidents over the years have revealed common weaknesses around third parties, as supply chain risks have become one of the most critical challenges for cyber security leaders.</p>
<p>There is a struggle to fully comprehend and integrate third-party cyber risk visibility into a broader risk management strategy, and there appears to be a growing gap that leaves organisations vulnerable to disruption and unprepared when unforeseen risks crystallise across supply chain networks.</p>
<p>This integration requires what is being called ‘operational resilience’. The <a href="https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/operational-resilience-sop">Bank of England describes</a> this as ensuring businesses are able to prevent disruption by adapting systems and processes to continue providing services and functions in the event of an incident; return to normal operations promptly once a disruption is over; and learn and evolve from both incidents and near misses.</p>
<p>In particular, the Bank of England says there are four areas that are core factors of operational resilience:</p>
<ul>
<li>Governance</li>
<li>Operational risk management</li>
<li>Business continuity planning</li>
<li>Management of outsourced relationships</li>
</ul>
<p>This sort of action requires a proactive approach to cyber security and risk management and, in particular, includes maintaining a curated inventory of approved suppliers and technologies. This involves understanding the origins of risks across the supply chain, assessing the nodes within the supply chain and how widely they spread, and evaluating response times and business impacts.</p>
<h4><strong>Shaping Complexity</strong></h4>
<p>In a recent roundtable discussion sponsored by BlueVoyant, the subject of operational resilience was examined, specifically how modern cyber security risk is increasingly shaped by the complexity of supply chains, limited visibility across ecosystems, and the accelerating impact of AI.</p>
<p>Opening the discussion, Tom Moore, director of digital forensics and incident response at BlueVoyant, noted a clear trend of threat actors becoming more adaptive, targeting not just organisations directly, but the broader ecosystem around them.</p>
<p>As companies embed external features, integrate partners, and rely on extended supply chains, they often fail to fully understand the implications. This creates hidden weaknesses that attackers are quick to exploit. In particular, as threat actors adapt and look for weaknesses in partner supply chains, there is a “whole raft of ecosystem extensions”, while the implications of external features are often neither understood nor considered.</p>
<p>He claimed that a key issue is visibility: many organisations simply do not know which suppliers have privileged access, which vendors rely on vulnerable software or hardware, or how long third parties have had access to their environments.</p>
<h4><strong>Deepened Significantly</strong></h4>
<p>The complexity of supply chains has also deepened significantly. Organisations rely not just on third parties, but on fourth, fifth, and even further-removed providers. Open-source components are embedded in commercial applications, SaaS platforms are built on other SaaS platforms, and infrastructure may be owned by entirely separate entities. This layered dependency model makes comprehensive oversight extremely difficult.</p>
<p>Moore argued that the traditional idea of a secure “castle” no longer applies. Instead, organisations operate more like interconnected airports, dependent on multiple external entities, each with its own policies and security standards.</p>
<p>The challenge is that responsibility becomes blurred; risks can propagate across systems before anyone recognises there is a problem. In such an environment, a single compromised supplier can provide attackers with access to multiple organisations at once.</p>
<h4><strong>Relationships and Processes</strong></h4>
<p>Moving into the wider discussion, the chair emphasised three areas of focus within operational resilience: building symbiotic relationships with suppliers, understanding how AI is changing processes, and identifying the nodes along the supply chain.</p>
<p>The chair said there is inherent tension in supplier relationships. While organisations depend on partners to succeed, there is often reluctance to share security information because of competitive concerns. Regulators, however, are pushing for stricter standards, creating friction between collaboration and compliance.</p>
<p>The panellists said that the role of the security and risk professional is to identify partners across the supply chain and “get them to be open with us”, so there is less need to keep a close watch on their activities. Another panellist added that a level of discovery is still necessary, as most organisations only “think” they understand their external connections.</p>
<p>One panellist said there is a “responsibility to keep subsidiaries safe” and that if you do not know what a supplier is doing, then it should not be considered part of your main business model.</p>
<p>Tom Moore illustrated the issue with a manufacturing analogy: even when an organisation understands its direct components, critical dependencies may exist several layers further down the chain. If a single subcomponent supplier fails, the entire system can be disrupted.</p>
<p>While this is not a new problem, the pace of modern digital ecosystems makes it far more difficult to manage.</p>
<p>Despite these challenges, there are practical steps organisations can take. Attack surface management and continuous monitoring of suppliers can help assess risk posture.</p>
<p>Industry collaboration, such as through information sharing and analysis centres (ISACs), can also improve shared understanding, said Holly Steele, senior vice-president of EMEA and UK at BlueVoyant, who acknowledged that there is potential to do more. She said that ISACs can do more to bring suppliers together.</p>
<h4><strong>Agents in the Mix</strong></h4>
<p>The subject of agentic AI was also prominent, as attackers can now operate with unprecedented speed and scale, using AI to automate reconnaissance, refine attack strategies, and learn continuously from interactions.</p>
<p>Tom Moore said that what once took weeks can now take minutes, effectively giving threat actors a 24/7 research team. This shifts the critical question from “Are we vulnerable?” to “How quickly will someone discover that vulnerability?”</p>
<p>At the same time, AI presents opportunities for defenders. Agentic AI systems can respond to alerts, automate actions, and establish behavioural baselines that would be impossible to manage manually. However, organisations are still struggling to integrate AI effectively into their security operations, often lagging behind attackers in adoption.</p>
<p>Ultimately, the most resilient organisations are not those that avoid incidents entirely, but those that are prepared to respond effectively. This requires strong communication, both internally and with suppliers, a clear understanding of data value, and a demonstrable grasp of the ecosystem in which they operate.</p>
<h4><strong>Final Thoughts</strong></h4>
<p>In conclusion, the chair recommended the use of attack surface management and the continuous monitoring of suppliers to understand their risk posture. They also recommended grouping vendors by sector and treating them as critical infrastructure, depending on the regulators to which they are subject.</p>
<p>Tom Moore recommended sharing common challenges and themes so that everyone understands which risks are emerging as a result of tabletop exercises. He also advised surfacing common themes and running simulations that are relevant to your business.</p>
<p>Holly Steele suggested reviewing the contracts held with suppliers, as everything comes back to visibility and what those agreements permit suppliers to access within a network. “Bring everyone to the party, but stop navel-gazing and look elsewhere and externally,” she said.</p>
<p>The central takeaway is clear: organisations must move beyond inward-looking security practices and develop a comprehensive, outward-facing view of their supply chains.</p>
<p>Only by improving visibility, embracing collaboration, and preparing for inevitable disruption can they hope to manage risk in an increasingly interconnected and AI-driven world.</p>
<p>The post <a href="https://rantcommunity.com/resources/confronting-the-agentic-ai-risk-in-supply-chains/">Confronting the Agentic AI Risk in Supply Chains</a> appeared first on <a href="https://rantcommunity.com">RANT Community</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
