Table of Contents
- CISOs Finally Get a Seat at the Board’s Table — But There’s a Catch
- Are Web Browsers With Integrated Chatbots A Paradigm Shift – Or Just Privacy And Security Disast…
- The true power of a security-first culture | Opinion
- The 10 biggest issues CISOs and cyber teams face today
- US Appeals Court lowers burden of proof for data breach lawsuits
- 70% of CISOs say internal conflicts more damaging than cyberattacks
- The great AI reset: CIOs pivot from pilots to business value
- Two New Web Application Risk Categories Added to OWASP Top 10
- CISOs’ security priorities reveal an augmented cyber agenda
- CISOs must prove the business value of cyber — the right metrics can help
- Cybersecurity 2026: 6 Forecasts and a Blueprint for the Year Ahead
- Cybersecurity worries have grown and confidence has wavered in 2025
- Kroah-Hartman: Linux Kernel Maintainer on CRA Open Source Impact
- Google Brain founder Andrew Ng thinks you should still learn to code – here’s why
- India’s new data privacy rules turn privacy compliance into an engineering challenge
- Cyber resilience is the new competitive advantage
CISOs Finally Get a Seat at the Board’s Table — But There’s a Catch
Diana Kelley
Dark Reading
In recent years, the role of security and privacy in corporate discussions has evolved significantly, particularly with the rise of AI
Initially, security updates were often sidelined during board meetings, but now executives at all levels prioritize discussions on AI risk
While this presents an opportunity for security leaders to assert their influence, it also brings substantial risks including vulnerabilities and compliance challenges associated with AI technologies
To navigate this landscape, collaboration with internal teams and external experts is crucial
Organizations must prioritize integrating security into AI projects early and adapt their risk frameworks to address the new dynamics of AI
The call for security leaders is to facilitate innovation while ensuring safety and compliance
Important items to note:
– Security discussions are increasingly prioritized in corporate settings due to AI’s prominence.
– Security leaders now have a greater opportunity to influence strategic decisions.
– Emerging AI vulnerabilities include prompt injection attacks, data leakage, and model poisoning.
– Industry standards and tools for managing AI risks are still developing.
– Collaboration with product, engineering, legal, compliance, and data science teams is essential.
– Utilizing external expertise can help fill knowledge gaps related to AI threats.
– Organizations should evolve risk frameworks to address unique challenges in AI.
– Security leaders should focus on enabling innovation safely and building trust within their organizations.
Link: https://www.darkreading.com/cybersecurity-operations/cisos-finally-get-seat-board-table
Are Web Browsers With Integrated Chatbots A Paradigm Shift – Or Just Privacy And Security Disast…
I’m-sorry,-Dave,-I’m-afraid-I-can’t-undo-that dept
Tech Dirt
OpenAI has introduced ChatGPT Atlas, a new web browser that integrates generative AI capabilities
This follows a trend among tech companies to incorporate AI chatbots into their browsers, aiming to redefine user interaction with the web
Sam Altman mentions that AI represents a significant opportunity to rethink browsers, which are critical in the digital landscape
Atlas features browser memories, allowing ChatGPT to remember user interactions for improved suggestions, and an agent mode that helps users complete tasks more efficiently
However, there are substantial privacy and security risks associated with these features
Critics like AI expert Simon Willison have expressed concerns about the risks involved, suggesting caution until thorough security reviews are conducted.
– OpenAI’s ChatGPT Atlas signifies a shift in web browsing through AI integration.
– Multiple tech companies (e.g., Microsoft, Google, Opera) are adopting AI chatbot features in browsers.
– Browser memories offer personalized assistance but raise privacy concerns.
– Users retain control over what is remembered, but may overlook privacy settings.
– Agent mode allows for task completion but has significant security implications.
– OpenAI has implemented safeguards but acknowledges that risks still exist.
– Experts recommend caution and thorough security evaluations for these new tools.
– The potential for misuse and privacy violations is a critical concern in the adoption of such technologies.
Link: https://www.techdirt.com/2025/10/27/are-web-browsers-with-integrated-chatbots-a-paradigm-shift-or-just-privacy-and-security-disasters-waiting-to-happen/
The true power of a security-first culture | Opinion
Richard H & Cameron C
Crypto News
The digital asset industry faces significant security challenges, with breaches often arising from traditional web vulnerabilities rather than blockchain-specific flaws
Building a security-first organizational culture is crucial
This includes strong leadership, dedicated incident response teams, effective phishing training, and promoting personal digital safety for employees
Research indicates that security-related investments can reduce breach costs and enhance corporate resilience
A culture of security encourages accountability among staff and fosters a proactive approach to risk management
Initiatives such as formal incident responses, intelligence-informed training, and personal security investments create a vigilant and responsive organizational environment
Overall, a strong security culture is essential, as it facilitates trust and resilience against evolving threats
Key points to note include:
– Security breaches in the crypto industry often result from web2 vulnerabilities, highlighting the need for a comprehensive security culture.
– Leadership and team structure are vital for effective incident response; a cross-departmental Computer Security Incident Response Team (CSIRT) is important.
– Phishing training should be adaptive and informed by real-time threats, and security awareness should be integrated into organizational practices.
– Monthly security sessions can help keep staff engaged with emerging threats and technologies.
– Positive reinforcement and peer accountability can improve adherence to security protocols.
– Supporting employees’ personal security enhances overall organizational security and builds trust.
– A proactive security culture can reduce breach costs and foster resilience in the digital asset landscape.
Link: https://crypto.news/the-true-power-of-a-security-first-culture-opinion/
The 10 biggest issues CISOs and cyber teams face today
Mary K. Pratt
CSO Online
Security leaders are grappling with an increasingly complex and stressful environment characterized by rising AI-enabled threats, budget constraints, and the need to adapt to new technologies
According to the ISACA 2025 State of Cybersecurity report, 66% of CISOs report heightened stress compared to five years ago
Key issues include securing AI infrastructure, escalating attacks, data protection, an evolving threat landscape, budget limitations, employee training against sophisticated scams, quantum computing challenges, priority setting, and aligning risk management with business objectives
Important items to note include:
– Emergence of AI risks: 60% of CISOs consider generative AI a threat; AI security governance is improving (47% involvement).
– Increasing AI-enabled attacks: 80% of CISOs list AI-driven cyberattacks as a major concern; response readiness must accelerate.
– Data protection challenges: 67% prioritize information governance; concerns about AI-generated data security.
– Expanding threat landscape: The attack surface is larger and more interconnected due to AI and organized cybercrime.
– Budget constraints: Security spending is rising, but not at a rate that matches rising threats; cost-cutting measures are being implemented.
– Employee training: There’s a push for frequent simulated phishing exercises to enhance awareness against sophisticated scams.
– Quantum computing implications: Security leaders must plan for encryption vulnerabilities posed by future quantum threats.
– Competing priorities: CISOs are challenged with managing multiple urgent issues with limited resources.
– Importance of risk understanding: Aligning cybersecurity strategies with business risk tolerance is crucial, and boardroom support is declining.
Link: https://www.csoonline.com/article/4077442/the-10-biggest-issues-cisos-and-cyber-teams-face-today-2.html
US Appeals Court lowers burden of proof for data breach lawsuits
Evan Schuman
CSO Online
The 4th Circuit Court’s recent ruling has significant implications for data breach litigation, shifting how damages are evaluated
The court determined that merely publishing stolen data on the dark web can be enough to prove potential harm, which eases the path for plaintiffs to sue breached organizations
This decision changes the previous standard where proving actual damage was a requirement
Now, if data is found on the dark web, it implies a higher risk for identity fraud, impacting how Chief Information Security Officers (CISOs) should manage risk and respond to breaches.
– The ruling relaxes requirements for plaintiffs to prove damages in data breach cases, particularly when data is published on the dark web.
– It emphasizes the importance of monitoring the dark web for leaked data as part of risk management.
– The court distinguished between levels of data sensitivity, highlighting that driver’s license information, while public, can still lead to harm if it appears on the dark web.
– CISOs are encouraged to document data breaches meticulously, noting what information is made public.
– The ruling may increase litigation exposure for companies, as even public data could lead to lawsuits if it is associated with dark web activity.
– There is a new focus on the “publication versus theft” dynamic, raising concerns that attackers might exploit this shift to extort companies by threatening further exposure of sensitive data.
– Companies must reevaluate their cybersecurity policies and risk assessments in light of this ruling to better protect themselves from potential lawsuits.
Link: https://www.csoonline.com/article/4082749/us-appeals-court-lowers-burden-of-proof-for-data-breach-lawsuits.html
70% of CISOs say internal conflicts more damaging than cyberattacks
Evan Schuman
CSO Online
The report highlights that 70% of security executives believe that internal conflicts, such as CISO-CEO tension and communication gaps, can exacerbate problems during a cyber crisis more than the cyberattack itself
Analysts stress that these issues stem from misalignment in the perception of cybersecurity’s role in business
To improve relationships between CISOs and other executives, it is crucial for CISOs to communicate the value of cybersecurity in terms of supporting business goals, such as revenue retention, rather than as a cost burden
Recommendations for CISOs include focusing on business needs, emphasizing customer-driven security requirements, and leveraging existing tensions to foster diverse input for better solutions
Key points to note:
– 70% of security executives see internal conflicts as problematic during crises.
– CISO-CEO tensions and unclear authority are identified as major issues in incident response.
– Misalignment in perception of cybersecurity as a cost versus a value add hinders collaboration.
– CISOs should communicate how security initiatives contribute to revenue and customer retention.
– Emphasizing customer demands can help demonstrate the necessity of security measures.
– Different executive perspectives can be beneficial and foster a more comprehensive approach.
– CISOs should prioritize business objectives and frame cybersecurity within that context.
Link: https://www.csoonline.com/article/4079876/70-of-cisos-say-internal-conflicts-more-damaging-than-cyberattacks.html
The great AI reset: CIOs pivot from pilots to business value
Beth Stackpole
CIO
IT leaders are shifting focus from experimental AI projects to a governance-based approach to ensure that AI initiatives deliver tangible business value
TIAA has limited its AI deployments to six essential use cases, emphasizing a steady approach over flashy solutions
A report from MIT indicates that while U.S. businesses have significantly invested in generative AI, a small percentage leads to notable revenue increases, often due to the wrong use cases and integration issues
Companies are also addressing concerns related to AI model biases and user trust
Governance frameworks, metrics, and change management practices are becoming essential for successful AI integration across enterprises, with firms like Regeneron and Webster Bank establishing robust governance committees
Tractor Supply Co. focuses on leading with organizational challenges rather than technology and emphasizes safe experimentation
Effective metrics are crucial for assessing AI projects from inception, ensuring long-term alignment with business objectives and accountability.
– Many businesses are refocusing AI strategies to prioritize governance and metrics over relentless experimentation.
– TIAA emphasizes solving core business problems rather than pursuing flashy AI use cases.
– A significant investment in generative AI has yielded minimal revenue growth, highlighting the importance of selecting the right use cases.
– Companies are confronting trust issues and potential job loss fears among employees.
– Governance structures are being implemented to manage risks associated with AI technologies.
– Webster Bank employs a “three-legged stool” strategy for governance and AI project evaluation.
– Change management is crucial for integrating AI, addressing workforce anxieties, and ensuring employee engagement.
– Safe experimentation is encouraged within organizations to foster innovation while managing risk and aligning with business goals.
Link: https://www.cio.com/article/4080608/the-great-ai-reset-cios-pivot-from-pilots-to-business-value.html
Two New Web Application Risk Categories Added to OWASP Top 10
Ionut Arghire
OWASP has released a revised draft of its Top 10 list of critical web application security risks for 2025, now open for public comments until November 20. The updated list includes two new categories and a new order, with “Broken Access Control” remaining the top risk. “Security Misconfiguration” moved up to second place, followed by “Software Supply Chain Failures.” Notably, “Mishandling of Exceptional Conditions” is a new addition at the tenth position
The list reflects updated methodologies, focusing on root causes of vulnerabilities and incorporating a broader range of Common Weakness Enumerations (CWEs) for analysis
Important Items to Note:
– “Broken Access Control” remains the top risk on the list.
– “Security Misconfiguration” has risen to the second position from fifth.
– “Software Supply Chain Failures” expands on “Vulnerable and Outdated Components.”
– New category “Mishandling of Exceptional Conditions” at tenth place, covering error handling issues.
– The revised methodology allowed for analyzing a wider set of CWEs (589 compared to 30 in 2017).
– OWASP used data from testing applications and community surveys to determine the list’s composition.
– Exploitability and impact scores were calculated using CVE data, affecting the selection of categories.
– Comments on the draft are accepted until November 20, 2023, for final adjustments before release.
Link: https://www.securityweek.com/two-new-web-application-risk-categories-added-to-owasp-top-10/
CISOs’ security priorities reveal an augmented cyber agenda
Esther Shein
CSO Online
CISOs are expanding cyber capabilities using AI while adapting to increased responsibilities
The complexity of selecting security solutions is rising, with 76% of CISOs finding it harder to identify the right tools
Major challenges include budget constraints, employee training, and addressing AI-related risks
Key focus areas are data protection, cloud security, and simplifying IT infrastructure
The adoption of AI in security tools is accelerating; over half of security leaders plan to enhance AI capabilities in response to concerns about AI-enabled cyberattacks
Meanwhile, budgets are expected to remain stable, and many organizations are outsourcing security functions to managed service providers for better support
Engagement with boards is increasing, highlighting the growing recognition of cybersecurity’s importance.
– Increasing responsibilities for CISOs leading to complex security solution choices.
– 76% of CISOs report challenges in selecting appropriate security solutions.
– Cyber threats related to AI are a major concern, with 38% worrying about AI-enabled ransomware.
– 57% of organizations struggled to identify the root cause of security incidents last year.
– Focus areas: data protection (48%), cloud security (45%), and IT infrastructure simplification (39%).
– 73% of security leaders are considering AI security solutions, with 58% planning to increase AI-related spending.
– Concerns about AI-facilitated attacks driving demand for AI in threat detection and automation.
– 90% of respondents plan to outsource security functions to managed service providers.
– Engagement with boards regarding cybersecurity has increased, with 95% of CISOs regularly communicating with board members.
– Security budgets are expected to stabilize, with 55% expecting no change and 43% anticipating increases.
Link: https://www.csoonline.com/article/4074969/cisos-security-priorities-reveal-an-augmented-cyber-agenda.html
CISOs must prove the business value of cyber — the right metrics can help
Eb Radcliff
CSO Online
CISOs face ongoing challenges in demonstrating the value of their cybersecurity programs to business leaders, who often view cybersecurity as a cost rather than a business value driver
The difficulty lies in translating technical metrics into terms that resonate with executives
Many organizations lack a proper enterprise risk management (ERM) function, complicating the CISO’s ability to align cybersecurity metrics with business priorities
Effective communication and understanding business priorities are vital for CISOs, who need to shift their focus from technical statistics to business elements such as financial exposure and risk appetite
Recent trends indicate that board members are increasingly focused on how cybersecurity investments protect business interests rather than technical details
Best practices emerging from these discussions point to the necessity of using business-oriented metrics and effective communication strategies.
– Importance of aligning cybersecurity metrics with business priorities.
– Establishing a foundational ERM program to better communicate risk.
– Better integration of cybersecurity within organizational structures outside of IT.
– Shift from technical metrics to business metrics (e.g., financial exposure, risk appetite).
– Need for cybersecurity leaders to foster relationships with business leaders for alignment.
– Growing board interest in understanding how cybersecurity investments reduce financial and operational risks.
– Use of data-driven models to show potential financial exposure and ROI from security investments.
– Recommendations for choosing key performance indicators (KPIs) that resonate with business needs.
– Importance of concise reporting that highlights threats and their potential impacts on the business.
– Recognition of the board’s preference for benchmarking against industry peers.
Link: https://www.csoonline.com/article/4083604/why-cybersecurity-leaders-find-important-to-prove-the-business-value-of-cyber.html
Cybersecurity 2026: 6 Forecasts and a Blueprint for the Year Ahead
Chuck Brooks
Forbes
The cybersecurity landscape by 2026 will be heavily influenced by advancements in AI, quantum computing, and the proliferation of connected devices, creating unprecedented challenges for companies
Organizations can no longer just prepare for breaches; they must anticipate them and plan for effective responses
Six key forecasts highlight the evolving threats, emphasizing the need for proactive adaptation in cybersecurity strategies.
– AI will be used by both attackers and defenders, necessitating a new perspective on its role within security architecture.
– Quantum computing poses risks to current encryption methods, requiring a shift to post-quantum cryptography as vulnerabilities surface.
– The rise of deepfakes and synthetic media will complicate identity verification and trust, urging companies to implement continuous identity authentication.
– The expansion of IoT and edge devices will increase attack surfaces, necessitating robust device management and zero-trust security models.
– Cybercrime will evolve into organized corporate-like entities, requiring businesses to treat cybersecurity as a strategic priority and to understand the business models of their adversaries.
– A cultural shift within organizations is critical, with cybersecurity needing to be integrated into overall business strategy rather than being viewed as a cost center.
Important items to note include:
– Transition AI from a tool to an integral element of security architecture.
– Conduct a crypto inventory and adopt post-quantum cryptographic measures.
– Implement ongoing identity authentication and anomaly detection for media.
– Focus on secure device lifecycle management and zero-trust security at the device level.
– Adapt thinking about threat actors to view them as business entities, and incorporate business continuity in incident response plans.
– Enhance the role of the CISO and embed cybersecurity into company culture, ensuring it is regarded as a fundamental element of business strategy.
Link: https://www.forbes.com/sites/chuckbrooks/2025/11/10/cybersecurity-2026-6-forecasts-and-a-blueprint-for-the-year-ahead/
Cybersecurity worries have grown and confidence has wavered in 2025
Andrea Fox
Health Care IT News
The 2025 Travelers Risk Index survey reveals concerning trends in cybersecurity within healthcare organizations, highlighting inadequate preparedness despite recognition of the risks
Many providers lack essential cybersecurity practices, with only a small percentage employing key measures such as multifactor authentication and incident response plans
Although the majority acknowledge the importance of robust cybersecurity measures, there remains a significant gap in implementation and confidence in their effectiveness
Furthermore, fears of not being prepared for cyberattacks are increasing among healthcare leaders
Key points to note include:
– Many healthcare decision-makers feel inadequately equipped to prevent cyber incidents despite believing they have sufficient cybersecurity controls (51% uncertain about best practices).
– A lack of fundamental cybersecurity measures is prevalent: 62% lack a post-breach team, 51% do not utilize endpoint detection tools, and 46% lack an incident response plan.
– Only 67% of participants reported using multifactor authentication, leaving 37% without it for remote access.
– Concerns about ransomware and regulatory compliance are rising; nearly two-thirds worry about their ability to recover from attacks.
– Overall reported breaches have increased, with 25% of organizations affected and 60% facing multiple incidents.
– A decline in cyber insurance coverage from 70% to 65% reflects worries about recovery capabilities.
– Recommendations for improvement include implementing multifactor authentication, using endpoint detection, systematic data backups, and having a well-defined incident response plan.
Link: https://www.healthcareitnews.com/news/cybersecurity-worries-grew-and-confidence-wavered-2025
Kroah-Hartman: Linux Kernel Maintainer on CRA Open Source Impact
Steven J. Vaughan-Nichols
The New Stack.io
Technology companies are becoming aware of the EU’s Cyber Resilience Act (CRA), which sets stringent cybersecurity regulations for digital products sold in the EU
The Act brings clarity and improved security measures, particularly affecting commercial software developers while largely exempting individual open source developers
The CRA mandates secure design and updates, assigns responsibilities to manufacturers and stewards, and aims to improve transparency in software security
Developers are encouraged not to panic, as compliance requirements primarily affect commercial product code placed on the EU market.
– The CRA establishes unified cybersecurity standards for digital products in the EU, effective December 10, 2024, with mandatory compliance beginning December 11, 2027.
– Manufacturers are primarily responsible for compliance, including managing software vulnerabilities and maintaining Software Bills of Materials (SBOMs).
– Stewards of open source projects have lighter responsibilities focused on cybersecurity policies and vulnerability disclosure.
– Individual developers of non-commercial software are largely exempt but should remain aware of potential implications if their code is used commercially.
– Open source projects should resist compliance demands being shifted onto them by manufacturers.
– The Open Source Security Foundation is creating resources to aid the open source community in navigating the CRA.
– The CRA is anticipated to raise the standards of software security, benefiting both commercial and open-source software ecosystems.
Link: https://thenewstack.io/kroah-hartman-linux-kernel-maintainer-on-cra-open-source-impact/
Google Brain founder Andrew Ng thinks you should still learn to code – here’s why
Radhika Rajkumar
ZD Net
The second annual AI Dev summit in New York highlighted the evolving role of AI in software development, emphasizing the importance of coding skills for all professionals, not just engineers
Andrew Ng, a leading figure in AI, discussed the impact of AI on job markets, the necessity for computer science education to adapt to modern demands, and the growing need for generalist skills among developers
He called attention to public fears surrounding AI and advocated for transparency and effective governance in AI development rather than stringent regulations.
– AI coding assistants are changing the landscape of entry-level jobs for graduates.
– Ng believes everyone should learn basic coding skills, likening it to understanding math.
– Product management skills are becoming essential for developers to keep pace with AI efficiencies.
– He argues that universities should update their curricula to train graduates on AI integration.
– Public perception of AI is fraught with fear and misunderstanding, which developers can help address.
– Ng is critical of excessive regulation but supports transparency measures for large AI companies.
– Emerging roles for developers will focus on concept generation and understanding human needs, essential for guiding AI applications.
Link: https://www.zdnet.com/article/google-brain-founder-andrew-ng-thinks-you-should-still-learn-to-code-heres-why/
India’s new data privacy rules turn privacy compliance into an engineering challenge
Prasanth Aby Thomas
CSO Online
India’s Digital Personal Data Protection (DPDP) Rules, 2025 emphasize robust data governance, requiring digital platforms to alter their handling of personal data
The rules necessitate explicit user consent, parental verification for minors, and fixed timelines for data retention
Significant Data Fiduciaries must perform annual assessments and audits and comply with stringent algorithm oversight
Compliance is expected within 12 to 18 months, pushing enterprises to revamp systems for consent management and data processing
Organizations face increased operational complexities due to evolving regulations, necessitating dynamic data inventories and collaboration between compliance and IT teams
Architectural changes like encryption and tokenization will be vital for compliance.
– Emphasis on user consent and verifiable parental consent for processing children’s data.
– Introduces requirements for Significant Data Fiduciaries for assessments and audits.
– Staggered compliance timelines (12 to 18 months for operational requirements).
– Necessity for automated consent verification and data mapping tools.
– Shift from documentation compliance to continuous governance.
– Increased operational complexity and cost for data-heavy enterprises.
– Call for dynamic data inventories and automated workflows for consent withdrawal.
– Required architectural changes to ensure compliance (encryption, tokenization).
– Centralized consent orchestration and segregated personal data zones emphasized.
– Challenges posed by the sheer volume of personal information generated by users.
Link: https://www.csoonline.com/article/4090967/indias-new-data-privacy-rules-turn-privacy-compliance-into-an-engineering-challenge.html
Cyber resilience is the new competitive advantage
Peter Maquera
Inquirer.net
Cyber threats to the Philippines are growing, with the country ranked 20th globally in cyber activity impact according to the 2025 Microsoft Digital Defense Report
Filipino enterprises face multiple risks including ransomware, extortion, and data theft, which disrupt operations and harm reputation
The rise of AI in cyberattacks compounds these challenges, as attackers can automate their methods to exploit vulnerabilities
Despite the urgency, cybersecurity is often under-prioritized and disconnected from business strategy, leading to vulnerabilities exacerbated by legacy systems and inadequate employee training
Key areas for improvement for Filipino enterprises include:
– Identity protection is crucial as attackers target credentials and permissions, necessitating strong defenses for employee and workload identities.
– Enhanced visibility and automation are necessary to detect early indicators of compromise and respond effectively to threats, especially in diverse cloud environments.
– Collaboration between public and private sectors can improve threat intelligence sharing and enhance recovery speed from incidents.
– Cybersecurity should be integral to all innovations, not an afterthought, positioning security as pivotal to trust and business growth.
Leadership commitment is critical to elevate cybersecurity as a strategic priority within organizations, including regular risk assessments and training
Partnering with experts like Microsoft can provide access to vital intelligence and tailored solutions, emphasizing that resilience in cybersecurity is essential for business continuity and customer trust in a digital economy.
Link: https://business.inquirer.net/558573/cyber-resilience-is-the-new-competitive-advantage