{"id":5351,"date":"2026-06-28T16:38:35","date_gmt":"2026-06-28T21:38:35","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5351"},"modified":"2026-06-28T16:38:35","modified_gmt":"2026-06-28T21:38:35","slug":"the-ciso-brief-june-28-2026","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=5351","title":{"rendered":"The CISO Brief \u2014 June 28, 2026"},"content":{"rendered":"<style>\n.single .entry-title,\n.single .entry-header .entry-title,\n.single .post-title,\n.single header.entry-header h1,\n.single h1.entry-title,\n.single .page-title,\n.post-template-default h1.entry-title,\n.post-template-default .entry-header,\narticle .entry-header,\narticle .entry-title { display: none !important; }\n.single .entry-header { margin: 0 !important; padding: 0 !important; }\n.single .entry-content { margin-top: 0 !important; padding-top: 0 !important; }\n<\/style>\n<table role=\"presentation\" class=\"wrapper\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" width=\"100%\">\n<tr>\n<td align=\"center\">\n<table role=\"presentation\" class=\"container\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\" width=\"680\">\n<p>        <!-- Banner --><\/p>\n<tr>\n<td class=\"banner\">\n<p class=\"date\" style=\"color:#ffffff !important;\">June 28, 2026 &middot; Weekly Edition<\/p>\n<h1 style=\"color:#ffffff !important;\">The CISO Brief<\/h1>\n<p class=\"tagline\" style=\"color:#ffffff !important;\">Strategic intelligence for security leaders \u2014 board reporting, regulatory shifts, AI governance, and the changing economics of the CISO seat.<\/p>\n<\/td>\n<\/tr>\n<p>        <!-- At a glance --><\/p>\n<tr>\n<td class=\"content\">\n<h2>At a glance<\/h2>\n<p>This week the regulatory perimeter moved on three fronts at once, and it moved fast. The White House set firm post-quantum cryptography deadlines by executive order, putting a clock on cryptographic migration that boards can no longer treat as a someday problem. In parallel, the UK government delivered an unambiguous message \u2014 cyber resilience starts in the boardroom \u2014 pushing accountability up to directors rather than leaving it parked with the security team. And a proposed US law would make AI risk reporting a legal obligation, converting what has been a governance best practice into a potential statutory duty. Read together, these three signals describe a year in which the things CISOs have been advised to do are becoming the things they are required to do.<\/p>\n<p>Against that regulatory backdrop, the threat framing sharpened. The Five Eyes alliance issued a joint warning that AI-fueled threats \u2014 including frontier-model misuse \u2014 need urgent action, and explicitly framed it for leadership rather than practitioners. ReliaQuest&#8217;s data reinforces the warning from the attacker side: AI is making attacks cheaper, faster, and more covert. The cyber-insurance market is reading the same room, tightening its guardrails as risk evolves, which means renewals are once again becoming controls audits rather than price negotiations. Layered on top is a fast-moving cluster on the AI-coding economy and CIO leadership \u2014 the hidden cost of AI coding tools, the emerging office power struggle over AI token budgets, the rewire-or-rebuild decision, and the harder question of how to measure AI productivity and ROI beyond raw token consumption.<\/p>\n<p>Two structural items round out the week. First, the role itself is being reframed: a piece argues your CISO is becoming a safety architect whether they know it or not, and a Cambridge report warns that the growing scope of the CISO role poses its own organizational risk. Second, the open-source security ecosystem produced a notable institution \u2014 after the Fable 5 ban, Anthropic and 19 organizations launched Akrites, an open-source vulnerability-coordination body. Add a stalled White House state-infrastructure initiative, fresh ransomware data showing growth in Europe and beyond, new CISA SASE guidance for zero trust, and sector-specific warnings for education and museums, and the through-line is clear: accountability is being formalized, the economics are being repriced, and the institutions are being rebuilt.<\/p>\n<p>            <!-- Topic map --><\/p>\n<div class=\"topic-map\">\n              <img decoding=\"async\" src=\"https:\/\/www.cybersecurityinstitute.com\/blog\/wp-content\/uploads\/2026\/06\/topic-map-ciso-2026-06-28.png\" alt=\"Topic map of this week's CISO Brief themes\"><\/p>\n<p class=\"caption\">This week&#8217;s topic map \u2014 the regulation wave (post-quantum EO, UK boardroom resilience, AI risk-reporting bill), the Five Eyes AI-threat warning, cyber-insurance and ransomware economics, the AI-coding and CIO-leadership cluster, and the new Akrites open-source coordination body.<\/p>\n<\/p><\/div>\n<p>            <!-- Article index --><\/p>\n<h2>Article index<\/h2>\n<h3>Cluster 1 \u2014 The regulation wave<\/h3>\n<div class=\"cluster-intro\">Three regulatory signals landed in the same week and all push accountability upward: post-quantum deadlines set by executive order, the UK locating cyber resilience in the boardroom, and a US bill that would make AI risk reporting a legal duty. Insurance guardrails, a stalled state-infrastructure initiative, and new CISA SASE guidance fill out the policy picture.<\/div>\n<ul class=\"index-list\">\n<li>1. Trump sets post-quantum cryptography deadlines (EO 14412) \u2014 Cybersecurity Dive<\/li>\n<li>2. UK government: cyber resilience starts in the boardroom \u2014 Intelligent CISO<\/li>\n<li>3. Proposed US law would make AI risk reporting a legal obligation \u2014 CSO Online<\/li>\n<li>4. As cyber risk evolves, the insurance industry tightens guardrails \u2014 Cybersecurity Dive<\/li>\n<li>5. White House state-infrastructure cybersecurity initiative stalled \u2014 Cybersecurity Dive<\/li>\n<\/ul>\n<h3>Cluster 2 \u2014 The AI threat landscape<\/h3>\n<div class=\"cluster-intro\">The Five Eyes alliance escalated to a leadership-level warning on AI-fueled threats and frontier-model misuse, with industry data confirming AI is lowering the cost and raising the stealth of attacks \u2014 while trust in automated AI vulnerability scanning has collapsed. The Akrites launch is the institutional response from the open-source community.<\/div>\n<ul class=\"index-list\">\n<li>6. Five Eyes warn AI-fueled threats need urgent action \u2014 Cybersecurity Dive<\/li>\n<li>7. AI is making attacks cheaper, faster and more covert (ReliaQuest) \u2014 Infosecurity Magazine<\/li>\n<li>8. Trust in automated AI vulnerability scanning collapses to 9% \u2014 Infosecurity Magazine<\/li>\n<li>9. After Fable 5 ban, Anthropic + 19 orgs launch open-source security body (Akrites) \u2014 The New Stack<\/li>\n<li>10. AWS, Microsoft, Google agree the session is the new unit of compute \u2014 The New Stack<\/li>\n<\/ul>\n<h3>Cluster 3 \u2014 The AI-coding economy &amp; CIO leadership<\/h3>\n<div class=\"cluster-intro\">A tightly linked cluster on what AI is doing to engineering work and to the CIO&#8217;s decisions: the hidden cost of AI coding, the looming fight over AI token budgets, the rewire-or-rebuild call, deconstructing which decisions are actually automatable, rebalancing oversight against innovation, and measuring AI ROI past raw token spend.<\/div>\n<ul class=\"index-list\">\n<li>11. The hidden cost of AI coding: workplace paralysis \u2014 Business Insider<\/li>\n<li>12. The next office power struggle: AI tokens \u2014 Business Insider<\/li>\n<li>13. Rewire or rebuild? The AI decision every CIO needs to get right \u2014 CIO.com<\/li>\n<li>14. Deconstructing the automatable decision \u2014 CIO.com<\/li>\n<li>15. CIOs rethink the balance between AI oversight and innovation \u2014 CIO.com<\/li>\n<li>16. How to measure AI productivity and ROI beyond tokenmaxxing \u2014 Open Data Science<\/li>\n<li>17. Two CEOs on why security and AI readiness belong together \u2014 Help Net Security<\/li>\n<\/ul>\n<h3>Cluster 4 \u2014 Ransomware, breaches &amp; sector risk<\/h3>\n<div class=\"cluster-intro\">The breach data this week is mixed but pointed: ransomware grew in 2025 even as traditional breaches fell, with a major increase targeting Europe specifically. Sector guidance arrived for education after a Canvas breach, and UK MPs warned that museums are exposed.<\/div>\n<ul class=\"index-list\">\n<li>18. Ransomware attacks grew in 2025 as traditional breaches fell (Bitsight) \u2014 Cybersecurity Dive<\/li>\n<li>19. Major increase in ransomware attacks targeting Europe \u2014 Infosecurity Magazine<\/li>\n<li>20. CMC releases analysis &amp; guidance for education sector after Canvas breach \u2014 Infosecurity Magazine<\/li>\n<li>21. UK museums face cybersecurity risks, MPs warn \u2014 Infosecurity Magazine<\/li>\n<\/ul>\n<h3>Cluster 5 \u2014 The CISO seat is being redefined<\/h3>\n<div class=\"cluster-intro\">Two pieces on the shape of the role itself: the argument that the CISO is quietly becoming a safety architect, and a Cambridge report warning that the role&#8217;s expanding scope is itself becoming a corporate risk.<\/div>\n<ul class=\"index-list\">\n<li>22. Your CISO is becoming a safety architect (whether they know it or not) \u2014 SC Media<\/li>\n<\/ul>\n<h3>Cluster 6 \u2014 Foundational: leadership, governance &amp; resilience<\/h3>\n<div class=\"cluster-intro\">The working library this week: how CIOs and CISOs lead together, the credit-rating consequences of weak AI governance, the inevitability of critical-infrastructure disruption per CISA&#8217;s acting chief, the Munich Re view on insurance scrutiny, the AI-adoption\/incident correlation, the Cambridge warning on CISO role risk, and the new CISA SASE-for-zero-trust guidance.<\/div>\n<ul class=\"index-list\">\n<li>23. Turning tension into collaboration: how CIOs and CISOs can lead together \u2014 Cybersecurity Dive (Gartner)<\/li>\n<li>24. Without strong governance, companies put credit ratings at risk in AI era (S&amp;P) \u2014 Cybersecurity Dive<\/li>\n<li>25. Major critical-infrastructure disruptions are inevitable, acting CISA chief says \u2014 Cybersecurity Dive<\/li>\n<li>26. Cyber-insurance policyholders face heavier underwriting scrutiny (Munich Re) \u2014 Cybersecurity Dive<\/li>\n<li>27. AI adoption correlates with incident frequency \u2014 governance gap (Jamf) \u2014 Cybersecurity Dive<\/li>\n<li>28. Report: growing CISO role poses risks for companies (Cambridge) \u2014 Univ. of Cambridge JBS<\/li>\n<li>29. New CISA guide helps agencies adopt SASE for zero trust \u2014 Infosecurity Magazine<\/li>\n<\/ul>\n<p>            <!-- Detailed write-ups --><\/p>\n<h2>Detailed write-ups<\/h2>\n<div class=\"article\">\n<h4>1. Trump sets post-quantum cryptography deadlines (EO 14412)<\/h4>\n<p class=\"meta\">Cybersecurity Dive &middot; June 23, 2026<\/p>\n<p>An executive order setting firm post-quantum cryptography deadlines converts cryptographic migration from a long-horizon research conversation into a dated obligation. For CISOs, the immediate consequence is that &#8220;harvest now, decrypt later&#8221; exposure \u2014 adversaries collecting encrypted traffic today to break once a cryptographically relevant quantum computer exists \u2014 now has a federal timeline against which your own migration plan will be measured. The practical first move is a cryptographic inventory: knowing where and how your organization uses asymmetric cryptography, in which systems, and with which third parties, is the prerequisite to any migration plan. Even organizations outside the federal scope should treat the EO deadlines as the external benchmark auditors and boards will reference, because federal cryptographic timelines historically become the de facto industry standard.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.cybersecuritydive.com\/news\/quantum-cryptography-white-house-executive-order\/823530\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cybersecuritydive.com\/news\/quantum-cryptography-white-house-executive-order\/823530\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybersecurity Dive<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>2. UK government: cyber resilience starts in the boardroom<\/h4>\n<p class=\"meta\">Intelligent CISO &middot; June 24, 2026<\/p>\n<p>The UK government has sent a deliberate message that cyber resilience is a boardroom responsibility, not a function to be delegated downward and forgotten until an incident. For CISOs, this is the policy tailwind that makes board engagement easier to demand rather than request \u2014 when the government locates accountability with directors, the CISO&#8217;s ask for board time and decision authority stops being a personal campaign and becomes alignment with regulatory expectation. The strategic read is to use this framing to formalize the board&#8217;s role in cyber-risk decisions: documented risk appetite, named accountability, and a reporting cadence the directors own. The organizations that get ahead of this treat board-level cyber accountability as a governance structure to build now, not a liability to discover later.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.intelligentciso.com\/2026\/06\/24\/the-uk-government-has-sent-a-clear-message-cyber-resilience-starts-in-the-boardroom\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.intelligentciso.com\/2026\/06\/24\/the-uk-government-has-sent-a-clear-message-cyber-resilience-starts-in-the-boardroom\/\" style=\"color:#1d4ed8;text-decoration:none;\">Intelligent CISO<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>3. Proposed US law would make AI risk reporting a legal obligation<\/h4>\n<p class=\"meta\">CSO Online &middot; June 24, 2026<\/p>\n<p>A proposed US law would turn AI risk reporting from a governance best practice into a legal obligation \u2014 a shift that, if enacted, would materially change the liability calculus around AI deployment. The significance for CISOs is that statutory reporting duties create documentary requirements and personal-liability exposure that voluntary frameworks do not: once a disclosure is legally mandated, the failure to make it, or the making of an inaccurate one, becomes an enforceable failing rather than a missed best practice. The prudent response is to build AI risk-reporting capability now, on the assumption that the requirement is coming in some form \u2014 inventory of AI systems, documented risk assessments, and a reporting process that can withstand legal scrutiny. Reading this alongside the post-quantum EO and the UK boardroom message, the pattern is unmistakable: the soft expectations of recent years are hardening into hard duties.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.csoonline.com\/article\/4189908\/proposed-us-law-would-make-ai-risk-reporting-a-legal-obligation.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.csoonline.com\/article\/4189908\/proposed-us-law-would-make-ai-risk-reporting-a-legal-obligation.html\" style=\"color:#1d4ed8;text-decoration:none;\">CSO Online<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>4. Five Eyes warn AI-fueled threats need urgent action<\/h4>\n<p class=\"meta\">Cybersecurity Dive &middot; June 23, 2026<\/p>\n<p>A joint Five Eyes warning that AI-fueled threats \u2014 including the misuse of frontier models \u2014 require urgent action is the kind of intelligence-community signal that belongs directly in board reporting. When the security services of five allied nations align on a public warning framed for leadership rather than practitioners, it carries weight that a vendor threat report does not, and it gives a CISO an authoritative reference point for resource conversations. The practical takeaway is that frontier-model misuse is no longer a speculative future risk; the alliance is telling boards it is a present one. For security leaders, the move is to translate the warning into a concrete posture question \u2014 where could AI-accelerated attacks hit us first, and what would slow them \u2014 rather than letting it sit as ambient alarm. Pair it with the ReliaQuest data below for the operational mechanics behind the warning.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.cybersecuritydive.com\/news\/ai-cyberattacks-five-eyes-frontier-models-warning\/823526\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cybersecuritydive.com\/news\/ai-cyberattacks-five-eyes-frontier-models-warning\/823526\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybersecurity Dive<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>5. AI is making attacks cheaper, faster and more covert<\/h4>\n<p class=\"meta\">Infosecurity Magazine &middot; June 24, 2026<\/p>\n<p>ReliaQuest&#8217;s analysis supplies the operational detail behind the Five Eyes warning: AI is lowering the cost of attacks, compressing the time from access to impact, and making intrusions more covert. For a CISO, the &#8220;cheaper&#8221; line matters most strategically \u2014 when the marginal cost of a competent attack drops, the population of viable attackers expands, and organizations that were previously below the threshold of being worth targeting move into range. The &#8220;faster&#8221; and &#8220;more covert&#8221; dimensions then attack the defender&#8217;s core advantage: detection and response time. The implication for the security program is that controls optimized for a slower, costlier adversary may be calibrated to a threat model that no longer holds, and that mean-time-to-detect is now competing against an attacker who has accelerated. This is the data to cite when arguing that detection investment cannot stand still.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.infosecurity-magazine.com\/news\/ai-attacks-cheaper-faster-covert\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/ai-attacks-cheaper-faster-covert\/\" style=\"color:#1d4ed8;text-decoration:none;\">Infosecurity Magazine<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>6. After Fable 5 ban, Anthropic + 19 orgs launch open-source security body (Akrites)<\/h4>\n<p class=\"meta\">The New Stack &middot; June 2026<\/p>\n<p>Following the Fable 5 ban, Anthropic and 19 organizations have launched Akrites, an open-source vulnerability-coordination body \u2014 a genuinely institutional response to the coordination problem that the open-source supply chain has long struggled with. For CISOs, the significance is less about any single vulnerability and more about the emergence of a shared mechanism for disclosure and remediation across the OSS ecosystem that most enterprise software depends on. A coordination body backed by a frontier-model developer and nineteen organizations signals that vulnerability coordination is being treated as critical infrastructure for the software supply chain, not a volunteer side project. The watch item is governance: whether Akrites becomes a durable, trusted clearinghouse or another body competing for the same maintainers&#8217; attention will determine how much weight a CISO can place on it in supply-chain risk planning.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/thenewstack.io\/akrites-open-source-vulnerability-coordination\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/thenewstack.io\/akrites-open-source-vulnerability-coordination\/\" style=\"color:#1d4ed8;text-decoration:none;\">The New Stack<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>7. As cyber risk evolves, the insurance industry tightens guardrails<\/h4>\n<p class=\"meta\">Cybersecurity Dive &middot; June 25, 2026<\/p>\n<p>As cyber risk evolves, the insurance industry is tightening its guardrails \u2014 narrowing coverage, sharpening underwriting questions, and raising the bar on the controls a policyholder must demonstrate. For CISOs, the practical consequence is that the renewal conversation is once again becoming a controls audit rather than a price negotiation: the questions an underwriter asks about MFA enforcement, backup integrity, and incident response are increasingly the same questions a denied claim will later hinge on. The strategic read is to treat the insurer&#8217;s evolving requirements as a free external benchmark of what &#8220;reasonable security&#8221; looks like in the current threat environment, and to close the gaps before renewal rather than discover them at claim time. A policy that looks affordable can still be thin where it matters, and the carve-outs are where attention belongs.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.cybersecuritydive.com\/news\/cyber-risk-insurance-industry-guardrails\/823762\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cybersecuritydive.com\/news\/cyber-risk-insurance-industry-guardrails\/823762\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybersecurity Dive<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>8. The next office power struggle: AI tokens<\/h4>\n<p class=\"meta\">Business Insider &middot; June 2026<\/p>\n<p>Business Insider frames an emerging organizational tension: AI token budgets are becoming a new axis of office power, with usage caps and spending limits shaping who can do what. For CISOs and the leaders they work alongside, this matters because token economics are quietly becoming a governance surface \u2014 when access to AI capability is rationed by budget, employees route around the limits, which is precisely how shadow AI proliferates. The strategic implication is that AI cost controls and AI security controls are converging: a token budget that is too tight pushes power users toward unsanctioned tools, while one set without governance invites uncontrolled data flows. The leaders managing this well are treating token allocation as a policy question with security consequences, not merely a line-item cost to minimize. Read alongside the hidden-cost-of-AI-coding piece for the human side of the same shift.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.businessinsider.com\/ai-token-economy-spending-workplace-budgets-usage-caps-software-engineer-2026-6\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.businessinsider.com\/ai-token-economy-spending-workplace-budgets-usage-caps-software-engineer-2026-6\" style=\"color:#1d4ed8;text-decoration:none;\">Business Insider<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>9. Rewire or rebuild? The AI decision every CIO needs to get right<\/h4>\n<p class=\"meta\">CIO.com &middot; June 2026<\/p>\n<p>The rewire-or-rebuild question \u2014 whether to graft AI capability onto existing systems or rebuild around it \u2014 is the architecture decision that will shape an organization&#8217;s risk posture for years, and it is one the CISO should be in the room for. The security stakes are real: rewiring tends to layer AI onto systems that were never designed with model behavior, data flows, or agent identity in mind, while rebuilding offers the chance to design governance in but carries migration and continuity risk. For CISOs, the contribution is to make the security implications of each path explicit before the decision is made rather than inheriting them afterward. The piece is worth reading not for a verdict but for the framing it gives a security leader to insert risk considerations into a decision that is too often treated as purely a technology-strategy call.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.cio.com\/article\/4187993\/rewire-or-rebuild-the-ai-decision-every-cio-needs-to-get-right.html\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cio.com\/article\/4187993\/rewire-or-rebuild-the-ai-decision-every-cio-needs-to-get-right.html\" style=\"color:#1d4ed8;text-decoration:none;\">CIO.com<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>10. Your CISO is becoming a safety architect (whether they know it or not)<\/h4>\n<p class=\"meta\">SC Media &middot; June 25, 2026<\/p>\n<p>This perspective piece argues that the CISO role is quietly expanding into safety architecture \u2014 responsibility not just for confidentiality, integrity, and availability, but for the safe behavior of AI systems that can take consequential actions. The framing is worth taking seriously because it names a scope creep that is already happening: as organizations deploy agents and AI-driven automation, the question of whether a system will behave safely is landing on the security leader&#8217;s desk by default, often without the mandate or resources to match. For CISOs, the strategic value is in making the expansion explicit rather than absorbing it silently \u2014 if the role now includes AI safety, that should be reflected in remit, budget, and reporting lines. Read with the Cambridge report on CISO role risk for the organizational counterpoint: an expanding role without matching authority is itself a liability.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.scworld.com\/perspective\/your-ciso-is-becoming-a-safety-architect-whether-they-know-it-or-not\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.scworld.com\/perspective\/your-ciso-is-becoming-a-safety-architect-whether-they-know-it-or-not\" style=\"color:#1d4ed8;text-decoration:none;\">SC Media<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>11. Report: growing CISO role poses risks for companies (Cambridge)<\/h4>\n<p class=\"meta\">University of Cambridge JBS &middot; June 2026<\/p>\n<p>A University of Cambridge Judge Business School report makes a counterintuitive but important argument: the expanding scope of the CISO role poses its own risk to companies. The logic is organizational rather than technical \u2014 when a single role accumulates responsibility for security, AI safety, compliance, resilience, and increasingly board-level risk translation, the concentration creates single-point-of-failure dynamics, role overload, and accountability that outpaces actual authority. For boards and CISOs alike, the finding is a prompt to examine whether the role&#8217;s remit has grown beyond what one person and one team can credibly own, and whether responsibilities should be distributed or the role&#8217;s authority and resourcing expanded to match its scope. It is the structural counterweight to the &#8220;safety architect&#8221; piece: more responsibility without more mandate is not promotion, it is exposure.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.jbs.cam.ac.uk\/2026\/report-growing-ciso-role-poses-risks-for-companies\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.jbs.cam.ac.uk\/2026\/report-growing-ciso-role-poses-risks-for-companies\/\" style=\"color:#1d4ed8;text-decoration:none;\">University of Cambridge JBS<\/a><\/p>\n<\/p><\/div>\n<div class=\"article\">\n<h4>12. Ransomware attacks grew in 2025 as traditional breaches fell<\/h4>\n<p class=\"meta\">Cybersecurity Dive &middot; June 24, 2026<\/p>\n<p>Bitsight data shows ransomware attacks grew through 2025 even as traditional data breaches declined \u2014 a divergence worth carrying into board risk discussions because it signals where attacker economics are concentrating. The strategic read is that adversaries are favoring the model with the most reliable payout: encryption-and-extortion against operational systems rather than quiet data exfiltration. For CISOs, that reweights priorities toward the controls that blunt ransomware specifically \u2014 backup integrity and tested recovery, segmentation that limits blast radius, and rapid detection of the lateral movement that precedes encryption. The falling traditional-breach line should not be read as improving security overall; it more likely reflects attackers reallocating effort to the higher-yield play. Pair it with the European ransomware-increase report below for the regional dimension of the same trend.<\/p>\n<p>              <a class=\"button\" href=\"https:\/\/www.cybersecuritydive.com\/news\/ransomware-data-breaches-ai-bitsight\/823649\/\">Read the article<\/a><\/p>\n<p style=\"font-size:13px;color:#6b7280;margin-top:6px;\">Sources: <a href=\"https:\/\/www.cybersecuritydive.com\/news\/ransomware-data-breaches-ai-bitsight\/823649\/\" style=\"color:#1d4ed8;text-decoration:none;\">Cybersecurity Dive<\/a><\/p>\n<\/p><\/div>\n<p>            <!-- Watch list --><\/p>\n<div class=\"watchlist\">\n<h2>On our watch list<\/h2>\n<ul>\n<li><strong>Post-quantum deadlines turning into audit questions.<\/strong> With the EO setting firm PQC timelines, watching how fast &#8220;are you aligned to the post-quantum migration schedule?&#8221; becomes a standard board and auditor question \u2014 and whether crypto-inventory tooling matures fast enough to answer it.<\/li>\n<li><strong>AI risk reporting moving from bill to law.<\/strong> The proposed US AI risk-reporting obligation is the leading indicator; watching whether it advances, what disclosure format it mandates, and how it interacts with the UK boardroom-resilience push and existing state AI laws.<\/li>\n<li><strong>Akrites credibility.<\/strong> The new Anthropic-backed open-source vulnerability-coordination body has institutional weight at launch; watching whether it earns durable trust as a clearinghouse or fragments the coordination landscape further \u2014 and how much enterprises can lean on it for supply-chain assurance.<\/li>\n<li><strong>Insurance guardrails resetting the controls baseline.<\/strong> As carriers tighten underwriting and widen exclusions, watching whether their evolving requirements become the de facto definition of &#8220;reasonable security&#8221; that regulators and litigants reference after an incident.<\/li>\n<\/ul><\/div>\n<\/td>\n<\/tr>\n<p>        <!-- Footer --><\/p>\n<tr>\n<td class=\"footer\">\n<p class=\"brand\">The CISO Brief<\/p>\n<p>A weekly intelligence bulletin from Security Radar LLC.<br \/>\n            Curated by Paul Davis &middot; <a href=\"mailto:paul.davis@security-radar.com\">paul.davis@security-radar.com<\/a><\/p>\n<p>&copy; 2026 Security Radar LLC. All rights reserved.<\/p>\n<p>Article titles and summaries are excerpted for review and commentary; all linked articles remain the copyright of their respective publishers and authors.<\/p>\n<p>*|LIST:ADDRESS|*<\/p>\n<p><a href=\"*|ARCHIVE|*\">View this email in your browser<\/a> &middot; <a href=\"*|UNSUB|*\">Unsubscribe<\/a><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>June 28, 2026 &middot; Weekly Edition The CISO Brief Strategic intelligence for security leaders \u2014 board reporting, regulatory shifts, AI governance, and the changing economics of the CISO seat. At a glance This week the regulatory perimeter moved on three fronts at once, and it moved fast. The White House&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,12,42],"tags":[],"class_list":["post-5351","post","type-post","status-publish","format-standard","hentry","category-editorial","category-regulations","category-security-industry-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5351"}],"version-history":[{"count":0,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/5351\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}