Quote for the day:
"To get a feel for the true essence of leadership, assume everyone who works for you is a volunteer." -- Kouzes and Posner
CISOs Are Now AI Guardians of the Enterprise
CISOs are managing risk, talent and digital resilience that underpins critical
business outcomes - a reality that demands new approaches to leadership and
execution. Security leaders are quantifying and communicating ROI to executive
leadership, developing the next generation of cybersecurity talent, and
responsibly deploying emerging technologies - including generative and agentic
AI ... While CISOs approach AI with cautious optimism, 86% fear agentic AI will
increase the sophistication of social engineering attacks and 82% worry it will
increase deployment speed and complexity of persistence mechanisms. "This is
happening primarily because AI accelerates existing weaknesses in how
organizations understand and control their data. The solution to both is not
more tools, but [to implement] a strong and well-understood data governance
model across the organization," said Kim Larsen, group CISO at Keepit. ...
Despite the rise of AI, CISOs know that human intelligence and judgement
supersede even the most intelligent tools, because of their ability to
understand context. Their primary strategies include upskilling current
workforces, hiring new full-time employees and engaging contractors, especially
for nuanced tasks like threat hunting. "AI risk management, cloud security
architecture, automation skills and the ability to secure AI-driven systems will
be far more valuable in senior cybersecurity hires in 2026 than they were three
years ago," said Latesh NairThe right way to architect modern web applications
A single modern SaaS platform often contains wildly different workloads.
Public-facing landing pages and documentation demand fast first contentful
paint, predictable SEO behavior, and aggressive caching. Authenticated
dashboards, on the other hand, may involve real-time data, complex client-side
interactions, and long-lived state where a server round trip for every UI change
would be unacceptable. Trying to force a single rendering strategy across all of
that introduces what many teams eventually recognize as architectural friction.
... Modern server-rendered applications behave very differently. The initial
HTML is often just a starting point. It is “hydrated,” enhanced, and kept alive
by client-side logic that takes over after the first render. The server no
longer owns the full interaction loop, but it hasn’t disappeared either. ...
Data volatility matters. Content that changes once a week behaves very
differently from real-time, personalized data streams. Performance budgets
matter too. In an e-commerce flow, a 100-millisecond delay can translate
directly into lost revenue. In an internal admin tool, the same delay may be
irrelevant. Operational reality plays a role as well. Some teams can comfortably
run and observe a fleet of SSR servers. Others are better served by static-first
or serverless approaches simply because that’s what their headcount and
expertise can support. ... When something breaks, the hardest part is often
figuring out where it broke. This is where staged architectures show a real
advantage.
Safeguarding biometric data through anonymization
Biometric anonymization refers to a range of approaches that remove Personally
Identifiable Information (PII) from biometric data so that an individual can no
longer be identified from the data alone. If, after anonymization, the retained
data or template can still perform its required function, then we have
successfully removed the risk of the identifiers being compromised. An
anonymized biometric template in the wrong hands then has no meaningful value,
as it can’t be used to identify the individual from whom it originated. As a
result, there is great interest in anonymization approaches that can meet the
needs of different business applications. ... While biometrics deliver
significant value across a wide range of use cases, safeguarding data privacy
and meeting regulatory obligations remain top priorities for most organizations.
Biometric anonymization can help reduce risk by limiting the exposure of
sensitive personal data. Taken together, anonymization approaches address
different dimensions of risk – from inference and reporting exposure to
vulnerabilities at the template level. They are not one-size-fits-all solutions.
Organizations must evaluate which method aligns with their functional
requirements, risk tolerance, and compliance obligations, while ensuring that
only the minimum necessary personal data is retained for the intended purpose.
Anonymization is no longer a peripheral consideration.
Security leaders must regain control of vendor risk, says Vanta’s risk and compliance director
The rise of AI technologies has made vendor networks increasingly harder to manage. Shadow supply chains (untracked vendor networks), fast-moving subcontracting, model updates, data-sharing and embedded tooling all compound the complexities. Particularly for large enterprises with a network of tens of thousands of suppliers or more, traditional vendor management relying on legacy infrastructure and manual operations is no longer adequate. This is where the Cyber Security and Resilience Bill comes in, forcing a shift toward continuous monitoring which should match the speed of AI threats. ... By implementing evidence-led reporting templates, automated control validation, and continuous monitoring of supplier security posture, businesses can provide the board with real-time assurance, not point-in-time attestations. This approach demonstrates that systemic supplier risk is actively managed without diverting disproportionate time away from frontline threat detection and response. At an operational level, leaders shouldn’t wait for the bill to be finalised to find out who their ‘critical suppliers’ are. ... Upcoming changes to the bill will likely encourage tighter contractual obligations. Businesses should get ahead of this mandate and implement measures such as incident notification service-level agreements, rights-to-audit and evidence provisions, continuous monitoring, and Software bill of Materials.Inspiration And Aspiration: Why Feel-Good Leadership Rarely Changes Outcomes
Inspiration is fancy. It makes ideas feel noble, futures feel possible and
leadership feel virtuous—all without demanding immediate action or sacrifice. We
feel moved, aligned and temporarily elevated. It’s a dream we see others have
achieved through their actions. Aspiration is different. It is inconvenient.
It’s our own dream, our desire to see ourselves in a certain spot or a way in
the future. It requires disproportionate effort, new skills and a willingness to
confront the uncomfortable gap between who we are today and who we say we want
to become. ... That gap between intent and impact was uncomfortable. I told
myself "I can't" and then took a step back, which was the easiest thing to do.
What I realized is this: Aspiration without action becomes self-deception.
Inspiration without action becomes mere admiration. And leadership that relies
on either one eventually stagnates. Real change happens only when inspiration
and aspiration move together, dance together—not sequentially, not occasionally,
but in constant unison. ... Belief does not close gaps; capability and capacity
do. Until the distance between intention and reality is acknowledged, effort
will always be miscalculated. This gap should evoke and cement commitment,
rather than creating drag. One needs to be very careful at this stage, as most
people stop here. We may get inspired by mountaineers climbing Everest, but when
we do a mental assessment about ourselves, we assume we are incapable of the
task of bridging the gap, and we take a step back.
Most Organizations Plan Strategically. Few Manage It That Way
The report segments respondents into two categories: “Dynamic Planners,” characterized by frequent review cycles, cross-functional integration, high portfolio visibility, and active use of scenario planning; and “Plodders,” defined by siloed operations, infrequent reassessment, and limited real-time visibility into execution data. The performance difference between them is sharp enough to be operationally relevant. Eighty-one percent of Planners’ projects deliver measurable ROI or strategic value. Among Plodders, that figure is 45%. That’s a 36-point spread. That’s not measuring financial metrics; it’s about whether projects are doing what they were supposed to do. The survey also found that 30% of projects are not delivering meaningful ROI or strategic value. That leaves nearly one in three funded initiatives operating at levels ranging from marginal to counterproductive. ... Over a third of projects across the survey population are stopped early due to misalignment or insufficient ROI. The report treats this not as a problem to fix but as a sign of mature portfolio management. Chynoweth frames it in capital terms: “Cancellation is not failure. It’s disciplined capital allocation.” Most enterprises reward launch momentum, delivery against plan, and continuation of funded initiatives. Budget cycles create sunk-cost inertia. Career incentives favor project sponsors who ship, not those who cancel.Malicious insider threats outpace negligence in Australia
John Taylor, Mimecast's Field Chief Technical Officer for APAC, said
organisations are seeing more cases where insiders are used to bypass
established security controls. "We're seeing a concerning acceleration in
malicious insider threats across Australia. While negligence has traditionally
been the primary insider concern, intentional betrayal is now growing at a
faster rate. ..." The report described AI as a factor that can increase the
speed and scale of attacks, citing more convincing social engineering messages
and automated reconnaissance. It also raised the prospect of AI being used to
help recruit insiders. Taylor said older assumptions about a clear boundary
between internal and external users no longer match how organisations operate,
particularly with distributed workforces and widespread cloud adoption. ...
Governance and compliance over communications data emerged as another concern.
Mimecast found 91% of Australian organisations face challenges maintaining
governance and compliance across communications data, and 53% lack confidence in
quickly locating data to meet regulatory or legal requirements. These issues can
slow incident response by delaying investigations and limiting the ability to
reconstruct timelines across messaging platforms, email, and file stores. They
can also increase risk during regulatory inquiries when organisations must
produce relevant records quickly. Taylor said visibility is central to improving
governance, culture, and response.
AI fatigue is real and it’s time for leaders to close the organizational gap
AI has been pitched as the next great accelerant of productivity. But inside
many enterprises, teams are still recovering from years’ worth of transformation
programs—cloud migrations, ERP upgrades, data modernization. Adding AI to an
already overloaded change agenda can feel less like innovation and more like yet
another disruption to absorb. The result is a predictable backlash. Tools in the
industry are dismissed as “just another license”. Expectations are sky high;
lived experience is often underwhelming. And when the novelty wears off,
employees revert to old behavior fast. ... A pervasive misconception is that
adopting AI is mostly about selecting and deploying the right technology. But
tooling alone doesn’t redesign workflows. It doesn’t train employees. It doesn’t
embed new decision making patterns. Some of the highest spending organizations
are seeing the least value from AI precisely because investment has been
concentrated at the technology layer rather than the organizational one. Without
true operational change, AI tools risk becoming surface level enhancements
rather than business accelerators. ... AI is not a spectator sport. Employees
must understand how to use it, when to trust it, and how it adds value to their
role. Organizations that invest early in skills from prompting to automation
design will see dramatically higher adoption rates. The companies scaling
fastest are those that build internal capability, not dependency on a small
number of specialists.
Measuring What Matters in Large Language Model Performance
The study is timely, as LLM innovation increasingly targets skills and traits
that are difficult to benchmark. “There’s been a shift towards testing AI
systems for more complex capabilities like reasoning, helpfulness, and safety,
which are very hard to measure,” said Rocher. “We wanted to look at whether
evaluations are doing a good job capturing these sorts of skills.” Historically,
AI innovators focused on equipping programs with easy-to-measure skills, like
the ability to play chess and other strategy games. Today’s general-purpose
LLMs, including popular models like ChatGPT, feature more flexible, open-ended
strengths and traits. These attributes are notoriously difficult to
operationalize, or to define in a way that’s precise enough to work in AI
program measurement but broad enough to encompass the many different ways that
the attribute might show up in the real world. Reasoning is one such skill.
While most people are able to tell what counts as good or bad reasoning on a
case-by-case basis, it’s not easy to describe reasoning in general terms. ...
Towards this end, “Measuring what Matters” includes a set of guidelines to
promote precision, thoroughness, rigor, and transparency in benchmark
development. The first two recommendations, “define the phenomenon” and “measure
the phenomenon and only the phenomenon,” encourage benchmark authors to be
direct and specific as they define their target phenomena.
