Quote for the day:
"Practice chaos, not just success" -- Madelyn Villamizar
Healthcare leaders see a fatal cyber incident as inevitable
Healthcare practices face real vulnerabilities because they rely heavily on
outside partners for critical operations like electronic records, telehealth,
and billing. According to a recent industry report, most practices have
experienced operational disruptions stemming from these vendor relationships
over the past year. While healthcare leaders often trust these external
companies, many admit they do not closely monitor their network connections,
leaving systems exposed to targeted attacks. As the danger grows, a rising
number of healthcare executives believe a fatal cyber incident is inevitable
within the next five years. Despite this shared awareness, preparation remains
largely inadequate. Many organizations lack basic incident response plans and
continue to view cybersecurity simply as a technical expense rather than a
core leadership responsibility. To fix these vulnerabilities, successful
practices are changing their approach. They are moving security discussions
out of the IT department and directly into the boardroom. With stricter
compliance rules taking effect in 2026 and artificial intelligence becoming
common in daily routines, treating security, compliance, and operations as one
fully managed program is essential. Taking this steady, unified approach keeps
practices running smoothly, protects sensitive data, and ultimately ensures
patient safety remains the top priority.
AI fraud drives banks toward biometric identity defenses
The banking sector is rapidly accelerating its investment in biometric
identity defenses as artificial intelligence-driven fraud, such as deepfakes
and synthetic identities, grows increasingly sophisticated. A recent industry
survey indicates that a vast majority of banking executives anticipate major
disruptions from artificial intelligence over the next few years, prompting 84
percent of them to boost their cybersecurity budgets specifically to address
these emerging threats. With fraud tactics evolving from simple credential
theft to complex attacks that bypass standard security cameras with
pre-generated media, traditional static defenses are no longer sufficient.
Consequently, industry leaders are shifting toward layered security approaches
that combine device analysis, behavioral risk scoring, and continuous
biometric verification. Currently, about one-third of banks use biometric
tools for access and payments, but nearly three-quarters plan to integrate
this technology within three years. Major financial institutions and security
vendors advocate for a proactive culture of vigilance, deploying adaptive
authentication tools that verify human identity across every interaction
point. Ultimately, securing financial systems now requires dynamic,
multi-faceted identity solutions to outpace the commercialization of fraud
services and protect consumers against modern synthetic identity theft.
GRC is broken. FedRAMP 20x might fix it
Governance, risk, and compliance practices have gradually lost touch with
operational reality, often prioritizing documentation over actual security.
Many current compliance models rely on manual sampling and static evidence to
tell a flawless, polished story. This approach produces clean reports and
perfect policies, but it frequently fails to reflect the messy truth of an
organization's actual environment. Because the technology landscape has
evolved rapidly, these outdated assurance methods no longer provide meaningful
guarantees of trust or safety. The upcoming FedRAMP 20x framework represents a
necessary shift away from this storytelling approach. Instead of relying on
manual snapshots and curated samples, FedRAMP 20x pushes the industry toward a
model based on continuous validation and engineering principles. By leveraging
automation, direct system telemetry, APIs, and machine-readable evidence, the
framework aims to assess entire datasets rather than isolated parts. This
shift toward engineering-led compliance fundamentally changes how we measure
trust. It replaces static, paperwork-heavy exercises with dynamic, automated
insights that reflect the actual state of a system. Ultimately, FedRAMP 20x
grounds compliance in operational truth, ensuring that security assessments
reflect reality rather than just a well-crafted narrative.
Attestation in Cybersecurity: Types, Uses & Best Practices
Attestation in cybersecurity is a fundamental process that allows a system to
prove its integrity, configuration, and operational state to another entity.
By generating verifiable evidence, organizations can build trust across
distributed environments, software supply chains, and connected devices
without relying on blind faith. The process involves an attester that securely
collects system data, a verifier that evaluates this evidence against trusted
baselines, and a relying party that makes access decisions based on the
outcome. This approach is becoming critical for regulatory compliance, such as
the Cyber Resilience Act, which increasingly demands concrete proof of
security rather than basic self-reporting. To implement attestation
effectively, organizations should adopt a risk-based strategy that targets
critical assets and high-risk lifecycle stages. Best practices include
automating attestation within continuous integration and deployment pipelines,
using cryptographic signatures to prevent tampering, and requiring concrete
evidence like hardware-backed measurements rather than vague assumptions.
Furthermore, aligning attestation checks with software bills of materials and
vulnerability management provides a clearer picture of system health.
Ultimately, transitioning from manual self-attestation to automated,
verifiable proof helps organizations maintain rigorous security standards and
ensure components remain uncompromised from development to deployment.
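The attester, verifier and relying-party roles described above, worked through as a small added example (not code from the article or from any attestation product). The verifier issues a fresh nonce, the attester returns measurements bound to that nonce, and the verifier checks authenticity and freshness before comparing every measurement with a trusted baseline. Assumptions: the component names and baseline digests are constructed, and an HMAC over a shared key stands in for the hardware-backed asymmetric signature a real attester would produce, so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: a real attester signs with a key held in a
# hardware root of trust (e.g. a TPM); HMAC is used here only so the example runs
# without third-party libraries.
ATTESTATION_KEY = b"constructed-demo-key-not-for-production"

# Constructed baseline: the SHA-256 measurements the verifier expects to see.
BASELINE = {
    "bootloader": hashlib.sha256(b"bootloader-v1").hexdigest(),
    "kernel": hashlib.sha256(b"kernel-6.1").hexdigest(),
    "config": hashlib.sha256(b"sshd PermitRootLogin no").hexdigest(),
}


def measure(component_blobs):
    """Attester side: hash each component's content to produce measurements."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in component_blobs.items()}


def attest(component_blobs, nonce, key=ATTESTATION_KEY):
    """Attester side: bind the measurements to the verifier's nonce and
    authenticate the evidence so it cannot be altered or replayed in transit."""
    evidence = {"nonce": nonce, "measurements": measure(component_blobs)}
    payload = json.dumps(evidence, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"evidence": evidence, "tag": tag}


def verify(report, expected_nonce, baseline=BASELINE, key=ATTESTATION_KEY):
    """Verifier side: check authenticity and freshness first, then compare every
    baseline component against what was measured. Returns (ok, reasons)."""
    payload = json.dumps(report["evidence"], sort_keys=True).encode()
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, report["tag"]):
        return False, ["evidence tag invalid"]
    if report["evidence"]["nonce"] != expected_nonce:
        return False, ["nonce mismatch (stale or replayed evidence)"]
    reasons = []
    measured = report["evidence"]["measurements"]
    for name, expected in baseline.items():
        actual = measured.get(name)
        if actual is None:
            reasons.append(f"{name}: measurement missing")
        elif actual != expected:
            reasons.append(f"{name}: measurement differs from baseline")
    return (not reasons), reasons


def relying_party_decision(ok, reasons):
    """Relying party: turn the verifier's appraisal into an access decision."""
    return "allow" if ok else "deny"


def run_attestation(component_blobs, baseline=BASELINE):
    """Full exchange: verifier issues a nonce, attester answers, verifier appraises,
    relying party decides. Returns (decision, reasons)."""
    nonce = secrets.token_hex(16)
    report = attest(component_blobs, nonce)
    ok, reasons = verify(report, nonce, baseline)
    return relying_party_decision(ok, reasons), reasons


if __name__ == "__main__":
    good = {"bootloader": b"bootloader-v1", "kernel": b"kernel-6.1",
            "config": b"sshd PermitRootLogin no"}
    print(run_attestation(good))
    print(run_attestation(dict(good, config=b"sshd PermitRootLogin yes")))
```

The order of checks matters: a tag failure or a nonce mismatch rejects the evidence before any measurement is compared, so a relayed or replayed report never reaches the baseline comparison, and every baseline component must be present, so a missing measurement is a failure rather than a silent pass.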
Why your cloud strategy is already out of date
Most cloud strategies are already out of date because they completely miss a
looming crisis in the software supply chain. Right now, companies are busy
moving away from major public cloud providers toward private or sovereign
clouds to cut costs and gain better control over their data. However, simply
changing where your servers live offers zero protection against a much larger
threat: artificial intelligence is now finding deep, complex vulnerabilities
in open-source software dependencies faster than human maintainers can ever
patch them. The traditional system of finding and fixing software bugs was
built for a slower era and is completely unprepared for this incoming volume
of automated threat discovery. Consequently, organizations must immediately
make supply chain security a core part of their cloud planning. This means
maintaining a precise, living inventory of all software components you use,
rather than treating it as a simple compliance checklist. Companies must also
press their vendors for clear backup plans when critical libraries go
unpatched. Finally, IT teams need to build the internal skills required to
copy and independently maintain abandoned projects to ensure their systems
remain secure when the wider ecosystem fails.
Behind the Scenes: Building Cross-Region Replication into Secret Management Service
The Oracle Cloud Infrastructure Secret Management Service recently introduced
a cross-region replication feature, allowing customers to duplicate sensitive
data, like passwords and API keys, across multiple geographic locations for
robust disaster recovery. Developing this feature required thoughtful
engineering to ensure system resilience without compromising existing
functionality. To achieve this, the team implemented an asynchronous message
queue that separates source region operations from target region health. If a
target region experiences an outage, source region updates continue smoothly,
and replication tasks are safely queued for later retry. Furthermore, the
system processes separate messages for each target region, meaning a failure
in one location will not hinder replication to others. To protect the broader
fleet from localized issues, the team instituted API versioning, which
prevents target regions from accepting unrecognized schema changes. They also
structured the update flow to prevent unexpected software faults from
spreading across regions by ensuring updates are fully processed locally
before replication begins. Finally, to manage the complexities of distributed
systems, sequence numbers are used to discard stale, out-of-order updates,
ensuring replicas always maintain the most current state.
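The resilience properties described above (local commit before replication, one queue per target region, retry on target outage, schema-version rejection and sequence-number discard of stale updates) modelled in a short added example; this is constructed illustration, not Oracle's code. The region names, secret identifiers and the schema-version constant are assumptions.

```python
from collections import deque

# Assumption: the API schema version that current targets understand.
SCHEMA_VERSION = 2


class TargetRegion:
    """Constructed model of a target region holding replicas of secrets."""

    def __init__(self, name, supported_schema=SCHEMA_VERSION):
        self.name = name
        self.supported_schema = supported_schema
        self.available = True
        self.replicas = {}  # secret_id -> {"seq": int, "value": str}

    def apply(self, msg):
        """Apply one replication message; returns a status string."""
        if not self.available:
            raise ConnectionError(f"{self.name} unavailable")
        if msg["schema"] != self.supported_schema:
            return "rejected-schema"   # API versioning: unknown schema is refused
        current = self.replicas.get(msg["secret_id"])
        if current is not None and msg["seq"] <= current["seq"]:
            return "discarded-stale"   # sequence number: out-of-order or duplicate
        self.replicas[msg["secret_id"]] = {"seq": msg["seq"], "value": msg["value"]}
        return "applied"


class SourceRegion:
    """Constructed model of the source region with one queue per target."""

    def __init__(self, targets):
        self.secrets = {}  # secret_id -> {"seq": int, "value": str}
        self.targets = {t.name: t for t in targets}
        self.queues = {t.name: deque() for t in targets}

    def update_secret(self, secret_id, value):
        """Commit locally first; replication is only enqueued afterwards, so a
        target outage can never fail or roll back the source write."""
        seq = self.secrets.get(secret_id, {"seq": 0})["seq"] + 1
        self.secrets[secret_id] = {"seq": seq, "value": value}
        msg = {"schema": SCHEMA_VERSION, "secret_id": secret_id, "seq": seq, "value": value}
        for q in self.queues.values():
            q.append(dict(msg))  # separate message per target region
        return seq

    def drain(self):
        """One worker pass: deliver each target's queue independently. Returns
        {target: [statuses]}; messages for an unreachable target stay queued and
        do not block delivery to the other targets."""
        results = {}
        for name, q in self.queues.items():
            statuses = []
            while q:
                msg = q[0]
                try:
                    statuses.append(self.targets[name].apply(msg))
                except ConnectionError:
                    statuses.append("retry-later")
                    break  # leave the message at the head for the next pass
                q.popleft()
            results[name] = statuses
        return results


if __name__ == "__main__":
    east, west = TargetRegion("east"), TargetRegion("west")
    src = SourceRegion([east, west])
    src.update_secret("db-pass", "v1")
    west.available = False
    src.update_secret("db-pass", "v2")
    print(src.drain())   # east applies both; west is retried later
    west.available = True
    print(src.drain())   # west catches up in order
```

Because every update carries the sequence number assigned at the source, a target that receives messages out of order (or twice, after a retry) keeps the newest state rather than the last-arriving one, and a target running an older schema rejects the message instead of storing something it cannot interpret.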
CTO Confidence in Scaling AI Falls for Third Straight Year
According to a recent Akkodis report, chief technology officers are growing
less confident in their ability to expand artificial intelligence across their
organizations. Confidence has dropped for the third consecutive year, falling
from eighty-two percent in 2024 to just forty-eight percent in 2026. While
many companies successfully run initial pilot programs, they struggle to
integrate these tools into existing operations. The main hurdles include
managing older computer systems, untangling disorganized data, and
establishing clear rules for oversight. Experts note that companies remain
stuck in the testing phase, incurring costs without seeing practical benefits.
Simply buying more software is not the answer; businesses must build a solid
foundation of reliable data and structured workflows. Currently, poor data
quality remains a significant barrier. When artificial intelligence relies on
messy or outdated records, it quickly amplifies mistakes across the
organization. Despite these growing pains, the overall goal of technology
investments is shifting. Instead of simply focusing on cutting costs or
improving speed, leaders are now using these tools to drive long-term growth
and create new products. Ultimately, expanding these systems requires reliable
data, transparent rules, and genuine trust from the employees who use them
daily.
How we approach cybersecurity risk management at Microsoft
Microsoft manages cybersecurity risk through a comprehensive, enterprise-wide
framework that blends structured governance, continuous lifecycle management,
and strict regulatory alignment. Central to this approach is the Cybersecurity
Governance Council, a cross-functional team led by the Chief Information
Security Officer, which meets twice weekly to assess emerging threats and
validate mitigation strategies. This model promotes a bidirectional flow of
information, ensuring that operational risks are elevated to senior leadership
and integrated into strategic enterprise decisions. The company employs a
four-stage risk management lifecycle: identification, assessment, mitigation,
and ongoing monitoring. Risks are logged into a centralized register
accessible to any employee or vendor with corporate access, fostering a
culture of proactive, democratized risk reporting. Domain experts then
evaluate these risks using structured criteria to assign ownership and track
remediation efforts. Furthermore, Microsoft actively aligns its practices with
global regulatory standards, including ISO 27001 and the NIST Cybersecurity
Framework, embedding compliance into its broader enterprise risk posture.
Ultimately, this scalable system goes beyond technical controls by empowering
individuals, enforcing clear accountability, and utilizing strategic
initiatives like the Secure Future Initiative to drive continuous improvement
across the organization.
Why developer trust is fragile (and how to build it)
Building trust with software developers is challenging but essential,
especially as artificial intelligence reshapes the technology landscape.
Sanjay Sarathy, an executive at Cloudinary, explains that developers are
naturally skeptical thinkers who evaluate tools critically. While they
enthusiastically adopt AI to improve their workflows, they rarely trust its
outputs blindly. To foster genuine allegiance, companies must view developer
trust as a foundational element rather than a secondary feature. One effective
strategy is offering meaningful free access to platforms, allowing developers
to experiment, recognize value, and build confidence before moving projects
into production. Additionally, providing technical support staffed by
knowledgeable peers is vital; developers respect support teams that understand
their specific language and challenges. As AI coding tools become more common,
organizations must also ensure their documentation and interfaces are easily
readable by AI models to minimize errors. Finally, clear and honest
communication is crucial. Companies should openly acknowledge the limitations
of their tools, avoid sudden changes to existing systems, and provide
reliable, backward-compatible updates. By delivering consistently and
respecting their time, companies can successfully earn the long-term trust and
loyalty of the developer community.
Making Windows a developer platform, again
Microsoft is actively improving Windows to make it a more appealing platform
for software developers by introducing tools that bridge the gap between
Windows and Linux environments. A key addition is Coreutils for Windows, a
package that brings standard Unix command-line utilities directly into the
Windows ecosystem. This eliminates the frustrating context switching
developers often face when moving between Windows and Linux systems, allowing
Unix scripts and commands to run smoothly on a Windows machine. Additionally,
Microsoft released Windows Developer Config, a tool designed to rapidly set up
a fully functional development computer. Using automation scripts, it installs
essential tools like Git, Visual Studio Code, and programming language support
while also configuring the Windows Subsystem for Linux. This setup mirrors the
environment of cloud-hosted development boxes but runs locally, making it
highly practical for developers dealing with slow or unreliable network
connections. The configuration tool ensures consistency across devices, saving
teams time and preventing environment drift. Together, these updates
demonstrate a clear effort to streamline daily workflows, providing software
engineers with a comfortable, unified, and highly customizable environment
right out of the box.