Insight No. 1 — Fixing threat actor names
Microsoft and CrowdStrike announced that they’ll work together on the headache of multiple names for the same threat actors. But what matters most is who did it (if we know), what they accessed and what’s being done about it. That’s what customers, media and leadership want to hear. What if, in the heat of a live incident response, the only thing slowing you down was trying to decipher whether "Storm-0530" was a new group or just another name for something you already knew? We spend valuable cycles on threat actor branding, an exercise largely irrelevant to immediate crisis management. The focus should always be on actionable intelligence: understanding the breach, assessing the damage and rapidly restoring operations.
Insight No. 2 — AI legal ownership problem
We're barreling into an AI future, but many CISOs are overlooking the elephant in the room: legal ownership of AI-generated content. Data provenance was already a nightmare. With AI, it's a fantasy. While some Large Language Models (LLMs) attempt attribution, it's often incomplete or impractical. The real long-term threat isn't just where the data came from, but who legally owns it and its derivatives. Businesses are moving forward, blindly accepting these profound, unresolved liabilities.
Insight No. 3 — CVSS scores are lying
It’s time to call out the dirty little secret of vulnerability management: Your default Common Vulnerability Scoring System (CVSS) scores are lying to you. We’re drowning engineers in a deluge of "critical" Common Vulnerabilities and Exposures (CVEs) from direct, transitive and environmental dependencies that rarely pose a true threat. This isn't just inefficient; it's actively harming our security posture by obscuring what genuinely matters. Risk prioritization isn't a suggestion; it's the only path out of this mess. CVSS is merely a starting point, not the definitive answer.
