<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Fri, 05 Jun 2026 05:08:37 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchsecurity</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;Hundreds of security leaders from across industries recently packed a ballroom in National Harbor, Md., to tackle a challenge some consider even more daunting than nation-state hackers or AI-fueled cyber threats: presenting to a company's board members so they understand and appreciate the formidable cybersecurity risks the organization faces.&lt;/p&gt; 
&lt;p&gt;"How many of you get excited when your annual car insurance premiums come up for renewal?" said Sam Olyaei, a managing vice president at Gartner, during the session at the Gartner Security and Risk Management Summit 2026. "That is how the board has viewed cybersecurity. It's a regulatory thing. It's a checklist. It's an attestation."&lt;/p&gt; 
&lt;p&gt;Ten years ago, according to Olyaei and Gartner analyst Tom Scholtz, only 25% of CISOs presented to their boards. A show of hands from session participants suggested nearly all do today. With &lt;a href="https://www.techtarget.com/searchsecurity/feature/10-biggest-data-breaches-in-history-and-how-to-prevent-them"&gt;major data breaches&lt;/a&gt; now often making headlines, the board's view of those presentations is also changing. According to Gartner, 93% of board members agree that cyber-risk poses a threat to shareholder value, while 98% believe threats will grow within the next two years. The challenge, according to Olyaei and Scholtz, is that executive boards don't share the same priorities as CISOs and rarely speak the same figurative language.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Know your audience"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Know your audience&lt;/h2&gt;
 &lt;p&gt;CISOs in attendance shared that they struggle to translate the abundance of &lt;a href="https://www.techtarget.com/searchdatamanagement/feature/Why-data-driven-operations-must-measure-data-culture"&gt;operational data&lt;/a&gt; into narratives that resonate with their boards. That problem stems from a common disconnect, according to the Gartner analysts.&lt;/p&gt;
 &lt;p&gt;"Many of the reports that I review are actually structured around cybersecurity, not around the business," Scholtz said. "When we talk about things in cybersecurity terms, we get very enthusiastic about it. My wife says, 'Normal people don’t get excited about that stuff.'"&lt;/p&gt;
 &lt;p&gt;Know your audience and consider what they can easily digest, Olyaei added. Otherwise, important messages get lost in translation.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Use financial reports as templates"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Use financial reports as templates&lt;/h2&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Many of the reports that I review are actually structured around cybersecurity, not around the business.
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;Tom Scholtz&lt;/strong&gt;Analyst, Gartner
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;CISOs should try using monthly or quarterly financial reports as templates for &lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-creating-a-cybersecurity-board-report"&gt;cybersecurity board reporting&lt;/a&gt;, the Gartner analysts suggested. Finance is the lexicon of the board, and a cybersecurity report that follows that structure makes intuitive sense to corporate directors.&lt;/p&gt;
 &lt;p&gt;Olyaei and Scholtz presented the following example:&lt;/p&gt;
 &lt;h3&gt;Balance sheet: Cybersecurity program's current state&lt;/h3&gt;
 &lt;p&gt;Analogous to a financial report's balance sheet, this section provides a point-in-time snapshot with easily digestible heat maps and logarithmic scales showing top cyber-risks and potential financial impact.&lt;/p&gt;
 &lt;p&gt;Program status is presented as the &lt;i&gt;state of execution&lt;/i&gt; against the approved strategy roadmap and the number of projects started, completed or overdue. The board sees the statuses of production-level agreements, such as patch cadence, incident containment time and incident remediation time. Through charts and graphics, this section also summarizes penetration tests, vulnerability assessments and audit findings.&lt;/p&gt;
 &lt;h3&gt;Income statement: Cybersecurity business performance&lt;/h3&gt;
 &lt;p&gt;Just as a financial report's income statement shows macro changes in business performance, this section does the same for cybersecurity. It communicates expected financial losses or improvements due to threats, automation, process changes, the regulatory environment or external trends.&lt;/p&gt;
 &lt;h3&gt;Cash flow statement: Cybersecurity resource allocation&lt;/h3&gt;
 &lt;p&gt;This section shows cybersecurity resource efficiencies for a given period of time, serving the same purpose as a cash flow statement. It provides visibility into performance against the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-budget-justification-A-guide-for-CISOs"&gt;cybersecurity budget&lt;/a&gt;, tracking expenses for staff, services, hardware and software by functional category. Boards can see benchmarks and trends, such as the number of full-time security staff members or the percentage of IT budgets dedicated to security.&lt;/p&gt;
 &lt;h3&gt;Narrative and notes&lt;/h3&gt;
 &lt;p&gt;Finally, the narrative section allows the CISO to summarize findings, provide context, offer more information, surface new issues and make any requests of the board.&lt;/p&gt;
&lt;/section&gt;             
&lt;section class="section main-article-chapter" data-menu-title="Position yourself as a business leader"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Position yourself as a business leader&lt;/h2&gt;
 &lt;p&gt;The Gartner analysts reminded conference attendees that a CISO, if lucky, will get only five to 10 minutes to present cybersecurity updates to the board.&lt;/p&gt;
 &lt;p&gt;As a best practice, they recommended selecting a stable, minimum set of indicators and metrics for each section that stays consistent across reports. Every data point should tell its own unique story within the context of the report section, the analysts stressed. Upon drafting the framework, circulate it among key leadership stakeholders.&lt;/p&gt;
 &lt;p&gt;Scholtz said that CISOs can gauge the success of this new reporting model by whether it does the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Generates positive responses and constructive feedback from the board.&lt;/li&gt; 
  &lt;li&gt;Gives the board the information needed to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-board-level-cybersecurity-oversight"&gt;oversee cybersecurity&lt;/a&gt; and make decisions more effectively.&lt;/li&gt; 
  &lt;li&gt;Reduces the number of awkward or stilted questions from board members.&lt;/li&gt; 
  &lt;li&gt;Increases support for proposed &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-calculate-cybersecurity-ROI-for-CEOs-and-boards"&gt;cybersecurity investments&lt;/a&gt; and governance requests.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;"There's a challenge in CISOs being looked at as technical leaders -- being looked at as technology first, business second," Olyaei said. "One of the unintended consequences of this framework is that it also elevates the profile of CISOs as [business] leaders."&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cybersecurity board reports don't always land. At the Security and Risk Management Summit 2026, Gartner analysts suggested a novel way to communicate cyber-risk to corporate directors.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/disaster_recovery_a78784722.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366643884/Lost-in-translation-Cybersecurity-board-reporting-for-CISOs</link>
            <pubDate>Wed, 03 Jun 2026 23:50:00 GMT</pubDate>
            <title>Lost in translation: Cybersecurity board reporting for CISOs</title>
        </item>
        <item>
            <body>&lt;p&gt;In today's enterprise, some degree of cyber-risk exposure is inevitable. CISOs must use limited resources to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Enterprise-risk-management-should-inform-cyber-risk-strategies"&gt;strategically address the most significant risks&lt;/a&gt;, in alignment with their organizations' &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-define-cyber-risk-appetite-as-a-security-leader"&gt;cyber-risk appetites&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;The easiest and fastest -- but also least reliably accurate -- way to &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-ways-to-achieve-a-risk-based-security-strategy"&gt;assess relative cyber-risk&lt;/a&gt; is qualitatively. A qualitative analysis uses subjective data, such as a rating of excellent, good, fair or poor; a rating from 1 to 5, where 1 is excellent and 5 is poor; or a rating of blue, green, yellow, orange or red, where blue is excellent and red is poor.&lt;/p&gt; 
&lt;p&gt;Quantitative risk analysis is more challenging but also generally more substantive and useful than qualitative analysis. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-benefits-and-best-practices"&gt;Cyber-risk quantification (CRQ)&lt;/a&gt; requires data that reflects reality as closely as possible and is objectively accurate, if not precise. For example, if the precise but unknown value is 63%, a range -- say, between 60% and 70% -- is imprecise yet accurate.&lt;/p&gt; 
&lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/tip/Using-the-FAIR-model-to-quantify-cyber-risk"&gt;Factor Analysis of Information Risk (FAIR) model&lt;/a&gt; is a widely respected, mathematically based open standard for CRQ that enables CISOs to translate cyber-risk into financial risk. One of the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-challenges-and-tools-that-can-help"&gt;biggest challenges of using the FAIR model&lt;/a&gt;, however, is that its analytical output is only as good as its data inputs -- and finding accurate data to feed the model is not always easy or intuitive.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Don't aim for certainty -- aim for less uncertainty"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Don't aim for certainty -- aim for less uncertainty&lt;/h2&gt;
 &lt;p&gt;According to the FAIR Institute, most FAIR analyses start with incomplete and imperfect data, which CISOs should not view as a barrier to success. Even without much or any empirical data, CRQ results can still be highly credible, useful and defensible -- if practitioners transparently and consistently document their sources, assumptions, estimations and confidence levels.&lt;/p&gt;
 &lt;p&gt;The organization also &lt;a target="_blank" href="https://www.fairinstitute.org/hubfs/FAIR%20CRM%20Body%20of%20Knowledge/FAIR%20Institute%20--%20Analysts%20Guide%20to%20Cyber%20Risk%20Data%20Sources%20(May%202025).pdf" rel="noopener"&gt;notes&lt;/a&gt; that the goal of CRQ is not to predict the future with certainty, but "to reduce uncertainty to a level that supports informed decision-making." With that in mind, informed, calibrated estimates -- based on structured interviews with internal or external subject matter experts (SMEs), for example -- can be as useful as empirical data.&lt;/p&gt;
 &lt;p&gt;In identifying data for a FAIR analysis, the goal is often to arrive at a reasonable range rather than a single data point. "There is literally nothing we will likely ever need to measure where our only bounds are negative infinity to positive infinity," CRQ expert Douglas Hubbard wrote in his book &lt;i&gt;How to Measure Anything: Finding the Value of "Intangibles" in Business.&lt;/i&gt;&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    There is literally nothing we will likely ever need to measure where our only bounds are negative infinity to positive infinity.
   &lt;/figure&gt;
   &lt;figcaption&gt;
    &lt;strong&gt;Douglas Hubbard&lt;/strong&gt;Owner, Hubbard Decision Research
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;In a FAIR Institute &lt;a target="_blank" href="https://www.fairinstitute.org/blog/no-data-no-problem" rel="noopener"&gt;blog post&lt;/a&gt;, Jack Jones, creator of the FAIR methodology, offered the following tips for estimating an accurate range:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
   &lt;li&gt;Start with an absurd estimate -- e.g., the person is likely taller than an inch and shorter than 10 feet.&lt;/li&gt; 
  &lt;li&gt;Use references and logical reasoning to continually narrow the range.&lt;/li&gt; 
  &lt;li&gt;Challenge your team's reasoning throughout the calibration process.&lt;/li&gt; 
  &lt;li&gt;Remember that the goal is accuracy, not precision.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Where to find data for a FAIR analysis"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Where to find data for a FAIR analysis&lt;/h2&gt;
 &lt;p&gt;Every risk calculation depends on the following fundamental pieces of data:&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;The likelihood of an event occurring&lt;/b&gt;. The FAIR model uses the term &lt;i&gt;loss event frequency&lt;/i&gt;.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;The severity or impact of the event if it does occur&lt;/b&gt;. The FAIR model uses the term &lt;i&gt;loss event magnitude&lt;/i&gt;.&lt;/li&gt; 
 &lt;/ol&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;How the FAIR model works&lt;/h3&gt; 
   &lt;p&gt;While FAIR is conceptually straightforward, it is complex in practice. Practitioners can learn how to use the model themselves through the FAIR Institute's free training resources. Alternatively, they can partner with a vendor that offers FAIR CRQ capabilities, such as &lt;a target="_blank" href="https://pages.safe.security/rs/691-VHU-261/images/SAFECRQ_Datasheet_2025.pdf?_gl=1*1p6z4y4*_gcl_au*MTg4OTg5MTEwMS4xNzgwMzUyMjA2" rel="noopener"&gt;Safe&lt;/a&gt;, &lt;a target="_blank" href="https://5234018.fs1.hubspotusercontent-na1.net/hubfs/5234018/WP%20Migration/Solution%20Briefs/Black%20Kite%20CRQ%20Solution%20Brief.pdf" rel="noopener"&gt;Black Kite&lt;/a&gt; or &lt;a target="_blank" href="https://www.cybersaint.io/cybersecurity/cyberstrong/solution-sheet" rel="noopener"&gt;CyberSaint&lt;/a&gt;.&lt;/p&gt; 
   &lt;p&gt;Whether in a DIY Excel spreadsheet or a third-party SaaS platform, every FAIR analysis includes the following basic steps:&lt;/p&gt; 
    &lt;p&gt;&lt;b&gt;1. Identify a risk scenario.&lt;/b&gt; Establishes the relevant asset -- e.g., servers -- and threat -- e.g., malicious hackers. A risk scenario might also include attack vectors -- e.g., malware -- and possible outcomes -- e.g., system outage.&lt;/p&gt; 
    &lt;p&gt;&lt;b&gt;2. Calculate loss event frequency.&lt;/b&gt; Based on the likelihood of an event occurring during a given period and vulnerabilities that increase the likelihood.&lt;/p&gt; 
    &lt;p&gt;&lt;b&gt;3. Evaluate loss event magnitude.&lt;/b&gt; Establishes likely financial losses -- primary and secondary -- if a given event occurs.&lt;/p&gt; 
    &lt;p&gt;&lt;b&gt;4. Calculate financial risk.&lt;/b&gt; Multiplies loss event frequency by loss event magnitude to calculate overall risk to the business in dollars.&lt;/p&gt;
  &lt;/div&gt;
 &lt;/div&gt;
 &lt;h3&gt;Where to find data for loss event frequency&lt;/h3&gt;
 &lt;p&gt;Loss event frequency represents the number of times a disruptive operational event is likely to occur in a designated timeframe, typically a year.&lt;/p&gt;
 &lt;p&gt;Practitioners can either estimate loss event frequency using empirical data or derive it by multiplying the following factors:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Threat event frequency.&lt;/b&gt; The statistical likelihood of an event. For example, the odds of a home in a particular ZIP code being robbed, based on recent crime data.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Susceptibility.&lt;/b&gt; Vulnerabilities that increase the event's likelihood. For example, how often residents of the home leave doors unlocked.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The FAIR Institute suggests practitioners use the following data sources to inform loss event frequency, as well as its contributing factors, threat event frequency and susceptibility.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Data sources for loss event frequency:&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Internal data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Incident response (&lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response"&gt;IR&lt;/a&gt;) logs from past security events.&lt;/li&gt; 
  &lt;li&gt;Security operations center logs detailing successful exploits.&lt;/li&gt; 
  &lt;li&gt;Historical loss event logs from risk registers or ticketing systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;External data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Industry-specific information sharing and analysis centers (ISACs).&lt;/li&gt; 
  &lt;li&gt;Verizon's annual &lt;a target="_blank" href="https://www.verizon.com/business/resources/reports/dbir/" rel="noopener"&gt;Data Breach Investigations Report (DBIR)&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Sector-specific breach reports.&lt;/li&gt; 
 &lt;/ul&gt;
  &lt;p&gt;&lt;i&gt;Threat event frequency data sources:&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;Internal data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Intrusion detection system and intrusion prevention system logs.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/SIEM-benefits-and-features-in-the-modern-SOC"&gt;Security information and event management&lt;/a&gt; alerts.&lt;/li&gt; 
   &lt;li&gt;Authentication logs.&lt;/li&gt; 
  &lt;li&gt;Firewall logs.&lt;/li&gt; 
  &lt;li&gt;Access records.&lt;/li&gt; 
  &lt;li&gt;Identity and access management systems.&lt;/li&gt; 
  &lt;li&gt;Internal threat profiling.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;External data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Threat intel feeds -- e.g., Mandiant, now part of Google; Recorded Future; and CrowdStrike.&lt;/li&gt; 
  &lt;li&gt;Verizon DBIR.&lt;/li&gt; 
  &lt;li&gt;Architecture models.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-map-security-gaps-to-the-Mitre-ATTCK-framework"&gt;Mitre ATT&amp;amp;CK mappings&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Threat profiling.&lt;/li&gt; 
  &lt;li&gt;Adversary behavior reports.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;i&gt;Susceptibility data sources:&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;Internal data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Red team results.&lt;/li&gt; 
  &lt;li&gt;Incident forensics.&lt;/li&gt; 
  &lt;li&gt;Pen test results.&lt;/li&gt; 
  &lt;li&gt;Patch management metrics.&lt;/li&gt; 
  &lt;li&gt;Vulnerability scan outputs.&lt;/li&gt; 
  &lt;li&gt;Third-party risk assessments.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;External data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Industry breach reports.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Mitre-ATTCK-framework-use-cases"&gt;Mitre ATT&amp;amp;CK&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Threat intel feeds -- e.g., Mandiant; Recorded Future; and CrowdStrike.&lt;/li&gt; 
  &lt;li&gt;InfraGard bulletins.&lt;/li&gt; 
  &lt;li&gt;Industry-specific ISACs.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-implementing-a-cybersecurity-maturity-model"&gt;Security control maturity&lt;/a&gt; benchmarks.&lt;/li&gt; 
  &lt;li&gt;Audit reports.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Where to find data for loss event magnitude&lt;/h3&gt;
 &lt;p&gt;Loss event magnitude reflects the operational and financial effects of a given event. It might factor in both direct or primary losses, such as ransomware payments and lost productivity, and indirect or secondary losses, such as regulatory fines and reputational damage.&lt;/p&gt;
 &lt;p&gt;The loss event magnitude value should be computed in financial terms -- e.g., lost revenue.&lt;/p&gt;
 &lt;p&gt;The FAIR Institute suggests practitioners use the following data sources to inform loss event magnitude.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Data sources for loss event magnitude:&lt;/b&gt;&lt;/p&gt;
 &lt;p&gt;Internal data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Financial and accounting records related to past security incidents.&lt;/li&gt; 
  &lt;li&gt;Business impact assessments from &lt;a href="https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools"&gt;business continuity planning&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;IR case management or time-tracking records.&lt;/li&gt; 
  &lt;li&gt;Ticketing logs indicating resource hours and resolution times.&lt;/li&gt; 
  &lt;li&gt;Asset valuation.&lt;/li&gt; 
  &lt;li&gt;Impact logs.&lt;/li&gt; 
  &lt;li&gt;Legal case records and cost tracking.&lt;/li&gt; 
  &lt;li&gt;Compliance records.&lt;/li&gt; 
  &lt;li&gt;Legal settlements.&lt;/li&gt; 
  &lt;li&gt;Customer support communication logs.&lt;/li&gt; 
  &lt;li&gt;PR response history.&lt;/li&gt; 
  &lt;li&gt;PR and media spending.&lt;/li&gt; 
  &lt;li&gt;Customer churn models.&lt;/li&gt; 
  &lt;li&gt;Reputational damage assessments.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-cyber-insurance-helped-with-breach-recovery-or-not"&gt;Insurance claims&lt;/a&gt; documentation.&lt;/li&gt; 
  &lt;li&gt;SME interviews with PR, media, legal, finance and compliance leaders.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;External data sources:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;IBM's annual "&lt;a target="_blank" href="https://www.ibm.com/reports/data-breach" rel="noopener"&gt;Cost of a Data Breach&lt;/a&gt;" report.&lt;/li&gt; 
  &lt;li&gt;Cyentia's annual "&lt;a target="_blank" href="https://www.cyentia.com/publication/iris2025/" rel="noopener"&gt;Information Risk Insights Study&lt;/a&gt;."&lt;/li&gt; 
  &lt;li&gt;Ponemon Institute.&lt;/li&gt; 
  &lt;li&gt;FAIR Institute's "&lt;a target="_blank" href="https://www.howmaterialisthathack.org/" rel="noopener"&gt;How Material Is That Hack&lt;/a&gt;" website.&lt;/li&gt; 
  &lt;li&gt;Securities and Exchange Commission (SEC) disclosures.&lt;/li&gt; 
  &lt;li&gt;Crisis reports.&lt;/li&gt; 
  &lt;li&gt;Regulatory disclosures and enforcement databases -- e.g., General Data Protection Regulation and the SEC.&lt;/li&gt; 
  &lt;li&gt;Public breach databases.&lt;/li&gt; 
  &lt;li&gt;Breach follow-on reports from Cyentia, Deloitte and legal analysis firms.&lt;/li&gt; 
  &lt;li&gt;Industry loss studies from Ponemon, Cyentia and Forrester.&lt;/li&gt; 
  &lt;li&gt;Publicly disclosed fines or class-action settlements.&lt;/li&gt; 
  &lt;li&gt;Market research on brand impact and consumer trust.&lt;/li&gt; 
  &lt;li&gt;SME interviews with PR, crisis management, law and insurance firms.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;em&gt;Alissa Irei is senior site editor of Informa TechTarget Security.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Cyber-risk quantification with FAIR can change the game for CISOs -- but sourcing enough accurate data for analysis can feel impossible. Learn how and where to find it.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/strategy_a56806043.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-find-cyber-risk-data-sources-for-a-FAIR-analysis</link>
            <pubDate>Wed, 03 Jun 2026 23:45:00 GMT</pubDate>
            <title>How to find cyber-risk data sources for a FAIR analysis</title>
        </item>
        <item>
            <body>&lt;p&gt;The Gartner Security &amp;amp; Risk Management Summit gathers CISOs, business leaders and decision-makers with Gartner analysts to explore the current and future state of cybersecurity.&lt;/p&gt; 
&lt;p&gt;This year's Summit is being held June 1-3, 2026, at the Gaylord National Resort and Convention Center in National Harbor, Md. The event features 62 Gartner analysts and more than 110 research-driven sessions; attendees will learn the latest about application and data security, AI, cyber-risk and cyber-resilience, the evolving threat landscape, and leadership and personal effectiveness.&lt;/p&gt; 
&lt;p&gt;The theme this year is "Smarter, faster, stronger ... together." To withstand the current cybersecurity storm, the community must come together to share insights that enable organizations to address mission-critical challenges quickly, efficiently and effectively.&lt;/p&gt; 
&lt;p&gt;Informa TechTarget's editorial team will be on-site, reporting from the show. This guide gathers articles from TechTarget SearchSecurity, Dark Reading and Cybersecurity Dive to help readers adapt their cybersecurity strategies, with a little help from their friends.&lt;/p&gt;</body>
            <description>Check out SearchSecurity's Gartner Security &amp; Risk Management Summit guide for reports on notable presentations and sessions on the latest security topics.</description>
            <link>https://www.techtarget.com/searchsecurity/conference/Gartner-Security-and-Risk-Management-Summit</link>
            <pubDate>Wed, 03 Jun 2026 23:30:00 GMT</pubDate>
            <title>Gartner Security &amp; Risk Management Summit 2026: Adapting for AI</title>
        </item>
        <item>
            <body>&lt;p&gt;Data security is a non-negotiable strategic imperative with significant business implications for risk management and competitive advantage.&lt;/p&gt; 
&lt;p&gt;Organizations today face ever-increasing cybersecurity risks -- both internal and external. Safeguarding data against financial losses, regulatory penalties and reputational damage is not merely a technical issue; it is an enterprise priority.&lt;/p&gt; 
&lt;p&gt;To that end, data encryption is a key component in &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-secure-AI-infrastructure-Best-practices"&gt;modern AI&lt;/a&gt;, cloud and collaboration ecosystems.&lt;/p&gt; 
&lt;p&gt;Data exists in three phases:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;&lt;b&gt;Data at rest.&lt;/b&gt; Data stored or saved on devices such as local computers, file servers or cloud storage. It is not actively in use or being moved.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Data in use.&lt;/b&gt; Data being processed, accessed or temporarily held in a system's memory or processors while operations are performed on it.&lt;/li&gt; 
 &lt;li&gt;&lt;b&gt;Data in motion.&lt;/b&gt; Data being transferred between locations, such as across networks, between devices or over the internet.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Each phase requires different technologies and approaches to mitigate threats. Organizations that operationalize data security across all phases gain a measurable competitive advantage.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Aligning encryption with business goals and risk management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Aligning encryption with business goals and risk management&lt;/h2&gt;
 &lt;p&gt;Executives must establish data encryption as a strategic control that delivers enterprise value. Organizations that adopt a risk-based encryption approach can identify and prioritize data according to its impact on business.&lt;/p&gt;
 &lt;p&gt;CISOs and their teams should align data security with regulatory compliance -- e.g., &lt;a href="https://www.techtarget.com/searchsecurity/tip/Data-sovereignty-compliance-challenges-and-best-practices"&gt;data sovereignty&lt;/a&gt; laws and industry standards; customer trust and brand protection; and digital transformation initiatives, such as cloud, data sharing and AI.&lt;/p&gt;
 &lt;p&gt;Governance must include clear executive ownership for data assets across business units. Mandate accountability for encryption key management and technical support.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Executive insight:&lt;/b&gt; &lt;i&gt;Protect data where it reduces material risk exposure.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to secure data at rest: Foundation of data protection"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to secure data at rest: Foundation of data protection&lt;/h2&gt;
 &lt;p&gt;Data at rest encompasses databases, cloud storage, endpoints, backups and other static data repositories. In today's distributed environments spanning regional data centers, edge computing and IoT, these locations can be very diverse.&lt;/p&gt;
 &lt;p&gt;To protect stored data, prioritize the following five specific actions:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Data discovery and classification.&lt;/b&gt; Identify and label what matters most to the business. An organization cannot protect what it does not know about.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Encryption strategies.&lt;/b&gt; Determine whether full encryption -- encrypting all data -- or selective encryption -- encrypting only specific, sensitive data -- is best based on sensitivity and performance requirements. Endpoint systems in particular will require attention and support.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Infrastructure security.&lt;/b&gt; &lt;a href="https://www.techtarget.com/searchsecurity/feature/Guide-to-cloud-security-management-and-best-practices"&gt;Secure cloud&lt;/a&gt; and on-premises environments, including patching, monitoring, key management and physical security.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Access governance.&lt;/b&gt; Limit access based on roles and business needs, and implement MFA and &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-implement-zero-trust-security-from-people-who-did-it"&gt;zero-trust security&lt;/a&gt; where possible.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Human risk mitigation.&lt;/b&gt; Conduct encryption training and awareness.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;An effective system to manage data encryption and secure storage offers several positive business outcomes, such as reduced breach likelihood, reduced breach impact, stronger compliance posture with reduced penalties and improved audit readiness.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to secure data in use: Protecting active data"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to secure data in use: Protecting active data&lt;/h2&gt;
 &lt;p&gt;Data in use includes information that is being processed, accessed or analyzed by users and systems.&lt;/p&gt;
 &lt;p&gt;Four leadership priorities exist to secure data in use:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Access control and minimal privileges.&lt;/b&gt; Configure fine-grained access controls that adhere to the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt; to mitigate common data risks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Data minimization.&lt;/b&gt; Use masking, tokenization and obfuscation to help hide data that users aren't authorized to access.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Emerging technologies.&lt;/b&gt; Use approaches such as confidential computing, secure enclaves and memory protection.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Insider threat mitigation.&lt;/b&gt; Establish baselines for &lt;a href="https://www.techtarget.com/searchsecurity/feature/Insider-threat-vs-insider-risk-Whats-the-difference"&gt;user behavior and access patterns&lt;/a&gt; using logging and data monitoring, so that deviations can be spotted.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Beneficial business outcomes include reduced insider risk from deliberate or accidental threats, safer analytics and AI adoption, and improved collaboration and data sharing.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="How to secure data in motion: Protecting data flows"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to secure data in motion: Protecting data flows&lt;/h2&gt;
 &lt;p&gt;Data in motion includes information moving across on-premises, cloud and public networks. Data in transit can be intercepted, blocked or modified, posing a significant risk to critical business operations.&lt;/p&gt;
 &lt;p&gt;Top leadership priorities for protecting data in motion include:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;End-to-end encryption.&lt;/b&gt; Integrating data encryption across all connections, including the internal network, is essential. Key technologies include TLS, HTTPS, VPNs and secure tunnels.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Network security architecture.&lt;/b&gt; Establish zero-trust principles in network authentication and access control to mitigate impersonation and hijacking attacks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Third-party and supply chain risk management.&lt;/b&gt; Secure data exchanges with partners and vendors. Set clear security requirements for all communications between these entities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Continuous monitoring.&lt;/b&gt; Use &lt;a href="https://www.techtarget.com/searchitoperations/The-definitive-guide-to-enterprise-IT-monitoring"&gt;monitoring tools&lt;/a&gt; to detect anomalies in data movement that suggest misuse or an attack.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Securing data in motion on all networks brings several crucial business benefits, including mitigation of data interception, modification and exfiltration; secure digital ecosystems and partnerships; and reduced data exposure in cloud environments.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Visibility, metrics and KPIs for encryption effectiveness"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Visibility, metrics and KPIs for encryption effectiveness&lt;/h2&gt;
 &lt;p&gt;Measuring success is crucial to justifying investments, maintaining auditability and satisfying compliance requirements.&lt;/p&gt;
 &lt;p&gt;Key metrics for measuring encryption and data security performance include:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Percent of data identified and classified.&lt;/li&gt; 
  &lt;li&gt;Percent of data encrypted in each phase -- data at rest, in use and in motion.&lt;/li&gt; 
  &lt;li&gt;Time to remediate encryption gaps.&lt;/li&gt; 
  &lt;li&gt;Key management incidents or failures.&lt;/li&gt; 
  &lt;li&gt;Mean time to detect and mean time to respond to data threats.&lt;/li&gt; 
  &lt;li&gt;Unauthorized access attempts blocked.&lt;/li&gt; 
  &lt;li&gt;Compliance audit success rates.&lt;/li&gt; 
  &lt;li&gt;Compliance audit failure rates.&lt;/li&gt; 
  &lt;li&gt;Third-party data compliance.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;These metrics directly tie to risk reduction and compliance outcomes, both of which are fundamental to an organization's data management strategy. CISOs should provide stakeholders with dashboards for easy visibility and reporting.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Strategic recommendations and next steps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Strategic recommendations and next steps&lt;/h2&gt;
 &lt;p&gt;Treat data security as a &lt;a href="https://www.techtarget.com/searchsecurity/tip/Best-practices-for-board-level-cybersecurity-oversight"&gt;board-level requirement&lt;/a&gt; with enterprise strategy implications. Establish a lifecycle-based security strategy that allocates resources according to data value and risk. To do this, first assess where critical data resides. Then, align encryption to risk and compliance goals. Finally, invest in the technologies, training and governance needed to protect data in all three phases.&lt;/p&gt;
 &lt;p&gt;Organizations that act now will reduce risk, strengthen trust and enable secure growth as they secure data at rest, in use and in motion.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Data is the lifeblood of modern commerce; securing it properly requires a top-level, strategic commitment that dovetails with risk management and competitive advantage.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Global-cyber-security-hero.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Best-practices-to-secure-data-at-rest-in-use-and-in-motion</link>
            <pubDate>Wed, 03 Jun 2026 19:45:00 GMT</pubDate>
            <title>How to secure data at rest, in use and in motion</title>
        </item>
        <item>
            <body>&lt;p&gt;The global AI regulatory landscape is fragmented and volatile. As a result, cybersecurity leaders must reconcile competing compliance requirements and safeguard organizational AI without creating roadblocks to the overall AI strategy's success.&lt;/p&gt; 
&lt;p&gt;While the EU AI Act imposes a comprehensive, risk-based approach with severe penalties, China has implemented laws to balance AI advancements with control over societal behaviors. Other major markets, such as the U.S., have yet to produce unified guidance. In the absence of unified federal guardrails, states are creating a &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/A-state-by-state-guide-to-AI-laws-in-the-US"&gt;patchwork of requirements&lt;/a&gt; with both common and conflicting demands.&lt;/p&gt; 
&lt;p&gt;Cybersecurity leaders are confronting the reality of fulfilling these emerging, competing regulatory mandates even as AI adoption stretches the resources of their security programs. Most leaders report struggling to maintain visibility into embedded AI features deployed by vendors. Given the volume of AI tools and the speed of deployment, there is a significant degree of urgency to define appropriate cybersecurity controls for AI. Otherwise, organizations risk magnifying enterprise regulatory exposure and eroding any competitive advantage gained from AI adoption.&lt;/p&gt; 
&lt;p&gt;To establish future-proof cybersecurity controls capable of satisfying diverse, nonstandardized regulatory mandates, cybersecurity leaders must take a thoughtful, strategic approach grounded in collaboration, &lt;a target="_blank" href="https://www.gartner.com/en/cybersecurity/topics/cybersecurity-and-ai" rel="noopener"&gt;risk-based principles and resilience&lt;/a&gt;.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Filter regulatory noise through internal partnerships"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Filter regulatory noise through internal partnerships&lt;/h2&gt;
 &lt;p&gt;Cybersecurity leaders must move beyond reliance on static global policy trackers to determine their exposure to emerging AI regulations and policies. They must also work with internal groups that represent assurance, governance and legal functions to determine the applicability of specific mandates.&lt;/p&gt;
 &lt;p&gt;Cybersecurity leaders should also consider relevant cybersecurity AI risk and the feasibility, cost and impact of potential controls. This requires aligning regulations with &lt;a href="https://www.techtarget.com/searchcio/tip/How-compliance-provides-stakeholders-evidence-of-success"&gt;key stakeholders&lt;/a&gt; to ensure cybersecurity-relevant components are embedded into the organization's AI governance structure.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Ground AI strategy with risk-based principles"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Ground AI strategy with risk-based principles&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.gartner.com/en/insights/generative-ai-for-business"&gt;&lt;/a&gt;Traditional cybersecurity controls focus on mitigating harm to systems and data. With the rise of &lt;a target="_blank" href="https://www.gartner.com/en/insights/generative-ai-for-business" rel="noopener"&gt;GenAI&lt;/a&gt;&amp;nbsp;and AI agents, cybersecurity leaders must guard against conventional confidentiality threats for enterprise AI, such as data breaches, data leakage, malware and insider threats, as well as new threats to the integrity of enterprise data that interacts with AI, such as hallucinations, inaccuracies and biases.&lt;/p&gt;
 &lt;p&gt;Emerging AI regulations go beyond threats to organizational data and intellectual property. They also explicitly target threats to people's health, safety and liberty, demanding controls within the purview of the CISO. This is why cybersecurity leaders must build their compliance strategy on risk-based principles that lay the foundation for emerging laws and standards: safety, transparency, accountability, privacy and security.&lt;/p&gt;
 &lt;p&gt;For example, a baseline focus on data transparency and integrity might require cybersecurity leaders to prioritize controls that not only protect the data ingested by AI systems, but also extend &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;identity and access management&lt;/a&gt; controls from the human workforce to machine identities. This ensures strong authentication and authorization for both the employee interacting with AI and any AI agent.&lt;/p&gt;
 &lt;p&gt;Additionally, attempting to comply with every emerging regulation individually is a resource-intensive trap. Cybersecurity leaders must instead build a baseline compliance posture by aligning the principles underlying emerging AI regulations with efforts to close remaining gaps.&lt;/p&gt;
 &lt;p&gt;Leaders can determine the baseline principles by categorizing cybersecurity risks into two categories:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Harm to people: safety, bias, privacy.&lt;/li&gt; 
  &lt;li&gt;Harm to property: data integrity, intellectual property theft, availability.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Cybersecurity resilience for AI risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cybersecurity resilience for AI risks&lt;/h2&gt;
 &lt;p&gt;Regulatory resilience means demonstrating entirely new disaster and &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response planning&lt;/a&gt; relevant to cybersecurity-related AI threats. Most organizations reported experiencing at least one deepfake attack that involved some form of social engineering or exploited existing automated processes.&lt;/p&gt;
 &lt;p&gt;Cybersecurity compliance plans must include investments in AI runtime defenses, &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises"&gt;tabletop exercises&lt;/a&gt; and broader resilience plans. Additionally, cybersecurity leaders must demonstrate the antifragility needed to isolate, recover and adapt to AI-related cybersecurity incidents. These tactics will help define appropriate cybersecurity controls for AI, preventing the magnification of enterprise regulatory exposure while ensuring organizations get the most from their AI strategies.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.gartner.com/en/experts/bernard-woo"&gt;&lt;i&gt;Bernard Woo&lt;/i&gt;&lt;/a&gt;&lt;i&gt; is a vice president analyst at Gartner, with a focus on data protection and privacy programs, as well as data discovery and data classification considerations. Woo and other Gartner analysts will present the latest insights for security and risk management leaders at the Gartner Security &amp;amp; Risk Management Summits, taking place June 1-3 in&lt;/i&gt;&lt;a href="https://www.gartner.com/en/conferences/na/security-risk-management-us"&gt;&lt;i&gt; &lt;/i&gt;&lt;/a&gt;&lt;a target="_top" href="https://www.gartner.com/en/conferences/na/security-risk-management-us"&gt;&lt;i&gt;National Harbor, Md&lt;/i&gt;&lt;/a&gt;.&lt;i&gt;, July 22-24 in&lt;/i&gt;&lt;a href="https://www.gartner.com/en/conferences/apac/security-risk-management-japan"&gt;&lt;i&gt; &lt;/i&gt;&lt;/a&gt;&lt;a target="_blank" href="https://www.gartner.com/en/conferences/apac/security-risk-management-japan" rel="noopener"&gt;&lt;i&gt;Tokyo&lt;/i&gt;&lt;/a&gt;&lt;i&gt;, August 4-5 in&lt;/i&gt;&lt;a href="https://www.gartner.com/en/conferences/la/security-risk-management-brazil"&gt;&lt;i&gt; &lt;/i&gt;&lt;/a&gt;&lt;a target="_blank" href="https://www.gartner.com/en/conferences/la/security-risk-management-brazil" rel="noopener"&gt;&lt;i&gt;Sao Paulo&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and September 22-24 in&lt;/i&gt;&lt;a href="https://www.gartner.com/en/conferences/emea/security-risk-management-uk"&gt;&lt;i&gt; &lt;/i&gt;&lt;/a&gt;&lt;a target="_blank" href="https://www.gartner.com/en/conferences/emea/security-risk-management-uk" rel="noopener"&gt;&lt;i&gt;London&lt;/i&gt;&lt;/a&gt;&lt;i&gt;. 
Follow news and updates from the conferences on &lt;/i&gt;&lt;a target="_blank" href="https://x.com/Gartner_inc" rel="noopener"&gt;&lt;i&gt;X&lt;/i&gt;&lt;/a&gt;&lt;i&gt; and &lt;/i&gt;&lt;a target="_blank" href="https://www.linkedin.com/showcase/gartner-for-it-leaders" rel="noopener"&gt;&lt;i&gt;LinkedIn&lt;/i&gt;&lt;/a&gt;&lt;i&gt; using #GartnerSEC.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>With so many competing compliance requirements related to AI, how could any CISO comply with all of them? Learn how to reconcile your AI strategy with the regulatory landscape.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/legal_g1152162547.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/opinion/How-to-prepare-security-controls-for-future-AI-regulations</link>
            <pubDate>Tue, 02 Jun 2026 11:43:00 GMT</pubDate>
            <title>How to prepare security controls for future AI regulations</title>
        </item>
        <item>
            <body>&lt;p&gt;For years, federal cybersecurity policy has primarily focused on protecting government systems and critical infrastructure. Executive Order 14390: "Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens" signals a broader shift in emphasis. Signed on March 6, 2026, the order reframes cybercrime not only as a national security threat, but also as an economic and societal threat that directly affects citizens, businesses and the digital ecosystem on which they depend.&lt;/p&gt; 
&lt;p&gt;The executive order lands amid escalating &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-and-protect-against-ransomware"&gt;ransomware campaigns&lt;/a&gt;, AI-enabled fraud schemes, large-scale &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users"&gt;phishing operations&lt;/a&gt; and financially motivated attacks linked to &lt;a href="https://www.techtarget.com/searchsecurity/feature/What-executives-must-know-about-nation-state-threat-actors"&gt;transnational criminal organizations&lt;/a&gt;. Unlike earlier cybersecurity directives that focused heavily on federal modernization, critical infrastructure protection and software supply chain security, EO 14390 emphasizes operational disruption of cybercriminal networks, victim restitution and expanded coordination between government agencies and the private sector.&lt;/p&gt; 
&lt;p&gt;For enterprise security leaders, the order does not immediately impose a new regulatory framework. However, it signals the direction of federal cyber policy, with greater emphasis on private-sector accountability, expanded information sharing, increased scrutiny of enterprise cyber practices and stronger expectations for cooperation with government-led cyberdefense initiatives.&lt;/p&gt; 
&lt;p&gt;Skadden, Arps, Slate, Meagher &amp;amp; Flom LLP, &lt;a target="_blank" href="https://www.skadden.com/insights/publications/2026/03/white-house-announces-cybercrime-executive-order" rel="noopener"&gt;in its legal analysis of EO 14390&lt;/a&gt;, said that it "is further indication that the Trump administration intends to broaden the role of the private sector in the government's offense-oriented approach to cyberthreats."&lt;/p&gt; 
&lt;p&gt;In practical terms, the order raises an important question for businesses. Is cybersecurity still just an IT risk, or is it becoming a broader legal, operational and governance obligation tied directly to national resilience?&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="A sign of the times"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A sign of the times&lt;/h2&gt;
 &lt;p&gt;The order was issued as the federal government confronted a sharp rise in cyber-enabled fraud and online criminal groups targeting Americans. The administration specifically identified ransomware, &lt;a href="https://www.techtarget.com/searchsecurity/tip/10-common-types-of-malware-attacks-and-how-to-prevent-them"&gt;malware&lt;/a&gt;, phishing, impersonation scams, sextortion schemes and financial fraud as major threats increasingly tied to foreign-based criminal networks.&lt;/p&gt;
 &lt;p&gt;EO 14390 directs multiple federal agencies -- including the Departments of Homeland Security, Treasury, Justice, State and Defense -- to review existing operational and regulatory frameworks within 60 days and produce a coordinated action plan within 120 days to identify, disrupt and dismantle cybercriminal organizations. The order also calls for expanded threat intelligence sharing, enhanced cooperation with state and local governments, increased law enforcement coordination, the development of a victim restoration program using seized criminal assets and international diplomatic pressure against nations that tolerate cybercrime operations.&lt;/p&gt;
 &lt;p&gt;What distinguishes EO 14390 from previous federal cyber directives is its operational focus on cyber-enabled financial crime and fraud ecosystems rather than purely defensive cybersecurity modernization. This matters for enterprises because the federal government increasingly views private-sector organizations not merely as victims of cybercrime, but as active participants in national cyberdefense.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Increased public-private collaboration"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Increased public-private collaboration&lt;/h2&gt;
 &lt;p&gt;One of the most immediate implications for enterprises is deeper collaboration with federal agencies. The order directs agencies to strengthen coordination through an operational cell, intelligence-sharing initiatives and resilience-building programs. For CISOs, this could translate into expanded expectations around sharing indicators of compromise, participating in sector-specific information-sharing groups, cooperating during federal investigations and providing telemetry or incident data to agencies such as CISA or the FBI.&lt;/p&gt;
 &lt;p&gt;Many organizations already engage in these activities voluntarily through Information Sharing and Analysis Centers (ISACs) or public-private partnerships. EO 14390 could accelerate movement toward a more structured expectation of participation, particularly among companies operating in finance, healthcare, telecommunications, retail and critical infrastructure sectors.&lt;/p&gt;
 &lt;p&gt;Security teams should expect federal agencies to become more proactive in seeking collaboration during active cyberincidents, particularly when attacks appear tied to broader criminal campaigns.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="The good news"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The good news&lt;/h2&gt;
 &lt;p&gt;From an enterprise perspective, the executive order could offer several potential advantages:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Faster incident response. &lt;/b&gt;Improved coordination between government agencies and the private sector could accelerate threat identification and disruption. Organizations could gain earlier access to actionable intelligence regarding ransomware groups, fraud campaigns and emerging attack techniques.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Stronger ecosystem security. &lt;/b&gt;A more coordinated national cyberdefense posture can help reduce systemic risk across industries. Since supply chain attacks increasingly affect multiple organizations simultaneously, collective defense mechanisms benefit everyone.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Greater cybersecurity investment. &lt;/b&gt;For CISOs struggling to secure budget approval, the policy environment could become more favorable. Federal emphasis on cyber-resilience gives security leaders stronger leverage when advocating for modernized security architecture, backup and recovery, &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-some-of-the-top-identity-and-access-management-risks"&gt;identity and access management&lt;/a&gt; improvements, detection and response tooling, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;security awareness programs&lt;/a&gt;, third-party risk management and more.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Expanded cyber workforce development.&lt;/b&gt; The order's focus on training and resilience-building could help address ongoing cybersecurity talent shortages through expanded certification and workforce initiatives.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Elevated executive awareness.&lt;/b&gt; Perhaps most importantly, EO 14390 further elevates cybersecurity as a boardroom issue. CISOs could find it easier to obtain executive attention, funding and cross-functional support.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The bad news"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The bad news&lt;/h2&gt;
 &lt;p&gt;At the same time, enterprises should be realistic about the potential downsides of the executive order:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;More federal scrutiny.&lt;/b&gt; Expanded collaboration with government agencies can introduce concerns around data privacy, customer trust, legal privilege, investigative exposure and &lt;a href="https://www.techtarget.com/searchdatamanagement/feature/Data-sovereignty-expands-beyond-compliance-boundaries"&gt;cross-border data handling&lt;/a&gt;. For CISOs, this raises the importance of demonstrable governance. Regulators and litigators increasingly require evidence that organizations maintain modern security controls.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Incident reporting.&lt;/b&gt; EO 14390 reinforces a broader federal trend toward faster and more comprehensive incident reporting. While the order does not directly impose new &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-develop-a-data-breach-response-plan-5-steps"&gt;breach notification&lt;/a&gt; timelines, it reflects growing federal interest in obtaining visibility into cybercrime activity affecting both citizens and businesses.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Resource strain.&lt;/b&gt; Threat sharing, incident coordination and compliance efforts require personnel and infrastructure investments. Smaller organizations could struggle to keep pace.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Potential liability expansion.&lt;/b&gt; As federal expectations rise, organizations that lag in &lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-implementing-a-cybersecurity-maturity-model"&gt;cybersecurity maturity&lt;/a&gt; could face increased litigation and regulatory exposure following incidents. The order's proposed victim restoration program reflects a broader policy emphasis on accountability and recovery for cyber-related harm.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Ambiguity around "reasonable" security.&lt;/b&gt; Regulators often expect organizations to maintain "reasonable" cybersecurity without universally defining what that means in practice. CISOs could face increasing pressure to justify security decisions after incidents occur.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="What now?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What now?&lt;/h2&gt;
 &lt;p&gt;For CISOs, the best response to EO 14390 is operational maturity. Organizations should focus on several immediate priorities:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Strengthen incident response readiness.&lt;/b&gt; Review and &lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-How-to-test-an-incident-response-plan"&gt;test incident response plans&lt;/a&gt; regularly. Ensure executive leadership, legal teams, communications staff and technical responders understand escalation and reporting procedures.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Improve threat intelligence integration.&lt;/b&gt; Participate actively in ISACs, sector partnerships and government information-sharing initiatives. The ability to operationalize shared intelligence quickly will become increasingly valuable.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Reassess data governance.&lt;/b&gt; Evaluate how &lt;a href="https://www.techtarget.com/searchcustomerexperience/answer/How-do-companies-protect-customer-data"&gt;customer data&lt;/a&gt; is collected, stored, retained and protected. Fraud prevention and identity verification controls deserve renewed scrutiny.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Increase board engagement.&lt;/b&gt; Boards should receive regular cyber-risk briefings that address operational exposure, business continuity implications and regulatory developments.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Invest in workforce development.&lt;/b&gt; Security talent shortages remain a major operational risk. Enterprises should continue expanding training, certification and retention programs while taking advantage of government-supported initiatives where available.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Document security decisions.&lt;/b&gt; Organizations should maintain clear records of risk assessments, security investments, policy decisions and remediation efforts.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;EO 14390 reflects an important evolution in U.S. cybersecurity policy. The federal government is no longer treating cybercrime solely as a law enforcement issue or a federal network protection challenge. Increasingly, policymakers view enterprise cybersecurity as part of broader national economic resilience and societal stability.&lt;/p&gt;
 &lt;p&gt;For enterprises, this means cybersecurity is becoming more central to corporate governance, operational accountability and enterprise risk management. Wilson Sonsini Goodrich &amp;amp; Rosati, &lt;a target="_blank" href="https://www.wsgr.com/en/insights/president-trump-issues-a-cyber-strategy-for-america-and-an-executive-order-on-combating-cyber-enabled-crime.html" rel="noopener"&gt;in its legal analysis&lt;/a&gt;, noted that while the order does not impose any obligations on private businesses, engagement with the federal cyber policy and rulemaking process will likely increase as the administration seeks private-sector input and continues to streamline cyber-related regulations.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Richard Livingston is an editor with Informa TechTarget's SearchSecurity site, covering cybersecurity news, trends and analysis.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Reframing cybercrime as a national security issue, EO 14390 could lead to stronger links between government and the private sector. Find out what it means for enterprise security.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/map_globe_g1160498092.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/EO-14390-raises-stakes-for-enterprise-cybersecurity</link>
            <pubDate>Fri, 29 May 2026 14:52:00 GMT</pubDate>
            <title>EO 14390 raises stakes for enterprise cybersecurity</title>
        </item>
        <item>
            <body>&lt;p&gt;Organizations using Claude Mythos have discovered thousands of vulnerabilities in the first month of security testing under Project Glasswing, per an announcement from Anthropic last week.&lt;/p&gt; 
&lt;p&gt;The project, initially announced on April 7, granted preview access of Mythos to about 50 organizations, including Apple, Google, JPMorgan Chase, the Linux Foundation and Microsoft. Anthropic said it felt compelled to &lt;a href="https://www.techtarget.com/searchcio/feature/Weekly-news-roundup-Claude-Mythos-concerns-Muse-Spark-debut-and-US-infrastructure-disruption"&gt;limit the release&lt;/a&gt; after seeing the model's ability to find previously undetected security weaknesses in some of the most widely used technologies.&lt;/p&gt; 
&lt;p&gt;"Ultimately, Mythos-class models will enable developers to build far more secure software by catching bugs before they are deployed," Anthropic &lt;a target="_blank" href="https://www.anthropic.com/research/glasswing-initial-update" rel="noopener"&gt;wrote&lt;/a&gt; in its May 22 update. "But this interim period -- while vulnerabilities are being rapidly discovered and slowly patched -- presents new risks."&lt;/p&gt; 
&lt;p&gt;Most of the participants in Project Glasswing each found hundreds of critical- or high-severity vulnerabilities in their software, Anthropic said. In all, the companies invited to use Mythos Preview have so far flagged more than 10,000 &lt;a href="https://www.techtarget.com/searchsecurity/feature/Cybersecurity-in-the-age-of-AI-means-bigger-faster-threats"&gt;significant security flaws&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;One example offered in the announcement was Cloudflare. The provider of content delivery networks and other internet services uncovered approximately 2,000 vulnerabilities in its products; of those, 400 were treated as high- or critical-severity.&lt;/p&gt; 
&lt;p&gt;Anthropic &lt;a target="_blank" href="https://www.anthropic.com/news/claude-opus-4-8" rel="noopener"&gt;said yesterday&lt;/a&gt; that it intends to release Mythos "in the coming weeks."&lt;/p&gt; 
&lt;p&gt;"This is definitely something that we all need to prepare for," said Jim Reavis, CEO of the Cloud Security Alliance (CSA), which published a &lt;a target="_blank" href="https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosreadyv95.pdf" rel="noopener"&gt;strategy paper&lt;/a&gt; in April about the Mythos risk. The CSA is also conducting a series of forums for CISOs to share ideas and observations about how Mythos and other frontier LLMs will change cybersecurity. Those changes will be significant, Reavis said, because they have to be.&lt;/p&gt; 
&lt;p&gt;"We'll see a lot more vulnerabilities," Reavis said. "And as soon as you see a vulnerability or you see a vendor release a patch, an attacker will have a complete blueprint to immediately create an exploit out of that."&lt;/p&gt; 
&lt;p&gt;To counter the AI threat, organizations need to take aggressive steps to automate security in the SOC, use agentic tools during &lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response"&gt;incident response&lt;/a&gt; activities and place even more focus on &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;least-privilege practices&lt;/a&gt;, Reavis said. "We're all going to be working pretty hard for the next year or two."&lt;/p&gt; 
&lt;p&gt;"It's interesting how fast it's moving," said Barry Mainz, CEO of Forescout, a cybersecurity vendor. "It's a shock to the industry, but a good shock."&lt;/p&gt; 
&lt;p&gt;Security teams now better understand that defensive tactics such as threat containment and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Zero-trust-use-cases-highlight-both-its-benefits-and-misconceptions"&gt;zero-trust security&lt;/a&gt; are crucial, Mainz said. &lt;a href="https://www.techtarget.com/searchenterprisedesktop/definition/patch-management"&gt;Patch management&lt;/a&gt; will still matter, he added, but patching won't be enough to defend against AI-driven attacks.&lt;/p&gt; 
&lt;p&gt;While teams should expect a difficult period of adjustment and experimentation in the near term, Mainz said cybersecurity will take a big leap forward as a result of the vulnerabilities being exposed by AI.&lt;/p&gt; 
&lt;p&gt;"There's some definite opportunities [for improved practices]," Mainz said. "It's definitely shaking up the industry."&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Phil Sweeney is an industry editor and writer focused on cybersecurity topics.&lt;/i&gt;&lt;/p&gt;</body>
            <description>Anthropic's Mythos Preview exposed 10,000-plus security flaws at tech giants in one month, revealing both opportunities and risks for the future of cybersecurity.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366643606/First-month-of-Mythos-Preview-testing-exposes-10K-flaws</link>
            <pubDate>Fri, 29 May 2026 12:35:00 GMT</pubDate>
            <title>First month of Mythos Preview testing exposes 10K flaws</title>
        </item>
        <item>
<body>&lt;p&gt;In the Netflix thriller &lt;i&gt;Leave the World Behind&lt;/i&gt;, a massive cyberattack plunges the U.S. into a complete electrical and technological blackout. While the scope and scale of the fictional attack are improbable, research suggests real-world malicious hackers are increasingly interested in causing physical harm.&lt;/p&gt; 
&lt;p&gt;Cyberattacks with physical impact are still rare, with just 57 globally in 2025, according to Waterfall Security Solutions, a cybersecurity vendor headquartered in Rosh Ha'Ayin, Israel. But that might not always be the case, given a disturbing trend recently noted by Washington-based cybersecurity vendor Dragos.&lt;/p&gt; 
&lt;p&gt;Dragos researchers revealed in the company's "2026 OT/ICS Cybersecurity Report" that once inside an operational technology environment, attackers are no longer just conducting reconnaissance, as has long been the norm in &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-OT-threats-and-security-challenges"&gt;OT intrusions&lt;/a&gt;. Multiple threat groups, independently and across geopolitical alignments, are now actively mapping control loops and learning how to disrupt physical processes. Their documented activities include accessing and manipulating engineering workstations and exfiltrating configuration files, alarm data and operational intelligence.&lt;/p&gt; 
&lt;p&gt;"This is the removal of the last practical barrier between having access and being able to cause physical consequences," the Dragos researchers &lt;a target="_blank" href="https://www.dragos.com/ot-cybersecurity-year-in-review" rel="noopener"&gt;wrote&lt;/a&gt;. "It indicates that the teams behind these operations are being told to prepare to act, not just to maintain options."&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="A perfect storm"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;A perfect storm&lt;/h2&gt;
 &lt;p&gt;Analysts said the shift in attacker behavior is troubling but unsurprising, given the confluence of &lt;a target="_blank" href="https://www.darkreading.com/cybersecurity-operations/geopolitics-ai-cybersecurity-insights-rsac-2026" rel="noopener"&gt;geopolitical tensions&lt;/a&gt;, widely available technical documentation, the democratization of attack toolkits and a decreasing price point for experimentation.&lt;/p&gt;
 &lt;p&gt;The good news: Organized cybercrime groups typically have little interest in accessing OT and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-10-ICS-cybersecurity-threats-and-challenges"&gt;industrial control systems&lt;/a&gt; (ICSes) to cause physical harm, said Forrester analyst Paddy Harrington. Rather, they want to make money, and hurting innocent people is inherently bad for business.&lt;/p&gt;
 &lt;p&gt;"Blowing up a pipeline or an oil rig or taking down an operating room in healthcare -- because you can actually do that if you compromise the systems enough -- leaves a bad taste in everyone's mouth," Harrington said. "You're no longer this Robin Hood figure for taking down Jaguar Land Rover. You hurt people."&lt;/p&gt;
 &lt;p&gt;In other words, there is a vast difference between run-of-the-mill cybercriminals and Netflix-style cyberterrorists. Even nation-state threat actors are likely constrained by the principle of mutually assured destruction, knowing that a targeted nation could respond in kind.&lt;/p&gt;
 &lt;p&gt;The bad news: &lt;a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now"&gt;Generative AI could empower a host of attackers&lt;/a&gt; with diverse personal or political motives and an appetite for destruction. Capabilities that were once largely limited to well-funded nation-state groups are now broadly accessible, said Gartner analyst Katell Thielemann.&lt;/p&gt;
 &lt;p&gt;"My concern is that in the age of AI, where technical drawings and process manuals can be ingested at will from public sources, we may not just be dealing with attackers 'being told to prepare to act,'" per the Dragos report, Thielemann said. "Hacktivists or anyone determined enough, with any kind of motive, can learn about these control loops."&lt;/p&gt;
 &lt;p&gt;Harrington noted that larger attack groups are already using open source models to build their own &lt;a target="_blank" href="https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-models/" rel="noopener"&gt;LLMs focused specifically on cyberattacks&lt;/a&gt;. "They can map out -- based on previous OT attacks, vulnerabilities and exploits -- exactly what they need to do," he said. "That, plus the whole geopolitical situation, is driving things faster than I think we've ever seen before."&lt;/p&gt;
&lt;/section&gt;        
&lt;section class="section main-article-chapter" data-menu-title="What OT threats mean for enterprise CISOs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What OT threats mean for enterprise CISOs&lt;/h2&gt;
 &lt;p&gt;Most organizations have cyber-physical systems, whether they recognize it or not.&lt;/p&gt;
 &lt;p&gt;"This is not just about OT/ICS in water utilities or process manufacturing," Thielemann warned. Rather, any environment where digital assets interact with the physical world, such as a typical office building, data center or warehouse, could become a target.&lt;/p&gt;
 &lt;p&gt;Yet, even as threat actors seek to gain physical control of OT environments, enterprises remain largely ill-equipped to defend against them.&lt;/p&gt;
 &lt;p&gt;"If attackers are learning about control loops, so should CISOs," Thielemann said. "If they are still defending with an IT-centric mindset and have not yet realized that their remit includes cyber-physical systems that need completely different security governance and tooling, they need to catch up -- fast."&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    If attackers are learning about control loops, so should CISOs. 
   &lt;/figure&gt;
   &lt;figcaption&gt;
     &lt;strong&gt;Katell Thielemann&lt;/strong&gt; Analyst, Gartner
   &lt;/figcaption&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;Harrington agreed, suggesting &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-to-build-an-OT-cybersecurity-program"&gt;CISOs start by identifying entry points into their OT environments&lt;/a&gt; -- edge devices, cloud connections, internet connections and internal IT/OT cross-connections -- and eliminating any that aren't operationally necessary. Then, he said, drop a firewall across each remaining connection to block threats that might enter the environment from third-party service providers, OEMs or IT.&lt;/p&gt;
 &lt;p&gt;"Start doing &lt;i&gt;something&lt;/i&gt;," Harrington urged. "So many OT environments don't have much of anything. All they're doing is asset discovery and relying on what they think is an air gap, which hasn't existed in the vast majority of environments for a long time."&lt;/p&gt;
 &lt;p&gt;Harrington admitted he worries about worst-case-scenario cyberattacks on critical infrastructure, the stuff of nightmares and Netflix films. But he also finds the growing push to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Key-OT-security-best-practices"&gt;improve OT security&lt;/a&gt; encouraging.&lt;/p&gt;
 &lt;p&gt;"I'm just hoping it's fast enough."&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Alissa Irei is senior site editor of Informa TechTarget Security.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Malicious hackers are no longer just snooping around OT systems, researchers warn. They're preparing to cause real-world damage.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Cyberattack-hacked-hero.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366643451/OT-attacks-shift-from-recon-to-physical-control-raising-stakes</link>
            <pubDate>Wed, 27 May 2026 20:35:00 GMT</pubDate>
            <title>OT attacks shift from recon to physical control, raising stakes</title>
        </item>
        <item>
            <body>&lt;p&gt;The recent debut of OpenAI's Daybreak means security leaders are waking up to a new reality: Artificial intelligence is no longer merely supporting cyberdefense but driving it.&lt;/p&gt; 
&lt;p&gt;Accessible now to verified organizations and security teams, &lt;a href="https://openai.com/daybreak/"&gt;Daybreak&lt;/a&gt; combines OpenAI's GPT-5.5 models with its Codex Security system to embed automated, intelligent vulnerability discovery directly into operational workflows and across codebases, along with remediation guidance and patch generation and validation. The goal, according to OpenAI, is to speed up cyber defense and create software with continuous security baked in -- what it calls "resilient by design."&lt;/p&gt; 
&lt;p&gt;OpenAI rival Anthropic announced a similar tool in &lt;a href="https://www.techtarget.com/searchenterpriseai/news/366642478/Claude-Mythos-Preview-and-the-new-rules-of-cybersecurity"&gt;Claude Mythos Preview&lt;/a&gt; earlier this year -- part of its Project Glasswing initiative -- but has so far strictly limited access to around 50 partner organizations.&lt;/p&gt; 
&lt;p&gt;While experts say the &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Evaluate-the-risks-and-benefits-of-AI-in-cybersecurity"&gt;benefits of integrating security and AI&lt;/a&gt; are significant, some also have concerns about these models working &lt;i&gt;too&lt;/i&gt; well -- uncovering a deluge of vulnerabilities that the typical organization is currently ill-equipped to address.&lt;/p&gt; 
&lt;p&gt;"There's going to be a lot more strain on enterprises' vulnerability management programs because there will be many more new patches coming in that have to be tested, deployed and verified," Eric Parizo, founder, president and chief analyst at Cernivera Research, told TechTarget Security. "That's still a largely manual process for most organizations."&lt;/p&gt; 
&lt;p&gt;Regularly taking applications offline for patching also becomes a business continuity issue, Parizo added. Other experts warned that information from integrated AI security tools should be validated by internal security teams to ensure accuracy. Another concern is that AI tools themselves have their own &lt;a href="https://www.techtarget.com/searchenterpriseai/tip/How-to-manage-generative-AI-security-risks-in-the-enterprise"&gt;weaknesses and vulnerabilities&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;"Using traditional cybersecurity practices such as defense-in-depth and least privilege will aid organizations in determining how best to deploy and operate these AI systems into their workflows," said Harold Booth, computer scientist at NIST. That might mean using authentication and authorization technologies to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecuritys-agentic-AI-identity-crisis-and-how-to-fix-it"&gt;control what AI systems have access to&lt;/a&gt;, he explained, or using containerization or other sandboxing approaches to restrict AI systems' impact.&lt;/p&gt; 
&lt;p&gt;Analysts point to another significant operational issue: When a system such as OpenAI Daybreak discovers a vulnerability, tests the issue, and suggests and validates fixes, who is responsible for the results? Organizations will need human operators to oversee and own AI decisions.&lt;/p&gt; 
&lt;p&gt;Beyond operational accountability, Parizo said platforms such as Daybreak also raise questions about data security, with the AI's access to enterprise software creating new third-party risks.&lt;/p&gt; 
&lt;p&gt;These technical and operational considerations for security decision-makers come against a backdrop in which &lt;a target="_blank" href="https://www.cybersecuritydive.com/news/frontier-ai-rapid-discovery-security-vulnerabilities/820258/" rel="noopener"&gt;both attackers and defenders are adopting AI&lt;/a&gt;. Unfortunately, according to experts, attackers will likely have an early advantage as organizations work through how to manage and govern new AI-driven security platforms such as OpenAI Daybreak.&lt;/p&gt; 
&lt;p&gt;"When something new and unproven comes out, no matter what it is, in the early going it almost always gives attackers an advantage, because defenders just perpetually have more on their plates. Attackers have one job: to cause havoc and steal stuff," Parizo said. "That's why I think this is quickly becoming the No. 1 issue CISOs have to think about, strategize for and budget for, the rest of this year and going forward."&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Craig Galbraith is the founder and owner of Galbraith Multimedia, an independent journalism company that provides writing, editing, video hosting, podcasting, onstage presentation and consulting services to the technology industry.&lt;/i&gt;&lt;/p&gt;</body>
            <description>OpenAI Daybreak shows how AI reshapes vulnerability discovery. But AI-driven security tools raise accountability questions and fuel the AI arms race between defenders and attackers.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/clock-time16.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366643546/For-CISOs-dawn-of-OpenAI-Daybreak-brings-good-and-bad-news</link>
            <pubDate>Wed, 27 May 2026 16:58:00 GMT</pubDate>
            <title>For CISOs, dawn of OpenAI Daybreak brings good and bad news</title>
        </item>
        <item>
            <body>&lt;p&gt;Business email compromise attacks have become some of the most costly and damaging threats facing organizations today. BEC attacks differ from traditional phishing schemes in that they rely on highly targeted social engineering tactics that exploit human psychology rather than technical vulnerabilities. Such attacks can result in significant financial losses, legal repercussions and operational disruptions -- making it imperative for organizations to mitigate them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Types of BEC attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Types of BEC attacks&lt;/h2&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/whatis/definition/business-email-compromise-BEC-man-in-the-email-attack"&gt;BEC attacks&lt;/a&gt; deceive victim employees into transferring money or sharing sensitive company data. These highly targeted attacks often involve extensive research by cybercriminals and the observation of organizational email correspondence to mimic legitimate users and successfully execute their exploits.&lt;/p&gt;
 &lt;p&gt;Common BEC attack scenarios include:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;CEO/executive fraud.&lt;/b&gt; Attackers impersonate a company executive and instruct the targeted staff to make urgent wire or other related financial transfers.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Invoice alteration.&lt;/b&gt; Cybercriminals pose as a trusted vendor or business partner, requesting that payments be redirected to attacker-controlled accounts.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Legal impersonation.&lt;/b&gt; Attackers pretend to be a member of the legal team handling confidential information and request the transfer of specific data.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Payroll/HR impersonation.&lt;/b&gt; Malicious actors impersonate executives or employees to request changes to payroll or W-2 information, moving funds to attacker-controlled accounts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Account takeover.&lt;/b&gt; Attackers fully compromise legitimate user accounts through phishing or by gaining successful access with stolen credentials.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Deepfakes.&lt;/b&gt; Cybercriminals use &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-detect-deepfakes-manually-and-using-AI"&gt;AI-generated or voice-cloned messages&lt;/a&gt; to create convincing requests from leadership.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Real-world examples of BEC attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Real-world examples of BEC attacks&lt;/h2&gt;
 &lt;p&gt;Because they prey on human psychology, concepts of authority and workplace culture, BEC scams are highly effective. The following are just a few examples of how criminals have manipulated employees in recent years.&lt;/p&gt;
 &lt;h3&gt;Meta and Google&lt;/h3&gt;
 &lt;p&gt;Between 2013 and 2015, cybercriminal Evaldas Rimasauskas and his accomplices used the name of a legitimate Taiwan-based hardware supplier, Quanta Computer, to conduct a BEC attack on &lt;a target="_blank" href="https://www.npr.org/2019/03/25/706715377/man-pleads-guilty-to-phishing-scheme-that-fleeced-facebook-google-of-100-million" rel="noopener"&gt;Meta and Google&lt;/a&gt;. The group created a fake business with the same name in Latvia and sent fraudulent invoices with forged contracts, letters, documents and corporate seals to the accounts payable departments of Meta and Google, tricking employees. Google suffered a $23 million loss in 2013, and Meta took a $98 million hit in 2015. Both organizations recovered most or all of the funds stolen in the attack. Rimasauskas was sentenced to five years in prison and ordered to forfeit $50 million and pay $26 million in restitution.&lt;/p&gt;
 &lt;h3&gt;Ubiquiti Networks&lt;/h3&gt;
 &lt;p&gt;In 2015, threat actors impersonated employees at IT company Ubiquiti Networks and &lt;a href="https://www.forbes.com/sites/nathanvardi/2016/02/08/how-a-tech-billionaires-company-misplaced-46-7-million-and-didnt-know-it/?sh=5532e91450b3" target="_blank" rel="noopener"&gt;sent fraudulent payment requests&lt;/a&gt; to the finance department of a Hong Kong subsidiary. The BEC attack, which involved $46.7 million transferred in 14 wire transactions across 17 days to various attacker-controlled overseas accounts, initially went undetected. As of March 2021, Ubiquiti had recovered $18.6 million.&lt;/p&gt;
 &lt;h3&gt;Fischer Advanced Composite Components AG&lt;/h3&gt;
 &lt;p&gt;In 2016, &lt;a href="https://www.reuters.com/article/technology/austrias-facc-hit-by-cyber-fraud-fires-ceo-idUSKCN0YG0ZF/" target="_blank" rel="noopener"&gt;attackers impersonated&lt;/a&gt; Walter Stephan, then-CEO of Austrian aerospace parts manufacturer Fischer Advanced Composite Components AG. A spoofed email sent to a finance department employee, purportedly from Stephan, requested a €50 million transfer for a company acquisition. Once the attack was discovered, the company was able to stop a portion of the payment, but the €42 million already transferred to the attacker-controlled accounts remains unrecovered.&lt;/p&gt;
 &lt;h3&gt;Save the Children&lt;/h3&gt;
 &lt;p&gt;Internationally recognized humanitarian and nonprofit organization Save the Children &lt;a href="https://www.bostonglobe.com/business/2018/12/12/hackers-fooled-save-children-into-sending-million-phony-account/KPnRi8xIbPGuhGZaFmlhRP/story.html" target="_blank" rel="noopener"&gt;faced a BEC attack&lt;/a&gt; in 2017. Cybercriminals successfully compromised an employee's email account and used it to send fraudulent invoices and documents linked to a legitimate project in Asia. Save the Children lost approximately $1 million but recovered 90% of those funds through the foundation's insurance policy.&lt;/p&gt;
 &lt;h3&gt;Toyota Boshoku Corporation&lt;/h3&gt;
 &lt;p&gt;A major parts supplier and Toyota subsidiary was targeted by a BEC attack in 2019 when threat actors &lt;a href="https://www.cpomagazine.com/cyber-security/toyota-subsidiary-loses-37-million-due-to-bec-scam/" target="_blank" rel="noopener"&gt;posed as a trusted business partner&lt;/a&gt; and requested account updates from the finance and accounting departments. Attackers advised victim employees that this request needed to be handled urgently or parts production would be disrupted. The employees were tricked into wiring $37 million to an attacker-controlled foreign account. The recovery status of the funds is still unknown.&lt;/p&gt;
 &lt;h3&gt;Government of Puerto Rico&lt;/h3&gt;
 &lt;p&gt;In 2019, the Puerto Rican government was targeted by a BEC attack. Attackers &lt;a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/puerto-rico-loses-millions-in-email-scam" target="_blank" rel="noopener"&gt;compromised the email account&lt;/a&gt; of a finance employee at the Puerto Rico Employment Retirement System and used it to send fake emails requesting changes to bank account information for remittance payments to various government agencies. Employees at Puerto Rico Industrial Development Company and the Puerto Rico Tourism Company updated the payment information without verification. The attackers stole approximately $6.8 million from the Puerto Rico Industrial Development Company and $1.5 million from the Puerto Rico Tourism Company. Authorities were able to freeze $2.9 million in payments as soon as the attack was discovered.&lt;/p&gt;
 &lt;h3&gt;City of Lexington, Kentucky&lt;/h3&gt;
 &lt;p&gt;In 2022, city employees in Lexington, Kentucky, &lt;a href="https://www.cnn.com/2022/08/29/politics/kentucky-4-million-cyber-theft/index.html" target="_blank" rel="noopener"&gt;received an email&lt;/a&gt; from someone claiming to be from the Community Action Council, a local nonprofit housing organization, requesting an update to its bank account information. Employees did not follow proper verification procedures through alternative channels and processed the change, resulting in approximately $4 million in federal rent assistance and transitional housing money being sent across three wire transfers to fraudulent accounts. At least some funds were frozen quickly by financial institutions as soon as the fraud was detected.&lt;/p&gt;
 &lt;p&gt;The collective losses from incidents like these total hundreds of millions of dollars, with many organizations unable to recover their stolen funds. What makes BEC attacks particularly dangerous is their reliance on exploiting human trust and organizational hierarchies rather than sophisticated technical hacking. As cybercriminals continue to refine their social engineering tactics and use emerging technologies such as AI-generated deepfakes, organizations must prioritize &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;comprehensive employee training&lt;/a&gt;, implement verification procedures for financial transactions and foster a &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-tips-for-building-a-cybersecurity-culture-at-your-company"&gt;security-conscious culture&lt;/a&gt; where employees feel empowered to question suspicious requests regardless of the apparent source.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Amanda Scheldt is a security content writer and former security research practitioner.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>From tech giants to nonprofits, no organization is immune to trust-eroding business email compromise attacks. Learn more about BEC scams and the fallout when employees get tricked.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/keyboard_g1307915204.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Inside-business-email-compromise-attack-Real-world-examples</link>
            <pubDate>Wed, 27 May 2026 09:09:00 GMT</pubDate>
            <title>Inside business email compromise attacks: Real-world examples</title>
        </item>
        <item>
            <body>&lt;p&gt;The threat landscape is undergoing rapid and unprecedented change, as reflected in the "Verizon 2026 Data Breach Investigations Report." For the first time in the report's 19-year history, vulnerability exploitation was the leading initial access vector, displacing credential abuse from the top spot. It was also the first year that researchers &lt;a target="_blank" href="https://www.anthropic.com/news/disrupting-AI-espionage" rel="noopener"&gt;documented&lt;/a&gt; an AI-executed state-sponsored attack, bringing the hypothetical and experimental into reality.&lt;/p&gt; 
&lt;p&gt;But the more things change, the more they stay the same.&lt;/p&gt; 
&lt;p&gt;"The 2026 edition of the DBIR invites you to consider the importance of the fundamentals of cybersecurity as the best way to brave all of this change," the &lt;a target="_blank" href="https://www.verizon.com/business/resources/reports/dbir/" rel="noopener"&gt;report&lt;/a&gt; reads. "A little cyber-stoicism, if you will."&lt;/p&gt; 
&lt;p&gt;Simply put, the tried-and-true best practices security teams have relied on for years -- from visibility and patching to MFA and policies -- are key to winning the fight against cyberattackers.&lt;/p&gt; 
&lt;p&gt;Below are six key takeaways from the 2026 DBIR for CISOs and their teams.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Vulnerability exploitation overtakes stolen credentials"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Vulnerability exploitation overtakes stolen credentials&lt;/h2&gt;
 &lt;p&gt;Exploiting vulnerabilities became the most common method threat actors use to gain initial access to victims' networks -- accounting for 31% of attacks, up from 20% in 2024 -- displacing credential abuse as the longstanding leading vector.&lt;/p&gt;
 &lt;p&gt;Organizations are clearly struggling to remediate flaws, with the DBIR reporting that only 26% of CISA's Known Exploited Vulnerabilities (KEVs) were fully remediated in 2025, down from 38% the previous year. To make matters worse, the report noted, median remediation time increased from 32 days to 43 days, perhaps in part because the median number of KEVs was 16 in 2025, up from 11 in 2024.&lt;/p&gt;
 &lt;p&gt;Because the report's data set spans October 2024 through November 2025, it predates the release of Mythos, suggesting future reports could see even higher levels of vulnerability exploitation.&lt;/p&gt;
 &lt;p&gt;Credential abuse dropped to 13% from 22%, partially attributed to the addition of pretexting as an initial access vector (more on that below).&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Vulnerability management and patching advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-a-better-vulnerability-management-program"&gt;How to build a better vulnerability management program&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Benefits-of-risk-based-vulnerability-management-over-legacy-VM"&gt;Benefits of risk-based vulnerability management over legacy vulnerability management&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/5-enterprise-patch-management-best-practices"&gt;Enterprise patch management best practices&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Security-patch-validation-and-verification"&gt;How to conduct security patch validation and verification&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Bad news and good news on ransomware"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Bad news and good news on ransomware&lt;/h2&gt;
 &lt;p&gt;Ransomware proved yet again that it's the threat that keeps on threatening. Nearly half of all incidents (48%) involved some form of ransomware, up from 44% in the previous reporting period.&lt;/p&gt;
 &lt;p&gt;On the somewhat positive side, 69% of victims did not pay the ransom, and the median ransomware payment decreased from $150,000 to $139,875.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Ransomware advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-and-protect-against-ransomware"&gt;How to prevent and protect against ransomware&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Top-10-ransomware-targets-in-2021-and-beyond"&gt;Top ransomware targets by industry&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-remove-ransomware-step-by-step"&gt;How to remove ransomware: Step by step&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to"&gt;Ransomware payments: Considerations before paying&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Shadow AI becomes a major insider risk"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Shadow AI becomes a major insider risk&lt;/h2&gt;
 &lt;p&gt;Despite a slight year-over-year decline, use of noncorporate GenAI accounts on corporate devices remains widespread, with 67% of users still relying on them to access AI services. AI adoption among employees has accelerated: 45% are now regular users of AI tools, authorized or otherwise, compared with just 15% in 2024.&lt;/p&gt;
 &lt;p&gt;Shadow AI was named the third most common nonmalicious insider risk detected in the DBIR's data loss prevention (DLP) data set, a 400% increase from 2024. The DBIR found users commonly leak source code, images and other structured data to GenAI models, and that 3.2% of DLP policy violations involve employees leaking intellectual property, such as research or technical documentation, to LLMs.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;AI security advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Shadow-AI-How-CISOs-can-regain-control-in-2026"&gt;Shadow AI: How CISOs can regain control&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-craft-a-generative-AI-security-policy-that-works"&gt;How to craft an effective AI security policy for enterprises&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-AI-acceptable-use-policy-plus-template"&gt;How to create an AI acceptable use policy, plus template&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-secure-AI-infrastructure-Best-practices"&gt;How to secure AI infrastructure: Best practices&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Third-party attacks account for almost half of all breaches"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Third-party attacks account for almost half of all breaches&lt;/h2&gt;
 &lt;p&gt;Breaches involving third parties increased by 60%, accounting for 48% of all breaches in 2025 compared to 30% in 2024.&lt;/p&gt;
 &lt;p&gt;The DBIR breaks supply chain breaches into three categories:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Vendor in an organization's software supply chain.&lt;/b&gt; The initial access vector was under the organization's control, but the weakness originated with the vendor: a vulnerable or trojanized vendor product, as in the &lt;a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know"&gt;SolarWinds breach&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vendor hosting an organization's data in its environment.&lt;/b&gt; Initial access was against a vendor that stores the organization's data. For example, the &lt;a href="https://www.techtarget.com/searchsecurity/news/366587176/Threat-actor-targeting-Snowflake-database-customers"&gt;Snowflake attack&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Vendor with a connection to an organization's environment.&lt;/b&gt; Initial access was against the vendor, followed by lateral movement into the organization's environment. For example, the &lt;a href="https://www.techtarget.com/searchsecurity/feature/Lessons-learned-from-high-profile-data-breaches"&gt;Target breach&lt;/a&gt;.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The report noted that "at first glance, there doesn't appear to be anything that could have been done to prevent these from the victim organization's perspective," but that the root causes of many incidents involving third parties boil down to "insecure authentication -- absence of MFA, improper credential rotation -- or lack of least privilege enforcement for users or service accounts." Those are controls the victim organization does own, even when the account in question belongs to a vendor.&lt;/p&gt;
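 &lt;p&gt;The three root causes the report names are all checkable against an identity inventory. The following script is added here as an illustration and is not code from the DBIR, Verizon or TechTarget: it audits a constructed inventory of human and service principals for missing MFA, credentials older than an assumed 90-day rotation limit, and wildcard permissions. The record layout, the vendor tag and the "service:*" wildcard convention are assumptions.&lt;/p&gt;

```python
"""Audit a constructed identity inventory for the three root causes the DBIR
names behind third-party breaches: missing MFA, stale credentials and
over-broad privilege. Added example, not the DBIR's or TechTarget's code.
Assumptions: the record layout below, a 90-day rotation policy and the
convention that "*" or "name:*" is a wildcard grant."""
from dataclasses import dataclass, field
from datetime import date

MAX_CREDENTIAL_AGE_DAYS = 90          # assumed rotation policy
AS_OF = date(2025, 11, 30)            # audit date for the sample run


@dataclass
class Principal:
    name: str
    kind: str                         # "human" or "service"
    mfa_enabled: bool
    credential_issued: date           # password or key issue date
    permissions: list = field(default_factory=list)
    vendor: str = ""                  # third party that owns the principal


def credential_age_days(p, today):
    """Days since the principal's current credential was issued."""
    return (today - p.credential_issued).days


def is_wildcard(permission):
    """'*' or 'service:*' grants more than any single task needs."""
    return permission == "*" or permission.endswith(":*")


def audit(principals, today):
    """Return (principal, finding) pairs, one per weakness found."""
    findings = []
    for p in principals:
        # MFA is a human control; service accounts are judged on key age.
        if p.kind == "human" and not p.mfa_enabled:
            findings.append((p.name, "no_mfa"))
        if credential_age_days(p, today) > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((p.name, "stale_credential"))
        if any(is_wildcard(perm) for perm in p.permissions):
            findings.append((p.name, "excessive_privilege"))
    return findings


def vendor_findings(principals, today):
    """Only the findings on principals owned by a third party."""
    by_name = {p.name: p for p in principals}
    return [(n, f) for n, f in audit(principals, today) if by_name[n].vendor]


# Constructed sample inventory; none of these are real accounts.
SAMPLE = [
    Principal("hvac-vendor-portal", "human", False, date(2025, 10, 1),
              ["billing:read"], vendor="Acme HVAC"),
    Principal("etl-svc", "service", True, date(2025, 1, 10),
              ["warehouse:*"]),
    Principal("ci-deployer", "service", True, date(2025, 10, 20),
              ["deploy:write"]),
    Principal("analyst1", "human", True, date(2025, 11, 1),
              ["reports:read"]),
]


def run_audit():
    """Audit the sample inventory as of AS_OF."""
    return audit(SAMPLE, AS_OF)


if __name__ == "__main__":
    for name, finding in run_audit():
        print(f"{name}: {finding}")
```

 &lt;p&gt;On the sample inventory the script flags the vendor's portal login for missing MFA and the ETL service account for both a 324-day-old key and a warehouse-wide grant, which is the combination the report describes. Plugging a real IdP or cloud IAM export into the same three checks is the practical version of the advice.&lt;/p&gt;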
 &lt;p&gt;&lt;b&gt;Third-party and supply chain security advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Counter-third-party-risk-with-continuous-vendor-monitoring"&gt;Counter third-party risk with continuous vendor monitoring&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework"&gt;How to build an effective third-party risk assessment framework&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-a-third-party-risk-management-policy"&gt;How to create a third-party risk management policy&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-manage-third-party-risk-in-the-cloud"&gt;How to manage third-party risk in the cloud&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Social engineering tactics shift slightly"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Social engineering tactics shift slightly&lt;/h2&gt;
 &lt;p&gt;While email phishing remains the social engineering vector of choice, many threat actors now target victims on their mobile devices, possibly with greater success. The DBIR noted that mobile-centric voice- or text-based lures achieved a 40% higher click-through rate in phishing simulations than email-based campaigns. The report suggested that attackers are circumventing traditional enterprise phishing defenses by reaching users directly on their devices rather than through the corporate mailbox.&lt;/p&gt;
 &lt;p&gt;Pretexting was also separated from credential misuse in this year's DBIR, accounting for 6% of initial access vectors. Although that is the same share as in the previous report, the DBIR justified treating it as a distinct initial access vector by its role in the high-profile ransomware breaches analyzed for the report.&lt;/p&gt;
 &lt;p&gt;Phishing, the report explained, is asynchronous: a lure that results in the victim sharing credentials, downloading a malicious file or clicking a spoofed link, with no live attacker in the loop. Pretexting has a synchronous component, such as an attacker building a trusted relationship with the victim in real time before manipulating them into sharing sensitive data or transferring money.&lt;/p&gt;
 &lt;p&gt;"If there is someone on the other side of the proverbial line interacting with you to do something you shouldn't, that's pretexting," the report noted.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Social engineering and phishing advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-avoid-and-prevent-social-engineering-attacks"&gt;How to avoid and prevent social engineering attacks&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/How-to-avoid-phishing-hooks-A-checklist-for-your-end-users"&gt;Phishing prevention: How to spot, stop and respond to scams&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-How-to-prevent-business-email-compromise"&gt;CISO's guide: How to prevent business email compromise&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/3-BYOD-security-risks-and-how-to-prevent-them"&gt;BYOD security risks and how to prevent them&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="AI is changing how attackers attack"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;AI is changing how attackers attack&lt;/h2&gt;
 &lt;p&gt;DBIR researchers collaborated with Anthropic to study how threat actors misuse AI platforms. Mapping the observed activity to the Mitre ATT&amp;amp;CK framework, the DBIR and Anthropic researchers found that attackers used AI across 15 ATT&amp;amp;CK techniques, with some actors using it across as many as 40 or 50.&lt;/p&gt;
 &lt;p&gt;For example, threat actors use GenAI to develop malware, select targets, gain initial access and perform routine tasks such as file obfuscation or forensic cleanup. Fewer than 2.5% of the AI-assisted actions involved uncommon techniques. In other words, attackers mostly use AI to automate and scale well-known techniques rather than to create novel or rare attacks.&lt;/p&gt;
 &lt;p&gt;"But who knows? Given the rate of change in AI capabilities, this assessment might be obsolete by the time this report is finally published," the report said.&lt;/p&gt;
 &lt;p&gt;The report and its findings also precede the news surrounding Mythos and Glasswing, developments that could reshape how threat actors use AI.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;AI security advice&lt;/b&gt;&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-AI-malware-works-and-how-to-defend-against-it"&gt;How AI malware works and how to defend against it&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now"&gt;AI-powered attacks: What CISOs need to know now&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Generative-AI-is-making-phishing-attacks-more-dangerous"&gt;How AI is making phishing attacks more dangerous&lt;/a&gt;&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Lessons-in-the-new-era-of-AI-enabled-cybercrime"&gt;Lessons in the new era of AI-enabled cybercrime&lt;/a&gt;&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;&lt;em&gt;Sharon Shea is executive editor of TechTarget Security.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>The 2026 DBIR -- practically required reading for CISOs -- identifies critical enterprise security trends, from exploit-driven breaches to shadow AI dangers and third-party risks.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/clock-time14.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366643420/Verizon-DBIR-Key-takeaways-for-CISOs</link>
            <pubDate>Fri, 22 May 2026 16:33:00 GMT</pubDate>
            <title>Verizon 2026 DBIR: 6 key takeaways for CISOs</title>
        </item>
        <item>
            <body>&lt;p&gt;AI agents are proliferating across the enterprise, with use cases ranging from IT and security operations to legal and compliance tasks.&lt;/p&gt; 
&lt;p&gt;Omdia, a division of Informa TechTarget, &lt;a target="_blank" href="https://research.esg-global.com/reportaction/515202205/Marketing" rel="noopener"&gt;published&lt;/a&gt; the results of a survey of 400 security leaders that showed the state of identity security for AI agents. There has been a lot of noise about AI agent security in the marketplace, and the data provided clarity around the importance of building a strong foundation of identity security to enable AI adoption.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Identity security and AI agents"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Identity security and AI agents&lt;/h2&gt;
 &lt;p&gt;AI agents represent a dramatic expansion of the enterprise attack surface. There are multiple layers to any technology stack for AI agent security. For example, teams need AI security posture management to counter &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-data-poisoning-attacks-work"&gt;model poisoning&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"&gt;prompt injection attacks&lt;/a&gt;, data security posture management to ensure the right data reaches the AI infrastructure, and data loss prevention and insider risk protection.&lt;/p&gt;
 &lt;p&gt;Any AI agent security strategy needs to be built on a solid identity security foundation for AI agents to deliver management, security and governance.&lt;/p&gt;
 &lt;p&gt;Identity teams have a unique perspective on AI agents. They already manage identity and access management (IAM) for human identities and &lt;a href="https://www.techtarget.com/searchsecurity/tip/CISOs-guide-to-nonhuman-identity-security"&gt;nonhuman identities&lt;/a&gt; (NHIs), and are now responsible for managing and securing AI agent identities. So, how can they build an effective program to manage those identities, too?&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="AI agents: NHIs or something else?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;AI agents: NHIs or something else?&lt;/h2&gt;
 &lt;p&gt;At first blush, an AI agent is another type of NHI, alongside service accounts, API keys and OAuth tokens. But dig deeper and they have significant differences.&lt;/p&gt;
 &lt;p&gt;NHIs are mostly deterministic -- use input X, and consistently get output Y. And NHIs typically cannot make decisions and act. AI agents, on the other hand, are nondeterministic. Use input A, and you might get different outputs -- B1, B2 or B3 -- depending on the circumstances. AI agents work 24/7 and take whatever steps necessary -- within some guardrails -- to achieve their goals.&lt;/p&gt;
 &lt;p&gt;Omdia research found that a slight majority of identity leaders consider AI agents a distinct category of identity rather than another type of NHI, and I expect that perception will grow over time.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="AI agent proliferation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;AI agent proliferation&lt;/h2&gt;
 &lt;p&gt;The research found that AI agents are being deployed in nearly every function across the enterprise with a &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Real-world-agentic-AI-examples-and-use-cases"&gt;variety of use cases&lt;/a&gt;, from supporting IT ops to streamlining sales and marketing. AI agents are being prioritized for deployment in the cloud, in SaaS environments and on endpoints.&lt;/p&gt;
 &lt;p&gt;Omdia asked identity security leaders how many distinct AI agent projects, workflows or deployments -- each involving a multitude of agents -- they were involved in. The answer was surprising: 22. The number of projects for midmarket companies (&amp;lt;1000 employees) was slightly lower (16). But that is still a hefty number of projects, and identity teams will need consistent management, governance and identity security policies and processes to support them.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="The AI agent identity imperative: Enabling AI agent adoption"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The AI agent identity imperative: Enabling AI agent adoption&lt;/h2&gt;
 &lt;p&gt;Identity teams have frequently had the undeserved reputation of being "Team No" within their organizations. The perception is that IAM teams slow down projects due to compliance, governance and identity security concerns.&lt;/p&gt;
 &lt;p&gt;Identity teams now have an opportunity to be "Team Yes" and help accelerate AI agent projects through consistent, scalable management and governance. Laying down common IAM "railroad tracks" along which a multitude of AI agent projects can run will improve scalability, business velocity, security and compliance posture. Getting ahead of the problem now will help control against &lt;a href="https://www.techtarget.com/searchsecurity/opinion/Identity-security-tool-sprawl-Origins-and-the-way-forward"&gt;tool fragmentation&lt;/a&gt; in the future.&lt;/p&gt;
 &lt;p&gt;Solving the identity security problem requires multiple core capabilities:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Visibility &lt;/b&gt;of agents across the enterprise. This includes cloud -- Amazon Bedrock, Google Gemini Enterprise Agent Platform (formerly Vertex AI), Microsoft Copilot Studio, etc.; SaaS -- Salesforce Agentforce, Workday agents, etc.; endpoints -- Cursor, Claude Code, copilots, etc.; and points in between. Visibility requires an inventory that includes human creators and owners, as well as observability to understand what agents are doing and whether they are drifting from their intended state.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Fine-grained access controls &lt;/b&gt;ensure agents are granted the minimum permissions required to perform their tasks. Policies need to be context-aware and adapt to factors such as task scope and risk level to reduce the risk of misuse and limit the incident blast radius.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Governance&lt;/b&gt; extends human &lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-governance-and-administration-IGA"&gt;identity governance and administration&lt;/a&gt; to AI agents. It enforces policies around who or what can create, approve and manage agent identities and their entitlements. This aligns AI agent access with organizational policies, compliance requirements and risk management frameworks and helps control against agent drift.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Lifecycle management&lt;/b&gt; for agents, from creation and onboarding to modification and decommissioning. This prevents orphaned or stale identities from becoming security risks and lets teams shut down behavior inconsistent with an agent's intended purpose.&lt;/li&gt; 
 &lt;/ul&gt;
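 &lt;p&gt;The four capabilities above can be tied together in a very small piece of code. The following is an added example, not Omdia's code or any vendor's product: a registry in which each agent identity carries a human owner (visibility), a set of task scopes with a short time-to-live (fine-grained access), an approval field (governance) and a decommissioned flag plus an orphan check for agents whose owner has left (lifecycle). The record layout, the scope strings, the 24-hour default TTL and the list of active humans are all assumptions.&lt;/p&gt;

```python
"""Minimal registry and authorization check for AI agent identities.
Added example, not Omdia's or any vendor's code. Assumptions: the record
layout below, "resource:action" scope strings, a 24-hour default grant
lifetime and a constructed feed of currently active human owners."""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_TTL = timedelta(hours=24)       # assumed: agent grants are short-lived
ACTIVE_HUMANS = {"alice", "bob"}        # constructed HR/IdP feed of active staff


@dataclass
class AgentIdentity:
    agent_id: str
    owner: str                          # human accountable for the agent
    scopes: set                         # e.g. {"tickets:read", "tickets:comment"}
    approved_by: str                    # empty until governance approval
    created: datetime
    ttl: timedelta = DEFAULT_TTL
    decommissioned: bool = False

    def expired(self, now):
        """The grant lapses once its TTL has passed; re-approval renews it."""
        return now - self.created > self.ttl


def authorize(agent, scope, now):
    """Return (allowed, reason); every denial names the control that failed."""
    if agent.decommissioned:
        return False, "decommissioned"
    if agent.owner not in ACTIVE_HUMANS:
        return False, "orphaned: owner no longer active"
    if not agent.approved_by:
        return False, "not approved"
    if agent.expired(now):
        return False, "grant expired"
    if scope not in agent.scopes:
        return False, f"scope {scope} not granted"
    return True, "ok"


def orphaned_agents(registry):
    """Agents still live whose owner has left: the lifecycle gap to close."""
    return sorted(a.agent_id for a in registry
                  if not a.decommissioned and a.owner not in ACTIVE_HUMANS)


def decommission(agent):
    """Retire an agent; authorize() then denies it regardless of scope."""
    agent.decommissioned = True
    return agent


T0 = datetime(2026, 5, 1, 9, 0)         # constructed creation time
REGISTRY = [
    AgentIdentity("triage-bot", "alice", {"tickets:read", "tickets:comment"},
                  "secops-lead", T0),
    AgentIdentity("deploy-bot", "carol", {"deploy:write"},
                  "platform-lead", T0),  # carol has left: orphaned
    AgentIdentity("draft-bot", "bob", {"docs:write"}, "", T0),  # never approved
]


def demo():
    """Three decisions for triage-bot: in scope, out of scope, and expired."""
    bot = REGISTRY[0]
    return [
        authorize(bot, "tickets:comment", T0 + timedelta(hours=1)),
        authorize(bot, "tickets:delete", T0 + timedelta(hours=1)),
        authorize(bot, "tickets:comment", T0 + timedelta(hours=25)),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
    print("orphaned:", orphaned_agents(REGISTRY))
```

 &lt;p&gt;The point of the shape is that each denial maps to one of the capabilities in the list: an orphan check needs the owner inventory, an expiry needs the TTL, and a decommission flag needs the lifecycle process that sets it. A production deployment would back the registry with the IdP and issue the scopes as short-lived tokens, but the decision logic does not change.&lt;/p&gt;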
 &lt;p&gt;This is a fast-moving space. The questions practitioners were asking six months ago are different from those they ask today.&lt;/p&gt;
 &lt;p&gt;In addition to the above core capabilities, adjacent identity security capabilities will emerge over time and with experience. For example, &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-identity-threat-detection-and-response-ITDR"&gt;identity threat detection and response&lt;/a&gt; and identity security posture management need to cover AI agents alongside existing human identities and NHIs. In addition, identity verification for the human owner of an AI agent will become increasingly important in an era of AI deepfakes. The list will grow.&lt;/p&gt;
 &lt;p&gt;Established platform players -- including Cisco, CrowdStrike, Microsoft, Okta, Palo Alto Networks and CyberArk, Ping Identity, SailPoint and Saviynt -- are expanding their existing identity security offerings to cover AI agent identity security. Cloud service providers -- AWS, GCP and Azure -- are securing AI agent identities in their environments and beyond. There is also a host of new and emerging players, such as Aembit, Andromeda Security, AppViewX, Barndoor AI, BlueFlag Security, C1, Entro Security, Keycard, Natoma, Oasis Security, Silverfort, Token Security and Teleport.&lt;/p&gt;
 &lt;p&gt;Adequately securing and managing AI agent identities will require multiple identity tools to accommodate diverse use cases. AI agents are evolving at an astounding pace. Identity security for AI agents is nascent and moving quickly, and identity issues and standards are still emerging.&lt;/p&gt;
 &lt;p&gt;Enterprises need to take steps now to avoid having the search for perfection be the enemy of the good. That translates into understanding the risks associated with AI agents' identities and then beginning the journey to mitigate them, rather than falling into analysis paralysis.&lt;/p&gt;
 &lt;p&gt;An existing vendor might have a strong enough tool today, or teams might need to explore an emerging player's offerings. CISOs and their teams should start by &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Security-risks-in-agentic-AI-systems-and-how-to-evaluate-threats"&gt;assessing their organization's risks&lt;/a&gt;, priorities and requirements. Then look for a tool or tools that work today and can grow as organizational needs evolve to maintain strong identity security for the AI agent fleet.&lt;/p&gt;
 &lt;p&gt;It is an amazing time to work in identity; the dynamism makes your head spin! If you are a new technology player solving an interesting new identity or data security problem, or an innovative approach to an existing challenge, I would like to hear about it. You can reach me via LinkedIn.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Todd Thiemann is a senior analyst covering identity access management and data security for Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.&lt;/em&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Omdia is a division of&amp;nbsp;Informa TechTarget.&amp;nbsp;Its analysts have business relationships with technology vendors.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Identity teams can accelerate AI adoption with strong security foundations. But managing nondeterministic AI agents is different from securing human identities and traditional NHIs.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_g1183318665.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/opinion/Identity-security-for-AI-agents-The-proliferation-challenge</link>
            <pubDate>Fri, 22 May 2026 13:16:00 GMT</pubDate>
            <title>Identity security for AI agents: The proliferation challenge</title>
        </item>
        <item>
            <body>&lt;p&gt;
 &lt;!-- CONTENT COMPONENT :74294--&gt;&lt;/p&gt; 
&lt;p&gt;Business impact analysis is key to developing an effective and comprehensive business continuity and disaster recovery plan.&lt;/p&gt; 
&lt;p&gt;The business impact analysis (&lt;a href="https://www.techtarget.com/searchstorage/definition/business-impact-analysis"&gt;BIA&lt;/a&gt;) process involves identifying all potential threats and vulnerabilities to the business in the event of a disaster, accident, emergency or other unplanned circumstances. It also involves uncovering the most critical components of the business -- the systems, people and technology the business could not run without.&lt;/p&gt; 
&lt;p&gt;This analysis often serves as the foundation for a business continuity and disaster recovery (BCDR) plan. A BCDR plan should back up and restore the essential functions of the business to keep it running and minimize disruptions, even in the face of a disaster. BIA helps identify those essential functions, quantify the effects of unplanned events and prioritize the components that must be replaced or recovered first.&lt;/p&gt; 
&lt;p&gt;However, IT teams may not know where to start with a BIA project. What data should they collect? What tasks should they perform? How can they transform analysis into tactical execution? That's where a business impact analysis checklist comes into play.&lt;/p&gt; 
&lt;p&gt;Below, learn why a checklist matters, how to prepare for BIA, what to include in a checklist and how to turn the insights into actionable next steps.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why a business impact analysis checklist matters"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why a business impact analysis checklist matters&lt;/h2&gt;
 &lt;p&gt;A BIA checklist, while not mandatory, is incredibly valuable to the BIA process. The process can be complex, with many moving parts, especially as it often &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tutorial/Business-impact-analysis-questionnaire-template"&gt;involves gathering information&lt;/a&gt; across an entire organization.&lt;/p&gt;
 &lt;p&gt;The process must account for, and possibly interview or survey, every department, team and individual, and even third-party partners and vendors. It must also document every workflow, process and component that makes up the business's infrastructure.&lt;/p&gt;
 &lt;p&gt;That's a lot of information to collect and organize, and missing one data point could mean overlooking a critical dependency during a disaster. A BIA checklist can help lay out all BIA steps in a simplified, easily digestible format. It can also help itemize every required task and align those tasks with their owners. This makes it easier to track progress at a high level and peer deeper into bottlenecks if progress stalls.&lt;/p&gt;
 &lt;p&gt;It's not all about organization and clarity, though. A checklist can also showcase the strategy behind BIA.&lt;/p&gt;
 &lt;p&gt;Many organizations are becoming outcome-driven, measuring success by impact. A BIA checklist can make it clear that everyone in the organization is involved and needs to do their part to protect the business and its people in any scenario. This underlines the strategy behind BIA, its effects and outcome.&lt;/p&gt;
 &lt;p&gt;Finally, the current threat landscape is more complex and sophisticated than ever, in part due &lt;a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now"&gt;to AI-assisted cyberattacks&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;But even as AI supercharges the efforts of bad actors, businesses also have to compete with increasing global and local &lt;a href="https://www.techtarget.com/sustainability/tip/Build-a-comprehensive-supply-chain-traceability-checklist"&gt;supply chain vulnerabilities&lt;/a&gt; and more frequent and extreme natural disasters due to the rising impacts of climate change. Inadequate BIA will only worsen the financial and operational consequences of an unplanned event.&lt;/p&gt;
 &lt;p&gt;Organizations of all sizes across industries should invest in &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/disaster-recovery-plan"&gt;disaster recovery planning&lt;/a&gt;, because it's not a matter of if a disaster will happen but when. Being prepared can help the company recover quickly and minimize the aftereffects, no matter the circumstance.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Pre-BIA preparation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Pre-BIA preparation&lt;/h2&gt;
 &lt;p&gt;Before building a BIA checklist, teams should tackle the following tasks:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Secure executive support.&lt;/b&gt; BIA requires a comprehensive examination of the organization, which needs executive buy-in to support the initiative and ensure cooperation from all parties involved. Senior leadership can help identify those responsible for the BIA, oversee the report's progress and final results, and approve disaster recovery planning based on the BIA.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Assemble a cross-functional team.&lt;/b&gt; When senior leadership approves, they can help assemble a cross-functional team to gather all necessary data to support the BIA. This step helps avoid bottlenecks, encourages cooperation and builds the most accurate analysis possible.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Define BIA scope and objectives.&lt;/b&gt; A &lt;a href="https://www.techtarget.com/searchdisasterrecovery/feature/Preparing-an-annual-schedule-of-business-continuity-activities"&gt;timeline and high-level goals&lt;/a&gt; can drive a successful BIA execution and achieve the appropriate outcome. For some organizations, a BIA's purpose may be to lay a foundation for BCDR planning. For others, it may be an exercise to understand downtime's potential financial effects. Regardless, setting objectives and outlining the project's scope can align the team and ensure the process extracts the right insights.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Gather baseline documentation.&lt;/b&gt; Baseline documentation can help organize and outline complex, data-heavy data collection processes. This can streamline the analysis down the line. For example, the International Organization for Standardization provides a framework for the BIA process in &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/ISO-22317-International-Standards-Organization-22317"&gt;ISO/TS 22317&lt;/a&gt;. This can be a good starting point to establish baseline documentation and a formal process to follow.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/risk_assessment.png "&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/risk_assessment_mobile.png " class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/risk_assessment_mobile.png  960w,https://www.techtarget.com/rms/onlineImages/risk_assessment.png  1280w" alt="Risk assessment chart " height="451" width="520"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A risk assessment determines likelihood of potential disasters to hit an organization. 
  &lt;/figcaption&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="What to include in a business impact analysis checklist"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What to include in a business impact analysis checklist&lt;/h2&gt;
 &lt;p&gt;Though the methodology and format of BIA checklists can differ, most cover the following steps:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Identify critical business functions.&lt;/b&gt; To start, map out the business's infrastructure. This can be done visually during this stage of planning to understand how the business functions and what functions are critical to operations at a high level. As the BIA progresses and more data is gathered, all essential business functions should be clearly and concisely documented in an organized, digestible format.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Determine recovery time objectives (RTOs) and recovery point objectives (RPOs).&lt;/b&gt; An &lt;a href="https://www.techtarget.com/whatis/definition/recovery-time-objective-RTO"&gt;RTO&lt;/a&gt; establishes the amount of time a system or process can be down for before irreparable business harm is caused. An &lt;a href="https://www.techtarget.com/whatis/definition/recovery-point-objective-RPO"&gt;RPO&lt;/a&gt; is similar, but specifically refers to business data and the maximum amount of data loss a business can afford to suffer. Both metrics can help &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/How-to-calculate-maximum-allowable-downtime"&gt;determine the business's maximum tolerable downtime&lt;/a&gt; (MTD).&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Assess the operational and financial effects.&lt;/b&gt; The RTO, RPO and MTD values should feed directly into estimates of what unplanned events and business disruptions cost. Teams can then analyze the data to assess the operational and financial effects of different disaster scenarios, counting the cost and duration of the recovery process itself and not just the outage.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Identify resource requirements.&lt;/b&gt; All resources required to remain operational should be documented. In this case, &lt;i&gt;resources&lt;/i&gt; covers a broad spectrum, including human personnel, technical infrastructure, system components, materials and supplies, data backups, communication channels, and anything else critical to the business. The list should be exhaustive, but each resource should also be weighted based on priority.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Document dependencies and single points of failure.&lt;/b&gt; Once every resource requirement, critical business function and performance metric is outlined, teams should consider the business's infrastructure. What is the relationship between each resource and process? What technology supports which workflows? Which people are required to execute critical tasks? What &lt;a href="https://www.techtarget.com/searchdatacenter/definition/Single-point-of-failure-SPOF"&gt;single points of failure&lt;/a&gt; exist whose loss would halt operations entirely? Charting these dependencies and understanding the web of relationships that make up the business directly informs BCDR planning.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Conduct stakeholder interviews.&lt;/b&gt; Institutional knowledge and role expertise should not be underestimated. Even with a thorough understanding of systems, it's possible to miss operational gaps unless key stakeholders are interviewed. Interviews can build a more comprehensive understanding of how certain processes work and how they affect the business.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Post-BIA analysis and validation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Post-BIA analysis and validation&lt;/h2&gt;
 &lt;p&gt;Conducting a BIA is only part of the equation. To fully complete the BIA process, teams must perform a thorough analysis and evaluation.&lt;/p&gt;
 &lt;p&gt;This should include the following steps:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Analyze and prioritize findings.&lt;/b&gt; Post-BIA, teams must explore the findings. If a previous BIA exists, compare the new results to the old findings to see what has changed and why. This can also identify anything that was overlooked. Then, establish actionable next steps based on the analysis and prioritize tasks by severity, impact and timeliness.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Validate results.&lt;/b&gt; Because BIA is meant to inform BCDR planning, the report must have accurate results and data. As such, teams should conduct data validation and statistical analysis to ensure the data is consistent, complete and falls within expected boundaries. &lt;a href="https://www.techtarget.com/searchdatamanagement/tip/6-dimensions-of-data-quality-boost-data-performance"&gt;High-quality data&lt;/a&gt; and validated BIA results can then drive strategic execution.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Document and communicate.&lt;/b&gt; Finally, document all findings and BIA process steps. Make the results easily accessible in the event of a disaster to help validate BCDR tasks. Given that BIA should occur at least annually, documenting the process steps can streamline future BIA efforts. Organizations can reuse and update these checklists year over year. They should also communicate all results to disaster planners, executive leadership and team leaders to align the whole organization on critical tasks, roles and responsibilities.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;With a BIA checklist, business leaders and BCDR planners can bridge the gap between strategic planning and tactical execution. This can help organizations identify critical business functions, quantify the potential effects of disruptions or unplanned events, and build data-driven recovery strategies that can translate into actionable next steps.&lt;/p&gt;
  &lt;p&gt;&lt;em&gt;Jacob Roundy is a freelance writer and editor with more than a decade of experience specializing in a variety of technology topics, such as data centers, business intelligence, AI/ML, climate change and sustainability. His writing focuses on demystifying tech, tracking trends in the industry, and providing practical guidance to IT leaders and administrators.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>A business impact analysis is a critical part of disaster recovery planning. Avoid potential disruptions and smooth out the planning process with this BIA checklist.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchWinIT/IT_career_development/winit_article_004.jpg</image>
            <link>https://www.techtarget.com/searchdisasterrecovery/feature/A-business-impact-analysis-checklist-10-common-BIA-mistakes</link>
            <pubDate>Thu, 21 May 2026 00:00:00 GMT</pubDate>
            <title>How to build a business impact analysis checklist</title>
        </item>
        <item>
            <body>&lt;p&gt;The role of the chief information security officer is pivotal -- and constantly evolving. Today's CISOs are responsible for all aspects of cybersecurity planning, prevention and management, and must also be attuned to the needs of the business.&lt;/p&gt; 
&lt;p&gt;Increasingly, the job includes being a leader who helps their organization through a cyber crisis.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Cyber incident vs. cyber crisis"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber incident vs. cyber crisis&lt;/h2&gt;
 &lt;p&gt;Enterprise cybersecurity teams might investigate hundreds or thousands of events in a typical day. Many events are harmless and don't require human intervention. Sometimes, however, an event becomes an incident. An &lt;a href="https://www.techtarget.com/searchsecurity/feature/10-types-of-security-incidents-and-how-to-handle-them"&gt;incident is any event&lt;/a&gt; that compromises systems or data, violates policies or otherwise poses risks to the organization.&lt;/p&gt;
 &lt;p&gt;Many incidents are addressed by security teams or systems with minimal disruption or damage to the business. For example, if an employee clicks a phishing link that installs malware and the organization's antimalware detects and quarantines that malware, this is a security incident that doesn't further threaten the business.&lt;/p&gt;
 &lt;p&gt;If an event is not easily mitigated or neutralized and begins to affect production systems, data, business performance and reputation, it becomes a cyber crisis.&lt;/p&gt;
 &lt;p&gt;Common cyber crises involve data breaches, cloud outages, nation-state attacks, systems outages, infrastructure failures and natural disasters.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Cyber crisis management vs. incident response"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyber crisis management vs. incident response&lt;/h2&gt;
 &lt;p&gt;Cyber crisis management is an organization's ability to effectively prepare for, respond to and recover from cyber incidents that impact operations, reputation, finances, personnel or security. It is a critical component of an organization's &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management strategy&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response-team"&gt;Incident response&lt;/a&gt; is also a part of risk management, but specifically deals with identifying, containing, eradicating and recovering from the cyber event.&lt;/p&gt;
 &lt;p&gt;In other words, incident response involves handling the incident itself, while crisis management involves handling the business consequences of the incident. Incident response is more technical and operational, whereas crisis management is more strategic and organizational.&lt;/p&gt;
 &lt;p&gt;The two are not mutually exclusive. Crisis management almost always includes incident response, but not every event handled by incident response is necessarily a cyber crisis.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="The CISO's responsibilities in crisis management"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The CISO's responsibilities in crisis management&lt;/h2&gt;
 &lt;p&gt;In incident response, the CISO is in charge. In crisis management, the CISO is part of an executive leadership team handling the crisis.&lt;/p&gt;
 &lt;p&gt;In their everyday job, the CISO oversees a team of professionals managing day-to-day cybersecurity activities, including prevention, detection, response, mitigation and recovery. The CISO provides broad leadership to the team, ensuring resource availability and communicating the state of cybersecurity readiness to senior leadership. The CISO also ensures compliance with legal and regulatory requirements; collaborates with other business leaders to protect systems, data and services; and facilitates &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecurity-employee-training-How-to-build-a-solid-plan"&gt;security awareness training for employees&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;During a cyber crisis, the CISO transitions from an operational security leader to an enterprise risk executive. They must balance their technical capabilities with business needs and serve as a bridge between incident response teams, crisis management teams and executive leadership.&lt;/p&gt;
 &lt;h3&gt;The CISO's role before a cyber crisis&lt;/h3&gt;
 &lt;p&gt;CISOs are instrumental in identifying risks, threats and vulnerabilities that could escalate into cyber crises. As such, the CISO is a key member of the crisis management team, which also includes executive leaders and representatives from business continuity, disaster recovery, legal, compliance, HR and PR. External third parties can include incident response providers, cyber insurers and managed security service providers. CISOs help define the roles and responsibilities within the cyber crisis management team.&lt;/p&gt;
 &lt;p&gt;The crisis management team creates the crisis management plan. CISOs should help define escalation criteria so security and IT teams can identify when an incident becomes a crisis and know how to communicate this to the crisis management team.&lt;/p&gt;
 &lt;div class="extra-info"&gt;
  &lt;div class="extra-info-inner"&gt;
   &lt;h3 class="splash-heading"&gt;Crisis management plan&lt;/h3&gt; 
   &lt;p&gt;CISOs should participate in developing the plan for responding to cyber crises. A plan should contain the following components:&lt;/p&gt; 
   &lt;ul class="default-list"&gt; 
    &lt;li&gt;&lt;b&gt;Policy.&lt;/b&gt; Include the purpose, scope and objectives of the crisis management program and regulatory requirements to address.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Strategy.&lt;/b&gt; Define when an incident escalates into a crisis, how the organization will respond to various crises, crisis management team members and their roles and responsibilities, and the chain of command.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Communications.&lt;/b&gt; Define who to contact in the event of a crisis, both within and outside the organization, as well as the criteria for communicating.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Procedures.&lt;/b&gt; Include step-by-step activities for initial assessment, escalation to crisis, response and postmortem.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Media management.&lt;/b&gt; Define the company spokesperson during the crisis, outline activities for communicating with external media and specify any social media restrictions during the event.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Complementary plans.&lt;/b&gt; Identify how the cyber crisis management plan connects to incident response, cyber-resilience, business continuity and disaster recovery plans.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Awareness and training.&lt;/b&gt; Describe the training cyber crisis management team members have received and how employees are to operate during a crisis, to build a &lt;a href="https://www.techtarget.com/searchsecurity/tip/5-tips-for-building-a-cybersecurity-culture-at-your-company"&gt;culture of cybersecurity awareness&lt;/a&gt;.&lt;/li&gt; 
    &lt;li&gt;&lt;b&gt;Exercising.&lt;/b&gt; Test and validate the crisis management plan and associated playbooks.&lt;/li&gt; 
     &lt;li&gt;&lt;b&gt;Review, audit and maintenance.&lt;/b&gt; Periodically review the cyber crisis management plan and strategy, audit them to ensure compliance and proper operation, and continuously improve them so they reflect lessons from the most recent crisis and carry current contacts and instructions.&lt;/li&gt; 
   &lt;/ul&gt;
  &lt;/div&gt;
 &lt;/div&gt;
 &lt;p&gt;The crisis management plan should connect with other emergency plans, including &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-critical-steps-to-creating-an-effective-incident-response-plan"&gt;incident response&lt;/a&gt;, cyber-resilience, &lt;a href="https://www.techtarget.com/searchdisasterrecovery/definition/business-continuity-action-plan"&gt;business continuity&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/12-key-points-a-disaster-recovery-plan-checklist-must-include"&gt;disaster recovery plans&lt;/a&gt;. CISOs also help create playbooks -- step-by-step plans that outline what to do in the event of a given crisis.&lt;/p&gt;
 &lt;p&gt;Once the plan and playbooks are created, CISOs and the crisis management team should conduct cyber crisis exercises that test escalation procedures, communications plans, decision-making workflows, recovery and regulatory reporting, among other tasks. This involves conducting crisis simulations and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises"&gt;tabletop exercises&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;CISOs also help prepare executive leadership and the board for a cyber crisis. For example, the CISO explains to executives how and why cyber crises occur and their potential impact, and discusses the organization's plan for responding.&lt;/p&gt;
 &lt;h3&gt;The CISO's role during a cyber crisis&lt;/h3&gt;
 &lt;p&gt;After an incident is escalated to a crisis, the CISO's cross-functional responsibilities begin.&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Support security teams.&lt;/b&gt; With their technical background, CISOs lead incident response teams and activate the incident response plan, making response decisions, guiding containment activities and ensuring evidence preservation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Activate the crisis management team.&lt;/b&gt; The CISO or other appointed party notifies the crisis management team and initiates the crisis response process. The CISO can help delegate responsibilities as laid out in the cyber crisis management plan.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Evaluate business risk and impact.&lt;/b&gt; CISOs take on a risk management role, evaluating business impact, assessing operational impact, and balancing security and business continuity measures.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Communicate with executives.&lt;/b&gt; CISOs and other crisis team leads brief executives and the board on the situation, its impact and response efforts.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Assist legal and compliance teams.&lt;/b&gt; CISOs work with legal and compliance teams to assess legal, regulatory and reputational risks; preserve evidence; and recommend when to involve external experts, regulators or law enforcement.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Support communications and PR.&lt;/b&gt; CISOs help PR teams manage internal communications with employees and other stakeholders, as well as external communications with customers, partners and the media. CISOs can help determine how to be transparent without sharing too much information, while also maintaining trust among employees and customers.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;CISOs must also consider the human element. A cyber crisis can be stressful and time-consuming. To reduce fatigue, CISOs should support leadership, fellow team members and employees throughout the process.&lt;/p&gt;
 &lt;h3&gt;The CISO's role after a cyber crisis&lt;/h3&gt;
 &lt;p&gt;Following a cyber crisis, the CISO and crisis management team lead restoration efforts. This includes prioritizing recovery, restoring systems, monitoring systems for residual risks and ensuring backups function as business returns to normal operations.&lt;/p&gt;
 &lt;p&gt;CISOs continue to keep executive leadership apprised of the situation, explaining recovery efforts, timelines and operational impacts. Follow-ups include supporting regulatory investigations, addressing audit requests, supporting law enforcement and &lt;a href="https://www.techtarget.com/searchdisasterrecovery/tip/5-tips-for-building-a-crisis-communication-plan"&gt;maintaining clear communications&lt;/a&gt; with external parties.&lt;/p&gt;
  &lt;p&gt;Postmortem analysis and reporting are key CISO responsibilities. This involves creating an after-action report that includes root cause analysis, event timelines and recommendations for improvements. The postmortem report should measure business impact and the effectiveness of recovery efforts.&lt;/p&gt;
  &lt;p&gt;CISOs report these findings to executives, stakeholders and auditors. The report should include information on how the organization will improve its ability to prevent, detect, respond to and recover from future events -- for example, updating training, adopting new controls, implementing new tools, patching systems and updating existing procedures based on lessons learned. Specify whether teams will implement any improvements to the incident response and crisis response plans based on performance during the crisis.&lt;/p&gt;
&lt;/section&gt;                    
&lt;section class="section main-article-chapter" data-menu-title="Pitfalls to avoid"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Pitfalls to avoid&lt;/h2&gt;
 &lt;p&gt;When filling the dual role of technical manager and cyber crisis leader, CISOs can make the following common mistakes:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;Incomplete information.&lt;/b&gt; Launching a response to a suspected crisis without sufficient detail can lead to problems such as unnecessary system outages or wasted effort. Gather and validate event data as quickly as possible, discussing it with the incident response team while refraining from speculation.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Faulty communications.&lt;/b&gt; Raising the crisis flag before an incident has been validated can reflect poorly on the CISO, leading to loss of confidence from senior management and possible regulatory compliance issues. The wrong message can also damage the organization's reputation. Carefully validate all communications with PR and legal, use business language and document all communications.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Failure to delegate.&lt;/b&gt; Failure to delegate key activities to team members can slow performance and increase the likelihood of mistakes. Delegate responsibilities early in the cyber crisis response process, and have confidence in the crisis management plan and playbooks.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Neglecting legal and regulatory issues.&lt;/b&gt; If the CISO fails to gather data to demonstrate compliance with specific regulations, the organization could face fines and litigation. CISOs must be aware of all legislative and regulatory requirements, gather relevant evidence to demonstrate compliance, and coordinate with internal and external entities.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Documentation challenges.&lt;/b&gt; In the middle of a crisis, it can be easy to forget to take notes on everything happening. These notes, however, are critical for postmortem, auditing and compliance. Designate a scribe to capture CISO insights and instructions during the event, take notes on the teams' activities and gather relevant system logs and event data.&lt;/li&gt; 
 &lt;/ul&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Taking care of business"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Taking care of business&lt;/h2&gt;
  &lt;p&gt;In a cyber crisis, the successful CISO needs to operate as a technician, an executive and a level-headed leader. For any CISO navigating a crisis, the emotional intelligence and business acumen they display are just as important as their technical understanding of how the attack could compromise systems and data.&lt;/p&gt;
  &lt;p&gt;&lt;i&gt;Paul Kirvan is an independent consultant and technical writer. He has more than 35 years of experience in business continuity, disaster recovery, operational resilience, cybersecurity, governance, risk and compliance, networking and IT auditing.&lt;/i&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Sharon Shea is executive editor of TechTarget Security.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>CISOs have a broad range of responsibilities. But when a crisis occurs, they become the de facto leader, entrusted with both technical and business outcomes.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/disaster_recovery_a302880793.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Taking-care-of-business-The-CISOs-role-in-a-cyber-crisis</link>
            <pubDate>Wed, 20 May 2026 09:00:00 GMT</pubDate>
            <title>Taking care of business: The CISO's role in a cyber crisis</title>
        </item>
        <item>
            <body>&lt;p&gt;AI is reshaping the application landscape, seemingly overnight. A recent Google Cloud &lt;a target="_blank" href="https://services.google.com/fh/files/misc/google_cloud_roi_of_ai_2025.pdf" rel="noopener"&gt;survey&lt;/a&gt; of 3,466 senior business leaders found 77% of organizations are increasing spending on generative AI, with the vast majority already reporting ROI on at least one GenAI use case. More than half have also &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Real-world-agentic-AI-examples-and-use-cases"&gt;deployed agentic AI&lt;/a&gt;, and 39% have more than 10 AI agents in production. But while that momentum appears all but certain to continue, executives also reported AI adoption challenges and concerns -- with data privacy and security ranking at the top of the list.&lt;/p&gt; 
&lt;p&gt;To mitigate AI's security, compliance and governance risks, CISOs need to understand what is happening in their organizations' AI systems. AI audit logs provide structured, comprehensive and granular records of every interaction and operational change in an AI system, from user inputs and AI outputs to model updates and system configuration changes. As AI deployments continue to explode in the enterprise, AI audit logs will be increasingly important tools for cybersecurity leaders.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why AI audit logs matter"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why AI audit logs matter&lt;/h2&gt;
 &lt;p&gt;AI logs provide CISOs with visibility into rapidly evolving AI-powered workflows, enabling them to ensure accountability and transparency, meet compliance requirements and stave off adversarial activities. This intelligence and insight will be even more crucial as enterprises deploy agentic AI that acts with limited human intervention.&lt;/p&gt;
 &lt;h3&gt;Accountability and transparency&lt;/h3&gt;
 &lt;p&gt;Detailed, immutable records of AI activity enable granular accountability and transparency -- showing, for example, whether governance guardrails are working as intended. This can go a long way toward building stakeholder trust and countering the wariness and skepticism associated with early-stage AI development and deployment.&lt;/p&gt;
 &lt;h3&gt;Compliance&lt;/h3&gt;
 &lt;p&gt;AI logs support regulatory compliance and adherence to corporate mandates by documenting activity chronologically. They are critical in meeting reporting requirements for global AI and data security regulations, such as the &lt;a target="_blank" href="https://www.darkreading.com/cyber-risk/risk-strategies-drawn-from-the-eu-ai-act" rel="noopener"&gt;EU AI Act&lt;/a&gt;, GDPR and HIPAA.&lt;/p&gt;
  &lt;p&gt;For compliance use cases, AI audit logs must be immutable to prevent tampering, ensuring the integrity of the recorded data. The only permitted change is appending new records; existing entries must never be modified or deleted. Write-once storage and cryptographic chaining of records, where each entry commits to the hash of its predecessor, are standard ways to make any retroactive edit detectable.&lt;/p&gt;
 &lt;h3&gt;Threat detection and response&lt;/h3&gt;
 &lt;p&gt;To be useful for threat detection, &lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response"&gt;incident response&lt;/a&gt; and forensic investigations, AI log records must be both complete and searchable. AI audit log data can reveal any number of threats, including shadow AI, &lt;a href="https://www.techtarget.com/searchsecurity/feature/Agentic-AIs-role-in-amplifying-and-creating-insider-risks"&gt;insider threats&lt;/a&gt;, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"&gt;prompt injection attacks&lt;/a&gt;, data theft, data leakage and data poisoning.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="What AI audit logs should track"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What AI audit logs should track&lt;/h2&gt;
 &lt;p&gt;To be effective, AI audit logs must record very specific and detailed information about AI system actions, interactions, context and conditions. This includes the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;b&gt;User or agent ID.&lt;/b&gt; Which user or &lt;a href="https://www.techtarget.com/searchsecurity/tip/Cybersecuritys-agentic-AI-identity-crisis-and-how-to-fix-it"&gt;AI agent&lt;/a&gt; initiated a given action.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Model. &lt;/b&gt;Model version and policy configurations, such as guardrails and security filters.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Timestamps.&lt;/b&gt; When a given action -- e.g., login, input, output or session termination -- occurred.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Input. &lt;/b&gt;Data that the user submitted to the model, such as prompts and queries.&lt;/li&gt; 
   &lt;li&gt;&lt;b&gt;Model reasoning. &lt;/b&gt;The inputs that shaped the decision: retrieved data and context, system prompts, the guardrails and policy rules applied, and any external resources consulted. Any chain-of-thought text the model emits is itself model output and should be logged as such, not treated as a verified account of how the decision was actually made.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Resource access.&lt;/b&gt; Data, systems and tools that the model accessed.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Output.&lt;/b&gt; Data that the AI produced.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Additional actions.&lt;/b&gt; Tool calls, handoffs among AI tools, &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-craft-a-generative-AI-security-policy-that-works"&gt;policy enforcement&lt;/a&gt;, errors and human operator intervention.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Status.&lt;/b&gt; Whether an action succeeded or failed.&lt;/li&gt; 
 &lt;/ul&gt;
  &lt;p&gt;At the model level, organizations should also log parameters, training data, access permissions, API key use, deployments and updates, along with who made each change and when. Log the identifier of the API key or credential used, never the secret itself, and apply the same redaction to prompts and outputs that carry credentials or personal data, so the audit log does not become a second copy of the sensitive material it is meant to protect.&lt;/p&gt;
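  &lt;p&gt;The following is an added example, not code from the article or from any vendor's logging product. It shows one way to implement the two requirements above together: an append-only, hash-chained audit log whose records carry the fields listed (actor, model and policy, input, decision context, resources accessed, output, actions and status), plus a verification pass that locates the first record altered after the fact and a simple detection pass over the records for access to a resource outside an allowlist. The actors, model version, tool names and record contents are constructed for illustration and are not real telemetry.&lt;/p&gt;

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Tuple

GENESIS = "0" * 64  # prev_hash of the first record in an empty chain


def _canonical(body: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class AuditRecord:
    timestamp: str   # when the action occurred (UTC, ISO 8601)
    actor: str       # user or agent ID that initiated the action
    model: str       # model version in use
    policy: dict     # guardrail and filter configuration in force
    prompt: str      # input the user or agent submitted
    context: dict    # retrieved data, rules and external resources that shaped the decision
    resources: list  # data, systems and tools the model actually accessed
    output: str      # what the model produced
    actions: list    # tool calls, handoffs, policy enforcement, human intervention
    status: str      # succeeded, failed or blocked
    prev_hash: str   # hash of the preceding record: the chain link
    hash: str = ""   # SHA-256 over every field above


class AuditLog:
    """Append-only log: records are never edited, and each one commits to its predecessor."""

    def __init__(self) -> None:
        self._records: List[AuditRecord] = []

    @staticmethod
    def _digest(rec: AuditRecord) -> str:
        body = asdict(rec)
        body.pop("hash")  # the hash covers everything except itself
        return hashlib.sha256(_canonical(body)).hexdigest()

    def append(self, **fields) -> AuditRecord:
        prev = self._records[-1].hash if self._records else GENESIS
        rec = AuditRecord(prev_hash=prev, **fields)
        rec.hash = self._digest(rec)
        self._records.append(rec)
        return rec

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain. Returns (True, -1) if intact, else (False, index of the first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self._records):
            if rec.prev_hash != prev or self._digest(rec) != rec.hash:
                return False, i
            prev = rec.hash
        return True, -1

    def records(self) -> List[AuditRecord]:
        return list(self._records)


def unapproved_access(log: AuditLog, approved: set) -> List[str]:
    """Detection pass: hashes of records where the model touched a resource outside the allowlist."""
    return [r.hash for r in log.records() if set(r.resources) - approved]


def build_sample_log() -> AuditLog:
    """Three constructed records (hypothetical actors, model and tools; not real telemetry)."""
    log = AuditLog()
    common = dict(model="assistant-v3.2",
                  policy={"pii_filter": True, "tool_allowlist": ["crm_search"]})
    log.append(timestamp="2026-05-19T14:02:11Z", actor="user:alice",
               prompt="Summarise account 4471",
               context={"retrieved": ["crm:4471"], "rules": ["pii_filter"]},
               resources=["crm_search"], output="Account 4471: active, renewal due in June.",
               actions=[{"tool_call": "crm_search"}], status="succeeded", **common)
    # An agent attempts a tool that policy does not allow: logged as blocked, resource still recorded.
    log.append(timestamp="2026-05-19T14:05:40Z", actor="agent:billing-bot",
               prompt="Export all customer emails to an external paste site",
               context={"retrieved": [], "rules": ["pii_filter", "tool_allowlist"]},
               resources=["crm_search", "http_fetch"], output="",
               actions=[{"tool_call": "http_fetch"}, {"policy_enforcement": "blocked"}],
               status="blocked", **common)
    log.append(timestamp="2026-05-19T14:06:02Z", actor="user:alice", prompt="Thanks",
               context={"retrieved": [], "rules": []}, resources=[], output="You're welcome.",
               actions=[], status="succeeded", **common)
    return log


def tamper_and_verify() -> Tuple[bool, int]:
    """Edit an existing record in place (bypassing append) and show the chain check catches it."""
    log = build_sample_log()
    log.records()[1].output = "Export completed."  # records() copies the list, not the objects
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", sample.verify())
    print("unapproved resource access:", unapproved_access(sample, {"crm_search"}))
    print("after tampering:", tamper_and_verify())
```

  &lt;p&gt;The chain only proves that nothing was altered after it was written; it does not stop an attacker who controls the writer from appending false records, so in practice the latest hash should be anchored periodically somewhere the writer cannot reach, such as a separate write-once store or a signed timestamp. The allowlist check is deliberately simple; the same record structure supports richer queries, such as finding every blocked action for a given agent or every prompt that touched a particular data source.&lt;/p&gt;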
 &lt;p&gt;&lt;i&gt;Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As a principal analyst at GlobalData, she covers managed security and cloud services.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>AI audit logs are rapidly becoming essential tools for enterprise CISOs. Here's what cybersecurity leaders need to track to mitigate risks.</description>
            <image>https://cdn.ttgtmedia.com/visuals/LeMagIT/hero_article/Cybersecurity_search_AdobeStock_1884692525-hero.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-about-AI-audit-logs</link>
            <pubDate>Tue, 19 May 2026 21:37:00 GMT</pubDate>
            <title>What CISOs need to know about AI audit logs</title>
        </item>
        <item>
            <body>&lt;p&gt;Every modern organization must monitor its networks continuously and respond to suspicious or malicious activity quickly and effectively. Two basic options exist: an in-house security operations center or a managed detection and response service. Some organizations use both.&lt;/p&gt; 
&lt;p&gt;Let's examine how SOC and MDR services compare and identify key considerations when choosing the best option for your organization.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="SOC and MDR overview"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;SOC and MDR overview&lt;/h2&gt;
 &lt;p&gt;Traditionally, SOCs underpin how most companies manage security monitoring, detection and response. SOC analysts work shifts around the clock, seven days a week. These staffers are trained to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Why-security-alert-fatigue-matters-and-how-to-address-it"&gt;comb through alert messages&lt;/a&gt; and identify red flags across the organization's systems. When analysts think an incident is likely or has occurred, they notify incident responders to handle it.&lt;/p&gt;
 &lt;p&gt;SOCs are usually housed in dedicated, secure physical spaces because the information the analysts discuss could be highly sensitive, including details of vulnerabilities, exploits, &lt;a href="https://www.techtarget.com/searchsecurity/feature/10-biggest-data-breaches-in-history-and-how-to-prevent-them"&gt;data breaches&lt;/a&gt; and insider threats. SOCs provide analysts with various tools and dashboards they can use to keep up with the incredible volume of cybersecurity events.&lt;/p&gt;
  &lt;p&gt;MDR providers are third parties that act as a SOC for multiple clients. They run one or more SOCs at their own facilities, staffed with dedicated analysts who remotely monitor customers' cybersecurity events and alerts for possible incidents.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="SOC and MDR comparison"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;SOC and MDR comparison&lt;/h2&gt;
 &lt;p&gt;Although SOCs and MDR services monitor the same cybersecurity event data and look for the same kinds of activity, key differences exist, among them:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
   &lt;li&gt;&lt;b&gt;Staffing and labor.&lt;/b&gt; An in-house SOC usually needs to be staffed around the clock, even when the organization's offices aren't open, because digital services are online for customers 24/7 -- and those services can't go unmonitored. Labor costs for continuous monitoring and analysis can be quite high, especially for organizations with relatively low volumes of cybersecurity events where SOC staff might be underutilized. Using an MDR provider could be less expensive.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Priorities.&lt;/b&gt; An in-house SOC is concerned only with its own organization, whereas an MDR provider supports multiple organizations and won't necessarily prioritize one over another.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Threat awareness.&lt;/b&gt; An MDR provider is likely to be &lt;a href="https://www.techtarget.com/searchsecurity/feature/Top-10-types-of-information-security-threats-for-IT-teams"&gt;aware of new threats&lt;/a&gt; before in-house SOCs are. That's because the MDR provider has access to all its customers' data at all times, while an in-house SOC can only see its own data.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Experience.&lt;/b&gt; An MDR provider is likely to have more experienced analysts than an in-house SOC, and more of them.&lt;/li&gt; 
  &lt;li&gt;&lt;b&gt;Personalization.&lt;/b&gt; Analysts at an in-house SOC probably have a better understanding of the context for its organization's systems, networks, applications, data and other technology resources than MDR analysts.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Some organizations use both an in-house SOC and an MDR provider, staffing their own SOCs during the week but relying on an MDR on weekends and holidays, for example.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Decision considerations"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Decision considerations&lt;/h2&gt;
 &lt;p&gt;Sometimes it's obvious whether an organization should have an in-house SOC or rely on an MDR service provider. But many cases aren't so clear-cut.&lt;/p&gt;
 &lt;p&gt;CISOs and security leaders should ask the following key questions when considering whether to use an in-house SOC, an MDR service or a combination of both:&lt;/p&gt;
 &lt;h3&gt;Costs and staffing&lt;/h3&gt;
 &lt;p&gt;How much will it cost to build, staff and maintain an in-house SOC, recognizing that labor and training will account for the vast majority of costs in the long run? Estimate the analyst turnover rate and include that in cost estimates. Compare that to the costs of using an MDR service, keeping in mind that there will still be internal labor and training costs, as well as technology costs for integrating systems with the MDR provider.&lt;/p&gt;
 &lt;h3&gt;Third-party risk&lt;/h3&gt;
 &lt;p&gt;What are the cybersecurity, privacy and other legal and compliance implications of a third party having access to the organization's cybersecurity event data and other potentially sensitive information? Will it be feasible to &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-third-party-risk-assessment-framework"&gt;address those risks&lt;/a&gt; satisfactorily?&lt;/p&gt;
 &lt;h3&gt;Threat analysis&lt;/h3&gt;
 &lt;p&gt;Overall, who is likely to do a better job of identifying potential threats, analyzing them to gather more information and acting quickly to safeguard the organization? In-house analysts have greater knowledge of the organization, while third-party analysts have greater knowledge of current threat trends.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Security operations centers and managed detection and response providers differ in how they manage threats. What's the best way to choose between a SOC and MDR service?</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/check_g1255870711.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/SOC-vs-MDR-What-CISOs-need-to-consider</link>
            <pubDate>Mon, 18 May 2026 09:38:00 GMT</pubDate>
            <title>SOC vs. MDR: What CISOs need to consider</title>
        </item>
        <item>
            <body>&lt;p&gt;Following a massive cyberattack on its popular Canvas learning management system, education software provider Instructure said it had struck a deal with malicious hackers to recover its stolen data. Instructure did not disclose the terms of the deal, but experts say it likely included a significant ransomware payment, reigniting debate around &lt;a href="https://www.techtarget.com/searchsecurity/tip/Should-companies-pay-ransomware-and-is-it-illegal-to"&gt;paying cybercriminals to end attacks&lt;/a&gt;. While the FBI strongly discourages paying attackers, &lt;a target="_blank" href="https://www.absolute.com/press-releases/new-research-cisos-ransomware-trends" rel="noopener"&gt;research&lt;/a&gt; from Absolute Security found that more than half of CISOs -- 58% -- would consider doing so.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What happened in the Canvas cyberattack"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What happened in the Canvas cyberattack&lt;/h2&gt;
 &lt;p&gt;According to Instructure, threat actors broke into its systems on both April 29 and May 7, leading to an outage in the company's Canvas ed tech platform, which thousands of schools worldwide use to manage assignments, course materials, messages and grades. The attack caused widespread disruption and exposed users' personally identifiable information, including names, email addresses, student ID numbers and confidential messages between students and teachers.&lt;/p&gt;
 &lt;p&gt;Threat actor group ShinyHunters claimed responsibility for the attack, saying it stole 3.65 TB of Instructure's data, including information belonging to around 275 million users across almost 9,000 schools.&lt;/p&gt;
 &lt;p&gt;On May 11, Instructure issued a &lt;a target="_blank" href="https://www.instructure.com/incident_update" rel="noopener"&gt;public statement&lt;/a&gt; saying it had reached an agreement with the attackers and that Canvas is now fully operational and safe to use.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="To pay or not to pay -- that is the question"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;To pay or not to pay -- that is the question&lt;/h2&gt;
 &lt;p&gt;As part of the settlement, the threat actors reportedly returned Instructure's data, destroyed copies and promised not to further extort the company's customers. But &lt;a href="https://www.techtarget.com/searchsecurity/feature/Ransomware-negotiation-Does-it-work-and-should-you-try-it"&gt;deals with malicious hackers&lt;/a&gt; come with no guarantees, cautioned Michael Klein, senior director for preparedness and response at the Institute for Security and Technology.&lt;/p&gt;
 &lt;p&gt;"You can't trust that a cybercriminal group is going to keep their word and not then go and extort all of the people downstream of that anyway," KIein &lt;a target="_blank" href="https://www.cybersecuritydive.com/news/canvas-agreement-threat-actors--ransomware/820084/" rel="noopener"&gt;told K-12 Dive&lt;/a&gt;, a TechTarget Security sister publication.&lt;/p&gt;
 &lt;p&gt;Research suggests there is little honor among cyber thieves. A CrowdStrike &lt;a target="_blank" href="https://go.crowdstrike.com/State-of-Ransomware-Survey.html" rel="noopener"&gt;survey&lt;/a&gt; found 93% of victims who paid their attackers still had their data stolen, and 83% were attacked again.&lt;/p&gt;
 &lt;p&gt;Despite such unfavorable odds, an organization might decide, based on business risk, that paying a ransom is worth it -- if it can't survive without the stolen data, for example, or if operational disruptions and reputational fallout will likely cost more than the ransom itself. In an attack on a hospital or other critical infrastructure, lives might even be at stake.&lt;/p&gt;
 &lt;p&gt;The FBI and other law enforcement agencies strongly discourage paying ransomware operators, saying it encourages cybercrime and often leads to double- or &lt;a href="https://www.techtarget.com/searchsecurity/definition/triple-extortion-ransomware"&gt;triple-extortion attacks&lt;/a&gt;, in which threat actors return to make additional demands.&lt;/p&gt;
 &lt;p&gt;While making ransomware payments is generally legal in the U.S., it is illegal to send money to certain nation-states and affiliated groups for any reason. The Treasury Department &lt;a target="_blank" href="https://ofac.treasury.gov/media/912981/download?inline" rel="noopener"&gt;warned&lt;/a&gt; in 2021 that making ransom payments that enrich sanctioned countries, groups or individuals could result in civil penalties.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="With further extortion attacks possible, FBI urges vigilance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;With further extortion attacks possible, FBI urges vigilance&lt;/h2&gt;
 &lt;p&gt;In a May 15 &lt;a target="_blank" href="https://www.facebook.com/photo?fbid=1396646075842288&amp;amp;set=a.259053482934892" rel="noopener"&gt;statement&lt;/a&gt;, the FBI urged educational institutions and end users to stay vigilant in the wake of the ShinyHunters attack, warning that they could see additional, related extortion attempts.&lt;/p&gt;
 &lt;p&gt;"[ShinyHunters] actors' access to compromised sensitive data could allow them to craft highly sophisticated spearphishing campaigns using real-world context to deceive victims," the post said, adding that the group often employs campaigns of escalating harassment to pressure targets to pay. Tactics might include threatening emails, text messages, phone calls and, in some cases, &lt;a target="_blank" href="https://www.darkreading.com/cyberattacks-data-breaches/swatting-latest-extortion-tactic-ransomware-attacks" rel="noopener"&gt;swatting&lt;/a&gt;. Threat actors might also claim -- often falsely -- to have embarrassing or sensitive photos or videos of victims.&lt;/p&gt;
 &lt;p&gt;The agency encouraged organizations and individuals to report suspicious messages to the FBI &lt;a target="_blank" href="https://www.ic3.gov/" rel="noopener"&gt;Internet Crime Complaint Center&lt;/a&gt; or their local FBI field offices.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Alissa Irei is senior site editor of Informa TechTarget Security.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Instructure struck a deal to recover its stolen data -- likely paying a hefty ransom. For CISOs, deciding whether to negotiate with cybercriminals should come down to business risk.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a303249453.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/366642963/Instructure-cyberattack-reignites-ransom-payment-debate</link>
            <pubDate>Fri, 15 May 2026 18:15:00 GMT</pubDate>
            <title>Instructure cyberattack reignites ransom payment debate</title>
        </item>
        <item>
            <body>&lt;p&gt;Modern organizations invest heavily in SIEM systems to centralize security data across disparate platforms. They are an important cybersecurity component, yet still miss critical threats, often leaving organizations unaware and exposed. That leads to breaches, prolonged attacker dwell times and regulatory noncompliance.&lt;/p&gt; 
&lt;p&gt;SIEM tools collect security logs from target systems, spot suspicious activity and help analysts investigate incidents. They also enable compliance reporting, threat hunting and, by detecting suspect events, help organizations respond more quickly to incidents.&lt;/p&gt; 
&lt;p&gt;So, what's the problem? The core issue is a lack of strategic direction, which leads to inefficient and ineffective data collection. SIEM systems use rules to gather and correlate information, but in many organizations, these rules are outdated or unmanaged. The result is noisy, meaningless alerts and detection logic that doesn't align with business needs.&lt;/p&gt; 
&lt;p&gt;A SIEM platform is more than a technical configuration -- it is a strategic control requiring continuous governance and tuning. And to remain effective, it is important to make SIEM rules behavior-based.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Why traditional SIEM rules fall short"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Why traditional SIEM rules fall short&lt;/h2&gt;
 &lt;p&gt;Legacy rule design and default settings cannot keep pace with evolving attacker behavior and tools. Many organizations use SIEM settings that rely too heavily on legacy attack patterns and static indicators, such as known malicious IP addresses, malware signatures and domain names associated with past attacks. These indicators have a short shelf life, making them ineffective against modern threats, which are adaptive and novel.&lt;/p&gt;
 &lt;p&gt;The resulting challenges include:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Why-security-alert-fatigue-matters-and-how-to-address-it"&gt;Alert fatigue&lt;/a&gt; and eventual talent drain from excessive false positives.&lt;/li&gt; 
  &lt;li&gt;Gaps in detecting modern, stealthy attacks, such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-living-off-the-land-attacks"&gt;living-off-the-land&lt;/a&gt; and insider attacks.&lt;/li&gt; 
  &lt;li&gt;Lack of contextual awareness.&lt;/li&gt; 
  &lt;li&gt;Outdated threat assumptions and a false sense of security.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Security-observability-vs-visibility-and-monitoring"&gt;Limited visibility&lt;/a&gt; and data collection gaps.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Organizational practices factor into these challenges, such as:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Lack of continuous tuning to meet changing business practices and evolving threats. Rules are rarely reviewed or tuned after the initial deployment.&lt;/li&gt; 
  &lt;li&gt;Poor alignment among security controls and business risks, leading to all alerts being treated with the same priority regardless of asset value.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;SIEM rules are not inherently flawed, but without governance, they generate more noise than insight and leave organizations exposed to the very threats they are meant to detect.&lt;/p&gt;
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Shifting to behavior-based detection"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Shifting to behavior-based detection&lt;/h2&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    Traditional rules ask: Is this bad? Behavior-based rules ask: Is this normal -- and if not, why?
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;Transitioning SIEM rules into behavior-based analytics emphasizes what attackers do, not just what they use. The result is improved detection of unknown or novel threats.&lt;/p&gt;
 &lt;p&gt;Behavior-based detection includes identifying:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Unusual login patterns, such as those coming from different locations or outside a user's normal time of day.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/6-ways-to-prevent-privilege-escalation-attacks"&gt;Privilege escalation anomalies&lt;/a&gt;, such as first-time access to tools or the creation of privileged admin accounts with immediate high-risk use.&lt;/li&gt; 
  &lt;li&gt;Suspicious &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-prevent-and-detect-lateral-movement-attacks"&gt;lateral movement&lt;/a&gt;, such as a new account accessing multiple systems in rapid succession.&lt;/li&gt; 
  &lt;li&gt;Data access and exfiltration signals, such as large volumes of data accessed or transferred outside normal patterns.&lt;/li&gt; 
  &lt;li&gt;Network behavior anomalies, such as systems communicating with new external destinations.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Traditional rules ask: Is this bad? Behavior-based rules ask: Is this normal -- and if not, why?&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Using Mitre ATT&amp;amp;CK for strategic alignment"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Using Mitre ATT&amp;amp;CK for strategic alignment&lt;/h2&gt;
 &lt;p&gt;The &lt;a href="https://www.techtarget.com/searchsecurity/definition/MITRE-ATTCK-framework"&gt;Mitre ATT&amp;amp;CK framework&lt;/a&gt; catalogs real-world cyberattack tactics and techniques based on observed adversary behavior. It is dynamic and realistic -- and far more effective than static, theoretical attack patterns. The framework is important because it provides a common language for security teams and leadership, aligns detection with how attackers operate and enables measurable visibility into security coverage and gaps.&lt;/p&gt;
 &lt;p&gt;Adopting the ATT&amp;amp;CK framework begins with mapping SIEM rules to ATT&amp;amp;CK techniques. Align defensive detections with malicious actor &lt;a target="_blank" href="https://attack.mitre.org/tactics/enterprise/" rel="noopener"&gt;tactics&lt;/a&gt;, such as persistence, lateral movement and exfiltration, and ensure rules reflect how attackers actually operate, avoiding assumptions and legacy knowledge.&lt;/p&gt;
 &lt;p&gt;CISOs and their teams can then use ATT&amp;amp;CK to identify and prioritize gaps in SIEM rules. First, highlight techniques with little or no detection coverage. Then, focus resource investments on high-risk, high-impact attack paths.&lt;/p&gt;
 &lt;p&gt;Next, use the framework to improve rules detection and quality by reducing redundant or low-value rules and strengthening coverage across the full attack lifecycle. It can also help support rule validation and testing. For example, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Mitre-ATTCK-framework-use-cases"&gt;use ATT&amp;amp;CK&lt;/a&gt; as a baseline for adversary emulation and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-build-an-effective-purple-team-playbook"&gt;purple team exercises&lt;/a&gt;, and continuously test whether rules detect known techniques effectively.&lt;/p&gt;
 &lt;p&gt;With Mitre ATT&amp;amp;CK, cybersecurity teams can transition from reactive monitoring to a strategic, intelligence-driven model grounded in actual attacker behavior. To further support this model, establish AI-assisted anomaly detection, automated message enrichment using &lt;a href="https://www.techtarget.com/searchsecurity/definition/SOAR"&gt;SOAR&lt;/a&gt; and tuning-at-scale capabilities.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="The missing link: Continuous tuning and validation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The missing link: Continuous tuning and validation&lt;/h2&gt;
 &lt;p&gt;The crucial point is that this model cannot remain static. It requires regular tuning and validation to stay effective. Managing SIEM rules cannot take a set-and-forget approach. To mitigate risks effectively and realize value from resource investments, organizations need strong rule management practices. These include regular analysis and tuning to identify and reduce noise; validation via simulated attacks, including purple teaming and adversary emulation; and measurable telemetry for analysis.&lt;/p&gt;
 &lt;p&gt;Specific &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-best-incident-response-metrics-and-how-to-use-them"&gt;metrics include&lt;/a&gt;:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Detection rate.&lt;/li&gt; 
  &lt;li&gt;False positives.&lt;/li&gt; 
  &lt;li&gt;Time to respond.&lt;/li&gt; 
  &lt;li&gt;Reduction in dwell time.&lt;/li&gt; 
  &lt;li&gt;False positive rate.&lt;/li&gt; 
  &lt;li&gt;Mean time to detect and mean time to respond.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Continuous validation ensures SIEM rules remain effective as threats evolve and the business structure changes. The organization can expect more efficient security operations center capabilities and increased confidence in detection capabilities.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Strategic recommendations for CISOs and IT leaders"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Strategic recommendations for CISOs and IT leaders&lt;/h2&gt;
 &lt;p&gt;Use the following steps to develop an effective SIEM rule management strategy:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Establish clear, cross-functional ownership of the operating model across SOC, threat intel and operations teams, enabling governance and accountability.&lt;/li&gt; 
  &lt;li&gt;Invest in behavior-based detection capabilities.&lt;/li&gt; 
  &lt;li&gt;Adopt frameworks, such as Mitre ATT&amp;amp;CK, to improve visibility and alignment.&lt;/li&gt; 
  &lt;li&gt;Establish continuous improvement processes -- this is not a one-time project.&lt;/li&gt; 
  &lt;li&gt;Align SIEM outcomes with business risk and resilience goals.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Effective, modern SIEM demands strategic leadership, not just tooling. The approach pays off by improving threat detection and response, yielding measurable benefits, including transforming noisy alerts to meaningful insights and static rules to adaptive detection.&lt;/p&gt;
 &lt;p&gt;Do not permit outdated SIEM rules to dictate the organization's security posture. Take action now to develop a resilient, intelligence-driven detection capability.&lt;/p&gt;
  &lt;p&gt;&lt;em&gt;Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget Editorial, The New Stack and CompTIA Blogs.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Outdated SIEM rules can hamstring enterprises as they try to safeguard their operations. Use a proactive, strategic approach that's grounded in actual attack behavior instead.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/folder-files07.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Transform-SIEM-rules-with-behavior-based-threat-detection</link>
            <pubDate>Wed, 13 May 2026 12:41:00 GMT</pubDate>
            <title>Transform SIEM rules with behavior-based threat detection</title>
        </item>
        <item>
            <body>&lt;p&gt;An incident response plan helps mitigate unexpected and potentially disruptive cybersecurity events. Testing that plan is very much like test-driving a new car. It's how a potential buyer confirms the experience lives up to the hype. Do all the features work as promised? Does it drive smoothly? Are there issues that could hinder the vehicle's performance and safety? These are things any conscientious driver would want to learn before driving off the lot.&lt;/p&gt; 
&lt;p&gt;Test-driving an &lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response"&gt;incident response&lt;/a&gt; plan is equally important. It helps identify what in the plan works, what needs to be fixed, whether the resources are appropriate and if the &lt;a href="https://www.techtarget.com/searchsecurity/definition/incident-response-team"&gt;incident response team&lt;/a&gt; can handle their roles and responsibilities when a real cybersecurity incident strikes.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Methods to test an incident response plan"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Methods to test an incident response plan&lt;/h2&gt;
 &lt;p&gt;Testing an incident response plan is not a one-size-fits-all proposition. Just as cybersecurity incidents take many forms, so do planning approaches.&lt;/p&gt;
 &lt;h3&gt;Tabletop exercises&lt;/h3&gt;
 &lt;p&gt;A popular option, &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-incident-response-tabletop-exercises"&gt;tabletop exercises&lt;/a&gt; involve gathering members of the incident response team, on-site or virtually, with a designated facilitator who manages the operation. The facilitator defines a security scenario and participants discuss what they should do as the exercise unfolds, typically following the procedures outlined in the incident response plan and &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-create-an-incident-response-playbook"&gt;incident response playbooks&lt;/a&gt;. Throughout the process, the team identifies responses and actions to protect data and systems. To help the team learn from the exercise, an after-action report examines what worked and what didn't.&lt;/p&gt;
 &lt;h3&gt;Functional exercises&lt;/h3&gt;
 &lt;p&gt;Taking the tabletop exercise model to the next level, functional exercises involve team members performing their duties as if a real event were unfolding. While no production systems are involved, functional exercises help participants test specific activities, such as &lt;a href="https://www.techtarget.com/searchsecurity/tip/Incident-response-How-to-implement-a-communication-plan"&gt;communication during an event&lt;/a&gt; or data recovery.&lt;/p&gt;
 &lt;h3&gt;Full-scale simulations&lt;/h3&gt;
 &lt;p&gt;To validate an incident response plan and determine whether team members can perform as needed, full-scale exercises launch seemingly real -- but simulated -- attacks on production systems. For instance, a simulation to test whether firewalls work properly would require teams to detect the attack and launch remediation activities. Setting up the exercise could require a suitable live test environment. To lend authenticity, internal leadership teams or external stakeholders might take part in the exercise.&lt;/p&gt;
 &lt;h3&gt;Penetration testing and red team exercises&lt;/h3&gt;
 &lt;p&gt;While &lt;a href="https://www.techtarget.com/searchsecurity/tip/Pen-testing-guide-Types-steps-methodologies-and-frameworks"&gt;pen tests&lt;/a&gt; are often performed independently to identify vulnerabilities in an enterprise security infrastructure, they can also be part of an incident response plan exercise. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Red-team-vs-blue-team-vs-purple-team-Whats-the-difference"&gt;Red team exercises&lt;/a&gt; involve experienced ethical hackers who launch cyberattacks designed to exploit an organization's security ecosystem.&lt;/p&gt;
&lt;/section&gt;          
&lt;section class="section main-article-chapter" data-menu-title="Cyberattack scenarios"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cyberattack scenarios&lt;/h2&gt;
 &lt;p&gt;Identifying one or more relevant scenarios for an incident response plan test is a critical activity. Following are some suggested scenarios:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts"&gt;Ransomware attacks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Phishing attacks.&lt;/li&gt; 
  &lt;li&gt;Attacks that steal, destroy or corrupt data.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;DDoS&lt;/a&gt; attacks.&lt;/li&gt; 
  &lt;li&gt;Social engineering attacks.&lt;/li&gt; 
  &lt;li&gt;Power failures that shut down security systems.&lt;/li&gt; 
  &lt;li&gt;Fires in the data center.&lt;/li&gt; 
  &lt;li&gt;Gas or water leaks.&lt;/li&gt; 
  &lt;li&gt;Severe weather events that disrupt utility infrastructure.&lt;/li&gt; 
  &lt;li&gt;Loss of the internet.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Insider-threat-hunting-best-practices-and-tools"&gt;Insider attacks&lt;/a&gt;, e.g., a disgruntled or rogue employee.&lt;/li&gt; 
  &lt;li&gt;Unauthorized shadow IT activities.&lt;/li&gt; 
  &lt;li&gt;Supply chain attacks.&lt;/li&gt; 
  &lt;li&gt;Cloud service misconfigurations.&lt;/li&gt; 
  &lt;li&gt;Industrial control system attacks.&lt;/li&gt; 
  &lt;li&gt;Breaches that disrupt physical security systems.&lt;/li&gt; 
  &lt;li&gt;Attacks that compromise regulatory compliance.&lt;/li&gt; 
  &lt;li&gt;Data leaks to the media.&lt;/li&gt; 
  &lt;li&gt;Advanced persistent threats.&lt;/li&gt; 
  &lt;li&gt;Viruses on end-user systems.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Some scenarios simulate &lt;a href="https://www.techtarget.com/searchsecurity/feature/10-types-of-security-incidents-and-how-to-handle-them"&gt;traditional security incidents&lt;/a&gt; while others involve disruptions to infrastructure, support systems and data security. Consider combining multiple scenarios to deliver even more challenging tests.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Steps to develop incident response plan tests"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Steps to develop incident response plan tests&lt;/h2&gt;
 &lt;p&gt;Preparing for, executing and reviewing the outcomes of an incident response plan test can take significant time and effort, but will pay off during an actual security incident.&lt;/p&gt;
 &lt;ol class="default-list"&gt; 
  &lt;li&gt;Assess the existing incident response plan and determine which aspects of the plan to test -- for example, anomaly detection, incident containment, or backup or data recovery.&lt;/li&gt; 
  &lt;li&gt;Outline the test plan and identify test parameters, who to involve and necessary resources.&lt;/li&gt; 
  &lt;li&gt;Determine what criteria and metrics -- e.g., time to detect, time to respond, time to remediate -- declare the test a success. &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-best-incident-response-metrics-and-how-to-use-them"&gt;Clear evaluation metrics&lt;/a&gt; will also inform the after-action report.&lt;/li&gt; 
  &lt;li&gt;Ask senior leadership to review the test to ensure objectives align with expectations.&lt;/li&gt; 
  &lt;li&gt;Prepare test scripts to facilitate the test, or invite cybersecurity vendors to contribute scripts.&lt;/li&gt; 
  &lt;li&gt;Ensure all resources -- e.g., network perimeter systems, anomaly detection and analysis -- work properly.&lt;/li&gt; 
  &lt;li&gt;Notify leadership and other departments -- especially in IT and business units that might be affected -- of the proposed incident response test.&lt;/li&gt; 
  &lt;li&gt;Discuss activities with all members of the test team in advance. Ensure each person knows their role and responsibilities.&lt;/li&gt; 
  &lt;li&gt;Conduct the test in an environment that will not affect production systems. If possible, schedule a dry run to uncover problems -- e.g., incorrect scripts or URLs -- that could affect success.&lt;/li&gt; 
  &lt;li&gt;Launch the test. Have the facilitator introduce the scenario, monitor progress and encourage participant discussions.&lt;/li&gt; 
  &lt;li&gt;Assign someone to take notes and track the time for test activities. Be prepared to pause or stop the test if activities and procedures do not proceed as planned.&lt;/li&gt; 
  &lt;li&gt;After completing the test and documenting results, conduct a debrief to gauge what worked, what didn't and any remediations required. If cybersecurity vendors participated, review test results to see how they can help resolve any issues.&lt;/li&gt; 
  &lt;li&gt;Prepare an after-action report for the test and submit it to management.&lt;/li&gt; 
  &lt;li&gt;Revise the incident response plan based on lessons learned from the test. If possible, conduct another test to see if the revised incident response plan and updated procedures result in a successful test.&lt;/li&gt; 
 &lt;/ol&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Potential planning gaps"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Potential planning gaps&lt;/h2&gt;
 &lt;p&gt;While testing an incident response plan is a highly valuable exercise, it is no substitute for what security teams can expect during an authentic cybersecurity incident. In a real-world event, many things can go wrong. For example, team members who perform well during tests might not perform as well in a real attack. The incident response plan could also be flawed, requiring team members to quickly assess and adapt if documented responses do not align with the topics covered in testing.&lt;/p&gt;
 &lt;p&gt;Preparation, however, is the best defense CISOs can mount in an expanding threat landscape. Testing an incident response plan, whether for cybersecurity or any other undesirable situation, is an essential way to increase the likelihood of enterprise survival in the wake of the unexpected.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Creating an incident response plan is only the beginning. Regular testing will help ensure it doesn't fall apart during a real cybersecurity event.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a303570139.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/CISOs-guide-How-to-test-an-incident-response-plan</link>
            <pubDate>Wed, 13 May 2026 08:59:00 GMT</pubDate>
            <title>CISO's guide: How to test an incident response plan</title>
        </item>
        <item>
            <body>&lt;p&gt;AI environments involve complex data pipelines, model-training infrastructure, APIs and third-party components, all of which introduce new security risks.&lt;/p&gt; 
&lt;p&gt;Modern security techniques -- with and without AI -- recognize that traditional trusted-network approaches are inadequate. AI systems ingest new data, interact with users and integrate with other platforms, creating multiple entry points for attackers. A zero-trust model with continuous verification, strict access controls and ongoing monitoring offers a practical framework for protecting AI systems without slowing innovation.&lt;/p&gt; 
&lt;p&gt;Read on to learn how to apply zero-trust principles to AI by securing data, models, workflows and people.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="AI security risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;AI security risks&lt;/h2&gt;
 &lt;p&gt;AI systems &lt;a href="https://www.techtarget.com/searchsecurity/feature/AI-powered-attacks-What-CISOSs-need-to-know-now"&gt;create security challenges&lt;/a&gt; that most traditional defenses do not address. Specific threats include the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/How-data-poisoning-attacks-work"&gt;Data poisoning&lt;/a&gt; manipulates the training data to alter the model's behavior.&lt;/li&gt; 
  &lt;li&gt;Model theft involves attackers extracting proprietary models through APIs or compromised infrastructure.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-prompt-injection-attacks-and-how-they-work"&gt;Prompt injection&lt;/a&gt; and malicious inputs can include threat actors manipulating AI systems to reveal sensitive data or bypass safeguards.&lt;/li&gt; 
  &lt;li&gt;AI supply chain risks occur when attackers exploit vulnerabilities in third-party data sets, models and libraries.&lt;/li&gt; 
  &lt;li&gt;Sensitive data leakage occurs when confidential data is exposed through AI outputs or logs.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Because these risks affect every stage of the AI lifecycle, comprehensive security is essential.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Building a zero-trust framework for AI"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Building a zero-trust framework for AI&lt;/h2&gt;
 &lt;p&gt;To protect the entire AI lifecycle, it is essential to have an effective zero-trust framework that covers data ingestion, model training, model storage, deployment and inference, and ongoing monitoring.&lt;/p&gt;
 &lt;p&gt;To succeed, focus the framework on three key areas: securing AI data pipelines, protecting models and AI infrastructure and continuously monitoring AI workflows.&lt;/p&gt;
 &lt;h3&gt;Securing AI data pipelines&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchenterpriseai/tip/Tools-and-techniques-for-optimizing-AI-data-pipelines"&gt;Data pipelines&lt;/a&gt; are one of the most valuable -- and vulnerable -- parts of AI systems. Untrusted or manipulated data can compromise the entire AI system, so CISOs should prioritize pipeline security. Protect these data sets before they enter training or inference workflows by:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Verifying the origin and integrity of data sets.&lt;/li&gt; 
  &lt;li&gt;Tracking data lineage and provenance.&lt;/li&gt; 
  &lt;li&gt;Restricting who can access and modify data sets.&lt;/li&gt; 
  &lt;li&gt;Implementing automated validation to detect anomalies or poisoning attempts.&lt;/li&gt; 
  &lt;li&gt;Maintaining strict data set version control and access logs.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;h3&gt;Protecting models and AI infrastructure&lt;/h3&gt;
 &lt;p&gt;AI models often represent significant intellectual property and operational value. Treat models as high-value assets. Protect models by:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Securing model registries with strong authentication.&lt;/li&gt; 
  &lt;li&gt;Encrypting models at rest and in transit.&lt;/li&gt; 
  &lt;li&gt;Limiting who can train, modify or deploy models.&lt;/li&gt; 
  &lt;li&gt;Restricting access to inference APIs.&lt;/li&gt; 
  &lt;li&gt;Implementing rate limits to reduce the risk of model extraction.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Separating AI development, training and production environments can further reduce exposure and block attackers from &lt;a href="https://www.techtarget.com/searchsecurity/tip/Common-lateral-movement-techniques-and-how-to-prevent-them"&gt;moving laterally&lt;/a&gt; through the infrastructure.&lt;/p&gt;
 &lt;p&gt;The overall goal is to help prevent model theft, tampering and unauthorized use.&lt;/p&gt;
 &lt;h3&gt;Continuously monitoring AI workflows&lt;/h3&gt;
 &lt;p&gt;Zero trust requires continuous verification rather than one-time authentication. Security teams must monitor the entire AI lifecycle; this includes monitoring training pipelines, model-deployment processes, query patterns, inference APIs and user interaction with AI systems. Indicators of compromise to look out for include unusual query volumes, abnormal output behavior, suspicious automation activity and signs of prompt-injection attempts.&lt;/p&gt;
 &lt;p&gt;Teams should integrate AI telemetry into existing security monitoring platforms to detect and respond to threats faster.&lt;/p&gt;
&lt;/section&gt;              
&lt;section class="section main-article-chapter" data-menu-title="Reinforce zero trust with governance and security tools"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Reinforce zero trust with governance and security tools&lt;/h2&gt;
 &lt;p&gt;AI security is about more than configuring a few settings and rotating log files. Controls must be supported by strong governance and specialized security tools. Security teams should deploy tools that provide visibility across the AI lifecycle, such as model-monitoring platforms, data-lineage tracking tools, AI risk management systems and prompt-injection detection. For the best visibility, coverage and consistency, integrate these tools with existing identity management and security monitoring systems.&lt;/p&gt;
 &lt;p&gt;Equally important is &lt;a href="https://www.techtarget.com/searchdatamanagement/tip/AI-data-governance-is-a-requirement-not-a-luxury"&gt;establishing governance policies&lt;/a&gt; that define how to develop and deploy AI systems. Organizations should set standards for data set approval and validation, model testing and validation, deployment authorization and third-party AI integrations.&lt;/p&gt;
 &lt;p&gt;Use &lt;a href="https://www.techtarget.com/searchsecurity/tip/What-CISOs-need-to-know-about-AI-governance-frameworks"&gt;clear governance&lt;/a&gt; to align AI initiatives with security, compliance and ethical commitments.&lt;/p&gt;
 &lt;p&gt;In addition, train developers, data scientists and business users on security awareness to reduce human error and encourage &lt;a href="https://www.techtarget.com/searchenterpriseai/feature/Responsible-AI-vs-ethical-AI-Whats-the-difference"&gt;responsible use of AI systems&lt;/a&gt; across the organization.&lt;/p&gt;
 &lt;p&gt;AI is already part of core business operations, but it introduces new and evolving security risks by expanding the attack surface. Adopt a zero-trust approach to protect AI systems by verifying every user, service and data source. By securing pipelines, protecting models and continuously monitoring AI activity, leaders can support innovation while maintaining strong security and governance.&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to TechTarget Editorial, The New Stack and CompTIA Blogs.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>As organizations embed AI into business systems, they also expand the attack surface. Applying zero trust to AI can help mitigate the risk.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ai_a373894778.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/How-to-implement-zero-trust-for-AI</link>
            <pubDate>Tue, 12 May 2026 09:15:00 GMT</pubDate>
            <title>How to implement zero trust for AI</title>
        </item>
        <title>Search Security Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
