Feb 16 2026

Cyber Risk vs. Cybersecurity: Bridging Technical Protection and Business Impact

Category: Cyber maturity,Cyber resilience,cyber security,Risk Assessment,Security Risk Assessmentdisc7 @ 9:27 am

Cybersecurity and cyber risk are closely related, but they operate with different priorities and lenses. Cybersecurity is primarily concerned with defending systems, networks, and data from threats. It focuses on identifying vulnerabilities, applying controls, and fixing technical weaknesses. The central question in cybersecurity is often, “How do we remediate this issue to make the system more secure?” It is action-oriented and technical, aiming to reduce exposure through engineering and operational safeguards.

Cyber risk, in contrast, shifts the conversation from technical fixes to business consequences. It asks, “If this system fails or is compromised, what does that mean for the organization?” This perspective evaluates the likelihood of an event and its potential impact on finances, operations, compliance, and reputation. Not every vulnerability translates into significant business risk, and some of the most serious risks may stem from strategic or process gaps rather than isolated technical flaws. Cyber risk management therefore emphasizes context, prioritization, and tradeoffs, helping leaders decide where to invest resources and which risks are acceptable.

From my perspective, the distinction between cyber risk and cybersecurity represents a maturation of the field. Cybersecurity is essential as the execution arm — it provides the tools and controls that protect assets. Cyber risk is the decision framework that ensures those efforts align with business objectives. Organizations that focus only on cybersecurity can become trapped in an cycle of chasing vulnerabilities without clear prioritization. Conversely, a cyber risk approach connects technical findings to measurable business outcomes, enabling informed decisions at the executive level. The strongest programs integrate both: cybersecurity delivers protection, while cyber risk guides strategy, investment, and governance so the organization can operate confidently amid uncertainty.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: Cyber Risk vs. Cybersecurity

Jan 23 2026

When AI Turns Into an Autonomous Hacker: Rethinking Cyber Defense at Machine Speed

Category: AI,AI Guardrails,Cyber resilience,cyber security,Hackingdisc7 @ 8:09 am

“AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities”

  1. Bruce Schneier highlights a significant development: advanced AI models are now better at automatically finding and exploiting vulnerabilities on real networks, not just assisting humans in security tasks.
  2. In a notable evaluation, the Claude Sonnet 4.5 model successfully completed multi-stage attacks across dozens of hosts using standard, open-source tools — without the specialized toolkits previous AI needed.
  3. In one simulation, the model autonomously identified and exploited a public Common Vulnerabilities and Exposures (CVE) instance — similar to how the infamous Equifax breach worked — and exfiltrated all simulated personal data.
  4. What makes this more concerning is that the model wrote exploit code instantly instead of needing to search for or iterate on information. This shows AI’s increasing autonomous capability.
  5. The implication, Schneier explains, is that barriers to autonomous cyberattack workflows are falling quickly, meaning even moderately resourced attackers can use AI to automate exploitation processes.
  6. Because these AIs can operate without custom cyber toolkits and quickly recognize known vulnerabilities, traditional defenses that rely on the slow cycle of patching and response are less effective.
  7. Schneier underscores that this evolution reflects broader trends in cybersecurity: not only can AI help defenders find and patch issues faster, but it also lowers the cost and skill required for attackers to execute complex attacks.
  8. The rapid progression of these AI capabilities suggests a future where automatic exploitation isn’t just theoretical — it’s becoming practical and potentially widespread.
  9. While Schneier does not explore defensive strategies in depth in this brief post, the message is unmistakable: core security fundamentals—such as timely patching and disciplined vulnerability management—are more critical than ever. I’m confident we’ll see a far more detailed and structured analysis of these implications in a future book.
  10. This development should prompt organizations to rethink traditional workflows and controls, and to invest in strategies that assume attackers may have machine-speed capabilities.

💭 My Opinion

The fact that AI models like Claude Sonnet 4.5 can autonomously identify and exploit vulnerabilities using only common open-source tools marks a pivotal shift in the cybersecurity landscape. What was once a human-driven process requiring deep expertise is now slipping into automated workflows that amplify both speed and scale of attacks. This doesn’t mean all cyberattacks will be AI-driven tomorrow, but it dramatically lowers the barrier to entry for sophisticated attacks.

From a defensive standpoint, it underscores that reactive patch-and-pray security is no longer sufficient. Organizations need to adopt proactive, continuous security practices — including automated scanning, AI-enhanced threat modeling, and Zero Trust architectures — to stay ahead of attackers who may soon operate at machine timescales. This also reinforces the importance of security fundamentals like timely patching and vulnerability management as the first line of defense in a world where AI accelerates both offense and defense.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: Autonomous Hacker, Schneier

Jan 19 2026

Cyber Resilience by Design: Why the EU CRA Is a Leadership Test, Not Just a Regulation

Category: Cyber resilience,cyber security,Cyber Strategy,Information Securitydisc7 @ 8:52 am

The EU Cyber Resilience Act (CRA) marks a significant shift in how cybersecurity is viewed across digital products and services. Rather than treating security as a post-development compliance task, the Act emphasizes embedding cybersecurity into products from the design stage and maintaining it throughout their entire lifecycle. This approach reframes cyber resilience as an ongoing responsibility that blends technical safeguards with organizational discipline.

At its core, the CRA reinforces the idea that resilience is not achieved through tools alone. Secure-by-design principles require coordinated processes, clear ownership, and accountability across product development, operations, and incident response. By aligning with lifecycle thinking—similar to disaster recovery planning—the Act pushes organizations to anticipate failure, prepare for disruption, and recover quickly when incidents occur.

Leadership plays a decisive role in making this shift effective. True cyber resilience demands a top-down commitment where executives actively prioritize security in strategic planning and resource allocation. When leaders set expectations that security is integral to innovation, teams are empowered to build resilient systems without viewing cybersecurity as a barrier to progress.

When organizations treat cybersecurity as a business enabler rather than a cost center, the benefits extend beyond compliance. They gain stronger risk management, greater operational continuity, and increased trust from customers and partners. In this way, the EU CRA aligns closely with disaster recovery principles—prepare early, plan holistically, and lead decisively—to create sustainable cyber resilience in an increasingly complex digital landscape.

My opinion:

The EU Cyber Resilience Act is one of the most pragmatic cybersecurity regulations to date because it shifts the conversation from after-the-fact compliance to engineering discipline and leadership accountability. That change is long overdue. Cybersecurity failures rarely happen because controls were unknown—they happen because security was deprioritized during design, delivery, or scaling.

What I particularly agree with is the implicit alignment between cyber resilience and disaster recovery thinking. Both accept that failure is inevitable and focus instead on preparedness, impact reduction, and rapid recovery. This mindset is far more realistic than the traditional “prevent everything” security narrative, especially in complex software supply chains.

However, regulation alone will not create resilience. Organizations that approach the CRA as a documentation exercise will miss its real value. The winners will be those whose leadership genuinely internalizes security as a strategic capability—one that protects innovation, brand trust, and long-term revenue. In that sense, the CRA is less a technical mandate and more a leadership test.

Cyber Resilience Act

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: EU CRA

Jan 14 2026

Why a Cyberattack Didn’t Kill iRobot—But Exposed Why It Failed

Category: Cyber Attack,Cyber resiliencedisc7 @ 8:44 am

iRobot—the company behind Roomba? In December 2025, it filed for bankruptcy. While some initially blamed a cyberattack, the real story is far more nuanced and instructive.

The incident often cited traces back to February 2022, when Expeditors, a major global freight and logistics provider, suffered a ransomware attack. The company shut down critical systems for nearly three weeks. Because iRobot relied on Expeditors for outsourced logistics, its supply chain effectively came to a halt. Products were stuck in warehouses, retailer deliveries were delayed, and iRobot incurred roughly $900,000 in retailer chargebacks. The company later sued Expeditors for approximately $2.1 million, a case that dragged on into 2024.

However, when viewed in context, the cyber incident was financially insignificant compared to iRobot’s broader troubles. In 2022 alone, iRobot’s revenue dropped by $382 million. Between 2022 and 2024, total losses reached nearly $600 million. During this period, the company also took on around $200 million in debt while waiting for its proposed acquisition by Amazon—an acquisition that was ultimately blocked by regulators. On top of that, tariffs hit its Vietnam manufacturing operations.

The alleged cyber-related losses represented less than 1% of iRobot’s total financial damage. Notably, the bankruptcy filing itself does not even mention the cyberattack or the lawsuit against Expeditors.

What ultimately drove iRobot into bankruptcy was competitive and strategic failure. Chinese competitors such as Roborock entered the market with better-performing products at lower prices, rapidly eroding iRobot’s market share. With the Amazon deal collapsing and margins under pressure, the company simply could not recover.

The broader lesson is important. Third-party cyber incidents are real and can cause measurable harm—lost revenue, operational disruption, and legal costs. But cyber risk rarely destroys a healthy business on its own. Instead, it accelerates failure in organizations that are already structurally weak.

Cyber risk acts like a stress test. A resilient company can absorb a vendor outage and recover. A struggling company, facing the same disruption, may find that it exposes cracks that were already there.

That is why cyber resilience matters more than pure cyber prevention. It is about ensuring your organization can take a hit and continue operating. During vendor reviews, leaders should be asking hard questions: Do contracts include meaningful SLAs, liability caps, and indemnity clauses? Does cyber insurance cover business interruption caused by vendor outages? How concentrated is vendor risk—could one failure freeze operations? And have backup providers actually been tested under realistic conditions?

The most important question remains: if a critical vendor went offline for three weeks, could your organization absorb the impact—or would it push you past the breaking point?

My Opinion

Blaming iRobot’s collapse on a cyberattack is intellectually lazy. The Expeditors incident mattered, but it did not cause the bankruptcy. iRobot failed because of competitive pressure, strategic missteps, and overreliance on a deal that never closed. The cyber incident merely revealed how little margin for error the company had left.

For executives, the takeaway is clear: cyber risk is rarely the root cause of failure—it is the accelerant. Strong businesses treat cyber resilience as part of overall business resilience. Weak ones learn about it only after it’s too late.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: Cyber Resilience, iRobot

Jan 06 2026

The Best Cybersecurity Investment Strategy: Balance Fast Wins with Long-Term Resilience

Category: Cyber Investment,Cyber resilience,Cyber Strategy,Information Securitydisc7 @ 9:44 am

Cybersecurity Investment Strategy: Investing With Intent

One of the most common mistakes organizations make in cybersecurity is investing in tools and controls without a clear, outcome-driven strategy. Not every security investment delivers value at the same speed, and not all controls produce the same long-term impact. Without prioritization, teams often overspend on complex solutions while leaving foundational gaps exposed.

A smarter approach is to align security initiatives based on investment level versus time to results. This is where a Cybersecurity Investment Strategy Matrix becomes valuable—it helps leaders visualize which initiatives deliver immediate risk reduction and which ones compound value over time. The goal is to focus resources on what truly moves the needle for the business.

Some initiatives provide fast results but require higher investment. Capabilities like EDR/XDR, SIEM and SOAR platforms, incident response readiness, and next-generation firewalls can rapidly improve detection and response. These are often critical for organizations facing active threats or regulatory pressure, but they demand both financial and operational commitment.

Other controls deliver fast results with relatively low investment. Measures such as multi-factor authentication, password managers, security baselines, and basic network segmentation quickly reduce attack surface and prevent common breaches. These are often high-impact, low-friction wins that should be implemented early.

Certain investments are designed for long-term payoff and require significant investment. Zero Trust architectures, DevSecOps, CSPM, identity governance, and DLP programs strengthen security at scale and maturity, but they take time, cultural change, and sustained funding to deliver full value.

Finally, there are long-term, low-investment initiatives that quietly build resilience over time. Security awareness training, vulnerability management, penetration testing, security champions programs, strong documentation, meaningful KPIs, and open-source security tools all improve security posture steadily without heavy upfront costs.

A well-designed cybersecurity investment strategy balances quick wins with long-term capability building. The real question for leadership isn’t what tools to buy, but which three initiatives, if prioritized today, would reduce the most risk and support the business right now.

My opinion: the best cybersecurity investment strategy is a balanced, risk-driven mix of fast wins and long-term foundations, not an “all-in” bet on any single quadrant.

Here’s why:

  1. Start with fast results / low investment (mandatory baseline)
    This should be non-negotiable. Controls like MFA, security baselines, password managers, and basic network segmentation deliver immediate risk reduction at minimal cost. Skipping these while investing in advanced tools is one of the most common (and expensive) mistakes I see.
  2. Add 1–2 fast results / high investment controls (situational)
    Once the basics are in place, selectively invest in high-impact capabilities like EDR/XDR or incident response readiness—only if your threat profile, regulatory exposure, or business criticality justifies it. These tools are powerful, but without maturity, they become noisy and underutilized.
  3. Continuously build long-term / low investment foundations (quiet multiplier)
    Security awareness, vulnerability management, documentation, and KPIs don’t look flashy, but they compound over time. These initiatives increase ROI on every other control you deploy and reduce operational friction.
  4. Delay long-term / high investment initiatives until maturity exists
    Zero Trust, DevSecOps, DLP, and identity governance are excellent goals—but pursuing them too early often leads to stalled programs and wasted spend. These work best when governance, ownership, and basic hygiene are already solid.

Bottom line:
The best strategy is baseline first → targeted protection next → long-term maturity in parallel.
If I had to simplify it:

Fix what attackers exploit most today, while quietly building the capabilities that prevent tomorrow’s failures.

This approach aligns security spend with business risk, avoids tool sprawl, and delivers both immediate and sustained value.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.

Tags: Cybersecurity Investment Strategy

Dec 22 2025

Compliance Isn’t Security: Baseline Controls vs. Real-World Cyber Resilience

Category: Cyber resilience,Policies & Controls,Security Compliance,Security controlsdisc7 @ 9:56 am

“Compliance isn’t security” debate

1. The core claim: Many cybersecurity professionals assert that compliance isn’t security — meaning simply meeting the letter of a standard (e.g., ISO 27001, ISO 42001, PCI, HIPAA, NIS, GDPR, DORA, Cyber Essentials) doesn’t by itself guarantee that an organization can withstand, detect, or recover from real-world attacks. Compliance frameworks typically define minimum baselines rather than prove operational resilience.

2. Why people feel this way: Critics argue that compliance programs often become checkbox exercises, focusing on documentation and audit artifacts rather than actual protective capability. Organizations can score well on audits and still suffer breaches because compliance doesn’t necessarily measure effectiveness of controls in practice.

3. Compliance vs security definitions: Compliance is essentially a benchmark against a standard — an organization either meets or fails certain requirements. Security, by contrast, is about managing risk dynamically and defending systems against evolving threats and adversaries. These two missions are related but fundamentally different in objectives and measurement.

4. The “baseline floor” perspective: Some practitioners push back on the notion that compliance has no value at all. They see compliance as providing a baseline floor of capabilities — a starting set of repeatable, measurable controls that help standardize expectations and reduce obvious, basic gaps that attackers exploit.

5. Compliance as structure: From this view, compliance frameworks give organizations a common language and structure to start measuring security efforts, track improvements over time, and communicate with boards, regulators, and insurers. Without structure, purely ad hoc security efforts can lack consistency and visibility.

6. The danger of complacency: The biggest practical risk isn’t compliance per se — it’s when organizations confuse passing an audit with being secure. Treating compliance as an end goal can create a false sense of safety, diverting resources from more effective defensive activities into chasing artifacts rather than outcomes.

7. Evolving threats vs static standards: Another common critique is that compliance frameworks often lag behind real-world threat evolution. Regulatory requirements typically update slowly, whereas attackers innovate constantly. As a result, meeting compliance may not sufficiently address emergent or advanced threats.

8. Complementary roles: Many experienced practitioners conclude that the healthiest view is neither compliance alone nor security alone. Compliance ensures visibility, documentation, and minimum control presence. Security builds on that baseline with active risk management, threat detection, and response mechanisms — which are necessary for meaningful protection.

9. Practical takeaway: In practice, compliance can serve as a foundation or enabler for security, but it should not be mistaken for security itself. Strong security programs often use compliance as a scaffolding — then extend beyond it with continuous improvement, automation, detection, response, and risk-based prioritization.

My Opinion

The statement “compliance isn’t security” is useful as a warning against complacency but overly simplistic if taken on its own. Compliance is not the security program; it’s often the starting point. Compliance frameworks help establish maturity, measure baseline controls, and satisfy regulatory or contractual requirements — all of which are valuable in risk management. However, true security requires active defense, continuous adaptation, and operational effectiveness that goes well beyond checkbox compliance. In short: compliance supports security, but it does not replace it — and treating it as an end goal can create blind spots that attackers will exploit.

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Compliance ist't security

Jul 25 2025

Redefining Digital Sovereignty: Wire CEO Urges Europe to Build Resilient, Independent Tech Infrastructure

Category: Cyber resiliencedisc7 @ 9:48 am

1. In an interview published July 25, 2025, Help Net Security features Wire CEO Benjamin Schilz discussing Europe’s digital sovereignty and framing it as a central strategic goal, shifting the discussion from mere regulation to building independently resilient, European-centered technology infrastructure.

2. Schilz notes that despite past regulatory efforts like GDPR and Schrems II, data still flows across the Atlantic via fragile legal frameworks such as the U.S. CLOUD Act. He highlights Gaia‑X as a milestone project intended to create a federated, transparent European cloud ecosystem, though he emphasizes it’s still in early implementation phases.

3. He emphasizes that the EU AI Act offers regulatory traction and confirms Europe can enforce tech rules—but what’s critical now is building independence so digital infrastructure isn’t shaped by foreign powers. In his view, digital sovereignty is now about European resilience, not just privacy.

4. Open-source and decentralized technologies are highlighted as foundational to Europe’s strategic autonomy. By treating digital infrastructure like energy or water, Schilz argues Europe must support public‑interest tech built with transparency and local control. More than funding, he says Europe needs a “risk-on” environment that rewards ambition and scale.

5. According to Schilz, simply labeling platforms as sovereign—without guaranteeing compliance with EU legal frameworks—is deceptive marketing. True sovereignty requires vendors to commit to EU law, end‑to‑end encryption, data residency, and open standards. If a provider can override those with U.S. obligations, their sovereignty claims fall flat.

6. As concrete proof of impact, Schilz cites deployments of Wire in several German ministries (Interior, Education & Research, Health), showing how secure, sovereign messaging platforms can improve public‑sector efficiency and transparency.

7. Finally, he outlines the necessary criteria for EU‑based AI deployments: they must be hosted within the EU, encrypted end‑to‑end, built with open‑source models, and eliminate reliance on non‑EU jurisdictions. These measures, he says, are essential for maintaining control, trust, and compliance in a complex threat environment.

Perspective

Overall, Schilz offers a compelling vision of digital sovereignty that moves beyond abstract principles toward tangible infrastructure and governance choices. I agree that sovereignty isn’t achieved through legislation alone—it demands architecting systems around open‑source, encryption, interoperability, and EU‑jurisdictional commitments. These design choices are critical for trust and autonomy in an increasingly geopolitically charged tech landscape.

That said, the challenge remains daunting. Projects like Gaia‑X still face hurdles of scale and coordination, and Europe’s fragmented regulatory and investment environment may slow progress. As reported by the Financial Times, Europe continues to lag in venture capital, unified strategy, and industrial scale compared to U.S. and Chinese tech powers. Without robust funding mechanisms and a political consensus, even the best‑designed systems may struggle to reach global competitiveness.

In conclusion, Schilz’s framing—seeing digital sovereignty as resilience, not rhetoric—is both timely and necessary. But turning this vision into reality will require deep systemic reforms in procurement, investment, and culture, as well as sustained public‑private alignment. Europe has the pieces, but assembling them into a coherent strategic stack (as advocates call the “EuroStack”) remains the critical mission for its digital future

Digital Sovereignty: Protecting Your Crypto Assets Against Common Threats

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Digital Sovereignty

May 20 2025

Steal Now, Crack Later: The Urgency of Quantum-Safe Security

Category: Cyber resilience,Data encryptiondisc7 @ 8:29 am

The security of traditional encryption hinges on the computational difficulty of solving prime number-based mathematical problems. These problems are so complex that, with today’s computing power, deciphering encrypted data by brute force—often referred to as “killing it with iron” (KIWI)—is practically impossible. This foundational challenge has kept data secure for decades, relying not on randomness but on insurmountable workload requirements.

However, the landscape is changing rapidly with the emergence of quantum computing. Unlike classical machines, quantum computers are built for solving certain types of problems—like prime factorization—exponentially faster. This means encryption that’s currently unbreakable could soon become vulnerable. The concern isn’t theoretical; malicious actors are already collecting encrypted data, anticipating that future quantum capabilities will allow them to decrypt it later. This “steal now, crack later” approach makes today’s security obsolete in tomorrow’s quantum reality.

As quantum computing advances, the urgency to adopt quantum-safe cryptography increases. Traditional systems need to evolve quickly to defend against this new class of threats. Organizations must prepare now by evaluating whether their current cryptographic infrastructure can withstand quantum-enabled attacks. Failure to act could result in critical exposure when quantum machines become operational at scale.

Adaptability, compliance, and resilience are the new pillars of a secure, future-proof cybersecurity posture. This means not only upgrading encryption standards but also rethinking security architecture to ensure it can evolve with changing technologies. Organizations must consider how quickly and seamlessly they can shift to quantum-safe alternatives without disrupting business operations.

Importantly, the way organizations view cybersecurity must also evolve. Many still treat security as a cost center, a necessary but burdensome investment. With the rise of generative AI and quantum computing, security should instead be seen as a value creator—a foundational component of digital trust, innovation, and competitive advantage. This mindset shift is crucial to justify the investments needed to transition into a quantum-safe future.

Quantum computing is the next frontier. Sundar Pichai predicts that within 5 years, quantum will solve problems that classical computers can’t touch.

Feedback:
There is an urgent need for quantum-resilient security measures. The post successfully communicates technical risk without diving into complex math, which makes it accessible. My suggestion would be to expand slightly on practical next steps—like adopting post-quantum cryptographic algorithms (e.g., those recommended by NIST), running quantum-readiness assessments, and building awareness across leadership. Adding these elements would enhance the piece’s actionable value while reinforcing the central message.

The shift to quantum-safe standards will take several years, as the standards continue to mature and vendors gradually adopt the new technologies. It’s important to take a flexible approach and be ready to update or replace cryptographic components as needed. Adopting a hybrid strategy—combining classical and quantum-safe algorithms—can help maintain compliance with existing requirements while introducing protection against future quantum threats.

Quantum Computing and Information: A Scaffolding Approach

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Quantum computing

May 07 2025

Resilience at Risk: Overlooked Threats Every Leadership Team Should Know

Category: Cyber resilience,Information Security,Security Risk Assessmentdisc7 @ 8:58 am

They’re the quiet ones—the ones that will silently gut your continuity strategy while leadership watches the wrong fire.

1️⃣ Shadow SaaS Is Out of Control
Business units are adopting tools without IT oversight—no security, no backups, no DR.
It works… until it doesn’t. Then it becomes your problem.

2️⃣ RTOs Are Fiction, Not Strategy
“30 hours” looks good—until the CEO demands answers three hours in.
If your recovery needs a miracle, it’s not a plan. It’s a pending failure.

3️⃣ Resilience Theater Is Everywhere
Policies? Written. Boxes? Checked.
But when the real incident hits, no one knows what to do. You’ve got documentation, not readiness.

4️⃣ Hidden Dependencies Will Break You
APIs, scripts, microservices—no SLAs, no visibility, no accountability.
They fail quietly. Business halts. And no one saw it coming.

5️⃣ Continuity Teams Have Quiet Quit
Resilience professionals are exhausted, underfunded, and unheard.
Their silence isn’t safety—it’s burnout. And it’s dangerous.

🔶 Resilience doesn’t fail loudly. It erodes quietly.
CISOs and leadership teams: It’s time to stop watching the wrong fire.

Security and resilience. Business continuity management systems. Requirements

Cyber Resilience – Defence-in-depth principles

Becoming Resilient – The Definitive Guide to ISO 22301 Implementation: The Plain English, Step-by-Step Handbook for Business Continuity Practitioners

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS)

ISO 22301 Free to read

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Cyber Resilience

May 05 2025

Security and resilience. Business continuity management systems. Requirements

Category: BCP,Cyber resiliencedisc7 @ 1:08 pm

1. Purpose and Scope:
The concept of business continuity in management systems focuses on preparing organizations to respond effectively to disruptions. Its primary goal is to ensure that essential business functions can continue during and after incidents such as cyberattacks, natural disasters, or system failures. Business continuity planning is an integral part of an organization’s broader risk management and security posture.

2. Integration with Management Systems:
Business continuity must be embedded into the overall management system, aligning with standards like ISO 22301. This integration ensures that continuity planning, implementation, and testing are not isolated activities but coordinated with information security, quality management, and operational strategies. It emphasizes a risk-based approach and continuous improvement.

3. Key Components:
A robust business continuity framework includes a business impact analysis (BIA), risk assessment, recovery strategies, and response plans. These elements help identify critical processes, assess vulnerabilities, and define acceptable downtime and recovery objectives. Regular training, awareness programs, and incident response drills support readiness and resilience.

4. Communication and Leadership Commitment:
Effective business continuity management depends on top-level commitment and clear communication channels. Leadership must allocate resources, define roles, and ensure all employees understand their responsibilities during a crisis. Internal and external communication strategies are also essential to maintain trust and manage stakeholder expectations.

5. Testing and Continuous Improvement:
To ensure resilience, organizations must regularly test and review their business continuity plans. Simulations, audits, and after-action reviews help identify gaps and improve preparedness. Lessons learned from real incidents or exercises should feed into an ongoing cycle of improvement, reinforcing the organization’s ability to adapt and recover quickly.

BS EN ISO 22301:2019+A1:2024 – TC

BS EN ISO 22301 is the international standard which specifies the requirements for a business continuity management system (BCMS). It helps you to identify potential threats to your business and build the capacity to deal with unforeseen events.

It enables an organization to have a more effective response and a quicker recovery, thereby reducing any impact on people, products and the organization’s bottom line.

What are the benefits of BS EN ISO 22301 – Business continuity management systems

BS EN ISO 22301 empowers organizations to put in place a business continuity management system. By implementing its principles and guidelines in your organization, your business can benefit from:

  • Reduced frequency and impact of disruptions
  • Ability to return to “business as usual” as swiftly as possible
  • Cost savings on reducing the impact of disruptions
  • Confidence that your plans are robust and ensures you are resilient and well-placed to deal with change
  • Increased stakeholder confidence and trust
  • Lower insurance premiums

Cyber Resilience – Defence-in-depth principles

Becoming Resilient – The Definitive Guide to ISO 22301 Implementation: The Plain English, Step-by-Step Handbook for Business Continuity Practitioners

ISO 22301:2019 and business continuity management – Understand how to plan, implement and enhance a business continuity management system (BCMS)

ISO 22301 Free to read

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: BCMS, ISO 22301

Feb 02 2022

10 Steps to Cyber Security

Category: Cyber resilience,cyber securityDISC @ 4:34 pm

10-Steps-to-Cyber-Security-2-1Download

8 Steps to Better Security: A Simple Cyber Resilience Guide for Business

Harden your business against internal and external cybersecurity threats with a single accessible resource. 

In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.  

Tags: Cyber Resilience, Steps to Cyber Security

Sep 04 2021

JAPANESE ROCKET ENGINE EXPLODES: CONTINUOUSLY AND ON PURPOSE

Category: Cyber resilienceDISC @ 4:01 pm
Japanese Rocket Engine Explodes: Continuously and On Purpose

Liquid-fuelled rocket engine design has largely followed a simple template since the development of the German V-2 rocket in the middle of World War 2. Propellant and oxidizer are mixed in a combustion chamber, creating a mixture of hot gases at high pressure that very much wish to leave out the back of the rocket, generating thrust.

However, the Japan Aerospace Exploration Agency (JAXA) has recently completed a successful test of a different type of rocket, known as a rotating detonation engine. The engine relies on an entirely different method of combustion, with the aim to produce more thrust from less fuel. We’ll dive into how it works, and how the Japanese test bodes for the future of this technology.

DEFLAGRATION VS. DETONATION

Humans love combusting fuels in order to do useful work. Thus far in our history, whether we look at steam engines, gasoline engines, or even rocket engines, all these technologies have had one thing in common: they all rely on fuel that burns in a deflagration. It’s the easily controlled manner of slow combustion that we’re all familiar with since we started sitting around campfires.

Tags: DEFLAGRATION VS. DETONATION

Apr 19 2021

Alarming Cybersecurity Stats: What You Need To Know For 2021

Category: Cyber Attack,Cyber Espionage,Cyber maturity,Cyber resilience,cyber security,Cyber Strategy,Cyber surveillance,Cyber Threats,Cyber War,Cybercrime,Cyberweapons,Information SecurityDISC @ 8:46 am
Cyber Attack A01

The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G,  and especially from greater tactical cooperation among hacker groups and state actors. The recent Solar Winds attack, among others,  highlighted both the threat and sophistication of those realities.

The following informational links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2021, it is worth exploring these statistics and their potential cybersecurity implications in our changing digital landscape.

To make the information more useable, I have broken down the cybersecurity statistics in several categories, including Top Resources for Cybersecurity Stats, The State of Cybersecurity Readiness, Types of Cyber-threats, The Economics of Cybersecurity, and Data at Risk.

There are many other categories of cybersecurity that do need a deeper dive, including perspectives on The Cloud, Internet of Things, Open Source, Deep Fakes, the lack of qualified Cyber workers, and stats on many other types of cyber-attacks. The resources below help cover those various categories.

Top Resources for Cybersecurity Stats:

If you are interested in seeing comprehensive and timely updates on cybersecurity statistics, I highly recommend you bookmark these aggregation sites:

 300+ Terrifying Cybercrime and Cybersecurity Statistics & Trends (2021 EDITION) 300+ Terrifying Cybercrime & Cybersecurity Statistics [2021 EDITION] (comparitech.com)·        

The Best Cybersecurity Predictions For 2021 RoundupWhy Adam Grant’s Newest Book Should Be Required Reading For Your Company’s Current And Future LeadersIonQ Takes Quantum Computing Public With A $2 Billion Deal

134 Cybersecurity Statistics and Trends for 2021 134 Cybersecurity Statistics and Trends for 2021 | Varonis

 2019/2020 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics  (cybersecurityventures.com)

Source: The State of Cybersecurity Readiness:

Cyber-Security Threats, Actors, and Dynamic Mitigation

Related article:

Top Cyber Security Statistics, Facts & Trends in 2022

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Cybersecurity Stats

Mar 24 2021

What businesses need to know to evaluate partner cyber resilience

Category: Cyber resilience,Vendor AssessmentDISC @ 9:32 am
What businesses need to know to evaluate partner cyber resilience

Many recent high-profile breaches have underscored two important cybersecurity lessons: the need for increased scrutiny in evaluating access and controls of partners handling valuable customer data, and the imperativeness of assessing a third party’s (hopefully multi-layered) approach to cyber resilience.

Given the average number of tech tools, platforms and partnerships today, having a clear and consistent partner evaluation process is critical for the protection of customer data and in limiting overall risk of exposure to cyber attacks. It is not an area where a business can “cut corners” to save time or dollars if the partnership cost seems too good to pass up – the long-term risk is simply not worth the short-term gain.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA) included security ratings or scorings as part of its cyber risk reduction initiative. This is significant as it showcases there’s a need for consistent industry measurement to give businesses an objective, quantifiable way of determining an entity’s cyber risk and the level of trust they may incorrectly give to their partners who handle their data. While severalagencies and government stakeholders are starting to use security ratings, this idea of a uniform scoring system is still a pretty novel concept that will continue to evolve.

In the meantime, here are four questions businesses should ask when determining a partner’s cyber resilience to reduce the possible risks that come with giving external parties access to sensitive data.

What are your current standards for protecting customer data?

IT Vendor Risk Management A Complete Guide - 2021 Edition by [Gerardus Blokdyk]

Tags: evaluate partner cyber resilience

Jun 16 2020

Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found

Category: Cyber Attack,Cyber Espionage,Cyber resilience,cyber security,Cyber Threats,Cyber War,CybercrimeDISC @ 10:19 am

The publication of ‘Vault 7’ cyber tools by WikiLeaks marked the largest data loss in agency history, a task force concluded.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

Source: Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found.

Wikileaks Vault 7: What’s in the CIA Hacking Toolbox?
httpv://www.youtube.com/watch?v=X45Bb8O-gMI

CIA Hacking Tools Released in Wikileaks Vault 7 – Threat Wire
httpv://www.youtube.com/watch?v=5LYSjLwkAo4

Download a Security Risk Assessment steps paper!

Download a vCISO template

Take an awareness quiz to test your basic cybersecurity knowledge

Subscribe to DISC InfoSec blog by Email




Jul 25 2019

Protecting Controlled Unclassified Information

Category: Cyber resilience,cyber securityDISC @ 12:04 am

Protecting Controlled  Unclassified Information 





CCPA: What You Need to Know About California’s New Privacy Law


CCPA Assessment:

A Roadmap to NIST 800-171 Compliance

DISC helps business owners in California to meet the new 2018 requirements of the CCPA and how to implement the National Institute of Standards and Technology’s (NIST) 800-171 cybersecurity framework. The roadmap is provided specifically to the CCPA either for a business, agency or organization that is required to meet this new State Law and describes both technical and administrative measures that will attain an acceptable level of compliance for State certifying officials. Assessment will include but not limited to compliance with policies and procedures, security strategy/plan, and plan of actions & milestones. The initial assessment will determine the as-is state of your data privacy program business, legal and regulatory requirements. DISC will provide a target state (to-be) which will include tech controls, mgmt. control, and ops control to build your data privacy program based on NIST 800-171. So basically the transition plan (roadmap) will enumerate the details of how to get from as-is state to to-be state.

DISC Cybersecurity consultant support business and agencies effectively to meet the 110 security controls in NIST 800-171 which has become the de facto standard for cybersecurity compliance. It ensures that security policies and practices of the framework meet the intent of CCPA. Adequate security is defined by ”compliance” with the 110 NIST 800-171 security controls.


NIST 800-171 Overview






Enter your email address:

Delivered by FeedBurner




Apr 10 2019

How to achieve cyber resilience in 7 steps

Category: Cyber resilienceDISC @ 5:28 pm

[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/04/Cyber-Resilience-in-7-Steps.pdf” title=”Cyber Resilience in 7 Steps”]

 

  • Cyber Resiliency Metrics | MITRE


    • Enter your email address:

    Delivered by FeedBurner