Cyentia Industry Research Library: Lessons Learned

Following up on this with a few links related to the (now offline) Cyentia Industry Research Library. 1. Here's a blog post from 2019 in which we laid out a vision of where we wanted to take the Library. We obviously didn't get there, but I still believe these things would be valuable. https://lnkd.in/eGQd5qZc Side note: I still LOVE the idea of a Cochrane Library parallel for cybersecurity. https://lnkd.in/e3w43kru 2. Here's the research assessment criteria - or as we affectionately called it back then - CRAP. This was circulated to a few people (including Adrian Sanabria) but never left the draft mode. But again - I think these criteria still have merit and wish every industry report came with a rating along these lines. https://lnkd.in/eEPVi5sJ Not trying to resuscitate the Library. Just sharing in case someone else might attempt something similar in the future. The primary roadblock to implementing this at the time was the sheer volume of industry reports published. Assessing them all simply wasn't something we could sustain as a small company without significant funding. If LLMs had been generally available at that time, it might have been a different story. In fact, maybe someone can still write that story... Tony Martin-Vegue Daniel Woods Gabriel Bassett Robbie Robbins Matthew Rosenquist JR Kunkle

In May 2021, the Summit 7 had less than 900 YouTube subscribers. Then, "The History of CMMC" video went live: https://lnkd.in/e8_eXxYF 5 years later: 100x growth. Today, we are at 91,446 subscribers - tantalizingly close to 100,000. That video change the trajectory of my career (and made me a lightning rod for critics) because the context and analysis laid the foundation for making predictions about the future of cyber regulations for defense contractors: All of them have come true. - Baseline security requirements would increase over time because federal authors originally assumed too much about the security maturity of federal contractors (what I called "The Paradox of Burden"). - The systemic levels of fraud being committed by the defense industry exposed by increasingly dire cybersecurity breaches of unclassified systems would lead directly to 3rd-party verification (what is now called "CMMC"). - Those two trends combined with a decade of DoD rationale and public comment responses made it simple to know exactly what the eventual CMMC final rules would look like regardless of how long they might take. Ultimately, the combination of negligence, naïveté, and apathy across federal agencies and industry would slowly, but inevitably lead to a banquet of consequences. The dinner bell rang on November 10th, 2025. Along the way we've put out a lot of content on the channel. If you've found that content valuable, please consider subscribing and help us get to 100k. PS: be sure to turn on notifications so you don't miss the upcoming sequel 👀

This week, I am presenting a series of cyber threat intelligence webinars looking at how the threat landscape differs across industries. The first session today was focused on Financial Services, with another four taking place later this week covering: • Energy & Utilities • Healthcare • Retail • Information Technology At Canopius Group, I work closely with insureds to take technical threat intelligence and turn it into actionable information for cyber decision makers. These sessions are a good opportunity to dig into the tactics, trends, and attack pathways we’re seeing across different sectors, and what organisations should be focusing on in response. The priorities, attack paths, and operational concerns can look very different depending on the sector, especially when comparing areas like OT-heavy environments, healthcare operations, retail exposure, and large IT estates. The sign up link for future webinars in the series is below - it would be great to see you there! https://lnkd.in/eWVYZxCU

48% to 22%. In 2022, 48% of state CISOs said they were "extremely" or "very confident" they could protect public data. In the 2026 NASCIO-Deloitte study released this month, that number dropped to 22%. Confidence in local government and public higher education to protect data fell further. 63% of state CISOs now say they are "not very confident" in those entities. Four years ago that number was 35%. If you are a state, county, or agency security leader, this report is your headline. If you are a CISO in private industry, read it anyway. State CISOs are the early-warning system for the rest of us. They face every threat the private sector faces, on tighter budgets, with more public scrutiny, and slower procurement. Their confidence drop is calibrated, not pessimistic. Three things are happening simultaneously, and the report names them. 1. AI-accelerated attacks. Adversaries can generate and automate attacks at scale, and deepfakes now bypass verification controls most organizations still rely on. 2. Budget compression. 16% of states report cyber budget cuts this year. Two years ago that number was zero. MS-ISAC moved to fee-based membership and many states walked away. 3. Vendor blast radius. The Canvas breach, now under Congressional inquiry, showed one ed-tech vendor outage can touch 8,000 institutions in 72 hours. What I tell the security leaders I work with this week, public and private: Stop framing this as a defense problem. Your board, your legislature, or your agency head cannot help you defend better. They can help you reprioritize, refund, or restructure. Bring them that conversation. The 22% number is not your problem. It is your opening. The CISOs and agency security leaders who use this report to reset the conversation with their executive sponsors this quarter will get more done in the next 90 days than they have in the past two years. DM me if you want the talking points I am using with state and mid-market security leaders preparing for those conversations. #CISO #PublicSector #NASCIO #Cybersecurity #Leadership

A common question from boards: “How can we determine if our cyber reporting is truly useful?” A straightforward test: After reviewing the report, Can you clearly answer the following: • what are our top risks? • what evidence shows they are controlled? • where are we exposed? • what decisions do we need to make? If not, then the report may be informative, but not useful. Effective reporting should: ✔️ reduce uncertainty ✔️ highlight what matters ✔️ drive action ✔️ support accountability It should not: ❌ overwhelm with data ❌ focus only on metrics ❌ hide gaps behind dashboards In healthcare, Clarity at the board level directly impacts how quickly organisations respond during incidents. This week’s brief paper outlines a straightforward approach to testing and improving reporting effectiveness. #Healthcare #CyberResilience #BoardReporting #NSWHealth #PublicSector #CISO #RiskManagement #SOCIAct #DigitalHealth

Cybersecurity used to be about keeping attackers out, but that’s not the world we live in anymore. In this episode, Chris Boehm, Field CTO of Zero Networks, shares what healthcare security really looks like today. Here’s the uncomfortable truth: 👉 Most organizations assume breach is inevitable 👉 The real question is what happens next Once someone is inside your network: Can you see what they’re doing? Can you stop lateral movement? Can you contain the damage quickly? That’s where the shift to “Zero Trust” comes in, but here’s the catch: healthcare can’t afford more friction. We can’t be slowing down nurses, doctors, and patient care. So how do you secure everything without all that disruption? That’s the challenge and the opportunity. One of the biggest takeaways from this episode is that visibility is everything. If you don’t know what’s happening in your network, you can’t protect it. 🎧 Listen in: https://lnkd.in/ea-JmRGp

Two hours into a real incident, nobody on the bridge call is asking whether the backups ran. They're asking when clinicians can access records again. When student systems are back before the next intake. When the website, the tills, the call centre start serving people again. Different sectors, same question. And recent incidents have made the answer very public. That gap, between backup coverage and recovery confidence, is why I'd flag Cohesity's Catalyst on Tour. London | Monday 22 June The session worth the trip on its own is Inside a Cyber Attack. Rachel Higham, who led the technology recovery at Marks and Spencer, joins Karen Penman from PwC UK and James Blake of Cohesity (formerly Global Director of Cyber Transformation at J.P. Morgan). It's an unusually honest panel. Focused on the decisions leaders actually make under pressure, and what separates organisations that recover with confidence from those that don't. Pete O'Doherty, Commissioner at the City of London Police and NPCC lead for cybercrime, will also speak on the current UK threat landscape. This one's pitched at CIOs, CISOs and resilience leaders across enterprise, healthcare and higher education, rather than a product audience. If it's useful, the agenda is here: https://lnkd.in/e8GyBS3Y Happy to compare notes with anyone going and curious how others are thinking about recovery planning right now.

You probably need less data than you think. 📊 Most teams assume they need years of internal history to benchmark security performance. They don’t. Doug Hubbard, owner of Hubbard Decision Research, explained it well: your doctor doesn’t need years of personal data before prescribing medication. They rely on clinical trials that already proved what works across thousands of patients. Security is no different. The industry already has years of benchmark data available. The challenge isn’t collecting more, it’s using what already exists. #TBT to this episode with Doug. Watch it via the link in the comments. 👇 #cybersecurity #research #data #clientdata #VIAknowledgehub

I think we’re about to get very busy at Heimdal®. The latest NCSC guidance around the upcoming “patch wave” is a clear signal of what many of us in cybersecurity have been expecting for a while, vulnerability management is about to become a high-frequency, high-pressure operation across every organisation. For partners in particular, this is the moment to lean in. Pick up the phone and ask your customers a simple question: 👉 “How are you currently handling patching across your environment?” The answers are often more manual, inconsistent, and risk-heavy than most people expect. This is something we’ve been focused on at Heimdal® from day one, making patching faster, safer, and far less painful for IT teams who are already stretched. With the right approach to automated and prioritised patch management, this upcoming wave doesn’t have to become chaos, it can become manageable, controlled, and predictable. If there was ever a time to revisit how patching is being done across your customer base, it’s now. #vulnerbility #patching #cybersecurity #partner #channel

Jesper's comments below must resonate with so many: not only will these vulnerabilities expose swaths of technical debt, they will impact OS that cannot be replaced & yet is suddenly more at risk: the phrase 'patch wave' belies the effort that will be required to assess & prioritise activity needed. This isn't FUD: this is operational impact.