What Is a Policy
A Definition Updated for the AI Compliance Era Allow me to attempt a definition of a thing I have observed for two decades, across hundreds of corporate environments, and which has just…
Madame Colbac and the Russian Hat
A Note on Linguistic Confusion, Threat Attribution, and the Continental European Boardroom Some years ago, a senior executive at a European bank briefed her board on a cyber threat the company was…
The Post-Incident Communication as Liturgy
A Taxonomy of the Standardized Vocabulary of 2026 Breach Disclosures : There is a genre of corporate communication that, after twenty years of observation, has stopped pretending to be communication and has…
The Four-Month Cyber Resilience Act Countdown
Less than four months separate today from the moment when Article 14 of the EU Cyber Resilience Act becomes binding. On September 11, 2026, manufacturers of products with digital elements placed on…
Agentic, Self-Healing, and Other Press-Release Animals
Somewhere in the corridors of #RSAC2026, there exists a creature called the "AI-native, #ZeroTrust enabled, agentic, self-healing, autonomous security operations platform with continuous compliance posture management". It lives in press releases. It…
A Train to Anywhere
Notes from a Detached Observer of Senior Cybersecurity Governance - There is a fantasy that travels with me at the end of every working week. It is not, despite what the literature…
How Pfizer Allegedly Caused My ZTL Fine
A Crash Course in Pharmacovigilance for Weekend Alarmists : Yes, I know. You were scrolling, and someone posted that "Hantavirus is listed on page 33 of Pfizer's 38-page document, one of 1,233…
The Day the Operating System of Education Went Dark
ShinyHunters, Instructure, and the Canvas Breach of May 2026 : On May 3, 2026, a cybercriminal group called ShinyHunters announced they had breached Instructure, the company that runs Canvas, the learning management…
Claude Security and the Agentic AI Attack Surface in Q1 2026
On April 30, 2026, Anthropic launched a product called Claude Security. It is in public beta, available to Claude Enterprise customers, and it is designed, in the company's own framing, to counter…
When the Target Is a Clinic: The Healthcare Ransomware Crisis of Q1 2026
In the first three months of 2026, hospitals and clinics across multiple continents were forced to operate at reduced capacity, sometimes to close entirely, after ransomware groups locked down their core systems.…