Security & Risk Management — Strategic Lessons from the Field
How governance, risk, and compliance are evolving in 2026 — and what cybersecurity strategists are learning about board-level alignment, regulatory pressure, and risk that actually moves the needle.
Strategic perspective by Ishmael Chibvuri, CISM
Risk management has moved out of the back office. In every engagement I've been part of over the last eighteen months, the conversation that used to happen in the audit committee now happens in the boardroom — and it happens in dollars, not in heat-map colors. That shift is real, and it changes what good looks like for a security program.
What's shifting right now
The three forces I'm tracking most closely:
- Material risk disclosure — the SEC and equivalent regimes require public companies to assess the materiality of cyber incidents and disclose the material ones on a tight clock (four business days after the materiality determination, under the SEC rule). The downstream effect is that every program, not just those at public companies, now needs a defensible materiality framework: vendors and partners are inheriting the same standard from the filers they serve.
- AI risk surfacing inside enterprise risk registers — the gap between "we use AI somewhere" and "we govern AI as a risk class" closed faster than most boards expected. NIST AI RMF and the EU AI Act have given GRC teams a vocabulary; what's missing is the operational telemetry.
- Third-party concentration risk — single-provider outages and supply-chain compromises (think mid-tier SaaS, identity providers, CDN) have moved concentration risk from a footnote to a top-five concern.
What keeps proving true
- A risk you cannot quantify is a risk you cannot prioritize. Qualitative ratings inflate over time. Move to ranges (FAIR-style) even if the inputs are rough.
- Compliance is a floor, not a ceiling. Programs that optimize for the audit collect findings; programs that optimize for resilience collect avoided findings.
- The board doesn't need more dashboards. They need a story. Three numbers, one trend, one decision.
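To make the "move to ranges" point concrete, here is an added example (not part of the original page, and not the author's own tooling): a simplified FAIR-style Monte Carlo in Python. It takes a 90% confidence range for loss event frequency and for loss magnitude, fits a lognormal to each, and simulates a year of losses many times to produce an annualized loss expectancy and tail percentiles. The two scenarios, their heat-map ratings and their ranges are constructed for the example; full FAIR decomposes frequency and magnitude further (threat event frequency, vulnerability, primary versus secondary loss), which this two-factor version deliberately omits.

```python
"""FAIR-style Monte Carlo: rough 90% ranges in, dollar-denominated risk ranking out.
Added illustration; scenarios and ranges below are constructed, not real data."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with calibrated 90% confidence ranges."""
    name: str
    heat_map: str                  # qualitative rating the register carries today
    lef_ci: tuple[float, float]    # Loss Event Frequency, events/year: (5th pct, 95th pct)
    lm_ci: tuple[float, float]     # Loss Magnitude per event, USD: (5th pct, 95th pct)


Z90 = 1.645  # z-score that bounds a two-sided 90% interval


def lognormal_params(lo: float, hi: float) -> tuple[float, float]:
    """Fit a lognormal whose 5th/95th percentiles are lo/hi; returns (mu, sigma)."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inverse-transform Poisson sampler (fine for the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7) -> dict[str, float]:
    """Monte Carlo one scenario's annual loss: uncertain frequency times uncertain magnitude."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_params(*s.lef_ci)
    lm_mu, lm_sigma = lognormal_params(*s.lm_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)      # this year's true event rate
        events = poisson(rng, rate)                        # how many events actually occur
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[int(p * (len(losses) - 1))]

    return {
        "mean_ale": sum(losses) / trials,                  # annualized loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "prob_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def rank_by(scenarios, key: str = "mean_ale", **kw) -> list[str]:
    """Order scenario names by one statistic of simulated annual loss, largest first."""
    results = {s.name: simulate(s, **kw) for s in scenarios}
    return sorted(results, key=lambda name: results[name][key], reverse=True)


# Constructed register: the heat map says the ERP ransomware scenario is the bigger worry.
SCENARIOS = [
    Scenario("Ransomware on ERP", "High", lef_ci=(0.05, 0.5), lm_ci=(500_000, 8_000_000)),
    Scenario("Primary IdP outage", "Medium", lef_ci=(0.5, 3.0), lm_ci=(100_000, 1_500_000)),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        r = simulate(s)
        print(f"{s.name:20s} heat-map={s.heat_map:6s} mean ALE=${r['mean_ale']:>11,.0f} "
              f"p90=${r['p90']:>11,.0f} P(loss)={r['prob_any_loss']:.0%}")
    print("ranked by mean ALE:", rank_by(SCENARIOS))
```

With these constructed inputs the "Medium" IdP-outage scenario carries a larger expected annual loss than the "High" ransomware scenario, because it happens far more often even though each event costs less; the ransomware scenario shows up instead in the tail percentiles. That split between expected loss and tail loss is exactly what a colour on a heat map cannot express, and it is the trade-off a board can actually decide on.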
Below is the live feed across the domain — governance moves, regulatory shifts, and risk events that change the calculation.
Latest from across the industry
Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity and the potential ongoing exploitation.
Patch Now: Another Palo Alto Auth Bypass Bug Under Active Exploit
Exploiting the PAN-OS GlobalProtect VPN vulnerability requires certain conditions, but adversaries have done so in two attack waves that started in mid-May.
Dragos Acquires xIoT Security Firm Phosphorus
Dragos said customers will soon gain expanded asset visibility and integrated device intelligence, with automated remediation workflows and a unified platform experience to follow.
Flowise’s MCP implementation can run ghost commands
Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads have a new near-max severity issue to worry about. Researchers at Obsidian Security have detailed a one-click remote code…
As the Pentagon Pushes for Battlefield AI, Some Military Leaders Urge Caution
AI’s use in the military is part of the administration’s larger push to grow the capability it sees as a unique American advantage.
19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Proof-of-concept (PoC) exploit code has been released for the CIFSwitch flaw, which allows low-privileged users to escalate to root on vulnerable Linux systems.
Recent Palo Alto Networks Vulnerability Exploited for Weeks
Hackers began exploiting CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS, four days after public disclosure.
6 critical security gaps every CISO must address
CISOs acknowledge that no organization is completely safe, but many also admit their security measures aren’t where they’d like them to be. One-third of CISOs surveyed for Proofpoint’s 2025 Voice of the CISO Report said…
Press Release: CSO30 ASEAN & Hong Kong Awards 2026 open for nominations
The CSO30 ASEAN & Hong Kong Awards return in 2026, as an important moment to recognise the cybersecurity leaders and teams who are making resilience measurable across the region. In a landscape shaped by rapid threat ev…
Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say
Moscow’s agents are building fake companies, recruiting middlemen and deploying cyber spies and hackers who gather information that could be used to attack key infrastructure.
Exploit Code Published for Critical Flowise RCE Vulnerability
The one-click vulnerability allows attackers to execute arbitrary code on self-hosted Flowise servers by tricking users into importing a malicious chatflow.
Russia-aligned crime group Greyvibe extensively uses AI in attacks
Researchers have uncovered a previously undocumented Russian group that makes extensive use of large language models (LLMs) in its attacks against private, government, and military organizations in Ukraine. It uses a va…
Microsoft and security researcher’s dueling posts about cybersecurity disclosures get nasty
Microsoft and a prominent cybersecurity researcher have gotten into a very public and rather personal exchange of unpleasantries about what responsible cybersecurity disclosures should mean in 2026. A cybersecurity rese…
Friday Squid Blogging: Another Squid
Someone named “Squid” seems to be a “West Country legend.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy.
Name That Toon: Mark of (Cybersecurity) Progress
As part of Dark Reading's 20th anniversary package, we asked readers for a cybersecurity-related caption that captures their thoughts about the industry's last two decades.
In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks
Noteworthy stories that might have slipped under the radar: Trump Mobile exposes customer data, phishers target the 2026 FIFA World Cup, CISA responds to recent supply chain attacks.
DNS-AID will make AI agents easier to discover, says Linux Foundation
As AI agents become more numerous and more communicative, keeping track of where to find them is becoming increasingly important. Numerous proprietary agent registries are on the market, but the Linux Foundation suggest…
As Global Powers Explore Humanoid Robots, Cyber-Risk Looms
The future of cybersecurity is germinating, as nation-states vie for dominance in the embodied AI market and its supply chain.
Certifiably random: Swiss researchers claim perfect random number source
Researchers in Switzerland claim to have built a perfect random number generator from two quantum superconducting chips, a 30-meter-long pipe, and some software. The resulting device could be used to generate cryptograp…
Charter Communications Data Breach Could Impact Nearly 5 Million
The notorious ShinyHunters extortion group leaked over 42 million records allegedly stolen from Charter in April.
Asia's Cyber Insurance Market Shows Signs of Life
The cyber insurance industry has made relatively weak inroads into Asia due to a variety of factors, but that could be changing.
MokN Raises $15 Million for Phish-Back Platform
MokN's platform deploys realistic decoy access points to lure attackers into revealing compromised credentials, enabling organizations to respond before abuse occurs.
With Complex Cloud Integrations, Small Errors Lead to Major Compromises
Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service.
'The Com' Cyberattacks Support Violence & Sexploitation
Your organization's security failures have consequences for everyone else as well, since this criminal gang uses its cyber winnings to fund more violent and widespread crimes.
Chilling Effects
Younger Americans have soured on the second Donald Trump presidency, but they are not protesting it. Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have…
Notepad++ vulnerabilities could enable arbitrary code execution on Windows systems
Two arbitrary code execution vulnerabilities in Notepad++ let local attackers run commands of their choice on Windows machines by tampering with the editor’s XML configuration files, with both flaws rated High at CVSS 7…
The Gentlemen are coming for your files, and then your network
Ransomware operators have spent years refining the art of locking files. Now, some are working harder to get those lockers to every reachable system first. Microsoft’s recent warning of the Gentlemen ransomware revealed…
Cybersecurity trends in SEC filings
In 2023, the Securities and Exchange Commission (SEC) required public companies to include a new section in their 10-K annual filings that is devoted to cybersecurity. This section is meant to address “cybersecurity ris…
GDPR set the tone for regulatory action — and the AI fine pushback to come
Big tech firms continue to push back against fines levied for alleged violations of European data protection law, in what could be a harbinger for AI regulations to come. While lawyers and experts quizzed by CSO broadly…