Richard L.
Sydney, New South Wales, Australia
2K followers
500+ connections
About
With over 14 years of experience in cyber security and technology risk management in…
Explore more posts
Marin Ivezic
The Australian Cyber Security Centre (ACSC), via the Australian Signals Directorate (ASD), has published updated guidance titled “Planning for Post-Quantum Cryptography.” It’s encouraging to see more national security agencies raising awareness and urging organizations to start preparing now. They correctly note that deploying protections against a CRQC may take longer than expected and highlight the risk of "harvest now, decrypt later" - which are all the right reasons to start now, but without panicking.

While the ACSC’s push to "start planning for PQC right away" is wise, their recommended timeline (seen in the diagram below) raises some concerns. The guidance mentions, for example, that enterprises should have begun implementing PQC by the end of 2028 and should have completed the transition across the organization by the end of 2030. In other words, the ASD envisions that once an enterprise kicks off its migration (by 2028), it can fully replace or upgrade its cryptography within about two years. For most large enterprises, however, a two-year window to entirely swap out entrenched cryptographic systems is overly optimistic. Migrating to PQC is a massive, multi-year undertaking for a typical large organization. Roadmaps and guidelines from other bodies - such as the Post-Quantum Cryptography Coalition (which includes MITRE, Microsoft, and IBM), Moody’s, U.S. officials, and other security agencies - have estimated much longer timelines that dwarf the ACSC’s suggestion. I just posted on my blog a detailed quantum readiness program plan showing in detail why it’s a 10-year effort (if not more): https://lnkd.in/gds9FTFD. To be fair, the ACSC guidance’s intent is likely to set a bold but clear goal to galvanize action, rather than a hard-and-fast rule.

However, when a super-busy CISO sees the diagram below, the risk is that they will only read that they have until 2028 to start and that it can be done in two years, and then put it in the back of their minds. In summary, Australia’s ACSC deserves credit for elevating post-quantum cryptography on the national agenda and providing practical guidance to get started. Their message aligns with global expert opinion: don’t wait for the quantum threat to become imminent; begin your preparations now. At the same time, it’s important to approach the timeline with realism.

(Also, why is the risk exposure for "harvest now, decrypt later" data starting only mid 2027 in the diagram?!?)

The guidance: https://lnkd.in/gWCpZasV #PQC #QuantumReadiness #QuantumSecurity #QuantumResilience #QuantumResistance
190
10 Comments
Finn Plotz
Private security firms are under pressure. 🚨 SEON processes 1 million alarms every day. Every 10 seconds a response unit is dispatched. In between: an enormous false alarm rate. Control rooms are stretched to the limit. Every unnecessary dispatch burns money, people, and trust. Without AI, this volume is unmanageable. Resilience in security doesn’t mean putting more people on the phones. It means deploying intelligent systems that take the load off humans and respond faster when it really matters.
71
1 Comment
Flavius Plesu
I hate to say I told you so… But as I predicted in previous posts, cyber threats are fuelling growth. SentinelOne just raised its annual revenue forecast on the back of rising global demand for AI-powered defence. Organisations are investing heavily in automation, AI-driven security tools and adaptive security capabilities. Boards are seeing the numbers - attacks are up, breaches are costly and vendors promising machine-speed protection are surging in value. For years, the strategy has been to build higher walls and patch faster. Now, it’s about autonomous systems that adapt in real time, reducing the gap between signal and remediation. Cybersecurity isn’t just about reacting anymore - it’s becoming predictive and adaptive. The organisations that thrive will be the ones that move just as quickly as the threats do.
33
8 Comments
Rob Demain
Friday Thoughts: A good tabletop makes people slightly uncomfortable, because that’s when the most learning happens.

With the Cyber Security and Resilience Bill coming and CAF v4 updates now in place, tabletop exercises are becoming a compliance necessity. To achieve Objective D, organisations need to have incident response plans that show:
- Coverage of the entire lifecycle of an incident.
- Integration with business operations, supply chains and critical dependencies.
- Address both known and previously unseen attack scenarios.
- Understanding by everyone involved in running your essential functions.

To know if it really works it needs to be lived, tested, refined, and stress-tested again.

The problem? Too many tabletop sessions are sanitised. Predictable scripts. Too generic. No real chaos. No pressure. No exploration of “what if” when the unexpected happens.

If you want them to have impact (and pass regulatory scrutiny):
- Go beyond the SOC – involve PR, legal, ops, leadership.
- Inject uncertainty – limit facts, create the pressure of partial information.
- Challenge assumptions – what if your comms tool fails, or a supplier is the breach vector?
- Document lessons learned and take action, make improvements and run the scenarios again to gauge how much you have improved.

Is there anything I've missed? What's the best tabletop exercise you've been involved in? #caf #tabletops #cyber
30
8 Comments
Chris Parker MBE
Recommended reading for practitioners holding cyber risk roles. I was well known for driving tabletop exercises in many sectors to reduce risks, but it really applies so well in #cybersecurity. Tabletop exercises (TTXs) give teams the practice they need to spot gaps, strengthen response, and build the reflexes to act fast when attacks strike. Read Fortinet Aamir Lakhani’s perspective via SC Media: https://ftnt.net/6043AMt39
26
1 Comment
James Berthoty
The future of vulnerability management tooling has never been more intensely competitive, as early consolidation has driven the large platforms to start pushing highly competitive offerings at helping companies achieve the idea of Continuous Threat Exposure Management (CTEM) - which yes, has been vulnerability management all along. You have:
1. Wiz + Dazz (acquired by Wiz)
2. Orca Security + Opus Security (Now Part of Orca Security)
3. Zscaler + Avalor Security, a Zscaler Company
4. Armis + Silk Security
5. Tenable + Vulcan
6. Invicti + Kondukto

These players are rushing to provide holistic multi-cloud and on-prem vulnerability management capabilities to their customers via acquisition strategies. From what I've seen, Wiz's approach of having the team rebuild their capabilities in house has once again paid off, having the Universal Vulnerability Management (UVM) features tightly integrated with the platform.

Independent players provide distinct benefits, especially with capabilities like reachability across multiple scanners. Some of the independent players doing a great job at vulnerability aggregation and normalization across large diverse environments are:
1. Axonius
2. Zafran Security
3. Phoenix Security | ASPM
4. ArmorCode Inc.
5. Seemplicity
6. Brinqa
7. Nucleus Security
8. DevOcean

There are numerous other vendors in this category as well, but these providers all focus on unifying large sets of vulnerability information to drive results, especially for enterprises struggling with massive infrastructures.
278
60 Comments
Pravesh Gaonjur
Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will:
- Expose misconfigurations and control gaps
- Surface broken processes (people • tech • vendors)
- Produce a clear timeline to improve response
- Provide evidence for insurance claims and regulators
- Demonstrate senior management intent and due diligence

One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers
17
2 Comments
Benjamin Harris
Long ago, the watchTowr team debated a challenge: "How do we determine a vulnerability's likelihood of future exploitation, when EPSS and others have become lagging indicators?" 🤔 watchTowr Instinct is what we came up with, and has been quietly working in the background to enable the watchTowr Platform to get ahead of in-the-wild exploitation 🚀 Instinct is our AI-driven vulnerability intelligence algorithm, mimicking the instinct that the watchTowr team has built through years of breaking into the world's largest banks, insurers and other organizations. 😅 Once again, I promise you - ransomware gangs are not there analyzing CVSS metrics, EPSS scores, or industry chatter. They use their own instinct to look at a list of 1000 vulnerabilities and identify the 1-2 that are of actual use (without industry academia). Instinct has worked - watchTowr has consistently accurately predicted the vulnerabilities that are likely to receive in-the-wild exploitation, often days or weeks before exploitation started. CitrixBleed2 is a recent example. Instinct flagged it early, well before many had it on their radar - and as we now know, by the time typical industry alerts appeared or the vendor acknowledged in-the-wild exploitation, exploitation was well underway. Every day, we provide our clients with the one thing they need most: time to respond.
117
2 Comments