Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Hong Kong’s Protection of Critical Infrastructures (Computer Systems) Ordinance (Cap. 653) represents a major shift in cybersecurity regulation. The law moves beyond traditional compliance exercises and places a much stronger emphasis on continuous operational resilience. For designated Critical Infrastructure (CI) operators, the challenge is no longer simply deploying security controls.

Third-party assessments often succeed at one thing: surfacing where a vendor falls short. But the process that follows can be difficult to scale across a growing vendor ecosystem.

Anthropic recently announced the release of Claude Fable 5, a public version of its more powerful Mythos AI model. Technology that was previously only accessible to a select few organizations is now available to businesses at an enterprise level. AI vendors are building the guardrails while threat actors are studying their attack vectors. Essentially, we are giving the keys to the AI world to businesses and hoping the guardrails hold steady. Security teams need to prepare even faster now.

The recent wave of announcements surrounding Claude Mythos and Project Glasswing has certainly filled our feeds. While these developments are technically interesting, the real story for me lately has been what they reveal about where the cybersecurity market is heading and how quickly that evolution is reshaping the risk conversation.

Are the repeated warnings throughout the years taking effect? Although we would like to say they are, the answer is complex and, most likely, we aren’t quite there yet.

According to Bitsight Threat Intelligence, NoName057(16) remains one of the most visible pro-Russian hacktivist groups conducting distributed denial-of-service (DDoS) attacks against countries and organizations perceived as supporting Ukraine. This matters because the risk can extend beyond direct business ties to Ukraine, and the group may also target organizations that do business with vendors, suppliers, partners, or service providers perceived as supporting Ukraine.

For the record, I always thought the GRC was cool. NIST Framework? Yes please. Vendor risk register? Tell me more! Not everyone shared my enthusiasm for effective and efficient cyber risk reduction. Until now. Suddenly, seemingly overnight, managing the digital supply chain became really, really important. AI governance (a phrase that didn’t even exist a year ago) is now the topic of boardroom discussions. Yes, it will look different and operate in a new way.

For organizations within the Defense Industrial Base (DIB), the Cybersecurity Maturity Model Certification (CMMC) 2.0 represents more than a regulatory hurdle. It is becoming a core requirement for doing business with the Department of Defense and for protecting sensitive information across the defense supply chain.