
Why CISOs should prioritize continuous control monitoring in 2026

In a recent roundup of strategic initiatives for CISOs, I argued that continuous assurance is the 2026 operating model. Across all ten initiatives, the pattern was clear. Security is no longer being evaluated by effort; it's being evaluated by outcomes. Boards, customers, and regulators are no longer asking what tools you deployed or how busy your security team is. They are asking a simpler, harder question: can you prove that your controls are working right now?

2026 State of Software Security: Risky Debt is Rising, But Your Strategy Starts Here

You can't fix what you ignore. For years, organizations have raced to deploy software faster, often leaving a trail of unresolved vulnerabilities in their wake. We call this trail security debt: flaws left unresolved for more than a year after being discovered. It isn't just a technical metric. It's a compounding business risk that is growing harder to manage every year. Today, we are releasing the 2026 State of Software Security (SoSS) report.

The Vendor Tiering Series: Why Tier Your Vendors

The thing about blanket approaches is that they rarely work or scale. The same holds true for third-party cyber risk management. Treating every provider, stakeholder, or partner with the same intensity is neither productive nor cost-effective. While defaulting to treating every vendor at the same risk level is common, it is not a resilient security strategy.

The Rise of the AI Security Engineer: A New Discipline for an AI-Native World

We are witnessing the birth of a new profession in the blend of security engineering and security operations, a discipline that didn't exist five years ago because the systems it protects didn't exist five years ago. As artificial intelligence moves from experimental to essential and agentic systems begin to perceive, reason, act, and learn autonomously, we need defenders who can operate at the same velocity. I'm talking about the AI Security Engineer.

Cloud Security for Financial Services: Building a Compliant AWS Environment

Financial services organizations moving to AWS often discover that retrofitting security and compliance controls costs three to five times more than building them in from the start. Compliance gaps discovered during audits can delay critical initiatives, trigger regulatory scrutiny, and expose organizations to unnecessary risk.

Post-incident review: Source map exposure on non-production subdomain

Update (February 24, 2026): @vmfunc has published part two of their series about Persona. You can read it here. We will update this post with part three when it is released. On February 16, 2026, security researchers @vmfunc, @MDLcsgo, and @DziurwaF published a blog post identifying exposed frontend source maps on a non-production subdomain under withpersona-gov.com.

GDPR Incident Response for Websites: What to Do When Tracking Violations Are Found

So your team just uncovered a GDPR tracking violation, a consent anomaly that, after a deeper look, turns out to be a pixel firing regardless of consent state. From the looks of it, it's definitely an ePrivacy violation. But the harder question, the one you now have to race against time to answer, is whether this is also a notifiable breach under GDPR. For that determination, you now have 72 hours. One gets fixed with a tag manager update and a stern email to marketing.

CCPA Incident Response: Responding to Website Tracking Violations

Most websites host tracking systems that change continuously, tag by tag, pixel by pixel, version to version, often without anyone in privacy touching a line of code. Marketing adds a session replay script through the tag manager. Vendors quietly push updates to the tags. By the time it's noticed in the next periodic review, the damage is done. Drift in tag behaviour leads to consent violations, and tracking scripts load and process data despite GPC signals.

How incident.io and Apono Enable Just-in-Time Access for Incident Response

Picture this: it’s 2am, your pager goes off, and you’re staring at a production database that’s on fire. You know exactly what’s wrong. You know exactly how to fix it. But you can’t touch anything because you’re waiting on someone to approve your access request. Meanwhile, your customers are down, your SLAs are bleeding out, and you’re refreshing Slack, and every minute you spend waiting is another minute of damage you could’ve prevented.

Why Your Security Stack Is Blocking AI (And How to Fix It)

Sr. Technical Content Strategist

Hockey has a saying that describes the problem security organizations face when trying to integrate AI: "You have to skate to where the puck is going, not where it has been." Think of the modern security stack. It's a fragmented architecture built layer by layer over decades. Tools are siloed, some overlapping, some operating in black boxes, and others that no one remembers installing.