SecureWorld News
SecureWorld News is your trusted source for the valuable cybersecurity information you depend on. Our coverage spans the InfoSec industry, with content ranging from breaking news and original articles to exclusive research and expert interviews.
- ShinyHunters Hits Canvas Again: 275M Records at Risk Across 9K Schools, by drewt@secureworld.io (Drew Todd) on May 8, 2026 at 6:46 pm
The criminal extortion group ShinyHunters has struck Instructure a second time in less than a year, claiming to have stolen records tied to 275 million users across nearly 9,000 schools worldwide. The targeted platform—Canvas, which supports course delivery, assignments, grades, and messaging for more than 30 million active users—went offline for stretches this week as the company scrambled to respond. The timing is particularly damaging: finals season is underway at institutions across the country.
- Oil and Gas Sector’s Confidence in OT Detection Masks Dangerous Visibility Gap, by drewt@secureworld.io (Drew Todd) on May 7, 2026 at 11:08 pm
A new survey commissioned by Tosi, an OT security monitoring vendor, released following Operation Epic Fury reveals that U.S. oil and gas operators may be dangerously overestimating their ability to detect cyberattacks against operational technology (OT) systems—and security experts say the problem runs deeper than monitoring tools can fix.
- Major U.S. AI Labs Now Subject to Pre-Release Government Security Reviews, by drewt@secureworld.io (Drew Todd) on May 6, 2026 at 10:39 pm
The U.S. government has quietly secured something the AI industry has resisted for years: a seat at the table before models ship. The Commerce Department’s Center for AI Standards and Innovation (CAISI) announced Tuesday that Google DeepMind, Microsoft, and Elon Musk’s xAI have agreed to provide access to unreleased versions of their AI models for pre-deployment security and capability evaluations, Reuters and Bloomberg first reported. Combined with existing—and recently renegotiated—agreements from Anthropic and OpenAI, every major U.S. frontier AI lab now participates in voluntary pre-release government evaluations.
- The SOC Is Changing Fast: 6 Skills Security Analysts Need in the AI Era, by office@alexvakulov.com (Alex Vakulov) on May 6, 2026 at 1:24 pm
The cybersecurity workforce conversation has taken a wrong turn. Too many people frame AI in security operations as “automation that handles the boring stuff so humans can focus on important and interesting work.” That framing misses what’s actually changing.
- Perishable Security: Unpacking the Food and Ag-ISAC 2025/2026 Reports, by CamS@secureworld.io (Cam Sivesind) on May 5, 2026 at 1:08 pm
In the cybersecurity field, there is often talk about “critical infrastructure” through the lens of power grids and financial switches. However, two new reports from the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) shift the spotlight to a sector where the blast radius of a breach is measured in spoiled inventory and empty grocery shelves.
- UK Survey Shows Gap Between Perceived Security, Operational Resilience, by CamS@secureworld.io (Cam Sivesind) on May 4, 2026 at 1:42 pm
The latest Cyber Security Breaches Survey, commissioned by the United Kingdom’s Department for Science, Innovation and Technology (DSIT) and the Home Office, provides a comprehensive baseline for the UK’s digital health. While the data reflects a UK-specific landscape, the trends identified—ranging from cyber hygiene fatigue to the rising cost of recovery—serve as a global bellwether for cybersecurity professionals.
- Report: Cloud Environments Have Scaled Beyond Human Limits, by CamS@secureworld.io (Cam Sivesind) on May 1, 2026 at 12:36 pm
In the early days of cloud adoption, security was often a game of “hustle”—manual triage, endless patching cycles, and human-led investigation. But according to Sysdig’s 2026 Cloud-Native Security and Usage Report, that era is officially over.
- Report: Cybersecurity Struggles to Stay Relevant in AI-Speed Landscape, by CamS@secureworld.io (Cam Sivesind) on April 30, 2026 at 12:23 pm
The cybersecurity skills gap has been a persistent headline for years, but in 2026, the narrative has shifted from a simple shortage of talent to a complex “convergence crunch.”
- AppSec Didn’t Need a Faster Way to Find Bugs, by Derek Fisher on April 29, 2026 at 7:05 pm
I seem to oscillate between extremes when it comes to AI’s impact on technology and the future of humanity, but once in a while something is publicized that makes me wonder where we are heading. Anthropic’s announcement of Mythos and the subsequent partnerships in Project Glasswing might be one of those moments. While Mythos shouldn’t be a surprise as it feels like a natural progression of AppSec, it is important that we understand what it can and cannot do, and what it will ultimately do to the industry that we know today.
- Cybersecurity Community Gathers May 20 for 10th Annual SecureWorld Chicago, by CamS@secureworld.io (Cam Sivesind) on April 28, 2026 at 7:58 pm
The Greater Chicago cybersecurity community will gather for an impactful day of insights, networking, and collaboration at the 10th annual SecureWorld Chicago conference on May 20, 2026, led by three stellar keynote sessions.
- State CIOs, CISOs Issue Distress Signal on AI, Limited Resources, by CamS@secureworld.io (Cam Sivesind) on April 28, 2026 at 4:14 pm
For more than a decade, the biennial NASCIO-Deloitte Cybersecurity Study has served as the definitive pulse check for state-level security. But the ninth edition, released in 2026, reads less like a progress report and more like a distress signal. The message from state Chief Information Security Officers (CISOs) is clear: the post-pandemic era of relative stability has been replaced by a “blistering pace” of AI-accelerated threats and a “dire” resource crunch. For cybersecurity professionals, this report is about more than just government tech; it’s a warning about the fragility of the public-sector foundation we all rely on.
The most jarring data point in the 2026 study is the collapse of executive confidence. In 2022, nearly half (48%) of state CISOs felt “extremely” or “very confident” in their ability to secure public data. By 2026, that number has plummeted to just 22%. This isn’t just self-doubt; it is a rational response to an evolving battlefield. CISOs cite three primary barriers to success:
  - Legacy infrastructure: The “technical debt” of aging systems that cannot be easily patched or modernized.
  - Increased sophistication of threats: Specifically, the weaponization of Agentic AI by foreign adversaries to probe for weaknesses at machine speed.
  - Insufficient funding: For the first time since 2024, CISOs are reporting budget reductions, with only 22% seeing any meaningful increase.
For CISOs and security teams: the ‘whole-of-state’ pivot
State CISOs are no longer just protecting the state capitol; they are being forced into a “whole-of-state” approach. Because confidence in local governments and higher education has hit an all-time low—with 63% of state CISOs expressing a lack of confidence in these entities—the state is becoming the “provider of last resort” for cybersecurity services.
The Action: State teams must now architect for multi-tenancy, providing centralized security operations (SOC) and threat intelligence to resource-strapped municipalities and school districts.
If you are a vendor or a business that interfaces with state government, the “maturity mirage” is over. As states adopt new AI guidelines (94% of CISOs are now actively involved in GenAI security policy), expect:
  - Stricter procurement: States will likely mandate higher security standards for any software or service that touches public data, particularly around AI transparency.
  - Shared liability: With budgets tightening, states will be less willing to absorb the risk of a third-party breach.
The study reminds us that cybersecurity is a pillar of public safety. When state CISOs lose confidence, it impacts the reliability of everything from unemployment benefits to DMV services and water infrastructure.
The takeaway: The public must move from being “users” to “aware stakeholders.” Just as we demand road safety, we must support policies that prioritize the modernization of the digital infrastructure that holds our most sensitive personal information.
The AI paradox: defense vs. velocity
While AI is the primary driver of the “blistering pace” of attacks, it is also the only tool that can keep up. State CISOs are in a race to adopt AI-driven defenses even as they struggle to maintain legacy systems. This creates a resource gap where teams are forced to choose between keeping the lights on for 20-year-old servers and investing in the AI tools needed to stop 2026-level threats.
This year’s study includes insights from the CISOs of all 50 states, the District of Columbia, and the U.S. Virgin Islands. Responses from the survey uncovered five themes:
  - Facing an evolving threat landscape: Rapid advances in attack sophistication are challenging state CISOs, with AI viewed as both an emerging threat vector and a powerful tool for cyber defense.
  - Getting future-ready: CISOs are adopting new tools and regulatory frameworks to meet the evolving technology landscape.
  - Looking at whole-of-state cybersecurity: The survey points to a growing interest in centralized state support for the cybersecurity efforts of local governments, public education, and critical infrastructure.
  - The expanding CISO role: The proliferation of AI and generative AI (GenAI), as well as a growing appreciation of the need to safeguard public data, is bringing new responsibilities to the CISO role.
  - Dealing with a resource crunch: Compared with recent survey cycles, CISOs tell us that their funding shortfalls are growing more dire, while continuing to face challenges around maintaining a cyber workforce with the needed skills.
Some other key points within the report: CISOs expressed growing concerns regarding other parties that interact with their data, possibly based on the growing complexity of information networks, as third-party interactions may introduce risks to transparency, access and credentials, and other vulnerabilities.
“The state has published a statewide acceptable use policy to help steer our customer agencies in AI usage,” one CISO remarked, “but vendors auto-enabling AI features in products already leveraged by our customers causes major concern for data protection, privacy and risk.”
Another CISO said: “GenAI is advancing faster than existing governance structures can adapt, creating growing uncertainty around security, privacy and ethical use. Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied. This uncoordinated adoption has outpaced the development of formal security guidelines, governance models and ethical standards, leaving the state in a reactive position.”
One major question is how CISOs expect their SOCs to evolve over the next two to four years to better support local government entities and public higher education. Survey respondents offered a range of answers, from “We expect to offer county, municipal, and K-12 SOC services within the next four years” to “Growing to provide fusion center-type intelligence sharing with municipalities, with a potential to offer SOC services in the future” to “We don’t even have a SOC at the state level. We pay [vendors] to do that kind of work.”
The 2026 NASCIO-Deloitte study is a wake-up call for cyber resilience in the public sector. It confirms that the era of treating cybersecurity as merely an IT problem is officially over. In a landscape where the “human-in-the-loop” is being outpaced by autonomous agents, the only path forward is a unified, whole-of-government approach backed by sustainable, long-term investment.
- Your New AI Assistant Is a Master Key—and You Just Left It Under the Doormat, by nahladavies@nahladavies.com (Nahla Davies) on April 27, 2026 at 2:38 pm
It’s a strange feeling when you realize the thing you trust the most with your work might be the one watching you the closest. No alarms go off. No ransom note shows up. Everything keeps working exactly as expected.
- Why SMBs Are Cutting AI Spend—but Doubling Down on Automated Defense, by CamS@secureworld.io (Cam Sivesind) on April 24, 2026 at 1:39 pm
In the cybersecurity world, we often assume that small and medium-sized businesses (SMBs) are the lagging indicators of digital maturity. However, new research from Tech.co and Expert Market suggests that SMB leaders are becoming surprisingly surgical in their tech adoption.
- The Working CISO’s Guide to Secure AI Enterprise Governance and Implementations, by George Al-Koura on April 23, 2026 at 5:50 pm
I spent the first chapter of my career drinking from a literal firehose. As an analyst in the Canadian Armed Forces (CAF) during the peak of the Afghan war years, I often got thrown into a job or task and then formally trained up on it later. Operational needs always came first; they still do today. My job, crudely put, was to separate signal from noise and never blow the sources and methods that made the collection possible. Two decades later, I’ve gone from being an entry-level SOC analyst at an MSSP to CISO at a global commercial enterprise with millions of active users. The only thing that’s really changed is the gauge of the pipe and the speed at which your newest analyst will wire it directly into their coffee cup if you don’t give them a better alternative.
- Ransomware Negotiator Secretly Worked Both Sides—then Joined the Conspiracy, by drewt@secureworld.io (Drew Todd) on April 23, 2026 at 12:16 pm
A Florida man who worked as a ransomware negotiator at a U.S. cyber incident response firm has pleaded guilty to conspiring with the BlackCat/ALPHV ransomware group—feeding the attackers confidential information about his own clients while simultaneously negotiating on their behalf.
- Do GE’s ITAR Violations Expose a CMMC Blind Spot?, by hnoggle@mccoe.org (Heather Noggle) on April 22, 2026 at 6:47 pm
From my trade compliance connections, I saw that GE Aerospace faces a $36 million ITAR fine. This arises from a voluntary self-disclosure (VSD)—which is something the U.S. Department of State encourages—of 116 ITAR violations within multiple categories. And China.
- Navigating the New Cyber-Physical Convergence Reality in Manufacturing, by CamS@secureworld.io (Cam Sivesind) on April 22, 2026 at 11:23 am
In the manufacturing sector, the traditional boundary between “the network” and “the floor” has effectively dissolved. According to Trackforce’s executive trends report, Cyber-Physical Security Convergence in Manufacturing, the manufacturing world is entering an era where operational uptime is inseparable from cybersecurity posture.
- 2026 Microsoft Vulnerabilities Report: Why Less Actually Means More Risk, by CamS@secureworld.io (Cam Sivesind) on April 21, 2026 at 4:10 pm
In cybersecurity, we often look for comfort in the numbers. If total vulnerability counts are down, we assume the defense is winning. But the BeyondTrust 13th annual Microsoft Vulnerabilities Report just shattered that illusion.
- Leadership in the Age of AI, by Rick Doten on April 20, 2026 at 8:48 pm
Last week, I posted an article about how AI makes us more efficient but actually makes us work more.
- The NVD Course Correction: Navigating NIST’s Strategic Pivot for 2026, by CamS@secureworld.io (Cam Sivesind) on April 17, 2026 at 1:30 pm
For the better part of the last two years, the cybersecurity community has watched the National Vulnerability Database (NVD) with a mix of concern and frustration. As the volume of Common Vulnerabilities and Exposures (CVEs) hit record highs, the “gold standard” of vulnerability enrichment seemed to be buckling under the weight of its own success.

























