The Next Madoff Won’t Be a Person. It Will Be Private Equity
Every downturn has a signature collapse. 2001 had Enron. 2008 had Madoff and Lehman. 2022 had FTX. The pattern is consistent: tight money exposes models that only worked when capital was loose. This cycle’s prime candidate is hiding in plain sight, private credit and the private equity ecosystem it feeds. Private credit has ballooned from roughly $400 billion in 2014 to approximately $2 trillion today. Pension funds, insurance companies, and sovereign wealth funds poured in,

Lindsay Timcke
3 days ago · 2 min read
The Attack Surface No One Owns: Why Non-Human Identities Are the Breach Vector of the Next Decade
Every security program is built around a question that is quietly becoming obsolete: who is the user? We provision human accounts, enforce multi-factor authentication, run phishing training, and offboard employees on their last day. Meanwhile, the fastest-growing population on every network is not human at all. Service accounts, API keys, OAuth tokens, CI/CD secrets, machine identities, and now autonomous AI agents already outnumber human users in most enterprises by a facto

Lindsay Timcke
3 days ago · 2 min read
“The AI Made the Decision”: How Companies Are Using Automation to Dodge Responsibility
There’s a phrase quietly creeping into boardrooms, customer service scripts, and legal defenses: “The AI decided that”, “the system did it”. It sounds neutral, even reasonable. But increasingly, it’s becoming a shield, a way for companies to distance themselves from outcomes they’d rather not own. When a loan gets denied, a résumé gets filtered out, an insurance claim gets rejected, or a price gets jacked up, the answer is no longer “we decided.” It’s “the algorithm flagged i

Lindsay Timcke
3 days ago · 2 min read
The Exam Teaches the System as Designed. The Enemy Attacks It as Deployed
We have a generation problem in cybersecurity, and it isn’t a skills shortage, it’s a skills mismatch. When I train my staff I train them to the real world, to think like a criminal. We’ve spent two decades training defenders to pass exams. CISSP, CISM, CISA, the entire ISACA canon: they teach control families, risk matrices, audit trails, and the comforting fiction that a properly documented framework keeps you safe. It certainly does not. These credentials produce people w

Lindsay Timcke
3 days ago · 2 min read
To Me, Patch Tuesday Looks Like Your Calendar. And It’s Wide Open
Let me show you the org chart the way I see it. The second Tuesday of every month, Microsoft drops its patches. You see a maintenance window. I see a confession, a public, detailed account of exactly what was broken and where. Diff the old code against the new, and the fix hands me the map to the flaw. The patch and the exploit come from the same blueprint. The day you learn what to repair is the day I learn what to hit. And here’s what makes my job easy: I already know how

Lindsay Timcke
3 days ago · 2 min read
Starbucks Just Killed Its AI Inventory Tool After Nine Months. The Real Story Isn’t the Failure
Starbucks quietly retired the AI tool its workers used to count inventory this week, just nine months after rolling it out across more than 11,000 North American stores. The pitch was exactly what every vendor promises. Workers held a tablet up to the shelves, LIDAR and cameras scanned the syrups and milks, and the count happened faster and smarter than human hands ever could. Smarter supply chain optimization, the announcement said. That announcement has since been deleted

Lindsay Timcke
3 days ago · 2 min read
The Three IT Risks That Will Define 2026 — And Why Most Companies Are Underestimating Them
2026 is shaping up to be the year where IT leaders are asked to deliver more, faster, with less margin for error. But beneath the noise of AI hype and digital transformation headlines, three structural risks are quietly shaping the year ahead. These aren’t theoretical. They’re operational, measurable, and already impacting mid‑cap organizations. 1. AI infrastructure readiness is far lower than leaders assume. Executives are racing to deploy AI, but most environments aren’t r

Lindsay Timcke
May 16 · 2 min read
2026 Banking Fraud
Fraud in 2026 has become a structural threat to the U.S. banking system. AI‑enabled attacks, synthetic identities at industrial scale, and rising document fraud tied to immigration‑status pressure have created a fraud environment unlike anything banks have ever faced. What used to be a back‑office compliance function is now a strategic risk shaping capital allocation, customer trust, and long‑term viability. The 2026 State of Fraud data shows the shift clearly. Fraud rates co

Lindsay Timcke
May 16 · 2 min read
The Third and Fourth‑Party Wake‑Up Call of 2026
In early January 2026, Ledger, the globally recognized manufacturer of crypto hardware wallets, revealed that its third‑party payment processor, Global‑e, suffered a security incident exposing customer names and contact information for individuals who had purchased devices through Ledger.com. Global‑e is a major cross‑border e‑commerce platform powering checkout workflows for hundreds of global brands, making it a classic example of a high‑volume third‑party dependency with d

Lindsay Timcke
May 16 · 2 min read
CMMC What You Need To Know
CMMC has shifted from a long‑anticipated regulatory concept to an immediate operational requirement. For years, contractors operated under a self‑attestation model that varied widely in quality and rigor. That era is over. With the final rule published and the phased rollout underway, CMMC is now a pre‑award gate: if you are not compliant, you cannot bid. Period. Hard stop. At its core, CMMC is about protecting Federal Contract Information (FCI) and Controlled Unclassified In

Lindsay Timcke
May 16 · 2 min read
The Hidden Danger in Cybersecurity’s AI Gold Rush
Cybersecurity has always been a human discipline. The best practitioners weren’t defined by tools or degrees; they were shaped by experience, intuition, and the kind of pattern recognition that only comes from years in the trenches. But the industry is now sprinting toward commoditization and automation, and the truth is uncomfortable: this push is making us less safe. Penetration testing is the clearest example. What used to be a craft is now being sold like a commodity. Pri

Lindsay Timcke
May 16 · 2 min read
IT Budget For 2026, What “Good” Looks Like
Global IT spend is projected to reach $6.15T in 2026, up 10.8% year over year. The sharpest increases are in data center systems (up 31.7% to $653B) and software (up 14.7% to $1.43T), fueled by AI‑ready infrastructure and AI features embedded across the application stack. More than half of companies expect to increase IT budgets next year, but the scrutiny on ROI is tightening. Across company sizes, the definition of a healthy budget is becoming more consistent. Organizations

Lindsay Timcke
May 16 · 2 min read
AI Spending Shock Meets a Fragile Economy - Results Are About What You Would Expect
Markets don’t break down because of a single headline or a single politician. They break down when multiple macro forces collide at the same time, and that’s exactly what we’re watching unfold. The selloff across equities, crypto, and commodities isn’t about one personality; it’s about the structural signals flashing red across the system. The biggest shock came from the AI sector, where Alphabet’s disclosure of $185B in projected AI capex for 2026 forced investors to confron

Lindsay Timcke
May 16 · 2 min read
What I Really Look for When Hiring New Consultants (And What Graduates Are Seldom Told)
Every recruiting season, graduates enter consulting believing the same story: that success comes from perfect grades, polished credentials, and preparing to get a stack of certifications. It’s the story many firms still cling to. But after years of hiring and leading hundreds of consultants, I can say with confidence: the people who thrive in this field rarely fit that narrow mold. If you’re fortunate enough to attend a top‑tier school, that’s great but the degree alone won’t

Lindsay Timcke
May 16 · 2 min read
Cyber Risk Is Rising — and Nepotistic Hiring Is Becoming a Liability
Boards finally understand that cybersecurity is not an IT problem. It’s a business‑risk problem with regulatory, financial, and insurance consequences. What they still struggle with is identifying who is actually qualified to run a cyber program. And when leaders can’t distinguish expertise from charisma, they fall back on the oldest failure mode in corporate governance: nepotism. Friends of friends. Someone who “worked at a big company once.” Someone who can talk frameworks

Lindsay Timcke
May 16 · 2 min read
Every MSP Should Have a SOC 2 Type II. No Exceptions
If an MSP touches your environment in any meaningful way, they should already have a SOC 2 Type II — or be actively working toward one. In 2026, there is no defensible reason for a service provider to operate without independent validation of their controls. And yet, many still do. Here’s the reality: if your MSP has any administrative privileges, any access to core systems, or performs any unsupervised tasks, they are part of your internal control environment. Their weakness

Lindsay Timcke
May 16 · 2 min read
Poisoning the Machine: The New Era of AI Supply Chain Attacks
If the last decade belonged to malware, the next decade belongs to AI manipulation. Traditional man‑in‑the‑middle attacks were once about intercepting messages, quietly observing, and injecting just enough distortion to influence an outcome. That model hasn’t disappeared, but it has evolved. Today, the real battleground isn’t just the network, it’s the data and the AI systems interpreting it. We are no longer protecting only endpoints and firewalls. We are protecting the deci

Lindsay Timcke
May 16 · 2 min read
The Quiet Squeeze on High Earners, And The Coming Wave Of Corporate Fraud
In November, I told my fraud class that the next major driver of internal fraud wouldn’t come from traditionally high‑risk populations. It would come from the struggling upper‑middle and lower‑upper class, the employees who look stable on paper but are financially underwater in ways companies aren’t prepared to detect. The recent Investopedia analysis reinforces this shift: https://lnkd.in/eiCMan3U High‑income households earning $150K–$250K are now living paycheck to paychec

Lindsay Timcke
May 16 · 2 min read
The Five Non‑Negotiable Technical Controls Every Enterprise AI System Must Implement in 2026
AI has become a privileged execution layer inside identity, data, and production systems. That shift demands controls engineered for determinism, forensic reconstruction, and adversarial pressure. These five controls form the minimum viable security architecture for any enterprise deploying AI at scale. 1. Deterministic Data Ingress Control (DDIC) AI risk begins at the input boundary. DDIC enforces strict determinism through schema‑locked validation, token‑class filtering, an

Lindsay Timcke
May 13 · 2 min read
Effective AI Governance Model: The Real Cost is Not Buying or Deploying - It’s the Governance
An effective AI governance model must function as an institutional control system that defines how AI is approved, monitored, secured, and audited across its lifecycle. The foundation is a formal AI policy that establishes the organization’s stance, obligations, and boundaries for AI use. It sets expectations for transparency, accountability, data protection, and human oversight, and it requires that all AI systems, internal, vendor supplied, or embedded in SaaS, comply with

Lindsay Timcke
May 13 · 2 min read
