Cloud, Assurance, Forensics, Engineering


Many CISOs make for great conversation…

Identity, Guardrails, and Contextual Visibility: Real-World Lessons from the CxO Security Forum

If you need a sign that the cybersecurity landscape has undergone a permanent phase shift, look no further than the structural changes reshaping our production environments. I recently had the privilege of sitting down with an incredible assembly of cybersecurity practitioners, engineering leaders, and market analysts at our latest CxO Security Forum held during the Gartner Security and Risk Summit at National Harbor. Thanks go out to Michael Hiskey for setting this up and Illumio for sponsoring the lunch.

Per our strict operational tradition, this gathering was conducted entirely under Chatham House Rules, meaning all CISO insights have been sanitized, and no security leaders are explicitly named or attributed to ensure a raw, unvarnished look at what’s actually happening on the front lines.

Beyond the intense architectural debates, the session doubled as an incredible literary launchpad: industry analyst Richard Stiennon was on hand signing advance copies of his new book, Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense, which captures all of the new AI companies that are out there. At the same time, zero-trust pioneer Dr. Chase Cunningham showcased his book, Think Like an Attacker: Why Security Graphs Are the Next Frontier of Threat Detection and Response. Finally, we had John Woodruff, who shared insights from his book Agentic AI + Zero Trust: A Guide for Business Leaders.

From my perspective as a former CISO and current CTO, the absolute biggest operational takeaway from the forum is that the traditional security playbook isn’t just aging; it’s completely obsolete. During our technical session, an attendee stressed that engineering teams are experiencing massive visibility gaps when it comes to understanding AI applications at runtime. One of the attendees noted that trying to secure machine learning pipelines using static database auditing or old-school perimeter boundary checks is an absolute non-starter.

Organizations are dynamically ingesting massive quantities of unstructured data at the execution layer. As another attendee pointed out, security teams must deploy dynamic, runtime data classification capabilities right at the execution level to intercept malicious prompt overrides and stop corporate data leakage before the model processes the query.

Zero Trust – CISOs know it’s a journey and not a destination…

This visibility crisis ties directly back into how we design and execute a modern Zero Trust strategy. Too many organizations treat zero trust as a passive product check-box, but as an attendee rightly pointed out, true resilience requires an aggressive, offensive-minded architecture that assumes compromise from day one. I have spent a good number of years speaking to the importance of “choosing a framework” and “architecture,” and this session provided even more affirmation that my pulpit is not for nought. It’s critical that CISOs have the business acumen to lead up the chain as well as the technical prowess to lead their teams in the right direction. Without the architectural vision, the program is doomed to fail.

The discussion heavily focused on leveraging real-time enterprise telemetry to fuel centralized policy engines. One attendee broke down how these automated engines must function as the central brain of your architecture, constantly calculating risk and dynamically brokering credentials across users, data assets, and machine-to-machine microservices. When you stop looking at your network as a safe zone and start treating your internal infrastructure as a contested space, you’re forced to build the explicit guardrails necessary to choke off lateral movement and minimize the blast radius.

CISOs need degrees, certs, 100 years of experience, and luck…

It was mutually agreed that, unlike the CFO, CIO, COO, etc., the CISO is expected to know about every discipline across the organization. They need to have some understanding of finance, business process, back-end systems, front line workers, and all the tech as well. It’s an insane amount of burden on one individual. There were mixed feelings about how to delegate and train up our teams as well. Some execs felt that ISC2 has not kept up with the times and the certs are not useful for their teams, while others felt some were needed to set a baseline of knowledge.

We had one recent grad in the room who has a degree in computer science and cannot land a role in cybersecurity (in spite of our so-called 3.5m open Cyber Security reqs) because he is a recent college grad. He mentioned every “entry level” job required 3-5 years’ experience, and he was wondering how one gets this without being able to land a job in the first place. The CISOs voiced their concerns with students coming out unprepared and lacking basic knowledge of how networks actually work. There seems to be one focus, and that’s “I can use AI,” which could mean they know how to generate a cool picture but not how to see what traffic is coming over a specific port.

Finally, the room got incredibly real about the human cost of technical debt. An attendee broke down how the intense winter weather gridlock and localized school closures completely stalled out critical development pipelines and engineering support systems. It proved a vital point: if your security stack is a fragile legacy blueprint, real-world disruptions will cause immediate operational burnout. Engineering teams cannot keep drowning in manual triage every time an unexpected external stressor hits the architecture. We can’t boil the ocean, but as security leaders, we have to engineer low-overhead, automated orchestration layers that maintain continuity when manual workflows break down.

As security leaders, we have to look at our organization like an engineering blueprint. We can’t boil the ocean, but we must implement low-overhead, automated orchestration layers that decouple core security policies from manual human dependencies, so operations remain fully operational when things go sideways.

🚀 Investor’s Corner: Hot Topics & PE/VC Guidance

The deep structural transformations discussed during the forum are sparking a massive, multi-year procurement replacement cycle across enterprise security stacks, creating prime entry points for private equity and venture capital firms backing early-stage peer innovators (Seed / Series A).

Hot Topics Moving the Market

  • Shadow Automation & Agentic Scaffolds: Employees are actively bypassing corporate boundaries by wiring unauthorized AI agents directly into internal databases and sensitive corporate codebases to chase productivity shortcuts.
  • Runtime Input/Output Manipulation: Adversaries are shifting away from traditional network exploits toward runtime attacks like data poisoning, prompt injections, and dynamic instruction overrides.
  • The Non-Human Identity Explosion: The massive proliferation of microservices, automated workflows, and machine-to-machine APIs has turned API and non-human authentication into the primary attack vector for modern adversaries.

Early-Stage Peer Innovators to Track

Strategic Recommendations for PE/VC Firms

  1. Bet on Telemetry-Driven Policy Engines: Steer clear of fragmented point solutions. The platforms winning the market are those that seamlessly feed rich, distributed infrastructure telemetry directly into centralized, automated policy engines.
  2. Shift Capital Allocation to Runtime Defense: Static code analyzers and standard perimeter defenses are losing their premium. Focus investments on agile startups building inline, real-time protection and contextual, execution-layer data classification frameworks.

At the end of the day, our forum made one reality crystal clear:

The era of delayed log analysis and perimeter-based security boundaries is officially dead. Navigating this current landscape requires a total commitment to an offensive zero-trust posture, one anchored by continuous authentication, automated policy orchestration, and real-time visibility at the exact point of runtime data execution. For both security leaders looking to protect their enterprise and investors looking to deploy capital, the strategy moving forward means discarding legacy architecture and implementing the agile, runtime guardrails necessary to actively defend data in a contested space.

💬 Let’s Talk in the Comments!

  1. How is your team tackling runtime visibility and data classification for incoming unstructured AI pipelines?
  2. How are you re-architecting your central policy engines to keep track of non-human identity sprawl and machine credentials you can’t manually audit?
  3. When severe external stressors or environmental disruptions crash into your technical debt, how are you effectively leveraging low-overhead automation to keep your baseline security orchestration live?


Stay caffeinated, stay secure.

Please reach out to me or Boston Meridian Partners via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridian LinkedIn Page <- Follow this company!

About the Author:

I am Shawn Anderson, CTO and 2x former CISO, currently leading technical strategy at Boston Meridian. We are a boutique investment bank specializing in M&A and capital raises ($20m+) for the Cyber and Infrastructure sectors. Let’s connect on LinkedIn to discuss where the market is moving next.

The Unified AI attack lifecycle

The chain of change…

If you’ve been keeping up with our discussions here at The Security Cafe, or tracking the rapid evolution of enterprise pipelines, you already know one thing to be true: The traditional security playbook hasn’t just aged; it has fundamentally fractured. When we talk about the attack lifecycle, a concept pioneered by Lockheed Martin years ago, we used to picture binaries, command-and-control (C2) servers, and standard lateral movement across Windows subnets. But as enterprise workflows increasingly adopt Agentic AI, large language models, and automated data ingestion pipelines, the threat landscape has undergone a permanent phase shift. While you still need to understand what is coming in, through, and out of your environment, the challenge moves many times faster with the arrival of AI.

Adversaries haven’t abandoned their old entry points; instead, they are using traditional delivery mechanisms to pull off entirely new, logic-based exploits. I have been in the trenches more times than I care to count. At the end of the day, we need to understand there are numerous ways the adversary (both in and out of the organization) will attack us.

To help visualize the problems in an AI world, I have mapped out a 6-Stage Unified AI Attack Lifecycle. It connects the foundational attack surfaces we manage every single day, Email Security, User Behavioral Risk, and Insider Threat Management, directly to the structural vulnerabilities of modern machine learning setups.

Here is exactly how an attack flows through this loop, and why your standard defense parameters might be missing the signal.

Step 1: The Initial Phishing E-mail (AI-Scaffolded Engineering)

The sequence begins exactly where the vast majority of enterprise breaches do: an external Phishing Mail. However, the AI context changes the sophistication of this initial delivery. Adversaries are now utilizing advanced offensive models to analyze public executive footprints and automatically write highly targeted, hyper-personalized spear-phishing scripts. They aren’t just aiming for low-level credentials anymore; they are explicitly targeting developers, ML engineers, and data system administrators who hold the keys to core production models.

Step 2: Unsafe User Actions (The Ingestion Trap)

Once the email hits the inbox, the attack chain splits based on user behavior: they might Browse a Website or Click a URL. In a traditional framework, this triggers a web exploit kit or a credential harvesting page.

In the modern enterprise AI context, this is where Indirect Prompt Injection thrives. If a user unknowingly directs an active, automated enterprise AI agent to process, read, or summarize the contents of that external web page, the hidden instructions embedded within the page take control. The agent’s own system instructions are silently overridden, and it executes unauthorized commands completely behind the scenes.

Step 3: Multi-Stage Interaction (Poisoned Attachments)

If the user follows the more direct path of opening a document asset via the “Open attachment” paperclip trigger, the attack transitions from perimeter email security straight into deep infiltration.

When a developer or data scientist opens a poisoned document on a client machine used to manage data warehouses or build model deployments, the adversary establishes localized persistence. By compromising the workspace of the staff building the models, the attacker gains direct, authenticated access upstream, bypassing the standard defenses guarding your core training data.

Step 4: Central Command, Monitoring, and Threat Management (The SIEM Anchor)

Running horizontally as a foundational arch beneath this entire exploitation sequence is your Security Information and Event Management (SIEM) environment. As I always stress to fellow security leaders, you have to treat your security posture like a blueprint where you can visualize the electrical, plumbing, and network routing simultaneously. Makes me miss the days of using AutoCAD.

The SIEM is your unified visibility layer. It is the core command structure responsible for logging, tracking, and cross-referencing events across the entire loop—ensuring that an anomalous outbound API call from an AI agent can be structurally correlated with an early phishing alert or an unusual endpoint interaction. There are a number of new startups who are working to bring the AI SOC to customers using pure automation. I list some of these at the end of this newsletter.
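The cross-source correlation described above, sketched as an added example (not the author's code and not any SIEM product's rule language): per user, it links a phishing alert, the agent's fetch of the flagged URL, and a following outbound agent call to a destination outside an allowlist. The event schema, field names, allowlist and time windows are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names and sources are assumptions for this
# example, not the schema of a specific SIEM, gateway or agent framework.
EVENTS = [
    {"ts": "2025-03-03T09:02:11", "source": "email_gateway", "type": "phish_alert",
     "user": "dev1@example.com", "url": "https://docs-review.example.net/q3"},
    {"ts": "2025-03-03T09:14:40", "source": "web_proxy", "type": "url_click",
     "user": "dev1@example.com", "url": "https://docs-review.example.net/q3"},
    {"ts": "2025-03-03T09:15:02", "source": "agent_runtime", "type": "agent_fetch",
     "user": "dev1@example.com", "agent": "summarizer-01",
     "url": "https://docs-review.example.net/q3"},
    {"ts": "2025-03-03T09:15:09", "source": "agent_runtime", "type": "agent_api_call",
     "user": "dev1@example.com", "agent": "summarizer-01", "dest": "files.example.org"},
    # Routine agent traffic to an approved destination, no phishing context.
    {"ts": "2025-03-03T10:00:00", "source": "agent_runtime", "type": "agent_api_call",
     "user": "analyst2@example.com", "agent": "summarizer-02",
     "dest": "api.internal.example.com"},
    # Phishing alert that nobody acted on.
    {"ts": "2025-03-03T11:30:00", "source": "email_gateway", "type": "phish_alert",
     "user": "ops3@example.com", "url": "https://invoice.example.net/pay"},
]

# Hypothetical allowlist of destinations agents are expected to call.
ALLOWED_AGENT_DESTS = {"api.internal.example.com"}


def correlate(events, allowed_dests,
              touch_window=timedelta(hours=24),
              action_window=timedelta(minutes=5)):
    """Build one finding per phishing alert, recording how far the chain got."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "t": datetime.fromisoformat(e["ts"])})

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for alert in (e for e in evs if e["type"] == "phish_alert"):
            stages = ["delivery"]
            # Later clicks or agent fetches of the exact flagged URL.
            # (A production rule would normalize URLs before comparing.)
            touched = [e for e in evs
                       if e["type"] in ("url_click", "agent_fetch")
                       and e.get("url") == alert["url"]
                       and alert["t"] <= e["t"] <= alert["t"] + touch_window]
            fetches = [e for e in touched if e["type"] == "agent_fetch"]
            if any(e["type"] == "url_click" for e in touched):
                stages.append("user_click")
            if fetches:
                stages.append("agent_ingestion")
            # Outbound calls by the same agent, shortly after it read the
            # flagged page, to a destination outside the allowlist.
            outbound = [c for c in evs
                        if c["type"] == "agent_api_call"
                        and c["dest"] not in allowed_dests
                        and any(c["agent"] == f["agent"]
                                and f["t"] <= c["t"] <= f["t"] + action_window
                                for f in fetches)]
            if outbound:
                stages.append("agent_outbound")
            severity = ("high" if outbound else
                        "medium" if fetches else
                        "low" if touched else "info")
            findings.append({"user": user, "url": alert["url"],
                             "stages": stages, "severity": severity,
                             "dests": sorted({c["dest"] for c in outbound})})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS, ALLOWED_AGENT_DESTS):
        print(finding)
```

An alert with no follow-on activity stays at "info", and agent traffic with no phishing context produces no finding, so the escalation comes from the chain rather than from any single event.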

Step 5: Insider Threat Indicators (The Psychology of Risk)

Security isn’t just a technical challenge; it’s deeply behavioral. Below the main operational flow, we must constantly account for leading indicators of insider risk, which generally cluster into two core psychological profiles:

  • The Distracted and Careless: Well-meaning employees who are prone to pasting proprietary source code or highly confidential PII into unmonitored public models for quick productivity shortcuts, creating immediate exposure.
  • The Disgruntled or Disenchanted: Malicious or coerced insiders who actively abuse their authentic system credentials to bypass safety logic, clear code-validation rules, or deliberately introduce bias and backdoors directly into corporate fine-tuning training datasets.

Step 6: Data Leakage or Potential Sabotage (The Realized Event)

When these behavioral anomalies or unauthorized external actions go undetected, they culminate in a high-impact security event, marked by the Red Warning Triangle. In the machine learning era, this damage is divided into two distinct corporate impacts:

  • Unauthorized Data Leakage: High-volume extraction of confidential corporate data assets, intellectual property, or proprietary training weights via reverse-engineering or unmonitored model endpoints.
  • Potential Sabotage: The ultimate structural threat. The adversary successfully manipulates data pipelines, altering model layers and logic structures until the core predictive system is completely corrupted or operational workflows are entirely locked down.

The CISO’s Mandate: How to Use This Framework

As security professionals, our immediate assignment is simple: Do not try to boil the ocean. You don’t need to rebuild your security program from scratch to survive the AI era; you need to map your current tools and telemetry directly over this operational loop.

Take your existing Secure Email Gateways, your insider behavioral logging, your web content filters, and your SIEM rules, and overlay them onto these six phases. Look honestly for the blind spots. Where do you have great telemetry, and where are you completely blind to how data traverses your AI endpoints?

Once you document those structural gaps, you can build a realistic, risk-adjusted roadmap to defend the enterprise.

☕ Investor’s Corner: Capital, Churn, and the New Guard

As an advisor and CTO closely tracking technology deal flow, I am watching an aggressive reallocation of capital toward startups addressing structural gaps in the Unified AI Attack Lifecycle. Traditional endpoint and perimeter plays are heavily commoditized; the real valuation alpha right now is concentrated where machine learning pipelines meet autonomous execution.

If you are evaluating early-stage security bets or looking at infrastructure consolidation trends, here is what is happening across the market:

🚀 Early-Stage Startups to Watch (Seed / Series A)

We are tracking a wave of nimble, highly specialized entities built specifically to break the attacker’s progression along this modern lifecycle. A quick note before diving in: the following list isn’t an official endorsement, but rather a curated sampling of early-stage innovators that security leaders should actively monitor, evaluate, and engage with as they map out their defense roadmap.

  • The Vulnerability Test Layer (Phase 1/2): Companies like Armadin Security, XBOW, and Staris AI are capturing venture interest by shifting from manual testing to autonomous, AI-driven red-teaming capable of identifying deep logical flaws before offensive LLMs exploit them.
  • The Gateway & Proxy Layer (Phase 2/3): Startups including TrojAI, Prompt Security, and Lakera are establishing an early foothold as inline wrappers. They act as “firewalls for context strings,” sanitizing payloads to prevent indirect prompt injection.
  • The Non-Human Identity Layer (Phase 4/5): Solutions such as Onyx Security, Aembit, and Entro Security are solving the massive governance challenge of “Shadow Automation.” They manage privileges for automated worker agents, machine keys, and webhooks that outnumber human accounts in the enterprise.
  • The Autonomous SOC Layer (Phase 4/6): As telemetry volume explodes, Qevlar AI, 7AI, Crogl, and Dropzone AI are attracting late-Seed and Series A capital by engineering autonomous AI analysts capable of cross-correlating system alerts at machine speeds.

🎯 Key Market Drivers

  1. The Fallacy of the Legacy Tech Stack: Traditional Secure Email Gateways (SEGs) and standard SIEM rules are structurally blind to linguistic manipulation. Legacy platforms cannot identify semantic anomalies like indirect prompt injection or tensor dataset poisoning. This has created a massive greenfield replacement cycle for enterprise procurement.
  2. The “Agentic” Explosion: Organizations aren’t just using chat interfaces anymore; they are spinning up autonomous scripts and system integrations with live API read/write privileges. Securing non-human worker identities is the fastest-growing pain point for modern enterprise infrastructure.
  3. Training vs. Inference Infrastructure Costs: As market demand swings heavily toward inference (the actual operational queries hitting deployed models), security must move inline. Leaders are prioritizing high-throughput, low-latency security proxies that won’t choke data center capacities.

📈 What We Are Seeing in the Markets

We are seeing an intense amount of activity in the early rounds (Seed through Series A), driven by strategic venture arms (like CrowdStrike Falcon Fund and Okta Ventures) eager to co-invest alongside tier-1 institutional funds. Corporate buyers are hunting for immediate, plug-and-play architectural solutions.

The Takeaway for Private Capital: The standard cybersecurity playbook is fractured. The startups that can successfully integrate with existing data frameworks, prove they don’t break latency limits, and secure non-human automation parameters are commanding premium valuations and positioning themselves as prime consolidation targets over the next 18 to 24 months.

Let’s talk in the comments: How is your security organization adjusting to the risk of indirect prompt injection and shadow automation? Are you treating your AI agent identities with the same stringent perimeters as human accounts? What early-stage AI security vectors are currently sitting on your investment thesis for this year?


Let’s Discuss

Is “Security by Design” still a pipe dream, or are we finally ready to architect with the assumption that the AI has already found the door?


Cybersecurity and convergence of IT/IoT/OT environments – It is time!

The convergence of Information Technology (IT), the Internet of Things (IoT), and Operational Technology (OT) is reshaping industries, yet OT remains deeply rooted in its on-premises heritage. Industry trends estimate that 80-90% of OT systems are still managed locally, reflecting a historical preference for air-gapped or minimally connected setups to ensure uninterrupted operations in critical infrastructure. A prime example is the Programmable Logic Controller (PLC), a rugged industrial computer that automates processes like running assembly lines in manufacturing, regulating power grids in energy, or controlling water treatment in utilities. PLCs, with lifecycles often spanning 20-30 years, are built for reliability but rarely designed for cloud connectivity, anchoring many OT environments to legacy systems.

These systems are often incompatible with cloud connectivity. Recent market analyses highlight a slow but growing shift toward hybrid and cloud-based solutions, with cloud adoption in OT security and management projected to rise significantly—though it still lags on-premises dominance. This hesitancy stems from concerns over latency, cybersecurity risks, and regulatory compliance, particularly in sectors where downtime or breaches could have catastrophic consequences.

For CISOs, CIOs, and CTOs, navigating this transition is a strategic imperative. In this blog, we’ll explore four key points to help technology leaders prepare for this convergence and embrace a future-ready approach. During my three plus years at Boston Meridian we have come across a lot of exciting companies working in OT and helping to bridge the gap. The main topic of discussion coming up seems to be that of “active” vs “passive,” or agent-based vs agentless, solutions. This is a tricky world to navigate because of the legacy of OT systems and the fact that many of these operational systems are shifting over to the technical and security teams for monitoring. This requires architecture discussions about how to adopt new and emerging technologies for OT.

  1. The On-Premises OT Landscape and Emerging Cloud Adoption
    With 80-90% of OT systems still on-premises, industries prioritizing control—like manufacturing with its PLCs and SCADA, or energy with its grid management—favor localized setups to mitigate risks. However, IoT integration is nudging these sectors toward hybrid models, where cloud solutions enhance monitoring and analytics while preserving on-premises stability. Understanding this shift’s pace is critical for aligning with industry-specific needs.
  2. Why Hybrid Environments Are the Sweet Spot
    A hybrid approach blends on-premises reliability with cloud flexibility, delivering tailored benefits across OT-reliant sectors. It enables real-time insights and predictive maintenance—think centralized oversight for utilities or optimized logistics in transportation—all while maintaining security. This balance is especially appealing for industries like manufacturing and energy, where legacy systems must coexist with modern demands.
  3. Strategic Choices: Cloud, On-Premises, or a Blend?
    The path forward varies by industry. Staying on-premises offers control, crucial for oil and gas pipelines or healthcare’s smart systems, but limits scalability. Full cloud adoption suits data-driven monitoring in logistics yet risks latency in time-sensitive OT processes. A hybrid model often strikes the right chord—cloud analytics for non-critical workloads paired with local control for mission-critical operations—allowing leaders to tailor strategies to their sector’s realities.
  4. Leveraging AI, ML, and Vulnerability Analysis as the Convergence Catalyst
    Artificial Intelligence (AI) and Machine Learning (ML) transform raw data from IoT, IT, and OT systems into actionable intelligence, revolutionizing both architecture design and monitoring. In architecture design, AI-driven simulations help leaders model resilient hybrid environments, optimizing data flows between on-premises OT and cloud-based IT systems.

For example, in manufacturing, AI can predict how IoT sensors integrate with legacy PLCs, ensuring low-latency performance. ML algorithms refine these designs by learning from operational patterns, enabling adaptive architectures that scale securely—critical for energy grids or transportation networks. For monitoring, AI-powered anomaly detection identifies deviations in real-time, such as unusual equipment behavior in utilities or traffic anomalies in logistics, flagging potential failures before they escalate.

ML enhances this by continuously improving detection accuracy, learning from historical OT data to reduce false positives. Vulnerability analysis, a key AI/ML application, strengthens cybersecurity across converged environments. By scanning IoT devices, IT networks, and OT systems, AI identifies weaknesses—like outdated firmware in healthcare devices or misconfigured SCADA systems in oil and gas—prioritizing risks based on exploitability.

This proactive approach helps CISOs design segmented architectures that isolate critical OT assets while enabling secure cloud monitoring. Together, these technologies empower leaders to build robust, future-proof systems and maintain vigilant oversight, turning convergence into a competitive advantage.

Industries Poised to Benefit

This convergence impacts a range of OT-dependent verticals, each with unique stakes:

  • Manufacturing: Industrial control systems and automation stand to gain from hybrid monitoring and AI-driven maintenance.
  • Energy and Utilities: Grid and water management can leverage cloud analytics while securing critical infrastructure.
  • Oil and Gas: Remote pipeline operations benefit from hybrid scalability without compromising safety.
  • Transportation and Logistics: Real-time coordination improves with AI and hybrid visibility.
  • Healthcare: Emerging OT in smart hospitals gains efficiency and security through strategic integration.

For technology leaders across these sectors, the IT/IoT/OT convergence demands action. What is the call to action?

Don’t wait for your organization to ask “what are we doing about OT?” I know many of my peers are busy with the day to day, “blocking and tackling” and might feel they don’t have the time to look at this. You have to make the time.

Begin by assessing your infrastructure: how can cloud integration enhance your OT systems? Craft a roadmap balancing on-premises strengths with hybrid innovation, and harness AI to unlock data-driven potential. Whether you prioritize cloud agility, reinforce on-premises control, or blend both, preparation is key. Don’t underestimate the value of building architecture diagrams of the different systems. Make sure you have a strategy around vulnerability analysis and visibility. Finally, it’s about resilience and recovery as you WILL have issues. The adversaries are relentless and have more and more tools at their disposal every day.

In a few weeks I will be at the 2025 RSA Conference in San Francisco. I along with the team at Boston Meridian Partners would be happy to chat about the state of the markets or help you navigate the M&A process. Please reach out to us via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridian LinkedIn Page <- Follow this company!

About the author

Shawn Anderson has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Mr. Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, he is also recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Mr. Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technological insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

Observations from RSAC2024 – A Security Roadmap for AI

Most of us have fully recovered from our very busy week at this year’s RSA Conference, the massive cyber security event which takes place in San Francisco with over 60k of my closest cybersecurity friends. As most of us already figured would be the topic du jour, there were very few, if any, in attendance who were not talking about GenAI, specifically the impact it is having and will have on our industry and the rest of the world as we know it.

I have written about Artificial Intelligence (AI) in the past and how it’s going to be the integration of GenAI with other solutions that will truly cause significant disruption: GenAI combined with other technologies such as robotics, medical, oil and gas exploration, retail delivery, fast food experience, and even tier 1 and 2 security operations center functions. This all sounds really cool and fascinates me with the massive potential GenAI has to impact the world.

Boston Meridian Partners, the company I work at, hosts a reception on Sunday evening each year prior to the conference. We host this meeting for numerous startups and friends from the private equity and venture capital world as well as many C suite executives with interest in cyber security. Our goal the past few years has been to get some top-notch speakers to share their wisdom with the crowd and this year’s speakers did not disappoint.

We had Chris Krebs from SentinelOne, Brian Finch from Pillsbury Winthrop Shaw Pittman LLP, and Kate Kuehn from WTI who shared key points on regulatory issues (Note: Thankfully we have the EU who have established many key requirements for the world to follow as our own US government has been slow to pass any legislation with real teeth). They also spent time talking about risk and the importance of collaboration and coordination. While we discussed many key investor topics around GenAI, it couldn’t have been a better way to set the stage for the RSA Conference and our very full week of over 150 meetings from across the community.

I took away quite a few pointers as I met with startups, CEOs, and speakers at numerous events, and in general discussion over a good craft beer or cocktail in the evenings. Here are some takeaways and things to ponder as we push GenAI initiatives in our companies and the industries we support.

  1. As mentioned above, collaboration and coordination are key to success. It might seem like a no-brainer, but many of us are hardheaded and like to “go it alone,” which can be a big mistake. It’s imperative we work closely with industry partners, government agencies, and relevant councils to manage AI-related risks and incidents. Fostering this collaboration will enhance GenAI security across the collective.
  2. Risk – I have spoken on this, written about it, and will shout it from the highest mountain as long as I have air in my lungs: “It’s about the data.” It’s super critical to conduct thorough risk assessments specific to GenAI deployments and focus on the data risk. Data is being sucked, as if by a vacuum, into these Large Language Models (LLMs) with little to no understanding of where it is going or how it is being used. It is critical for CIOs and CISOs to identify potential vulnerabilities, threats, and attack vectors related to AI technologies.
  3. Zero Trust and/or Secure by Design – We use the term “it’s easier to bake it in than spread it on like peanut butter,” but often we find companies doing this very thing. Prioritize security from the outset. Ensure those GenAI systems are designed with zero trust (we trust nothing and no one without verification) and with security in mind, incorporating Multi-Factor Authentication, encryption, and access controls.
  4. Supply Chain and 3rd party security – Extending security considerations throughout the entire GenAI supply chain is now a must-do. One cannot assume the suppliers are doing the right thing or have your best interest in mind. They should, but it’s up to you to verify and set up the appropriate controls and service level agreements. This goes back to the “collaborate” discussion above and ensuring safe and responsible use of GenAI.
  5. Finally, we have the geek moment and have to allow technology and/or the “hunters” to red team. This should be performed regularly as GenAI exercises and tabletops with the executive team’s involvement. By simulating attacks, organizations can identify weaknesses and improve defenses. Since it’s often illegal to go on the offensive against adversaries, we must have strong defenses in place.

Overall, it was another amazing week in San Francisco, and I enjoyed meeting so many innovative companies on the show floor. While GenAI is still in its infancy, it has quickly become a show of force across all things cybersecurity. GenAI will speed up our ability to do our jobs (and the adversaries’ ability to do theirs), but we have to be strategic and work faster through the traditional “blocking and tackling” abyss we so often fall into. Teamwork makes the dreamwork!

If you missed us at RSA, I, along with the team at Boston Meridian Partners, will be at Black Hat in Las Vegas this coming August, so please reach out to us via our webpage and LinkedIn below.

www.bostonmeridian.com

Boston Meridian LinkedIn Page <- Follow this company!

Learn More: CISA Roadmap FAQs, CISA AI Roadmap, Cam Sivesind article on “cisa-roadmap-for-ai”, Grayson Milbourne – Forbes Article on “Small Business Roadmap for AI”

About the author

Shawn Anderson [2] has an extensive background in cybersecurity, beginning his career while serving in the US Marine Corps. He played a significant role as one of the original agents in the cybercrime unit of the Naval Criminal Investigative Service.

Throughout his career, Anderson has held various positions, including Security Analyst, Systems Engineer, Director of Security, Security Advisor, and twice as a Chief Information Security Officer (CISO). His CISO roles involved leading security initiatives for a large defense contractor’s intelligence business and an energy company specializing in transporting environmentally friendly materials.

Beyond his professional achievements, Anderson is recognized for his expertise in the field of cybersecurity. He is a sought-after speaker, writer, and industry expert, providing valuable insights to both C-Suite executives and boards of directors.

Currently, Anderson serves as the Chief Technology Officer (CTO) for Boston Meridian Partners. In this role, he evaluates emerging technologies, collaborates with major security providers to devise cybersecurity strategies, and delivers technology insights to the private equity and venture capital community.

Overall, Shawn Anderson’s career journey showcases a wealth of experience in cybersecurity and leadership roles, making him a respected and influential figure in the industry.

  1. https://www.linkedin.com/in/christopherckrebs/, https://www.linkedin.com/in/brianfinch-cybersecurity/, https://www.linkedin.com/in/katekuehn/
  2. www.linkedin.com/in/shawnanderson/

Due Care….Due Diligence…did you know and what did you do?

I’ve been in this industry for more than a few decades and many times have come across cyber professionals and organizations who do not have a clear answer to this basic question: Why do we approach security the way we do? People have varying answers from “it’s my passion”, “bad guys are bad”, “the money”, “I love technology”, and many more. Rarely do I get the answer of “Because protecting our “fill in the blank” is the right thing to do.”

Many professionals I work with are in this because they see bad actors for what they truly are. Bad, not good, very low down, and sometimes outright evil actors. The adversary wants to own you, manipulate you, control you, or in the case of many nation states eventually break you. “Due Care” and “Due Diligence” are legal terms every cybersecurity professional should know on day one. These terms are drivers for everything we do. If we know we have an issue, then it’s important to protect and do something about it.

Most cybersecurity professionals do not have a legal background, so it is a good idea to brush up on these key terms so one can navigate the profession a little bit easier. These are as critical to me as confidentiality, availability, integrity, and non-repudiation, topics I will discuss in a future blog because people need to be reminded from time to time.

Cybersecurity is a critical concern for organizations across all industries, with data breaches and cyber-attacks becoming increasingly common. Let’s face facts: the bad actors are bad, and they want to take companies down for reasons ranging from fame, to simple meanness, to, in the worst case, representing a nation state that is in a digital war with another country. In this context, due care and due diligence are two concepts often discussed in relation to cybersecurity. While both are important, they are distinct and serve different purposes.

Due care refers to the level of care that a reasonable person would take to protect their own personal information and that of others. It is a legal concept that obligates organizations to take reasonable steps to protect the personal information of their customers and employees from unauthorized access, use, and disclosure. Due care involves establishing and implementing reasonable security measures to protect data, such as using firewalls, encryption, and access controls. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss.

Due diligence, on the other hand, is a process of conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity. Due diligence involves evaluating the security posture of a company and identifying any vulnerabilities or gaps that may exist in its security infrastructure. Due diligence is often conducted before entering a business relationship with another organization or acquiring a new company.

In the context of cybersecurity, due diligence involves reviewing the security policies and procedures of a company, as well as conducting vulnerability assessments and penetration testing to identify any weaknesses in the security infrastructure. Due diligence also involves reviewing the security training and awareness programs in place for employees and evaluating the incident response and disaster recovery plans of the organization.

While due care and due diligence are distinct concepts, they are both important for maintaining effective cybersecurity practices. Due care is essential for establishing a baseline level of security and implementing best practices to prevent security breaches. Due diligence, on the other hand, is critical for identifying potential risks and vulnerabilities and developing strategies to address them. Together, these two concepts help organizations to maintain a strong security posture and minimize the risk of cyber-attacks and data breaches.

In conclusion, due care and due diligence are two critical concepts in cybersecurity that serve different purposes. Due care is a proactive approach that emphasizes the prevention of security breaches and data loss, while due diligence involves conducting a thorough investigation into a company’s security practices and assessing the risks associated with a particular transaction or activity.

Both concepts are important for maintaining effective cybersecurity practices and minimizing the risk of cyber-attacks and data breaches. Down the road I will address how these two very critical terms and corresponding activities can help leaders build out their risk posture and program.


Cybersecurity Trends from a CTO/CISO perspective

It’s been a fast 15 months since I started on this journey working as the CTO for an investment bank. I’ve traveled all over the United States and held conversations with hundreds of venture capital firms, private equity firms, and exciting newer security startups. A few trends keep bubbling to the top that I wanted to share with all of you. As we all know, cybersecurity isn’t anything new, but it is something all companies, large and small, need to be doing. Cybersecurity has become an increasingly important area of focus for businesses and governments, with the rising frequency and severity of cyber-attacks as well as the renewed governance focus at the board level.

As a result, there has been a growing interest in investing in cybersecurity companies and technologies. Here are some of the investment trends in cybersecurity:

Cloud Security: With more businesses moving their operations to the cloud, cloud security has become a top priority. Investors are looking for companies that provide cloud security solutions, such as cloud access security brokers (CASBs), cloud security posture management (CSPM) tools, and cloud workload protection platforms (CWPPs). Using rough numbers from the quarterly earnings of the top 3 cloud providers (GCP, AWS, and Microsoft), they account for roughly $350b in annual revenue, which is a small percentage of the overall global IT spend of $4.2T. This area will continue to grow.

Identity and Access Management (IAM): IAM solutions have become essential for managing access to corporate networks, applications, and data. Investors are looking for companies that provide IAM solutions such as identity governance and administration (IGA), multi-factor authentication (MFA), privileged access management (PAM), and user access management.

Artificial Intelligence (AI) and Machine Learning (ML): AI and ML are being used to enhance cybersecurity by enabling faster threat detection and response. Investors are looking for companies that provide AI and ML-powered solutions such as security analytics, threat detection and response, and fraud prevention. This area spooks me a bit, as it’s moving so quickly and, from what I’ve seen, without any guardrails to keep it 100% safe, ethical, and working in the best interests of its creators.

Internet of Things (IoT) Security: As more devices become connected to the internet, IoT security has become a critical concern. Investors are looking for companies that provide IoT security solutions such as device management, data encryption, and firmware security. A related area is Operational Technology (OT), a term defining a specific category of hardware and software whose purpose is to monitor and control the performance of physical devices. Another is the Industrial Internet of Things (IIoT), designed to incorporate technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc.

Cyber Insurance: Cyber insurance has become increasingly popular as a way for businesses to mitigate the financial risks associated with cyber-attacks. Investors are looking for companies that provide cyber insurance policies and risk assessment services. This is a growing area with a lot of unknown variables. Unlike traditional insurance such as life and auto, the data available on cyber is limited to the past 40 years and is always advancing. This area will continue to mature and be extremely important as companies try to defer and manage their risk.

Cybersecurity Consulting and Integration: With cybersecurity becoming more complex, businesses are seeking the expertise of cybersecurity consultants to help them develop and implement effective cybersecurity strategies. Investors are looking for companies that provide cybersecurity consulting services. An offshoot of this is Cloud System Integration, or Cloud SI: companies that help other companies deploy the cloud solutions they have acquired in the quickest way possible. These companies, which are “born in the cloud,” have an advantage today because they have the ability to move at “cloud speed”. The issue is training the talent to do the work.

Overall, the cybersecurity industry is expected to continue to grow, and investors are expected to continue to invest in companies that provide innovative and effective cybersecurity solutions.
