The year that contained the SolarWinds aftermath through Q1, ProxyLogon in March, the Colonial-Ireland-Kaseya ransomware-against-critical-infrastructure escalation through May-July, the Pegasus Project's reframing of the commercial-offensive-market accountability conversation in July, the Black Hat USA paper presentation in August, the BlackCat emergence in late November, and the Log4Shell response that has dominated December has been, on the operational measure, the most demanding year I have run the company through. The customer-portfolio results are, despite the demanding environment, satisfactory; the company position is consequently strengthened.
The settled questions. Supply-chain attack is now structurally central to customer-organisation threat-modelling — SolarWinds and Log4Shell are the worked examples. State-actor capability against widely-deployed enterprise infrastructure exceeds what 2019's customer-organisation conversations had typically envisaged, and the customer-organisation threat-modelling has incorporated that reality. Critical-infrastructure ransomware has produced sustained political and regulatory response that is now the operational baseline. The commercial-offensive-market accountability conversation has shifted from research-community-only to political-and-regulatory-substantive. The post-Brexit UK regulatory landscape settled into operational normality through Q1 and Q2.
The opened questions. The Log4Shell cleanup will run for years, and the open-source-foundation funding conversation will produce substantive policy output through 2022 and beyond. The Russia-Ukraine geopolitical environment, escalating through Q4 of this year, is producing a cyber-dimension that is going to be the dominant 2022 strategic conversation if (as the customer-organisation briefings of the past several weeks have been planning against) the situation continues to deteriorate. The political response to ransomware is still developing — the OFAC track is producing substantive infrastructure-disruption work, but not yet at a scale that materially changes the operator economics. The post-Pegasus commercial-offensive-market regulatory environment is still developing.
The patching marathon. The SolarWinds-driven supply-chain audit cycle through Q1. ProxyLogon and the Exchange Server response in March. The Codecov response in April. The PrintNightmare cycle through Q3. The various BlueKeep-and-similar Windows Server vulnerabilities. The Log4Shell cycles through December. The aggregate operational burden of the year's patching work has been higher than any previous year by a margin.
The breach-and-incident year. The Colonial Pipeline disruption in May. The Ireland HSE attack and recovery through May-September. The Kaseya supply-chain ransomware in July. Sustained ransomware-with-data-exfiltration cases against customer organisations across multiple sectors throughout the year. The customer-portfolio direct-impact incidents were limited (no customer-organisation incidents requiring ICO notification or substantive customer-organisation external communication) but the wider sector-and-economic context produced sustained engagement work.
The portfolio. Six vCISO clients carrying through the year. Fourteen SOC customers (steady at year-end after net-zero churn). Fifteen EmilyAI commercial customers (added three through the year, on the post-Black-Hat-and-post-research-paper momentum). Aggregate company revenue at approximately 108% of original full-year plan — the over-plan performance is principally on the EmilyAI commercial side, where the post-presentation customer-acquisition cadence exceeded expectations through Q3 and Q4. The team is at thirty-six at year-end. The financial position is healthy.
The book. "Detection at the Speed of Adversaries: GDPR-Era Operational Discipline" published in June by the same UK technical-publishing house. Reception has been similar to the 2019 book — UK security-community readership has engaged, academic-leaning readership has been receptive, the wider trade-press coverage has been moderate. The book's reception has produced two of the customer-engagement opportunities that landed in Q4. The next book is in early outline; the working theme is supply-chain security as a customer-organisation programme discipline, with the SolarWinds and Log4Shell material as the principal worked examples.
The personal note. I wrote 41 posts on the blog this year, slightly below the 2020 count, primarily because the Log4Shell response in December cut into writing time. The blog discipline continues to be the most useful single intellectual practice. The conferences this year were Black Hat USA in August (the lead engineer's presentation, the team's most substantive conference contribution to date), Infosec Europe in June (smaller booth presence than 2019, useful customer-prospect conversations), and BSides Manchester in October (post-Pegasus-Project-and-pre-Log4Shell, the kind of event that the practitioner community uses to compare notes between formal academic events).
Onward into 2022. The Log4Shell aftermath. The Russia-Ukraine geopolitical situation. The continuing ransomware escalation. The continuing supply-chain pattern. The product-roadmap execution against the BlackCat-and-similar evolution in operator capability. And whatever the year produces that I have not yet imagined.