The year that contained the cyber dimension of the Russia-Ukraine war, the continuing supply-chain pattern, the social-engineering-driven Lapsus$ and 0ktapus cluster activity, the formal adoption of NIS2, the Australian regulatory response to Optus and Medibank, the LastPass disclosure, and the ChatGPT release has been operationally demanding and strategically reshaping in ways that the year-start planning did not fully anticipate.
The settled questions. The Russia-Ukraine cyber-dimension is operationally significant but bounded; the international spillover concern that NotPetya 2017 produced has not, on 2022's evidence, been replicated at comparable scale. The post-SolarWinds-and-post-Log4Shell supply-chain pattern continues; the operational disciplines (SBOM, vendor-trust-verification, build-system-integrity, update-channel monitoring) are now central to customer-organisation programme work. The phishing-resistant MFA migration is now substantively underway across the customer portfolio. The NIS2 transposition cycle is in motion and will be the dominant 2023-2024 regulatory-programme work. The post-Optus/Medibank Australian regulatory response demonstrates the international convergence on stricter privacy-and-cyber enforcement frameworks.
The opened questions. The post-ChatGPT language-model environment is going to be a substantial strategic theme through 2023 and beyond — both on the offensive-use side (phishing, social-engineering, deepfake content) and the defensive-use side (analyst-assistant functions, natural-language SOC interaction, detection-engineering automation). The EU AI Act's progression and the broader AI-regulation environment will produce substantive customer-organisation programme work. The post-Russia-Ukraine European energy-and-economic environment will continue to shape the macro-business context for the customer-portfolio strategic planning. The continued development of the geopolitical-cyber dimension — China-Taiwan tensions, North Korea, Iran — will produce specific operational concerns over 2023.
The customer portfolio. Six vCISO clients carrying through. Sixteen SOC customers (two added through the year, no churn). Sixteen EmilyAI commercial customers (two added through the year, one lost in mid-year). Aggregate company revenue at approximately 102% of the original full-year plan. The team is at thirty-eight at year-end. The financial position is healthy.
The book. "The Supply Chain Is the Customer's Programme: Operational Discipline After SolarWinds and Log4Shell" published in October by the same UK technical-publishing house. The title is, in retrospect, substantially overlong; the publisher pushed against this and I declined the suggestion. The reception has been comparable to the 2019 and 2021 books — the security-community readership has engaged, the academic-leaning readership has been receptive, the wider trade-press coverage has been moderate. Two customer-engagement opportunities that landed in Q4 traced back to the book.
The personal note. Forty-six posts on the blog this year, the highest count since 2016. The blog discipline continues to be the most useful single intellectual practice. The conferences this year were Black Hat USA in August (smaller team presence than 2021's paper-presenting form, customer-prospect-networking-focused), Infosec Europe in June (returned to in-person form), and BSides Manchester in October (where the post-Conti-leaks community conversation was particularly substantive).
Onward into 2023. The post-ChatGPT language-model integration. The continuing supply-chain work. The NIS2 readiness programme execution. The continuing ransomware escalation. And whatever the year produces that I have not yet imagined.