2023 in review

The year that contained the MOVEit mass-exploitation campaign, the Storm-0558 Microsoft signing-key compromise, the 3CX supply-chain attack, the EmilyAI v3.2 language-model integration release, the Scattered Spider hospitality-sector activity, the Okta support-tooling compromise, the 23andMe credential-stuffing-driven exposure, and the BlackCat seizure has been operationally demanding and strategically validating in ways that have strengthened the company's position.

The settled questions. The supply-chain pattern continues to be the dominant operational concern; the 2023 cases (3CX, MOVEit, Storm-0558, Okta-support) extend the post-SolarWinds-and-post-Log4Shell pattern with no abatement. The post-ChatGPT language-model environment is producing substantive product opportunity (the EmilyAI v3.2 launch is the demonstration), regulatory progression (the EU AI Act is in advanced legislative stages with formal adoption expected in early 2024), and threat-landscape evolution (offensive language-model use is operationally observable but has not, on 2023's evidence, produced step-change effects on the threat picture). The Scattered Spider / Lapsus$-pattern social-engineering capability against customer-organisation help-desk processes has produced sustained customer-organisation programme work on identity-verification posture. The NIS2 readiness programme execution across the customer-portfolio is on track for the October 2024 deadline.

The opened questions. The institutional-capital conversations have advanced through Q3-Q4 to the point where a transaction is plausible in 2024 if the right deal emerges; my disposition continues to be conservative but the optionality is substantive. The post-23andMe genomics-data-platform regulatory environment is going to develop through 2024 and beyond. The post-AI-Act-adoption regulatory environment for AI-systems will produce customer-organisation programme work that the customer portfolio is starting to plan for. The continuing US-China and Russia-Ukraine geopolitical environment will continue to shape the threat-actor landscape in ways the customer-organisation programme work will need to absorb.

The customer-portfolio. Six vCISO clients carrying through. Eighteen SOC customers (added two through the year, no churn). Twenty EmilyAI commercial customers (added four through the year, lost none). Aggregate company revenue at approximately 109% of original full-year plan, with the EmilyAI side substantially over plan and the services side modestly over. The team is at thirty-nine at year-end. The financial position is healthy.

The book. The language-model-environment book is in late draft and is on track for Q1 2024 publication. The working title is "The Model Is Part of the Programme: Operational Discipline in the Language-Model Era" — substantially less overlong than the 2022 supply-chain book's title.

The personal note. Forty-eight posts on the blog this year, the highest count of my blogging history. The blog discipline continues to be the most useful single intellectual practice. The conferences this year were Black Hat USA in August (continuing the customer-prospect-networking pattern), Infosec Europe in June (returned in person), and BSides Manchester in October.

Onward into 2024. The institutional-capital conversation. The continuing supply-chain work. The NIS2 deadline (October). The continuing language-model environment evolution. The book publishes. And whatever 2024 produces.
