2024 in review

The year that contained Operation Cronos (the LockBit disruption, February), Change Healthcare (the largest single US healthcare cyber-incident in history, February-March), the EmilyAI book launch (February), the XZ Utils backdoor (the most operationally consequential supply-chain compromise discovery of recent years, March-April), the Snowflake-and-UNC5537 mass campaign (May-June), the CrowdStrike outage (the largest single IT outage in history, July), the National Public Data exposure (the largest single PII disclosure on record, July-August), the NIS2 transposition deadline (October), the Salt Typhoon disclosures (December) and the Treasury BeyondTrust case (December 31) has been operationally consequential and strategically validating in ways that have settled several questions and opened several others.

The settled questions. The supply-chain pattern continues to be the dominant operational concern; the 2024 cases (XZ Utils, CrowdStrike, Treasury BeyondTrust, the broader Salt Typhoon pattern, the various Snowflake customer-tenant compromises) extend the post-SolarWinds, post-Log4Shell pattern with no abatement. State-actor cyber capability against critical infrastructure is, on the cumulative 2021-2024 evidence, operationally substantive across multiple actor clusters and multiple infrastructure categories. The MFA-coverage-completeness discipline that the Change Healthcare case catalysed (a single remote-access service without MFA was the initial entry point) has been substantively prioritised across the customer portfolio. The decision on taking institutional capital is settled in the negative for 2024. The NIS2 transposition deadline has passed, and the regime is now in force in principle, although transposition across member states is far from uniform.

The opened questions. The post-Salt-Typhoon US policy conversation about encryption and government access is going to develop substantially through 2025 and beyond, in ways that will reshape the long-running policy environment. The post-XZ-Utils conversation about open-source foundation funding and maintainer trust continues to develop, with substantive policy and funding output emerging through 2025. The post-CrowdStrike vendor-concentration-risk conversation will inform customer-organisation procurement and vendor-management discipline for years. The post-NPD regulatory environment for the data-broker industry will produce substantive US legislative output through 2025-2026. The post-deadline NIS2 operational regime will produce the first NIS2 enforcement decisions of a scale comparable to GDPR enforcement through 2025-2026.

The customer portfolio. Six vCISO clients carried through the year. Eighteen SOC customers (no churn through the year). Twenty-four EmilyAI commercial customers (four added through the year, no churn). Aggregate company revenue at approximately 113% of the original full-year plan, with the EmilyAI side substantively over plan. The team is at forty-one at year-end. The financial position is healthy; the bootstrapped position is operationally sustainable and strategically appropriate.

The book. "The Model Is Part of the Programme", published in February, has had the most commercially positive reception of the four published books. The 2024 sales and reception have been adequate to cover the cost of writing and publishing it and have produced substantive customer-engagement output as planned. The next book (the regulatory environment as a customer-organisation discipline) is in early outline.

The personal note. Forty-nine posts on the blog this year, comparable to 2023. The blog discipline continues to be the most useful single intellectual practice. The conferences this year were Black Hat USA in August (continuing the customer-prospect networking pattern, with the post-CrowdStrike-outage industry mood substantively different from what the pre-outage planning had assumed), Infosec Europe in June (good in-person form) and BSides Manchester in October.

Onward into 2025. The continuing supply-chain pattern. The continuing state-actor activity. The continuing progression of the language-model environment. The post-NIS2 enforcement environment. The DORA application deadline (January 17). The continuing EU AI Act compliance progression. And whatever else 2025 produces.
