Office cold, kettle on, pad open. The Log4Shell response of December has settled into operational tempo through the holiday period — the customer-portfolio audit work has continued without major escalations, the customer-organisation programme implications are being absorbed into the 2022 planning, and the team has rotated through the period with appropriate rest.
The portfolio. Six vCISO clients carrying through. Fourteen SOC customers. Fifteen EmilyAI commercial customers entering the year, with three additional prospects in late-stage commercial discussion for Q1 close. The team is at thirty-six at year-start. The 2022 hiring plan envisages four to six further hires through the year, slightly below the 2021 trajectory because of the Q4 slowdown in EmilyAI customer-acquisition that the Log4Shell response work consumed.
The dominant 2022 planning concern is the Russia-Ukraine geopolitical environment. The escalation through Q4 2021 has continued through the holiday period — Russian troop concentrations on the Ukrainian border, sustained diplomatic conversation with no clear resolution, the US-and-NATO public statements about response posture. The cyber-dimension is being widely anticipated by the security community (CISA Shields Up guidance, January, NCSC heightened-threat posture statements). The customer-portfolio briefings through the autumn have been incorporating Russia-Ukraine contingency planning as a substantive theme. The defensive disciplines that are relevant — segmentation against state-actor lateral-movement capability, identity-and-privileged-access controls, data-egress visibility, incident-response readiness, and supply-chain awareness against any vendor with material Russian or Ukrainian operations — are continuous with the post-SolarWinds and post-Log4Shell programme work, but the heightened operational tempo is going to make 2022 demanding regardless of how the geopolitical situation actually develops.
The EU NIS2 transposition cycle. The original NIS Directive of 2016 has been substantially revised by the NIS2 Directive (Directive (EU) 2022/2555 — to be formally adopted in autumn 2022 with the transposition deadline in October 2024). NIS2 substantially expands the Operator-of-Essential-Services regime, increases the supervisory authority's enforcement powers, and imposes more detailed cyber-resilience requirements across more sectors. The customer-portfolio organisations that fall within scope (the manufacturer's overseas operations, the financial-services firm's EU-side relationships, the retailer's EU-side processor relationships) will need substantial programme work over the next two years. The 2022 customer-portfolio strategic planning is incorporating NIS2 readiness as an emerging programme theme.
The product-roadmap conversation. The post-Black-Hat momentum on EmilyAI through Q3 and Q4 2021 has produced a substantially wider customer-prospect base entering 2022. The 2022 roadmap priorities include the adversarial-robustness work that the Black Hat Q&A surfaced as a structural concern, the federated-learning research direction that the cross-customer-data-sharing question implies, and the continuing per-customer adaptation engineering that the increased customer base demands. The team's research agenda remains coupled to the product-engineering agenda; the discipline of doing both has held over the past six years and we are continuing to invest in both.
The book project. The supply-chain-security book that I noted in the 2021 retrospective is in active drafting through Q1. The structure is settled; the SolarWinds and Log4Shell material is the spine; the customer-engagement examples are anonymised across the portfolio.
The kettle has boiled. Inbox now.