- The State Privacy Law Stack Is Now Your Compliance Problem
  by Cody Keller
  If your organization has been tracking state privacy legislation as a “watch and monitor” item, that posture is overdue for a change. Twenty states now have comprehensive consumer privacy laws in effect. Three more — Connecticut, Arkansas, and Utah — have significant updates or new provisions taking effect July 1, 2026. That’s thirty days from…
- Ransomware in 2026: The Playbook Most Organizations Have Is Already Outdated
  by Cody Keller
  Ransomware response has been a standard component of incident response planning for nearly a decade. Most organizations with a mature security program have a ransomware playbook — escalation paths, isolation procedures, backup recovery processes, and a decision framework around payment. The problem is that the environment those playbooks were written for has changed significantly, and…
- When the Regulator Goes Dark: What CISA Budget Cuts Mean for Your Program
  by Cody Keller
  For years, CISA served as a meaningful resource for organizations outside the enterprise security tier — threat intelligence sharing, incident response support, vulnerability advisories, regional coordination, and cybersecurity assessments available at no cost to critical infrastructure operators and public sector entities. That resource base has eroded significantly, and the organizations that haven’t adjusted their programs…
- The Identity Crisis Nobody Is Talking About
  by Cody Keller
  Most organizations have mature processes for managing human identities. Onboarding, offboarding, access reviews, least privilege — these are established practices, even if execution is inconsistent. The problem is that human identities are no longer the majority of what’s accessing your systems. Service accounts, API keys, OAuth tokens, automation scripts, and now AI agents — non-human…
- CIRCIA’s Final Rule Is Almost Here. Are You Ready?
  by Cody Keller
  The Cyber Incident Reporting for Critical Infrastructure Act has been in a holding pattern since CISA missed its original October 2025 deadline. The final rule is now expected in May 2026. If you’ve been treating CIRCIA as a future problem, that window is closing fast. This post isn’t about what CIRCIA says in theory.…