Technology Risk Assessment

Explore top LinkedIn content from expert professionals.

  • View profile for Usman Asif

    Access 2000+ software engineers in your time zone | Founder & CEO at Devsinc

    227,603 followers

    Three weeks ago, our Devsinc security architect walked into my office with a chilling demonstration. Using quantum simulation software, she showed how RSA-2048 encryption – the same standard protecting billions of transactions daily – could theoretically be cracked in just 24 hours by a sufficiently powerful quantum computer. What took her classical computer billions of years to attempt, quantum algorithms could solve before tomorrow's sunrise. That moment crystallized a truth I've been grappling with: we're not just approaching a technological evolution; we're racing toward a cryptographic apocalypse. The quantum computing market tells a story of inevitable disruption, surging from $1.44 billion in 2025 to an expected $16.22 billion by 2034 – a staggering 30.88% CAGR that signals more than market enthusiasm. Research shows a 17-34% probability that cryptographically relevant quantum computers will exist by 2034, climbing to 79% by 2044. But here's what keeps me awake at night: adversaries are already employing "harvest now, decrypt later" strategies, collecting our encrypted data today to unlock tomorrow. For my fellow CTOs and CIOs: the U.S. National Security Memorandum 10 mandates full migration to post-quantum cryptography by 2035, with some agencies required to transition by 2030. This isn't optional. Ninety-five percent of cybersecurity experts rate quantum's threat to current systems as "very high," yet only 25% of organizations are actively addressing this in their risk management strategies. To the brilliant minds entering our industry: this represents the greatest cybersecurity challenge and opportunity of our generation. While quantum computing promises revolutionary advances in drug discovery, optimization, and AI, it simultaneously threatens the cryptographic foundation of our digital world. The demand for quantum-safe solutions will create entirely new career paths and industries.
What moves me most is the democratizing potential of this challenge. Whether you're building solutions in Silicon Valley or Lahore, the quantum threat affects us all equally – and so does the opportunity to solve it. Post-quantum cryptography isn't just about surviving disruption; it's about architecting the secure digital infrastructure that will power humanity's next chapter. The countdown has begun. The question isn't whether quantum will break our current security – it's whether we'll be ready when it does.

  • View profile for Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice

    52,689 followers

    Your Smarthome Is Talking—But Who’s Listening? Smart home devices offer incredible convenience, allowing us to control lights, locks, appliances, and cameras remotely. However, each of these Internet of Things (IoT) devices also represents a potential vulnerability in your home’s digital perimeter. Many users install these gadgets without changing default settings, leaving them wide open to cyber intrusions. Threat actors have exploited poorly secured devices to spy on households, manipulate smart locks, or gain access to broader home networks. To avoid these risks, we must treat IoT devices with the same caution as computers or smartphones. That means using strong, unique passwords, enabling two-factor authentication where possible, and consistently updating firmware. Network segmentation is another smart move—placing IoT devices on a separate Wi-Fi network to prevent them from interacting with sensitive systems like work laptops or home servers. Finally, it’s important to evaluate the necessity of each new connected device. Ask yourself if the benefits truly outweigh the privacy risks. Not every gadget needs to be online, and sometimes convenience can come at the cost of security. In an age where even your thermostat or baby monitor can be exploited, a little common sense goes a long way in protecting your privacy and peace of mind. #cybersecurity #IoT #smarthomes #securitycameras #babymonitors #webcams #smartappliances

  • View profile for Frederick Magana, FCIPS Chartered

    Top 1% Procurement Creator | Fellow of CIPS | Judge & Speaker CIPS MENA Excellence in Procurement Awards | Mentor | Helping Organisations Drive Value Through Procurement & Supply | Strategic Sourcing |Contract Management

    22,435 followers

    Your Procurement Cycle is a Minefield of Risks. Are You Walking Blind?

    Procurement Excellence | 17 JAN 2026 - Procurement always navigates hidden risks that can derail projects, inflate costs, and tarnish reputations. Ignoring them? That’s the real risk. Here are 7 CRITICAL risks lurking in your procurement cycle + how to defuse them:

    #1. Performance Risk
    ↳ Suppliers underdelivering on quality/timelines.
    ↳ Fix: Clear KPIs. Penalty clauses. Regular performance reviews.

    #2. Specification Risk
    ↳ Vague requirements lead to wrong deliverables.
    ↳ Fix: Collaborate with stakeholders upfront & freeze specs before sourcing.

    #3. Supplier Financial Risk
    ↳ Bankrupt suppliers = halted operations.
    ↳ Fix: Run credit checks, diversify suppliers, demand financial disclosures.

    #4. Reputation Risk (ESG)
    ↳ Child labor or pollution in supply chain = brand crisis.
    ↳ Fix: Supplier ESG screenings. Audits. Sustainability clauses.

    #5. Price Volatility Risk
    ↳ Market swings crush budgets.
    ↳ Fix: Fixed-price contracts. Hedging strategies. Cost-indexed clauses.

    #6. Fraud & Corruption Risk
    ↳ Kickbacks, fake invoicing, collusion.
    ↳ Fix: Segregate duties. Whistleblower policies. AI-powered anomaly detection.

    #7. Contract Leakage Risk
    ↳ Unused discounts, auto-renewals, scope creep.
    ↳ Fix: Centralized contract repository. Milestone alerts. Spend analytics.

    #Bonus I: Over-Reliance Risk
    ↳ One supplier holds 80% of your spend.
    ↳ Fix: Strategic supplier diversification.

    #Bonus II: Cybersecurity Risk
    ↳ Suppliers accessing your systems >> data breaches.
    ↳ Fix: Vendor security assessments. Zero-trust architecture.

    #Bonus III: Supply Disruption Risk
    ↳ Natural disasters, geopolitics or supplier failures.
    ↳ Fix: Dual sourcing, Safety stock & Real-time supply chain monitoring.

    Risk Mitigation Playbook:
    ✅ Proactive: Map risks at EVERY stage
    ✅ Use AI for predictive analytics, blockchain for traceability.
    ✅ Train & empower teams to spot red flags early.
    ✅ Collaborate & partner with Legal, Finance, Operations.
Risk-aware procurement NOT about avoiding suppliers Procurement can’t own risk alone! Build resilient, ethical & agile supply chains that drive sustainable value. What risks keep YOU up at night? ♻️ Share to help someone in your network. ➕️ Follow Frederick for more content like this. #ProcurementExcellence #RiskManagement #Leadership

  • View profile for Akhilesh Tuteja

    Head of Clients & Industries - KPMG India

    54,534 followers

    The growing complexity of supply chain interdependencies is creating significant cybersecurity risks. In my latest article for the World Economic Forum’s Centre for Cybersecurity, I outline five key risk factors and what organisations must do to mitigate them:

    1️⃣ Cyber Inequity – Large organisations are improving cyber resilience, but SMEs remain vulnerable. They must view cybersecurity as a business priority, while industry collaboration and policy support can help bridge the gap.
    2️⃣ Limited Supply Chain Visibility – Expanding supply chains make it harder to assess supplier security. Without clear incentives, compliance gaps persist, increasing exposure to cyber threats.
    3️⃣ Third-Party Software Vulnerabilities – AI and open-source adoption introduce new risks, yet only 37% of organisations assess AI tool security before deployment. A structured security framework is essential.
    4️⃣ Dependence on Critical Providers – Over-reliance on a few key suppliers creates systemic points of failure. Resilient IT architectures and strong business continuity planning are critical.
    5️⃣ Geopolitical Risks – Cyber threats are increasingly shaped by global tensions, disrupting supply chains and increasing attack sophistication. Organisations must integrate geopolitical risk assessments into their cybersecurity strategies.

    What’s Next? Organisations must prioritize visibility, support smaller partners, and invest in resilience. Strong business continuity planning, robust IT management, and proactive threat detection are non-negotiable. Cybersecurity is not just an IT issue—it’s a strategic imperative.

    Read the full article here: https://lnkd.in/g-yQ2QRa

    #CyberSecurity #SupplyChain #AI #RiskManagement

  • View profile for FAISAL HOQUE

    Founder, SHADOKA & NextChapter | Executive Fellow, IMD Business School | 3x Deloitte Fast 50/500™ | #1 WSJ/USA Today Bestselling Author (11x) | Humanizing AI, Innovation & Transformation

    19,949 followers

    🧠 Quantum computing: What business leaders need to do right now Right now, criminal and state-sponsored hackers are intercepting and storing encrypted data they cannot yet decode. Likely targets include everything from corporate secrets and medical records to legal agreements and military communications. Why would these actors bother to steal data they can’t read? Because they are betting on developments in quantum computing that will eventually let them crack this encrypted data wide open. This isn’t a fringe theory. The NSA (National Security Agency), NIST (National Institute of Standards and Technology), and ENISA (European Agency for Cybersecurity) are all treating this “harvest now, decrypt later” scenario as a live threat that is serious enough to demand immediate action. The NSA has mandated that all U.S. national security systems must transition to quantum-resistant cryptography by 2035—with new acquisitions required to be compliant by 2027. In Europe, ENISA issued updated guidance in April 2025 warning that the threat is “sufficient to warrant caution, and to warrant mitigating actions to be taken,” and recommending that organizations begin deploying post-quantum cryptography immediately. NIST has launched a parallel global effort to develop the new cryptographic standards on which these transitions will depend. The message from all three bodies is the same: Organizations run a grave risk if they wait to begin upgrades until quantum computers can break current encryption standards. That is the reason business leaders need to pay attention to quantum computing now — not because the technology is ready, but because the risk is grave, and the cost of preparation is trivial compared with the cost of being caught flat-footed. 🔗 Find out how in our new Fast Company article here: https://lnkd.in/g54y88UE.

  • 10 CyberSecurity Frameworks Most Teams Inherit - Not Choose!

    A big customer asks for SOC 2. A regulator mentions ISO or NIST. Suddenly your “strategy” becomes a messy stack of rules that nobody can clearly explain. Frameworks were meant to reduce confusion. Not multiply it.

    Here’s the truth 👇 If you remove the logos, most cybersecurity frameworks answer the same few questions:
    – What are we protecting, and how critical is it?
    – Which controls reduce real attacks first?
    – How do we prove trust to customers and regulators?
    – How do we improve over time instead of ticking boxes once?

    That’s it. The 10 major frameworks simply sit at different points of that map.

    Some shape strategy:
    ➤ NIST CSF gives structure and direction
    Some formalize governance:
    ➤ ISO 27001 / 27701 turn security into a certifiable system
    Some drive action:
    ➤ CIS Controls tell engineers where to start
    Some build external trust:
    ➤ SOC 2, PCI DSS, HIPAA, HITRUST speak auditor language
    Some go deep where risk is highest:
    ➤ CSA CCM, NIST 800-53, 800-171 for cloud and government needs

    The mistake? Treating frameworks like competing religions. Strong teams stack them. One shapes strategy. One drives execution. One proves trust.

    Over time, the question changes from: “Are we compliant with X?” To: “Which mix best explains our risk story to the people who must trust us?” That’s when frameworks stop being paperwork and start acting like an operating system for security.

    Which framework actually helps your team make better decisions today? 👇 Which one does your organization rely on most right now?

    ------------
    Hi, I'm Harris D. Schwartz, Fractional CISO and Cybersecurity Leader. I help CEOs and executive teams strengthen their security posture and build resilient, compliant organizations. With 30+ years across NIST, ISO, PCI, and GDPR, I know how the right security decisions reduce risk and protect growth.
If you are planning how your security program needs to evolve in 2026, this is the right time to have that conversation. #CyberSecurity #SecurityFrameworks #RiskManagement #CISO #ISO27001 #NIST #SecurityStrategy

  • View profile for Chuck Whitten

    Senior Partner and Global Head Of Bain Digital

    17,908 followers

    Most quantum boardroom conversations end without an agenda. They end with a posture — "we're monitoring quantum developments," "we're taking it seriously". Neither statement produces a plan. The distinction matters because quantum creates three problem classes, each with a different urgency and a different cost of inaction. A generic posture misaddresses all three at once. The right response, for most leadership teams, has three parts. The first is to defend now. Post-quantum cryptography belongs on the enterprise risk agenda as a current priority. That means building visibility into cryptographic dependencies across the enterprise, identifying migration priorities, and mapping third-party exposure. This is the part of the quantum agenda that cannot wait. The second is to explore selectively. Most leadership teams do not need a wide portfolio of quantum pilots. They need a small number of focused efforts on high-value problems where the workload aligns with quantum's actual strengths — evaluated against the strongest available classical alternative. Each effort should be a targeted test: one specific problem, one clear classical benchmark, one honest evaluation. The third is to build options. For companies in simulation-relevant sectors — pharmaceuticals, advanced materials, energy — the right posture is modest investment in partnerships and early hardware collaborations. The goal is R&D workflows that are ready to integrate quantum subroutines when the technology matures. The companies that benefit most will not necessarily be those spending the most today. They will be the ones best positioned to move when the moment arrives. The most common failure on quantum is conflating the urgency of the three classes — treating all three as equally distant or equally immediate, when each has a different clock running. 
The organizations that get this right understand early which problem classes matter to their business, which ones to set aside, and what the distinction demands of them starting Monday morning. https://lnkd.in/gkymW7Xm

  • View profile for Hemang Doshi

    Next100 CIO Awardee, IT - Cyber Security Leadership, Audit Compliance, Cloud, Digital Transformation, Technology AI Evangelist, Strategic Planning, P&L Owner, 30+ years Building Resilient Global Infrastructures

    9,325 followers

    Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

    In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on 100s of third-party vendors, creating an exponentially expanding attack surface. Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

    Game-Changing Examples

    SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.

    MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

    Why Third-Party Risk Monitoring is Critical

    Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.

    Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.

    Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

    Building Effective Defense

    Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem

    Zero Trust Extension: Apply least-privilege access controls to all third-party connections

    Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols

    Contractual Protection: Update vendor agreements with security requirements and liability provisions

    The Bottom Line

    Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted — it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

    #ThirdPartyRisk #TRPM #SupplyChainAttack #CyberSecurity

  • View profile for Ismail Orhan, CISSO, CTFI, CCII

    CISO @ASEE | Cybersecurity Leader of the Year 2025 🏆 | HBR Contributor | Published Author | Thought Leader | International Keynote Speaker

    22,051 followers

    The attack surface is no longer the network; it is identity. According to Verizon’s Data Breach Investigations Report, roughly 74% of breaches involve a human element, and stolen credentials remain one of the most common initial access vectors. IBM’s Cost of a Data Breach analyses consistently show that identity-related incidents rank among the most expensive scenarios. This is not coincidence; it is mathematics. Organizational risk does not increase linearly with the number of users; it grows exponentially with the topology of privilege distribution. Even if the probability of compromising a highly privileged account is low, the blast radius can extend across the entire enterprise. Low probability multiplied by high impact creates systemic fragility. Claude Shannon defined entropy as a measure of uncertainty; in identity architectures, entropy is driven less by password complexity and more by privilege density, token lifetime, and federation chains. As entropy increases, control becomes harder while the attacker’s discovery cost decreases. Identity verification is therefore not a binary “secure/insecure” condition but a probability distribution with measurable error margins. Zero Trust may be strategically sound, but it is not mathematically zero. Identity is no longer a technical detail; it sits at the intersection of graph theory, probability, and economics. If we want to truly understand cybersecurity, we must analyze identity architecture not through intuition, but through mathematics. #CyberSecurity #IdentitySecurity #IAM #ZeroTrust #CyberWarfare #InformationTheory #RiskManagement #GraphTheory #CISO #CyberStrategy #DataBreach #Infosec #DigitalTrust #SecurityLeadership #IdentityBasedWarfare

  • View profile for Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker | Board member | Co-Host of Control Room

    38,617 followers

    Ever handed someone a USB that looked harmless—but wasn’t? I have. In the world of espionage, we had some very cool toys. I once handed a “special” USB device to an asset who had access to a sensitive network the intel community needed eyes on. It looked harmless. Ordinary, even. But it wasn’t. In our world, that was tradecraft. In your world? That same-looking USB might be swag from a conference booth. Except… the risk is the same. Insecure devices don’t just open backdoors — they open headlines, lawsuits, and trust gaps you can’t patch overnight.

    Here are some real-world examples:

    Military Smartwatch Scam (2023): U.S. Army personnel received unsolicited smartwatches. Turning them on triggered automatic connections to nearby phones and Wi-Fi, deploying malware to harvest sensitive data — and possibly camera access. The source? Overseas. The goal? Espionage and fake seller reviews.

    Juice Jacking: The FBI warns that public USB charging ports (airports, hotels, cafes) can silently install malware or tracking tools — a tactic known as juice jacking.

    USB Drop Attacks: Malicious actors leave infected USBs in public places, hoping someone plugs them in. One click, and it’s game over: data theft, ransomware, or remote access.

    Wearable Device Vulnerabilities: Many smartwatches and fitness trackers lack Bluetooth security, leaving them open to eavesdropping or active attacks — especially when cheaply made.

    Just because it's branded doesn’t mean it’s safe. Just because it's free doesn’t mean it’s clean.

    Here’s what we can do better:

    Training & Awareness
    ✔️ Educate your team: Make device security part of onboarding and training
    ✔️ Warn about giveaways: Just because it’s branded doesn’t mean it’s safe.
    ✔️ Teach skepticism: Don't take or plug in USBs or devices from people you don’t know. (Yes, even from the booth with free espresso.)

    Policy & Prevention
    ✔️ Enforce a USB device policy: Monitor or restrict device access
    ✔️ Vet your swag: Vendors, stop buying bulk tech giveaways from unverified sources.
    ✔️ Avoid public USB stations: Use your own charger and plug into the wall (old school)

    Technical Controls
    ✔️ Use endpoint protection to scan devices before connection
    ✔️ Regularly audit and update security protocols
    ✔️ Monitor for unexpected RF, BLE, or Wi-Fi activity — especially in secure spaces

    Your attack surface isn’t just digital. Sometimes it comes with a logo and a lanyard or a blinking blue light.

    If you’re a leader, ask yourself:
    - How are you securing your humans from hardware-level risks?
    - Does your team know what to do when something looks ordinary… but isn’t?
    - Do your giveaway devices come with supply chain transparency?

    Stay sharp. Stay skeptical. Stay secure.

    #HumanRisk #Cybersecurity #SpycraftForRealLife #SupplyChainRisk #CyberHygiene #LeadershipInSecurity #Espionage #ConferenceCulture #dataprotection #securityawareness #Spycraftfortheheart
