risk-management

The Math Does Not Work Anymore: Why Patching Faster Is No Longer Enough

John Z Black Apr 12, 2026

Security Operations & Resilience #vulnerability-management #qualys #cisa-kev #bug-bounty #ai-security #patch-management #risk-management

Qualys analyzed a billion CISA KEV remediation records and found attackers are weaponizing critical vulns an average of seven days before patches exist. The human-scale remediation model has hit a structural ceiling.

Three Ransomware Gangs Own a Third of North America's Cybercrime. What That Means for Your Risk Model.

John Z Black Mar 30, 2026

Ransomware & Cybercrime #ransomware #qilin #akira #clop #north-america #threat-intelligence #risk-management

Qilin, Akira, and Clop together claimed roughly 34% of all recorded North American ransomware incidents in 2025 -- and that concentration is actually something defenders can use.

FedRAMP's Trust Gap: When Technical Warnings Lose to Procurement Momentum

John Z Black Mar 18, 2026

Policy, Law & Governance #fedramp #cloud-security #governance #procurement #assurance #public-sector #risk-management

Federal cyber experts reportedly called Microsoft's cloud a 'pile of shit' -- and approved it anyway. That's not just a Microsoft story. It's a story about what certification badges actually mean.