End of Year Reflection

Tech and Cyber - 2025 into 2026

Happy and safe holidays

Editor's note

As we pass Christmas and we get closer to the end of the year I reflect on the messages that I am seeing and hearing.

Some from my network and some from people we meet in passing.

This year I have felt that we are more digital than ever and we spend more time online than we do offline. I am resisting the urge to go onto ChatGPT to ask it for some stats or to pull up Gamma AI and generate a slide for me.

The things that have been resonating for me when it comes to tech for both individuals and for business are:

Identity

Data

Accountability and Ownership

AI implementation & AI Governance

People

Components Versus Systems

Will the computer systems take over the world in 2026?

OR

Will we look to humanise more of our operations because we are already sick of AI responses and AI behaviours (even though much of it mimics us - or better versions of us)?

Identity

I have been to many expos, had many meetings, and have spoken to many cyber warriors and tech gurus and builders.

There is no shortage of tools, and there is no shortage of people shouting from the rooftops about passwords, passkeys and MFA.

The conclusion is that we don’t have an issue with any of the above. We typically have a cultural issue.

A lack of accountabilities, combined with some corporate ego + lack of transparency tends to be a recipe for:

Over-permissioned access

Dormant accounts

Shared accounts

Some of the above gets caught through audits, but some of it gets missed as a result of complex architectures and third-party relationships.

Audits tend to not deep dive enough due to scope and time constraints, and often a lack of skills + combined lack of patience from the auditee.

In order to get good visibility of identity you need to know what you have that is important. Then you need to look at who can access it and what they can do with it.

If your scope chooses to only select a series of systems (that you already know) without stepping back and scrutinising the entire environment - then you run a real risk of not reviewing what you don’t see.

Data

Some of the first questions one needs to ask are:

What data do I have?

Where is this data?

How do I classify this data?

How do I protect data that is important to me?

How do I restrict data so that people who shouldn’t see it can’t?

The truth is, and I have seen this on every engagement I have worked on:

Teams do not know where their data is - especially all of their sensitive data.

You can’t protect what you can’t see.

Accountability

On the whole we still don’t get this right.

Roles and responsibilities lack clarity and many are not clear on the scope of their responsibilities.

This gets even more blurred if you are expected to wear multiple hats.

Statistically we are saying there is some success as we are assigning owners of systems.

Where this falls down though is when systems collaborate or integrate with other systems, and now with the additional complexity of AI and Agents.

Do owners of systems have enough clarity of what the true risks are for the systems they manage?

What about Third Parties?

System owners look at systems in isolation and in my opinion there isn’t enough collaboration across teams (or entities in the case of third parties) to understand the up, downstream, sideways, and external effects of entire systems as opposed to singular systems.

What about AI

I won’t hang on this point for too long.

AI has exploded onto the scene in 2025.

Every application and computing tool we use now is using some form of AI model.

Many are still grappling with how to implement AI to establish meaningful ROI.

The Cyber Warriors are talking extensively about AI governance, not just at surface level but deep in the engineering.

Feedback loops built into control(s) architectures.

That will be the rave in 2026 - in setting appropriate boundaries for AI and Agentic AI.

Foundational risk management though is still more important than ever.

We will talk more about this in 2026.

People

People are still important.

We still have an important role when it comes to technology and technology management.

And my reasoning for this is people will always want to be involved, and I think this will be the case until machines turn to us and tell us we don’t need you.

We are still the dominant superpower.

In the world of cyber security we are still talking about burnout and overworked staff.

We now have a case of too much data, too many tools and just not enough manpower to review the output and make decisions.

We have been talking about burnout quite a bit in 2025.

OK - bring in Agentic AI where we can eliminate some of the above?

Maybe - but then we loop around to point number one which is Identity - and how much access is safe to give to an Agent.

Components Versus Systems

Just because all your components work flawlessly - doesn’t mean you have perfect systems or even controls for that matter.

Systems inevitably fail because of something. It’s the feedback loops and the data that we receive that become important in being able to determine or forecast a systemic failure or problem.

Regular feedback allows us to view anomalies in real time and predict issues or problems down the track.

At the very least it gives us a chance to be prepared and respond quickly.

This week’s myth

“If we’ve implemented Zero Trust and MFA, identity risk is largely solved.”

Zero trust is a great concept, but the principles only stand true if systems work, and this is broader than the technology tools that are in place.

Interesting Reading

Stuff to think about over coffee

I have decided not to include any readings this time.

Enjoy time with family over the holiday period.

Relax the brain and come back sharp for 2026.

Be safe.

Thank you for joining our community as we look to share practical and thought-provoking topics when it comes to technology and security.

If you haven’t already, click the signup button to subscribe and get the latest newsletter directly to your inbox.

We will do our best to provide well researched and tested theories. Please comment, agree, disagree, or share your own experiences.

We want this to be a safe space to share any opinions with the object of true learning and experiences.

Many thanks

Rohan