Forbes Newsletters

Plus: Why Cybersecurity Knowledge Failures Cut Especially Deep

In the case of cybersecurity, “I don’t know” is almost always the wrong answer. It’s obvious that not knowing details about your cybersecurity risks is bad news for the company as a whole, but a new report from Kiteworks quantifies just how deep knowledge failures can go. 

Out of the businesses that were unaware of how many partners they work with, 42% didn’t know how often they were breached. Nearly half of those who didn’t know how often they were compromised couldn’t quantify litigation costs, while 24% didn’t know how long it took to detect breaches. And of those unaware of their employees’ AI use, just over a third had any zero-privacy technology in place.

“Our survey reveals a fundamental truth about modern data security: What you don’t know doesn’t just hurt you—it multiplies exponentially,” Kiteworks CMO Tim Freestone said in a statement. “Organizations operating blind face dramatically worse outcomes across every metric we measured. The cascade effect is undeniable: Unknown third-party relationships lead to missed breaches, which prevent compliance demonstration, which results in massive costs.”

The costs of security breaches can climb into the millions, and Kiteworks found that mid-sized companies that work with 1,001 to 5,000 partners are in the most danger. More than two in five reported $3 million to $5 million in annual costs from security breaches—and 42% need one to three months to detect them.

Knowledge is power, and that’s especially important in cases of cybersecurity. Kiteworks’ report recommends companies work toward improving their visibility both internally and among partners with whom they share information.

In the last 10 years, cybersecurity defenses have been bolstered through CISA 2015, a law passed by Congress and signed by former President Barack Obama that establishes a framework for information sharing around threats, vulnerabilities and attacks. The law expires on September 30, and an updated version is working its way through Congress. I spoke with Edgard Capdevielle, CEO of critical infrastructure cybersecurity provider Nozomi Networks, about why he believes it’s so important to reauthorize the law. An excerpt from our conversation appears later in this newsletter.


Megan Poinski Staff Writer, C-Suite Newsletters


In today’s CIO newsletter:
  • First Up: Oracle stock—and Larry Ellison’s fortune—blow up on huge cloud contracts
  • Policy + Regulations: Colorado legislators punt amendments to AI law (and its effective date) further in the future
  • Bits + Bytes: Renewing CISA 2015 will keep lawyers out of cybersecurity decisions
NOTABLE EARNINGS
Another tech billionaire saw his fortune cross the $400 billion mark this week, as Oracle cofounder and CTO Larry Ellison got nearly $100 billion richer in a single day, thanks to his 41% stake in his company, writes Forbes’ Phoebe Liu. It was the best-ever single-day gain for a billionaire, and one of Oracle’s best-ever trading days. 

The cloud computing company’s shares were up about 38% on Wednesday on blockbuster estimates for infrastructure revenue in its quarterly earnings report. Total revenue was up 11%, hitting $14.9 billion—with cloud infrastructure expected to be $18 billion this fiscal year, then exponentially increasing to $32 billion in fiscal year 2027, then $73 billion, $114 billion and $144 billion in the three years following. Tuesday evening’s earnings report also says Oracle has $455 billion in remaining performance obligations for the quarter—an increase of 359%.

Oracle’s performance, which was praised by analysts—Deutsche Bank analyst Brad Zelnick said those on the earnings call were “all kind of in shock in a very, very good way”—came through several multibillion-dollar contracts with tech companies seeking compute power and enterprise databases for AI. In the earnings press release, CEO Safra Catz said Oracle signed four new high-dollar contracts with three different customers in the quarter. Ellison noted that from Amazon, Google and Microsoft alone, revenue for Oracle’s MultiCloud database sector was up 1,529% in the quarter. 

On the earnings call, Zelnick said there was “no better evidence of a seismic shift happening in computing than these results that you just put up.”

Ellison said on the call that while this growth is impressive, Oracle has more paths to expansion. The company is targeting the AI inference market, which will eventually be used to automate various tasks using AI-powered robotics and agents. It also has a new AI database setup and storage platform. More will be unveiled at the company’s AI World conference next month, Ellison said.

By midday Thursday, Ellison’s fortune dropped to $378 billion.

FROM THE HEADLINES
Last week, Forbes announced its 10th annual Cloud 100 list, detailing the world’s top private companies in the cloud computing space. Companies are nominated and ranked based on their market leadership in various sectors, valuations, operating metrics and people and culture. Most of the companies on this year’s list are using AI to reshape their industry or computing in general, so it’s no surprise that the top two companies are AI chatbot and research giants OpenAI and Anthropic. Other companies from a wide variety of industries are near the top of the list as well, including fintech giant Stripe in the No. 3 spot, quick-reimbursing corporate travel and expense company Navan at No. 7, and clinical documentation company Abridge at No. 57.

Newer companies also made the list. Anysphere, maker of generative coding tool Cursor, debuted on the list as No. 8. Meanwhile, Forbes also recognized rising stars—companies that are likely to appear on future lists. This list includes Brisk Teaching—maker of dozens of AI-powered tools that help educators create curriculum and provide feedback—and Assort Health, which uses generative AI to answer calls on behalf of medical specialists. 

Looking at the companies appearing on the Cloud 100 each year and evaluating their technology and ideas, one thing is clear: Companies need to evolve to be able to use AI or they will quickly become obsolete. 

POLICY + REGULATIONS
State legislators in Colorado successfully paused the effective date of their new comprehensive AI law for four months, but were not successful in making changes to it at a special session last month, writes Forbes senior contributor Alonzo Martinez. When Gov. Jared Polis signed the law in 2024, he did so with reservations and recommended that it be amended before it was enacted in 2026. 

As written, the law intends to protect people from “algorithmic discrimination”—an AI system treating individuals or groups differently based on protected characteristics in “high-risk” AI systems, which make consequential decisions dealing with individuals’ education, employment, finances, health care, housing, insurance, legal services and essential government services. 

When he signed the bill, Polis wrote that while it was one of the first in the country to attempt to regulate AI, it missed the mark by regulating the results of AI use instead of prohibiting discriminatory conduct, and created a “complex compliance regime.” Polis said he was concerned about how the law would impact AI developers, and urged the state legislature to work with stakeholders to ensure the law wouldn’t hamper their development of the new technology.

At the special session last month, called primarily to address a new budget shortfall due to the federal government’s One Big Beautiful Bill Act, lawmakers did work on new versions of the bill, including one that had a broader framework that the tech sector opposed, Martinez writes. In the end, the only thing they could agree on was delaying implementation to June 30, 2026—meaning it can be more fully debated and amended at the regular legislative session beginning in January.

Nozomi Networks CEO Edgard Capdevielle. (Photo: Nozomi Networks)
BITS + BYTES
Why CISOs Say Congress Needs To Quickly Reauthorize A Vital Cybersecurity Law
A decade ago, Congress passed the Cybersecurity Information Sharing Act of 2015, commonly referred to as CISA 2015. (This law has nothing to do with the establishment of the Cybersecurity and Infrastructure Security Agency under the U.S. Department of Homeland Security.) Although it was somewhat controversial when it passed, CISA 2015 provides a framework for companies and the government to freely share cybersecurity information including threat indicators and defensive measures. Over the last decade, it has become a vital part of cybersecurity prevention and defense in the U.S. However, the bill expires on September 30, and must be reauthorized. 

CISA 2015 is seen as a noncontroversial measure, and a beefed-up version updated for newer threats and AI—called the Widespread Information Management for the Welfare of Infrastructure and Government Act (WIMWIG)—passed the House Committee on Homeland Security with bipartisan approval last week. It awaits a full House of Representatives floor vote, and then must pass the Senate and get President Donald Trump’s signature.

Edgard Capdevielle, CEO of Nozomi Networks, which provides cybersecurity for critical infrastructure in the IT, IoT and operational technology space, talked to me about why the reauthorization of CISA 2015 is so important. This conversation has been edited for length, clarity and continuity.

Why is CISA 2015 so important?

Capdevielle: It’s brought us a tremendous amount of collaboration. Threats can have a real impact [on operational technology] because of the critical infrastructure and sharing intelligence. Most critical infrastructure is held privately. We look to governments whenever you think about critical infrastructure—primarily because of all the regulatory coverage—but at the end of the day, operators tend to be private companies. 

Sharing intelligence has been fundamental. Tons of our products have to do with the customer’s ability to share what happened in their environment, so that we can all learn and protect. We like to say: One warning is everybody’s shield. When you find something or a particular group of hackers doing something somewhere, usually they’re going to repeat their techniques in [a similar company] because they have the same intent. Whether it’s extracting information from oil and gas or utilities or electric facilities, the mechanisms are the same—primarily because the infrastructure is fairly similar.

Because you repeat a lot of things, it’s good to learn from them as soon as possible and share it with the government, with CISA. CISA can spread it to the rest of the environment so that we can all know as quickly as possible what’s happening. It’s been a fantastic collaboration where together we stand protected, separate we remain hacked, and nobody wants to see it end.

The majority of the conversations are about renewing it and renewing it quickly. We need to do it by the end of September. It’s going to be interesting, just from a tactics perspective: How do you do it quickly enough? But I don’t think there is a dissent on the fact that it needs to be renewed. 

Let’s say that all of the things that need to come together don’t get there in time and the law expires. What would it mean and what would happen? 

The law did two things that are very important. One, it established a standard on how to exchange this information. That’s going to remain; nobody’s going to necessarily change the standards or how to do it.

But the second thing that was super-important is it established a legal framework where companies that report and share threat intelligence don’t have any legal liability associated with sharing this information, and therefore the function could be operationalized outside of legal supervision or purview. So the CISOs could decide, and buy products that have the capabilities of capturing and sharing information with the government or with peers in the industry. 

If this expires, then we’re going to have to get the lawyers back in the room. The CISOs want to keep the company secure, and those that have more of a vision and mission want to keep the country secure. But the lawyers don’t necessarily have that motivation. It’s not that they’re evil or anything like that. Their job is to keep the company out of the courts, out of paying fees, out of legal trouble, and it’s going to add friction. The volume of exchange of information would dramatically decrease and that would absolutely make us less secure.

There’s a very short timeframe between now and when this expires and everybody has to prepare for different scenarios. What would you tell CIOs and CISOs to be doing now to prepare for if the law isn’t reauthorized? 

Try to retain the ability to share threat intelligence on the CISO’s purview without complicating it with the office of the general counsel. Threat intelligence has been anonymized. The threat intelligence that we’re doing has been a standard MO for the last several years. The likelihood that somebody’s going to think it’s illegal all of a sudden is not high. The downside is going to be rare, so I would try to make sure that people continue doing it. 

It should be renewed quickly. That’s number one. If it’s not renewed, we should have some sort of extension and exception so that people can keep doing it. And if we don’t get that, I would encourage folks to try to continue so that we all remain safe. Together, sharing intelligence, we stand protected. Separate, we stand hacked. Nobody’s going to pull your ear for sharing threat intelligence. 

COMINGS + GOINGS
  • Alcohol distributor Southern Glazer’s Wine & Spirits named Steve Bronson as its new chief information officer. Bronson joins the company from McDonald’s Corporation, where he was the senior vice president of global technology infrastructure and operations.
  • Third-party administrator Sedgwick hired Vishy Padmanabhan for its new chief transformation officer role. Padmanabhan joins the company from Wells Fargo, and was a partner at Bain & Company prior to that.
  • Online marketplace Etsy appointed Rafe Colburn as its new chief product and technology officer, effective September 8. Colburn was previously chief technology officer for Etsy, and assumed the expanded role following the departure of Nick Daniel.
Send us C-suite transition news at forbescsuite@forbes.com.
STRATEGIES + ADVICE
AI agents are everywhere, and some companies are specifically training them to replace employees. Here’s what you need to know about the proliferation of AI agents, and how to implement them to find the greatest success at your company.

The tech space is full of partnerships, and it’s important to work with companies that share the same values, goals and priorities. Here’s how to ensure purpose is at the core of your partnerships.

Quiz
Several of one company’s chatbot transcripts became inadvertently accessible in Google search results. Which company are they from?
A. Anthropic
B. DeepSeek
C. Perplexity
D. Meta AI