Since 2023, the SEC has required public companies to explain how their boards oversee cybersecurity risk.

That means CISOs are getting some minutes in the boardroom to explain their company’s security posture to stakeholders. But standing in front of the class doesn’t mean everyone’s ready to pass the test: a recent report suggested those stakeholders aren’t understanding the cyber threat impact.

The 2026 Benchmark Report, released on Mar. 3 by cybersecurity insights group IANS Research and exec-recruitment firm Artico Search, reviewed responses from 17 board directors.

• They are getting together. An additional survey by the organization found that 95% of CISOs (out of 653 polled) provide regular updates to the board, with 60% engaging with the full group and just over one-third interacting with a board committee. About three in four (72%) of CISOs meet a committee quarterly.
• But the time is short. Just over half (51%) of CISOs meeting quarterly reported having between 15 to 30 minutes to speak. One in four of those meeting quarterly said they had fewer than 15 minutes.
• And something’s off. Only 30% of boards described the relationship with their CISO as “strong and collaborative.” Slightly more than half of the board respondents (53%) said reporting on the impact of evolving threats needs improvement.

How CISOs can speak up when it matters.—BH

At one point in the 2015 cyber thriller Blackhat, hacker Nicholas Hathaway (Chris Hemsworth) examines the malware on a USB drive. The camera lingers on Hathaway’s screen for a few extra seconds to let us know he is typing real commands like cat and autorun.inf.

The movie follows Hathaway as he tries to find the cyber-villain responsible for melting down a Hong Kong nuclear plant and disrupting the Chicago Mercantile Exchange.

In an interview with Variety eight years after the movie’s release, director Michael Mann said: “The subject may have been ahead of the curve, because there were a number of people who thought this was all fantasy. Wrong. Everything is stone-cold accurate.”

To that end, Blackhat features its share of autoruns, remote access Trojans (RATs), IP addresses, malicious payloads, and other only-in-IT terms that a cyber defense pro like Paul Taylor, associate director at cybersecurity company NCC Group, deals with day to day. Taylor currently conducts cyberattack simulations for banks.

What does Michael Mann’s thriller get right?—BH

What are they thinking?

When it comes to ransomware criminals, the answers can vary. Some organizations are sophisticated businesses where hackers are treated as employees with HR departments and paid time-off, while others are more ramshackle.

But they’re all dangerous—and after your data. Mike Puglia, general manager of cybersecurity labs at Kaseya, told IT Brew that financial motivation has been the constant motive of ransomware attackers. The tactics are much the same between groups: gaining access, exploiting vulnerabilities, escalating privileges, and deploying an encrypter to hold the data for payment.

“It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes,” Puglia said.

Here’s how the game is played.—EH, CN

CollabWORK connects you to the hidden job market through IT Brew and other trusted channels. Browse roles curated specifically for this community by clicking through to the job board.

• Chief Engineer at Astrion
• Head of Site Automation Engineering at CSL Behring
• AWS DevOps Engineer at Deloitte LLP
• Software Engineer, CoCounsel AI Drafting at Thomson Reuters
• Associate CNO Software Engineer at MANTECH