Four Briefs Walk Into a Bar

I retired so I wouldn't have to read papers like this anymore. Yet here we are.

Four landed in my group chat last week, all about Mythos, all from organizations that should know better. RSAC's CISO community brief. JPMorganChase's "10 Actions to Take Now." Cisco's "Shields Up." And the Cloud Security Alliance's "AI Vulnerability Storm" with a co-author list deep enough to qualify as its own ISAC. There's a fifth, a single-author thing that came up in the same thread, and it gets its own treatment at the end. None of these are bad people writing bad papers. They're decent people writing the papers their incentive structures let them write, and that's the more interesting failure mode.

In order.

RSAC: "Patch Faster," He Said, Sailing Into the Wind

The RSAC brief tells you to compress patch windows. Thirty days down to fifteen, and down to twenty-four hours for externally facing stuff. They acknowledge the tradeoff (more outages) and recommend pre-authorizing shutdowns. The pre-authorization piece is genuinely good and most programs don't have it. The rehydration-of-stateless-systems pattern is also right and underused. Two paragraphs out of twelve land.

Then they tell you to set a 24-hour SLA and I want to throw the PDF across the porch. We are not in a velocity contest we can win. Working exploits arrive in hours. Your patch QA does not. The structural gap doesn't close because you scream at it. When the gap is structural you stop competing on speed and start containing on architecture, which is segmentation, identity boundaries, disposable infrastructure. The RSAC brief mentions segmentation in one sentence inside a paragraph titled "Basic security hygiene." That is the headline buried as a footnote.

What's missing: agent identity, OT firmware, the question of what to retire. They were close. Picked the wrong main thrust.

JPMC: The 2018 Hygiene List, Now With "AI" Stapled On

JPMC's "10 Actions" is what happens when a security org with the brand reach to publish anything decides to publish a control gap analysis from 2018. Manage your assets. Run supported software. Filter outbound. Segment your network. Remove standing privileges. Test your IR plan.

None of it is wrong. All of it has been on every consultant's deck for a decade.

Be honest about who this is for. JPMC is signaling to other big banks and to regulators that the basics still matter. Fine, that's a real audience. For the rest of us, this is not the brief we needed. Nine of the ten items pre-date Mythos. The tenth (embed security into AI dev lifecycle) is the most generic of the ten. Threat model your AI. Treat AI assets as high-value. Validate AI-generated code. Yeah, no kidding, with what tools, owned by whom, against what budget, retiring what to make room?

JPMC has one of the best security programs on the planet. They could have published what they're actually doing, with the budget numbers and the names of the things they killed to make room. Instead they shipped a checklist a junior consultant could have generated from training data. That's a waste of the brand. Somebody at JPMC made a deliberate decision to publish this and not the other thing. I have a guess at who benefits from the choice. It isn't the rest of us.

Cisco: A Vendor Pitch In A Trench Coat, With One Telling Aside

Cisco gets the threat right and prescribes Cisco. In-line eBPF protections. Runtime exploit shields. AI-driven digital twins. Cool. Read your own bio.

The part worth a closer look is the consolidated-CVE pitch. Cisco argues the industry should stop assigning individual CVEs to "minor" vulnerabilities and roll them into release notes instead. They frame it as denying attackers a roadmap. Read it twice. A network vendor that has shipped a steady cadence of pre-auth RCE in their security products is arguing that the industry should publish fewer CVEs.

Set aside whether it's the right policy debate to have. The CVE program is creaking under volume and the conversation is worth having. But the messenger is wrong. This is a debate that needs to come from researchers, regulators, and the CVE Numbering Authorities, not from a vendor whose CVE count is the embarrassing part of the story. When Cisco proposes the framework that determines how Cisco bugs get counted, you don't have to be cynical to ask the next question.

The "harness AI for defense" section is a feature catalog. Move on.

CSA: The Committee Paper

The CSA brief is the one I expected to be the best. The author list is who you'd want in the room: Schneier, Inglis, Adkins, Joyce, Easterly, Venables, Yu, Moussouris, Stewart, Saxe. The reviewer list goes another hundred deep. The risk register maps to NIST CSF 2.0, OWASP LLM, OWASP Agentic, and MITRE ATLAS. The eleven priority actions name actual tools. The board talking points are usable. The honest acknowledgment of burnout and the human cost is more truthful than anything in the other three.

So why does it land softer than it should?

Because it's a committee paper, and a committee paper is what you write when you can't afford to tell anyone they're wrong. "Use AI" is the answer to roughly half the priority actions. Action 1: point AI at your code. Action 2: require AI agent adoption. Action 3: defend your agents. Action 11: stand up VulnOps powered by AI. Every problem looks like a nail. There's no list of what to retire to fund any of this. The closest the brief gets is "expanding these efforts while there is time is prudent," which is not a sentence anyone running a budget is going to act on.

The brief also tells you to deploy AI tooling without acknowledging that standard commercial models will refuse half your dual-use security work by policy. The OpenAI Trusted Access for Cyber program and the Anthropic Glasswing tier exist for a reason, and the brief mentions them in passing without telling the reader that getting on those lists takes weeks of GC and procurement work. "Use the agents" without "here's how you actually get an agent that will do the work" is advice that breaks on contact with a SOC.

And recommending that CISOs watch four hour-long [un]prompted talks as "essential viewing" is the moment the committee gave up. CISOs do not have four hours. They have one. Tell them what's in the videos.

A substantive paper that pulled its punches. Many smart people in one room, none empowered to say "stop doing X." The cost of consensus.

The Single-Author Brief

A friend still doing the job sent over the fifth paper, a single-author thing called Day-Zero Normal. It's been making the rounds. The author has a Fortune 500 chair, and he is the only writer in this stack who published a list of things to retire to make room for new work. SIEM rules engine. Annual pentest. SAST/DAST triage queues. TPRM questionnaires. Each one named, each one with a replacement.

That alone makes the paper more useful than the other four. Naming the thing the industry has agreed not to look at is rare and structurally hard, and the paper does it.

It's also a single-author paper with two reviewers, and you can feel both. The voice sells with peers and condescends to everyone else. The advice assumes a mature program with the budget headroom and the political capital to retire controls. That describes maybe twenty percent of CISOs reading. The 90-day plan reads like it was written by someone who can give an order. For most CISOs, weeks 9 through 12 are when you're still negotiating budget for the things in weeks 1 through 4. The Chromebook-tier endpoint section is the most provocative idea in any of the five briefs, and I think it's basically right, and I also know exactly how the executive conversation goes when somebody's told their laptop tier is correlated with their role description.

There's a self-contradiction worth flagging. The paper preaches divestment discipline and then proposes an "AI Security Lead" as a new director-level role. New role, no role retired. It's a small thing in the context of the document, but it's the move every brief in this stack ends up making, including the one supposedly built around resisting the move.

Net: the paper that got closest to a useful answer, and the one that needed more reviewers and less swagger to land it for the median CISO. The other four didn't get that close, and most of them weren't trying to.

The Section Nobody Wrote

Here's the topic none of the five papers names directly, and which is going to eat a meaningful slice of the F500 alive.

A whole class of companies decimated their internal AppSec teams between 2018 and 2024 on the theory that they could outsource the work to bug bounty platforms. Why pay an engineer when HackerOne pays per finding? The math worked while the bounty economy was healthy. The engineers got laid off or attritioned, the institutional knowledge walked, the tooling was deprioritized, and the bug bounty platform became the entire AppSec function for several Fortune-scale shops I could name and won't. I watched a finance shop do exactly this in 2019. They're still trying to hire the team back.

That bet is collapsing in slow motion. HackerOne paused the Internet Bug Bounty in March. The low-severity bounty economy that paid researchers rent while they learned the craft is going away because Mythos-class scans eat that class of bug at the source. Platforms are pivoting to integrated AI scanning that they will charge you for at renewal. Researcher value moves up the stack to business logic and multi-step chains, the work the platforms are least good at coordinating.

If you outsourced AppSec to a bounty platform, here is your near-term reality. The platform is now your scanner vendor, not your researcher pool. The findings you get require deep internal context to triage, which you no longer have. The senior AppSec engineers you'd need to rebuild don't exist in the volume the market needs, because the training ground that produced them just got eaten by an LLM.

This is a five-to-ten-year staffing problem a meaningful slice of the industry created for itself. The 2018 procurement decision is now a 2026 hiring requisition you can't fill. Of the five papers, only Day-Zero Normal names the platform side, and it stops there.

The fix is the obvious one and the one nobody wants to fund. Hire the AppSec team back. Pay above market for the seniors who didn't leave the field. Treat the bounty platform as a scanner you supplement with humans, not a function you outsource to entirely. It's expensive, it's politically uncomfortable because it requires admitting the 2018 call was wrong, and it's the only move that works on a five-year horizon. Of course you can fix this. You have to stop pretending you can't.

The Shared Sin

Four of the five papers tell you to do more. The fifth tells you to do less, then assumes the kind of program that can hear that advice without flinching.

The eighty percent of CISOs in the middle, too big for SMB advice and too constrained for Fortune-scale swagger, got nothing actionable from any of the five. They got reminded that things are getting worse, that AI is everywhere, and that they should "consider" a few new initiatives.

Why hasn't anyone written the brief that lands for them? Because none of the organizations with the convening power to publish it can afford to tell their members to retire controls those members are paying vendors and consultants and auditors to keep alive. RSAC sells sponsorships to those vendors. CSA sells memberships to those consultants. JPMC's audience needs the controls to stay on the books for regulatory reasons. Cisco is one of the vendors. Somebody's getting paid for keeping it just like this.

It isn't you.

I'm retired and reading PDFs anyway. Don't be like me.

The Expired CISO

Papers:

  1. https://www.rsaconference.com/library/blog/from-the-rsac-global-ciso-community
  2. https://www.jpmorganchase.com/about/technology/blog/fortifying-the-enterprise-10-actions-to-take-now-for-ai-ready-cyber-resilience
  3. https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cisco-defending-against-ai-attacks-guidance.pdf
  4. https://labs.cloudsecurityalliance.org/mythos-ciso/
  5. https://init6.com/papers/Day-Zero-Normal-CISO-Brief.pdf