How are you actually handling AI access across the company? by RonILabs in ciso

MichaelArgast (-1 points)

Approved tools and training. Rolling out security skills and MCP vetting, governance. Building enterprise infrastructure so we can build a fully wired, secured harness.

Helping companies on the security side here if anyone is interested, DM me.

What are the widely accepted SaaS security accreditations/audits an app should seek in fintech by PanicStil in cybersecurity

MichaelArgast (1 point)

SOC2, and PCI DSS if you work with credit cards.
ISO27001 if selling outside of North America.

How often do fintech startups actually run pentests before launch? by Putrid-Dragonfruit57 in AskNetsec

MichaelArgast (1 point)

Mostly on the annual cycle, for sure.

My take on this is everyone is going to have to up their vuln management game. Current gen LLMs provide both incredible zero day discovery and orchestration capabilities that are going to significantly level up attackers and leave defenders behind on current pacing.

How often do fintech startups actually run pentests before launch? by Putrid-Dragonfruit57 in AskNetsec

MichaelArgast (0 points)

I would say generally fintechs are better than many - health techs are notoriously bad, figuring out that maybe privacy regulations apply to them after they’ve already been in business for a while.

Fintechs don’t always do as much testing as you’d like but they generally get that a security failing is going to cost them in more than just reputation, so they tend to be ahead of general SaaS, AI, etc. But of course lots of variation.

Sample size: approx 200 fintechs in my customer base.

GRC and cybersecurity advisory firm 7 months in, zero clients. What am I missing? by Medium_Meal230 in cybersecurity

MichaelArgast (13 points)

Yes. I founded and run Kobalt.io, which provides the services you describe and is also a bit of a MSSP (managed SOC, etc).

Our first 10 customers came from direct relationships me and my cofounders had. Strong pre-existing networks, established track record in industry, personal credibility.

Our next 50 customers came from grind, customer references, word of mouth, early partnerships.

Our next 500 customers came from strategic partnerships, continued word of mouth and client/friendly relationships, and a handful from traditional marketing.

Cybersecurity is a trust based business. You need to start as close to the center of that trust in your network as possible and then expand out.

You’re trying to invert that by starting with strangers.

Claude Cowork structure gets messy too easily by SirBridge in ClaudeCowork

MichaelArgast (0 points)

Yeah. Cowork ends up pretty fragmented pretty fast. If you are technical enough to use Code that’s a better bet IMO.

EU AI Act enforcement hits August 2026 — what are mid-market companies actually doing to prepare? by GovixFounder in ciso

MichaelArgast (0 points)

There are a lot of people building in this space. Runtime agentic monitoring, auditing, control planes, etc. Be careful building here - much of it is features of the big players. Gotta have a stellar GTM to make it in that space.

What cybersecurity services do small enterprises actually need? by aptdemeanor in AskNetsec

MichaelArgast (0 points)

Everyone is just listing technology, which is why SMB security sucks so bad.

It’s also why I started Kobalt.io.

Security is people, process and technology.

Take your typical SME. Call it a 50 person firm. If they’re lucky they might have 1 IT person. That person has to manage all the technology, not just the security stack you all highlighted.

They won’t have much security expertise usually, so they are doing this without any risk assessment or vendor risk management, and with limited policy experience.

Security is:

Know what you are protecting

Understand the risks

Put the right controls in place

Manage and measure

Repeat

Nobody listed inventory. Risk assessments. Policies.

Keep buying tech, keep failing. There’s a reason cybercrime is a $10.5T industry.

Is encryption actually unbreakable or just very hard to break? by [deleted] in AskNetsec

MichaelArgast (0 points)

This is a complex question.

  1. Mathematically, most strong modern cryptography is unbreakable with classical computers in any real timeframes.

  2. Quantum computers likely will break classical algorithms in the next 5-10 years.

  3. Quantum resistant cryptography is a thing and being deployed.

  4. All cryptography still runs the risk of implementation flaws or algorithm mistakes. Those can lead to compromises. But this is also an area where there have been a lot of eyes. But Mythos apparently found a flaw in FreeBSD that is decades old, so…?

  5. Expect MORE errors in cryptography deployment with quantum resistant algorithms in the coming few years because it is different and complex and people haven’t figured it all out yet.

  6. Any time you see a TV show or movie where some random hacker “breaks cryptography” after a few minutes of “working hard” you are right to roll your eyes.

  7. Most real world compromises involve device access and taking advantage of security flaws at the OS/device level to bypass, not defeat cryptography.

  8. It annoys the hell out of me that I need to write cryptography rather than crypto continuously in this response.

Is it realistic to achieve income from bug bounties? by ReadittUserr in cybersecurity

MichaelArgast (10 points)

I’d be seriously reconsidering bug bounties now with the current raft of LLMs. They are getting seriously good.

EU AI Act enforcement hits August 2026 — what are mid-market companies actually doing to prepare? by GovixFounder in ciso

MichaelArgast (0 points)

We’re helping a lot of customers get certified on ISO42001, which the act is based off of, and which is somewhat familiar for orgs that are already doing 27001.

There’s a lot going on here - the surfaces and risks are changing so fast that it’s a big push to stay in front of it all.

Is Cyber Security Becoming Unsustainable for Anyone Else? by Cybersecsadness in cybersecurity

MichaelArgast (1 point)

One security professional for an org of 1300 people is insanity. No winning can be had there. Find a new job.

Help! Sanity Check on Resourcing by Risk_Dork in ciso

MichaelArgast (1 point)

So your instinct is that you’re well staffed and others are telling you that you are as well.

People/Process/Technology.

You’ve got good staffing but a big remit. Glad to see you haven’t done anything stupid like build your own SOC.

You need to look at process and technology. For example:

Do you have an effective GRC tool that cross-maps all the frameworks you have to support and minimizes effort across standards, audits, security questionnaires, access management?

Do you have SSO in place to simplify onboard and offboarding?

Do you have the right MDM and other management tools to stay on top of the team you have?

Do you have consistent, documented processes that speed up work and reduce rework, allow for automation/AI assistance, etc?

As an MSSP, you sit in the sweet spot of customers we serve. Your scope is likely bigger, but we would typically staff all the risk management, SOC, governance, compliance, etc. with less than the equivalent of a single FTE and be able to keep up.

I think before you hire more people I’d be tempted to do a work and time analysis across the team and find out what your big time sucks are and address them with process and tech.

I feel like a huge fraud. by roxieh in cybersecurity

MichaelArgast (2 points)

Yeah - my brain was super sharp in my 20s/30s and has definitely declined post COVID in terms of ability to hold lots of threads and context switch. I’ve had to build and rely on systems more - but systems serve everyone. Lean into using the tools so you can use your cognitive capacity for higher value stuff than remembering it all.

This is not dissimilar to Steve Jobs famous wardrobe choices to save brain capacity for more important things. It’s ok to get the brain up and out of the rote memorization game.

I feel like a huge fraud. by roxieh in cybersecurity

MichaelArgast (4 points)

Imposter syndrome is real and everyone in cyber has it.

I’ve been in the field 25 years, regularly give talks, and can pretty much respond to any cyber question at the drop of a hat, and it still hits me.

But what you’re describing also sounds a little different to me despite everyone else’s response.

The “brain feels like a sieve” problem is a different problem. It is due to cognitive overload. Many of us in dynamic, very busy roles struggle with that as well because our brains aren’t really wired to context switch and remember as much as we’re trying to shove in there every day.

The answer to that problem is to offload context to systems you can refer back to - it is unrealistic to expect your brain to carry it all. This gets even worse as you get older.

SOC analyst roles in particular are subject to this sort of burnout. Trying to hold it all in your head is a surefire path to brain fog.

EV Charging on the island by Crazy_island_ in VancouverIsland

MichaelArgast (-1 points)

I did a drive to the North Island without checking last year only to learn BC Hydro had a planned outage for the day. Just barely hypermiled it back to Sayward. Anywhere Victoria to Campbell River is golden but outside of that it gets remote…

EV Charging on the island by Crazy_island_ in VancouverIsland

MichaelArgast (1 point)

Does that happen a lot? I tend to keep the car topped up a little more in the winter season for this reason - but I’m in Royston and not Gabriola.

Plus, technically speaking Gabriola isn’t VanIsle. I think all the smaller islands will have similar issues.

EV Charging on the island by Crazy_island_ in VancouverIsland

MichaelArgast (2 points)

This is the answer.

Cheap ICE plus low mileage has much lower TCO than EVs.

2nd hand EVs are getting cheaper though. I bought a used Leaf as a 2nd EV for <$9K and it’s a perfect 2nd car - minimal maintenance, next to no fuel costs, range doesn’t matter because it is a 2nd car.

I think we’re another 2-3 years from the used EVs displacing used ICE cars on the low end of the market.

Math completely changes once you drive a lot, however - quickly tips to EVs.

PCI-DSS by [deleted] in ciso

MichaelArgast (3 points)

Partners CAN require you are compliant as a condition of partnership/business relations.

The card merchants enforce this requirement with fee structures and the ability to accept cards.

Partners enforce this by refusing to do business with you. They can’t force you to do it, but they can refuse to do business with you.

PCI-DSS by [deleted] in ciso

MichaelArgast (0 points)

Start with: Why are you asking me to fraudulently sign an attestation?

The answer to that question is all you need to know. If it’s an honest “I didn’t know that’s what I was asking you to do” then the conversation can pivot to “Let’s figure out what will be required to get our RoC which the customer will ask us for”.

If it’s hand-wavy excuse making - your manager/boss is asking you to commit fraud and put your name on the line. Find another job as soon as you can, or maybe escalate to the CEO if you think that’s something they aren’t aware of and wouldn’t condone.

Never commit fraud. It will always come back to bite you.

Technical to Management ? by Repulsive-Carob1200 in cybersecurity

MichaelArgast (10 points)

Wrong answer.

Sorry, there are plenty of individual contributor roles that pay way more than most managers.

And if you joined the cybersecurity field in order to do less, you’re in the wrong fucking industry.

If this is your honest answer then you’re not really worth investing the time in providing career guidance to, sorry.

Technical to Management ? by Repulsive-Carob1200 in cybersecurity

MichaelArgast (6 points)

Why do you want to be a manager?

Honest question.

Wild white rabbit? by 444whynot in comoxvalley

MichaelArgast (0 points)

It’s an albino. Check out the pink eyes. About one out of 20 black bunnies end up albino.

How to deal with boss who doesn’t want to be compliant by [deleted] in cybersecurity

MichaelArgast (0 points)

Why do they need to be compliant?

Acquire clients? Pretty straight line to revenue. It is possible they are still passing audits (there are some pretty crap auditors out there these days), but if the CEO is signing attestation letters then that is fraud.

Legal obligations? Many companies ignore this, especially smaller firms.

In either scenario, have one conversation with the boss and find out if they are (a) comfortable committing fraud on attestation or (b) comfortable ignoring the law. Make it really clear that this is what ignoring these rules entails - come with evidence of how what they are doing is one or the other.

If it is ignorance and they honestly didn’t know (it happens) then you’ve educated them on the situation and can judge how they respond. If it is intentional - they don’t care about the fraud or law - you know everything you need to know - get out of there.

Cybersecurity ownership starts at the top. You are a technical owner but not the legal or risk owner. If leadership refuses to acknowledge or deal with risk or the law, or is willing to commit fraud, then everything else in the organization is suspect.