Top CISO Stories from Around the Web: September

From New York hospitals preparing to meet new mandates requiring a dedicated CISO, federal agencies ramping up AI for cyber defense, and experts weighing in on the Heathrow cyberattack, to CISOs embracing containment-focused strategies and shadow AI emerging as a major governance challenge, September proved to be a month of major, game-changing cybersecurity developments.

Agencies increasingly dive into AI for cyber defense, acting federal CISO says

Source: Cyberscoop

Federal agencies are ramping up the use of artificial intelligence to strengthen cybersecurity, according to acting Federal CISO Michael Duffy. He highlighted that AI is helping agencies identify vulnerabilities at scale and accelerate new technology adoption across government missions. With cyberattacks growing faster and more sophisticated, Duffy emphasized the need for updated policies and coordinated efforts to streamline tools, boost resilience, and ensure secure interactions with the public. The federal government is now poised to harness AI’s potential while carefully managing its risks to protect sensitive information.

Cyber experts react to London Heathrow hacker arrest

Source: Intelligent CISO

Cyber experts are weighing in after the arrest of a man linked to the cyberattack that disrupted London Heathrow and other major European airports. The incident, which targeted a software provider used for check-in and boarding, caused widespread flight delays and highlighted the vulnerability of even well-protected organisations. Experts emphasize that the attack exposes gaps in the cybersecurity industry’s approach, urging businesses to adopt holistic strategies, strengthen supply chain security, and prepare robust incident response plans. The case serves as a stark reminder that cyber threats are escalating in scale and sophistication, affecting both public and private sectors alike.

From prevention to rapid response: The new era of CISO strategy

Source: CSO Online

Modern CISOs are shifting from trying to prevent every breach to focusing on containment and rapid response. By segmenting networks, enforcing strict zero trust access, and monitoring behavior in real time, they limit the blast radius of attacks and reduce recovery time. In high-stakes sectors like fintech, security must be strong but seamless, balancing airtight protection with user-friendly experiences. The new cybersecurity playbook is clear: breaches will happen, but disasters are avoidable with proactive containment and resilient strategies.

Why Shadow AI Is the Next Big Governance Challenge for CISOs

Source: Infosecurity Magazine

Shadow AI is emerging as a major governance challenge as employees use AI tools like ChatGPT and Google Gemini outside IT oversight, exposing organizations to security, privacy, and compliance risks. Unlike traditional shadow IT, these tools often leave no trace, making bans ineffective and potentially driving usage further underground. Experts stress that the solution lies in visibility, monitoring, clear policies, and employee training, ensuring safe and approved AI adoption without stifling innovation. Companies that embrace these strategies can harness AI’s benefits while mitigating data breaches, regulatory issues, and operational risks.

New York Hospitals Face New Data Security Mandates

Source: HK law

Starting October 2, 2025, New York hospitals will face some of the nation’s toughest cybersecurity rules under 10 NYCRR § 405.46. The regulations go beyond HIPAA by requiring every hospital to appoint a Chief Information Security Officer who must annually review, update and attest to data security policies, approve compensating controls when encryption is not feasible, and oversee yearly risk assessments. Hospitals must also run full cybersecurity programs to identify, protect against, respond to and recover from cyber incidents. Although the rules do not list specific penalties, the Department of Health can impose civil fines or even take enforcement action that could affect a hospital’s license if it fails to comply.
