Welcome to this week’s edition of Cyber Motion, tailored for cybersecurity business leaders. In this newsletter, you’ll find practical strategies, cutting-edge insights, and fresh thinking designed to help your security-focused brand break through a crowded market. My goal is to equip you with the tools and ideas needed to thrive amid shifting threats, buyer skepticism, and evolving industry standards.
– Tobias
Not yet a subscriber? Sign up here.
INSIDE THIS EDITION
Salesforce woes
The crisis communication crisis
AI, AI, AI, and more AI
BEST OF THE WEEK
Salesforce ForcedLeak Bug - Salesforce has had a rough go of it recently. Researchers discovered a critical vulnerability in Salesforce's AI Agentforce platform that allows attackers to steal sensitive CRM data through indirect prompt injection attacks via Web-to-Lead forms. The flaw demonstrates how AI agents create fundamentally different attack surfaces compared to traditional systems, with attackers able to manipulate AI responses to exfiltrate customer data. (The Hacker News)
Cybersecurity Communication Problem - Security expert Ross Haleliuk argues that the cybersecurity industry suffers from a widespread communication crisis—security vendors struggle to clearly explain their solutions while CISOs and security teams often fail to effectively communicate with business stakeholders. The piece explores how this communication breakdown isn't intentional but rather reflects deeper structural challenges in how the industry discusses complex security concepts. (Venture in Security)
Agentic AI for Security Scale - Financial services security veteran Aaron Momin explains how autonomous AI agents can help organizations scale their cybersecurity capabilities without hiring additional security staff, addressing the critical talent shortage. He argues that in the AI-powered attack era, speed and autonomous response matter more than team size, with agentic AI enabling faster threat identification and response than traditional large security teams. (CIO.com)
THE DEEP DIVE
When the Supply Chain Burns: What the NPM Attack Taught Us About Crisis Communication
Supply chain attacks don't announce themselves with sirens. One day your vendors are fine, the next they're compromised, and suddenly you're explaining to your board why your "secure" software stack might be leaking credentials to GitHub repositories named after sci-fi sandworms.
The Communication Crisis Hidden in Plain Sight
The September NPM "Shai-Hulud" attack wasn't just another supply chain compromise. It was the first successful software worm in the JavaScript ecosystem, infecting over 500 packages before GitHub and CISA stepped in. The self-replicating malware didn't just steal credentials. It automatically spread to other packages, turning each compromise into a launching pad for the next.
But here's what most security coverage missed: this wasn't just a technical incident. It was a master class in how not to handle crisis communication.
While security teams scrambled to assess the scope of a worm that kept spreading, a more dangerous problem emerged. Organizations discovered they had no playbook for communicating vendor compromises to stakeholders. Board members received fragmented updates. Customers got radio silence. Partners learned about potential exposure through CISA alerts rather than official company channels.
The attack didn't resolve in hours. It evolved for days as researchers uncovered more infected packages. Each day without clear communication eroded trust that took years to build.
Three Communication Blind Spots That Killed Credibility
Blind Spot #1: The Scope Uncertainty Problem
Traditional breaches have defined boundaries. This worm kept spreading. Initial estimates of 180+ infected packages ballooned to over 500, with CISA ultimately urging organizations to "conduct reviews of all software leveraging the npm package ecosystem." How do you communicate impact when the impact keeps growing? Companies that handled this well acknowledged the uncertainty upfront rather than pretending to have complete information.
Blind Spot #2: The Authority Vacuum
When GitHub removed 500 packages from the registry, some organizations discovered their software suddenly wouldn't build. But who had authority to communicate about operational disruptions caused by security remediation? Engineering teams understood the technical fixes but couldn't speak to business continuity. Executive teams could address business impact but didn't grasp the technical nuances. The disconnect left stakeholders confused about both the problem and the solution.
Blind Spot #3: The Cascading Crisis
This attack started from credentials leaked in a previous incident, highlighting how security failures compound over time. But most crisis communication treats each incident in isolation. Organizations struggled to explain to stakeholders why an "old" credential leak suddenly became a "new" supply chain emergency. The companies that maintained credibility connected the dots explicitly rather than treating each security event as disconnected.
The Uncomfortable Truth About Vendor Dependencies
Here's what the Shai-Hulud incident really exposed: we've built cybersecurity programs around the illusion of control. We audit our own systems, train our own teams, and measure our own metrics. But when a worm automatically spreads through the open source ecosystem, your security posture becomes dependent on GitHub's incident response speed and CISA's public warnings.
The companies that handled this crisis well weren't necessarily the ones with the most secure architectures. They were the ones that had already grappled with a fundamental question: How do you maintain stakeholder trust when you're dependent on someone else's crisis management?
Some discovered their vendor risk assessments completely ignored communication competency. They never asked: "When you remove 500 packages from your registry, how do you help customers understand operational impact?" Others realized they needed different messaging for different types of dependencies. Critical infrastructure providers require different communication than development tools. Optional integrations need different messaging than core business systems.
The worm's self-replicating nature made traditional vendor management obsolete overnight. You couldn't just swap out a compromised vendor when the compromise kept spreading to new vendors automatically.
The Bottom Line
CISA's official warning came after security researchers and GitHub had already contained the spread. But many organizations are still discovering affected packages in their environments weeks later. The technical remediation continues, but the communication damage may be permanent.
The NPM attack revealed an uncomfortable truth: most cybersecurity leaders have sophisticated plans for their systems being compromised, but wing it when the entire ecosystem gets infected.
Your incident response plan isn't complete until it accounts for cascading vendor compromises. Because in today's interconnected world, your dependency's crisis communication failures become your crisis communication failures. This is especially true when those dependencies keep multiplying automatically.
The organizations that will emerge from this incident with stronger stakeholder relationships won't be the ones with the most secure systems. They'll be the ones that communicated most effectively when security failed at ecosystem scale.
Stay sharp,
Tobias
LOOKING FOR MORE?
Feedback or questions—reach out directly at [email protected].
Need help with your marketing strategy? Register for a 90-minute strategy call with me.
Looking for a fractional CMO? Visit The Chief Marketer to learn more about my fCMO services.