ArReko Gibbs, MSIS| CCSK|CCRMP|CSM

Something has changed in the security questionnaires I've been seeing lately.

The AI questions used to be optional, often vague, a single line asking whether the company "uses artificial intelligence." Now they're getting specific. What AI tools do you use. What data goes into them. How are employees governed in their use of those tools. Are there contractual restrictions with subprocessors using AI on your data. What's your policy on training models on customer information.

These questions are coming from customers. They're coming from larger partners doing vendor due diligence. They're starting to show up in audits.

Most of the SMBs I talk to aren't ready to answer them, not because they're doing anything wrong, but because they've never been asked to articulate it.

The companies that get out ahead of this aren't the ones with the most restrictive AI policies. They're the ones who can give a clear, honest answer to: where is AI used in our business, what data touches it, who reviewed it, and what's our position on the questions our customers are starting to ask.

That's not a technology project. It's a leadership exercise. And the businesses that treat it that way now will be in a much stronger position when the questions arrive, which is happening sooner than most people expect.

It's a fair question on its face. It's also the assumption that's gotten a lot of small businesses into trouble.

Attackers don't sort their targets the way a sales team does. They look for soft spots. Smaller businesses tend to run on fewer controls, less monitoring, and a long list of SaaS tools nobody has reviewed since the contracts were signed. That's not a small target. It's a convenient one.

The good news, if you can call it that, is the basics carry you a long way. A reasonable understanding of your environment. Real ownership over who can access what. Vendors that get reviewed more than once. A plan for the bad day that's written down somewhere people can find it.

I tell business owners this regularly: most SMBs don't have a cybersecurity problem. They have a visibility problem. Once you can see what you've got, the rest of the conversation gets a lot easier to have.

If your security posture feels more like guesswork than a plan, a gap analysis is a sensible place to start. We do this work at Cyber Analytical Solutions — happy to walk through what it looks like for your business.

An email that looks normal.

A payment request that seems routine.

A message that feels urgent enough to act on before slowing down to question it.

That is what makes these threats so effective.

For small and mid-sized businesses, security is not only about blocking malware or buying tools. It is also about building a culture where people are trained to slow down, verify, and recognize when something feels just believable enough to be dangerous.

That is one reason I believe security awareness still matters so much. Not because employees are the problem, but because trust is often the target.

There is a lot of energy that comes with creating, improving, and moving things forward. But one thing I keep coming back to is this:

Speed means very little if the foundation is not secure.

It is easy to focus on functionality, design, automation, and getting something working. What can get overlooked is whether the system is actually being built with the right controls, oversight, and security thinking behind it.

That matters.

Whether a business is building an internal application, adopting automation, or using new platforms to improve operations, the same principle applies: if it touches data, supports business decisions, or becomes part of the environment, security should already be in the conversation.

•Not later.

•Not after rollout.

•Not only when something goes wrong.

For SMBs especially, secure foundations matter because small oversights can create larger exposure over time.

Innovation is valuable.

But secure innovation is what creates lasting value.

I do not see it that way.

Security standards are not just about size. They are about structure, discipline, and consistency.

A business does not need to be a major enterprise to benefit from clearer policies, better access control, stronger vendor awareness, data protection practices, and a more defined approach to risk.

In many cases, SMBs are especially vulnerable because they are moving quickly, wearing multiple hats, and trying to grow while managing limited time and resources.

That is exactly why security standards matter.

They help create a stronger foundation.

They help reduce avoidable gaps.

They help businesses make better decisions before issues become real problems.

For SMBs, security maturity does not start with doing everything at once.

It starts with taking the right steps seriously.

1. AI agents are the "arms and legs" of modern work but they’re starting to move on their own. My new research reveals a massive gap between AI adoption and enterprise control.

2. The Adoption: 43% of orgs report that more than half their workforce uses AI agents regularly. This isn't a pilot program anymore; it’s the standard. #AIAgents

3. The Shadow: 54% report "shadow" or unsanctioned AI agents in use. If you can't see them, you can't secure them. This is the new hidden attack surface.

4. The Risk: 53% say agents are exceeding intended permissions. These agents are accessing data and systems they were never meant to touch.

5. The Reality: 47% have already experienced an AI agent-related security incident. The risk is no longer theoretical—it’s here.

This is a preview of the CAS dashboard platform currently in pilot development, designed to support cybersecurity, vendor risk, compliance, and executive reporting for small and mid-sized businesses.

At the same time, I have also spent the last 7 to 8 months rebuilding the Cyber Analytical Solutions website to create a stronger foundation for where the company is going. I appreciate everyone who has taken time to view the new site and share positive feedback on the new direction.

What I see ahead is a continued shift across cybersecurity, AI, rule-based automation, and other emerging technologies. I believe that shift creates real opportunity to help SMBs strengthen their security posture, improve risk visibility, and make better security decisions with confidence.

This work is still developing, but the vision is clear and the progress is real.

As AI-assisted development becomes more common, organizations should be cautious about how AI-generated code is introduced into business applications and internal environments.

At Cyber Analytical Solutions, we believe the concern is not simply the use of AI in development. The concern is the use of AI-generated code without appropriate verification, validation, security review, and experienced human oversight.

Code that appears functional is not automatically secure.

When AI-generated code is adopted too quickly, organizations may introduce risk through insecure logic, vulnerable dependencies, poor secrets handling, weak access control, insufficient input validation, insecure defaults, or limited security testing. Current guidance from NIST emphasizes that code should be evaluated for vulnerabilities and other issues before use, whether it is written by a human or generated by AI. �

NIST Publications +1

This is especially important in corporate environments, including internal applications, where rapid deployment can create hidden exposure across data handling, workflows, integrations, and business operations.

Strong governance matters here.

Before AI-generated code is deployed, organizations should ensure:

security review is performed

code is validated beyond basic functionality

dependencies and configurations are assessed

human oversight remains in place

senior engineering and security review are involved before production release

AI can improve development speed, but speed without control can increase risk.

Secure adoption requires structure, accountability, and human judgment.

At Cyber Analytical Solutions, the focus is on practical cybersecurity, risk visibility, and business-aligned support that helps organizations strengthen security posture and build resilience over time.

Strengthen Security | Reduce Risk | Build Resilience

The work matters. A lot.

But if people do not understand your value, your perspective, your discipline, or the problems you help solve, then the quality of the work can stay hidden longer than it should.

That is why communication matters.

Not inflated messaging.

Not noise.

Not pretending.

Clear communication.

As a founder, that has become one of the biggest reminders for me: credibility is strengthened not only by the work you do, but by your willingness to communicate it with consistency and purpose.

That applies in business, and it definitely applies in cybersecurity.

One thing I continue to respect about this work is that meaningful progress rarely happens all at once.

Whether you are building a business, improving a security program, strengthening governance, or helping clients reduce risk, the real movement comes from consistency.

Small steps matter.

Better awareness matters.

Stronger follow-up matters.

Clearer communication matters.

A lot of businesses think security improvement has to begin with something large and expensive.

Often, it starts with visibility.

Then structure.

Then better decisions.

Then maturity over time.

That applies to building a company too.

Consistency creates movement, and movement creates results.

Why Governance Matters More Than Many Businesses Realize

One of the areas businesses often underestimate is governance.

Too often, governance is seen as something formal, administrative, or only necessary when compliance enters the conversation.

But strong governance does something bigger than that.

It creates structure.

It improves accountability.

It supports decision-making.

It helps businesses manage risk before small issues become larger ones.

Whether it is vendor oversight, security ownership, policy alignment, or clearer risk processes, governance helps a business operate with more confidence and maturity.

That is one reason I continue to emphasize it so much.

Good governance is not just a security function. It is a business advantage.

At Cyber Analytical Solutions, we believe outreach should be informed, intentional, and rooted in business understanding.

Cybersecurity conversations are more effective when they are based on the client’s environment, likely challenges, vendor exposure, and operational risk.

A thoughtful approach creates better conversations than generic sales messaging ever will.

The goal is not simply to reach out. The goal is to bring value from the first interaction.

That is how stronger client relationships begin.

At Cyber Analytical Solutions, we believe cybersecurity communication matters just as much as cybersecurity capability.

Tumblr gives businesses an opportunity to educate, build trust, and create meaningful conversations around risk, security posture, governance, and resilience.

For small and mid-sized businesses, visibility matters. Decision-makers want to understand not only what a cybersecurity company does, but how it thinks.

That is why we continue to share practical insights that help businesses better understand security risks, vendor exposure, and the importance of proactive risk management.

Trust is built one conversation at a time.

This past week was a reminder that building a business takes more than vision. It takes consistency, patience, problem-solving, and the willingness to keep improving.

At Cyber Analytical Solutions, that mindset shapes how we support small and mid-sized businesses. We help organizations identify security gaps, strengthen protections, and take practical steps toward a stronger security foundation.

We appreciate the continued support as we continue to build and move forward.

A stronger security posture starts with knowing what needs attention first.

A lot of businesses know cybersecurity matters, but many are still trying to understand what that actually means in practical terms for their company.

For some, it means identifying gaps in their current security posture. For others, it means improving risk management, reviewing third-party exposure, strengthening internal processes, or simply knowing where to begin.

That is one of the reasons I built Cyber Analytical Solutions.

My focus is helping businesses cut through the noise and get clear on what matters most. That starts with identifying security gaps, understanding where risk may be building, and putting practical steps in place to strengthen the business over time.

For many small and mid-sized businesses, the challenge is not only whether security matters. It is knowing what needs attention first, what can create unnecessary exposure, and what actions will make the biggest difference.

That is where practical support matters.

Cyber Analytical Solutions is built to help businesses better understand their security posture, identify meaningful gaps, improve visibility, and take a more proactive approach to cybersecurity and risk management.

Not fear-based. Not overly complicated. Just real support, real insight, and real steps toward a stronger security foundation.

One of the biggest misconceptions in cybersecurity is that small businesses are not on an attacker’s radar.

That is simply not true.

Many small and growing businesses are targeted because they often do not have the same protections, processes, or visibility that larger organizations may already have in place. In many cases, threats are looking for the easiest point of entry, not the biggest company name.

The good news is that small businesses are not without options. The right approach starts with practical protections, clear processes, and better visibility into what is happening across the business environment.

That can mean strengthening public-facing systems, improving access controls, reviewing third-party risk, putting better monitoring in place, and making sure there is a process to identify and respond to issues early.

Cybersecurity is not only about tools. It is about awareness, process, and making smart decisions early before small issues become larger problems.

That is one of the reasons I built Cyber Analytical Solutions — to help businesses identify security gaps, strengthen protections, improve risk visibility, and build a more practical security foundation that supports growth.

Small businesses need cybersecurity too, and they deserve an approach that is practical, clear, and built for the way they operate.