November’s Top Security Stories: New Risks, Rules, and Resilience Efforts

November’s cybersecurity headlines spotlighted that the cyber status quo is cracking.  

Security teams are drowning in alerts, governments are rewriting the rules of defense, and critical infrastructure operators are bracing for attacks that move faster than their protections.

Across the industry, experts are sounding the same alarm that prevention isn’t enough. What organizations really need is resilience, the kind that’s built on observability, containment, and AI-driven clarity.

This month’s news features insights from top security experts on:

  • Why security teams still struggle with alert fatigue and what they can do about it
  • How the U.S. DoD’s new Cybersecurity Maturity Model Certification (CMMC) changes expectations for the Defense Industrial Base (DIB)
  • Why the UK’s new Cyber Security and Resilience Bill may not be realistic enough to secure today’s critical infrastructure

Inside the SOC alert fatigue crisis and where AI can help

In a new TechSpective Podcast episode, From Alert Fatigue to Cyber Resilience: Rethinking the Future of the SOC with AI, host Tony Bradley sat down with Raghu Nandakumara, Illumio VP of industry strategy, for a conversation about one of cybersecurity’s oldest and most frustrating problems: alert fatigue.  

Bradley and Nandakumara dug into why alert fatigue persists after decades of promises from security information and event management (SIEM), security orchestration, automation, and response (SOAR), and detection tools. Today’s security operations center (SOC) teams ingest thousands of daily alerts from these tools, and most are meaningless — until one isn’t.  

Nandakumara described the tension: analysts know most alerts are noise, but they equally know they can’t safely ignore everything. No one wants to be the organization that ignores the one bad thing.

That reality has left teams exhausted, reactive, and, too often, breached.  

Nandakumara explained how Illumio is tackling this with Illumio Insights and its new AI-driven Insights Agent.  

Rather than drowning analysts in raw telemetry, Insights adds critical context, including mapping workloads, flows, and potential attack paths, to help teams spot the signal in the noise. From there, Agent takes over with actionable, role-based guidance.

As Nandakumara described it, AI-powered Agent can “find the needle in the haystack.” Then, it’ll immediately tell different roles, such as SOC analysts, threat hunters, responders, or compliance leaders, exactly what to do next.  

The conversation also hit on a bigger industry shift toward cyber resilience, not compliance, as the goal.  

Prevention still matters, but Nandakumara emphasized a hard truth: “At some point, that prevention capability is going to let one slip through the net.”  

That’s why Illumio focuses on containment to stop the spread of inevitable intrusions. Attackers may breach the perimeter, but they shouldn’t be able to move.

Pair that with AI-driven observability, Nandakumara argued, and organizations get both speed and clarity, two things today’s SOCs desperately lack.

Looking forward, Nandakumara sees the security stack trending toward interconnected AI agents all operating on a unified security graph. Tools will enrich a shared model of the environment and persona-based agents will act on it.  

Nandakumara encouraged leaders to embrace this evolution. “There is always going to be a very important role for human expertise,” he said. “AI just makes humans more productive.”  

The long-awaited DoD Cybersecurity Maturity Model Certification (CMMC) is finally law

In her MeriTalk article “Industry Leaders Say CMMC Rollout Redefines Security, Accountability Across the DIB,” Lisbeth Perez explored how the Department of Defense’s (DoD’s) long-awaited Cybersecurity Maturity Model Certification (CMMC) will officially take effect on November 10 and why it marks a seismic shift for the Defense Industrial Base (DIB).  

The rule introduces a three-tiered framework that ties cybersecurity standards directly to the sensitivity of the data contractors handle. The DoD plans to implement the program in four phases over the next three years.

After years of delays and debate, CMMC is no longer just cyber guidance. It’s the law.

The shift couldn’t be more urgent. Gary Barlet, public sector CTO at Illumio, told MeriTalk that CMMC is overdue but essential to national defense.  

Even amid the latest government shutdown, when many operations were paused, U.S. adversaries didn’t pause, Barlet explained. Agencies and the suppliers they do business with must remain committed to resilience.

The bottom line is that compliance isn’t just paperwork but operational survival.

“CMMC ensures cybersecurity is no longer optional,” Barlet said. “It embeds accountability at every level and compels suppliers to address vulnerabilities often overlooked.”  

For the DIB, the message is clear that security is now a differentiator. Resilience is the new requirement of doing business with the U.S. government.

The UK’s new Cyber Security and Resilience Bill targets critical infrastructure. But is it practical?

In his ITPro article “Cyber Security and Resilience Bill: Security experts question practicality, scope of new legislation,” reporter Ross Kelly broke down the UK’s newest attempt to harden national cyber defenses and why security leaders are split on whether the bill goes far enough.  

The proposed law lands at a moment of rising systemic risk. As Ross noted, new figures from the Office for Budget Responsibility show that a major attack on critical infrastructure could spike government borrowing by £30 billion, with the average cost of a significant cyberattack now topping £190,000.

The legislation aims to bring digital service providers and essential operators, including IT management for healthcare, water, energy, and transport, under unified minimum security standards for the first time.  

Organizations will be required to report significant incidents promptly and maintain robust response plans. Regulators and ministers receive sweeping authority to force action when national security is at risk.  

“Cybersecurity is national security,” said UK Technology Secretary Liz Kendall. “I’m sending them a clear message: the UK is no easy target.”

Illumio Director of Industry Solutions Trevor Dearing strongly welcomed the shift toward broader and earlier incident reporting. He said that it addresses a long-standing blind spot in critical infrastructure risk management.  

“The shift from reporting only successful breaches to reporting all cyber incidents is long overdue,” he said. He also praised new powers to isolate or monitor high-risk systems, calling them “a smart move” for reducing systemic exposure.

But is the bill practical enough for today’s threat landscape? Not all experts agreed.

The UK Information Systems Audit and Control Association (ISACA) Chief Global Strategy Officer Chris Dimitriadis criticized the bill’s narrow focus. He said it ignores where modern risk actually lives.  

“The era when cyber regulation could focus solely on critical national infrastructure is over,” he said. With UK organizations such as M&S, Co-op, and Jaguar Land Rover (JLR) recently hit by major breaches, he warned that “every major employer is part of the digital economy and therefore part of the threat landscape.”  

Dearing also noted that tougher penalties must be paired with investment in helping organizations, especially those with limited budgets, meet the new requirements.  

“It’s equally important that sufficient support is provided to help organizations achieve compliance,” he said.  

The UK’s new Cyber Security and Resilience Bill certainly marks meaningful progress for cybersecurity governance. But its execution and resourcing will determine whether it strengthens national resilience or simply adds another layer of paperwork to an already strained ecosystem.

Try Illumio Insights free to see how AI cuts alert noise, pinpoints real threats, and guides every role toward faster containment.
