I was watching the Olympics recently and found myself thinking about the 2018 cyberattack on the 2018 Winter Olympics. (A great capture of this event is on Wired magazines site here)

We often view major sporting events as moments of unity, competition, and global celebration. Adversaries see something else: a global stage makes them extraordinarily attractive targets for cyber operations — whether the goal is disruption, embarrassment, geopolitical signaling, or simple chaos.

In 2018, the impact extended beyond Olympic IT systems. Nearby ski resorts, hotels, and supporting organizations were also affected. The lesson wasn’t just about event security — it was about ecosystem security.

As we look ahead to events like the FIFA World Cup matches coming to Dallas, the Super Bowl, or the World Series as just a few examples, we should assume interest from sophisticated threat actors — not just opportunistic criminals.

That’s one reason I absolutely “ate up” this entire presentation about threat intelligence in advance of FIFA games in Dallas. 

The visionary thinking behind this presentation is monumental and a great lesson to all – I highly recommend you read it too. Even if you’re not in Dallas the thoughts here will apply to nearly anyone at some point in the future.

The key lesson from is coordination.

When attackers operate across sectors, defenders must as well. Collective defense, cross-industry information sharing, pre-event joint exercises, and integrated incident response planning across public and private organizations are no longer “nice to have.” They are foundational.

History has already given us the warning. The question is whether we’re thinking broadly enough — across sectors, across cities, across ecosystems — before the next global moment arrives.

(I had too many deep thoughts to keep to a newsletter; visit this article I wrote for a deeper assessment of key strategic insights you can use in your profession right now).

Sandworm isn’t just a story about devastating cyberattacks. It’s a masterclass in attribution, geopolitics, systemic risk, and strategic blindness — and its lessons are even more relevant today than when the events first unfolded.

One of the biggest takeaways: attribution is hard. Initial conclusions are often wrong. What looks obvious in hindsight required years of technical forensics, intelligence integration, and international coordination. For security leaders, it’s a warning against rushing to judgment under media or board pressure.

The book also makes something clear: cyber is statecraft. These weren’t random hacks — they were geopolitical instruments. And while ransomware dominates headlines today, nation-state activity likely hasn’t slowed. It’s just harder to see through the noise.

The M.E.Doc supply chain compromise shows how one overlooked vendor can cascade into global disruption. The most dangerous phrase in cybersecurity? “Why would anyone target us?”

Sandworm ultimately forces leaders to confront uncomfortable truths about ecosystem risk, resilience under degraded conditions, and the blurred lines between criminal groups and nation-states.

If you’re a CISO, board member, or policy leader, this isn’t just a history lesson. It’s a strategic wake-up call.

The stakes are higher now.

Read the full article for an overview of the deeper insights you’ll glean from reading Sandworm.

🔗 If you’re new to the MITRE ATT&CK framework, check this out as a guide before you roll into the details.

🔗 FreePBX Zero Day Vulnerability breakdown - Understanding vulnerabilities can help you much beyond the tactical issue of the insecure technology.  Especially when the author breaks down the issue so clearly as you see here.

🔗 Read between the lines in this helpful article that helps you understand the recent Office zero day vulnerability. Many miss this important point -- threat actors were exploiting this vulnerability before publication of the CVE.

▶ Know someone who’d love this? Forward it their way.
▶ Did you receive this newsletter? Click here to subscribe.