Tag: Cybersecurity Advisors Network

Welcome New Member – Samira Marquaille from France

Please welcome our newest member from France, Samira Marquaille. Samira Marquaille is an IT Project Manager with more than 20 years of experience across both public and private sectors, with a strong focus on data privacy. She is skilled at uniting teams and fostering collaboration

🐘 The Elephant in the Server Room: Why Nation-State Hackers Love Small Businesses

You’d think nation-state cyber attackers would be too busy targeting military secrets, critical infrastructure, or global financial systems to bother with your local optometrist, small engineering firm, or boutique consultancy. But you’d be wrong. As Rob Lemos in his recent Dark Reading article “Nation-State Threats 

No Time for Antics with Semantics: Why CVEs Are Cybersecurity’s Lifeline

The cybersecurity world runs on shared language.

We don’t often talk about it in those terms—but that’s exactly what the CVE (Common Vulnerabilities and Exposures) system is. A global taxonomy of flaws. A universal index of weakness. The quiet backbone that lets defenders coordinate responses in a coherent, time-sensitive, and standardised way.

This week, we almost lost it.

MITRE, the U.S. non-profit that has maintained the CVE database for the past 25 years, issued a warning: without urgent financial support, the program might have to shut down. For a moment, it looked like a cornerstone of global cyber defence could vanish not due to compromise, but because the funding simply… ran out.

In breaking news, that immediate crisis has been averted. MITRE’s contract has been extended by CISA (the US Cybersecurity and Infrastructure Security Agency)—giving the CVE program a last-minute reprieve.

But let’s be very clear: contract extended or not, if the stability of cybersecurity is dependent upon a single point of failure like the CVE program, then we were doing something wrong all along.

This isn’t just a funding story. It’s a governance failure. And a warning.

What Exactly Is the CVE System?

Think of CVEs like ISBN numbers for cybersecurity. Each known vulnerability gets a unique ID, a descriptor, and references to public advisories. This makes it possible for security vendors, IT teams, researchers, and regulators across the globe to talk about the same issue using the same label.

Without it, we’d see:

  • Mismatched alerts and miscommunication
  • Slower incident response and triage
  • Broken tooling and disrupted automation
  • Loss of clarity about severity and urgency
  • And worst of all—attackers gaining time

It’s one of the few places where the global cyber ecosystem has reached consensus.

And unlike, say, the metric system or date formatting conventions—which still spark furious debate—this agreed shared language is not just helpful, it’s vital.

Because ultimately, this isn’t about playing antics with semantics. It’s about enabling defenders to move fast, speak clearly, and act decisively—before the attackers do.

The CVE system underpins millions of software and hardware interactions. It’s built into everything from vulnerability scanners and SIEM tools, to third-party risk assessments and government guidance.

So when that structure comes under threat—even temporarily—the ripple effect is massive.

A Global Risk, Not Just a U.S. One

Yes, the CVE program is managed by a U.S. organisation, and yes, it’s historically funded through U.S. government contracts. But its reach is global. Cyber agencies across Australia, the EU, Singapore, Canada, the UK, and beyond rely on CVE-tagged data. Threat intelligence feeds are stitched together with CVEs as the reference point. Vulnerability disclosure laws, public alerts, and national security advisories depend on them.

It’s one of the rare areas where governments, private sector actors, and researchers use the same dictionary. If it vanishes, we don’t just lose convenience—we lose coordination. And in cyber, that costs time. And time costs everything.

Who’s Meant to Be Funding This?

The private sector benefits enormously from the CVE system. Many vendors submit vulnerabilities for cataloguing. Yet few have contributed meaningfully to its upkeep.

Governments reference it in policies and standards, but the funding model remains opaque, fragile, and U.S.-centric. What this moment exposed is a critical gap in global cyber infrastructure planning: we’ve built the digital equivalent of a universal translator—and expected someone else to maintain it.

There’s a real opportunity here to rethink that. Whether it’s through an international funding consortium, a public-private stewardship model, or formal multilateral support, we need to treat the CVE program like the critical infrastructure it is—not an afterthought.

What Happens Next Time?

Make no mistake: unless the underlying governance and funding structures change, there will be a next time.

If the CVE system shuts down or is significantly degraded, we can expect:

  • Tooling to break: Most cybersecurity platforms—from scanners to dashboards—rely on CVEs as reference points. Remove them, and accuracy drops off a cliff.
  • Delays in patching: Without standardised identifiers, software vendors and defenders may talk past one another, leading to slower mitigation.
  • Policy vacuums: Government-backed guidance, like CISA’s Known Exploited Vulnerabilities (KEV) catalogue or Australia’s ASD strategies, is CVE-based. It would stall without it.
  • More risk for SMEs: Large organisations might scramble together alternatives. Smaller businesses and resource-constrained teams won’t.

We Can’t Keep Building Fragile Foundations

This isn’t just about one program or one week of funding uncertainty. It’s about resilience.

We can’t claim to be building trusted systems on a global scale while relying on legacy contracts, underfunded nonprofits, and hope.

Cybersecurity isn’t just about stopping breaches. It’s about building structures that can hold when the unexpected happens. And if something as essential as the CVE program can be taken to the brink so easily, we have to ask ourselves: what else have we built on sand?

We dodged a bullet this time, but maybe it’s time we stopped handing out ammunition in the first place.

Thanks for reading. If you’re in business, policy, or cyber, let this moment be your reminder: foundational systems matter. They don’t need bells and whistles—they need stability. And sometimes, the most important things are the ones quietly holding everything else together.

About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

“What happens to Heroes?” EPISODE #4: The Unsung Heroes of the Digital World by Didier Annet

The Psychological Impacts of Cyberattacks

This is the fourth episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack. What I will call the “Heroes”!

Let’s Rewrite the Story

Behind the Keys: Women Who Secure the Future – Edna Conway

About the Author: Saba Bagheri, PhD, Cyber Threat Intelligence Manager at Bupa, APAC Director at the Cybersecurity Advisors Network

Behind The Keys: Women Who Secure the Future

(In)Securities Special Edition

Celebrating International Women in Tech Day

Editor-in-Chief: Kim Chandler McDonald

Co-Founder and CEO of 3 Steps Data

Global VP at CyAN

An award-winning author and advocate for cybersecurity, compliance, and digital sovereignty. Kim drives global conversations on data governance and user empowerment.

Author: Saba Bagheri, PhD

Cyber Threat Intelligence Manager at Bupa

APAC Director at CyAN

CISM, CEH, and CRISC certified. Based in Sydney, she brings deep expertise in ATT&CK®-aligned SOC operations and CTI, contributing to global threat intelligence collaboration.

Behind the Keys: Women Who Secure the Future – Roxanne Pashaei

About the Author: Saba Bagheri, PhD, Cyber Threat Intelligence Manager at Bupa, APAC Director at the Cybersecurity Advisors Network

Strengthening Global Security: Data Protection as National Imperative

In my previous article, Unraveling Digital Sovereignty: The Delicate Balance of Digital Sovereignty: Insights and Imperatives, we explored the intricate balance between protecting national interests and promoting global digital cooperation. Building on that foundation, Part 2 of our series dives deeper into how nations can 

“What happens to Heroes?” EPISODE #3: The short story long by Didier Annet


The Psychological Impacts of Cyberattacks

This is the third episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack.

What I will call the “Heroes”

The hidden impact of Cyberattacks

“Two or three days later, the paranoia sets in and it’s unbearable. The slightest call, the slightest thing that doesn’t work immediately as it should, generates fears and anxiety. It was really quite complicated during the weeks and months after the cyberattack. And today, it’s still something present.”

Excerpt from the interview

During the genesis of my book, I analyzed cases where I interviewed people who had been involved in a major corporate cyberattack. I was also heavily involved in the long, arduous process of rebuilding IT and systems following such an event.

What shocked me the most? The human impact.

Most readers are familiar with the typical sequence of a cyberattack. Let’s dive into what happens next, after the quick fix …

The RECONSTRUCTION PHASE
Once the company’s operations partially resume after the cyber crisis, it will continue to face challenges due to the after-effects of the crisis. Disruptions have caused some customers to lose confidence, which will affect future sales. As internal stresses subside and the company strives to maintain equilibrium, workers gradually regain complete access to IT systems, enabling them to resume work, albeit in uncertain circumstances. For the IT and security teams—our Heroes—this period marks the transition toward a new kind of ‘normal’ in their daily activities.

Once the crisis has ended, the company must promptly execute recovery strategies to minimize harm and enhance long-term resilience. This phase, which follows a crisis, is often full of challenges. It can become a new source of internal tension due to increased workloads. Various relational dynamics come into play, including the settling of scores initiated by tensions built up during the crisis. People look for someone to blame for mistakes, and the first departures are an inevitable consequence of such scrutiny.

At the same time, a complex dynamic arises concerning the recognition of the rescuers’ efforts and the management of relationships within the company. The teams that successfully contained the cyberattack deserve recognition and appreciation for their dedication and efficiency. This recognition is crucial to motivate the IT department to continue the rebuilding efforts. However, it is essential that this appreciation does not alienate staff who were not directly involved in resolving the cyberattack. It could lead to internal conflict, particularly regarding the implementation of company regulations and the management of privileges granted to the ‘Heroes’ during the crisis.

What are the 3 most common human consequences of a cyber crisis?

CONFLICT
The consequences of a cyberattack can be far-reaching and often lead to interpersonal conflicts within a team. Crisis communication is a critical challenge, as there is often a lack of clear, transparent, and timely information. Egos can clash when individuals compete for recognition or try to shift blame, further escalating tensions among team members. Miscommunication and secrecy further fuel these conflicts, as unclear or withheld information can lead to misunderstandings and mistrust. This leads to frustration and confusion. Searching for a guilty party can lead to a hostile environment, where people point fingers and scapegoat others, which undermines team cohesion. Some individuals may also try to position themselves as heroes, trying to improve their reputation by undermining collaboration and unity. These problems are exacerbated by individuals trying to conceal previous errors or questionable choices, out of apprehension about potential consequences. Some might even manipulate events, fabricating narratives that favor their own interests, adding yet another level of complexity.

BURNOUT
Following a cyberattack, IT professionals frequently experience high levels of burnout due to several factors. Disputes within the team can foster a hostile work atmosphere, where egos collide and finger-pointing intensifies stress. The daunting workload during and following the incident, combined with the pressure to address the emergency, can result in physical and psychological weariness. Post-traumatic stress is a common experience, with the intense pressure and fear of consequences persisting long after the event. Many individuals feel unappreciated for their efforts, which demotivates them. Additionally, the company’s secretive approach to handling the crisis often prevents employees from explaining the situation to their families, leading to isolation and further emotional strain. Collectively, these factors contribute to severe burnout, which negatively affects the well-being and productivity of those involved in the cyberattack response.

RESIGNATION
After a cyberattack, many IT professionals resign.

The conflicts and burnout factors described above, taken together, are more than enough to exceed the resignation threshold an employee can bear.

These factors contribute to a high turnover rate among IT professionals, who leave to find better working conditions and a healthier work-life balance.

It struck me as unusual to observe:
• Those enduring the greatest hardship remain in their employment.
• Conversely, those who could emotionally handle it have resigned.

THINGS TO REMEMBER
Human factors significantly impact business operations, potentially leading to financial consequences due to prolonged recovery times and staff turnover. Losing specialized skills can decrease efficiency and necessitate team restructuring. Recovering comprehensively from a major cyberattack is a lengthy process that can take months or even years. Prioritizing the well-being of your human resources accelerates business recovery and enhances overall performance.

Stay tuned for the next episode.

And don’t forget: “Cybersecurity is like a seatbelt—most of the time you don’t need it, but when you do, you’ll be glad it’s there!”

About the Author

Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the complexities of an ever-changing digital landscape.

Find him on LinkedIn: Didier Annet

Learn more in his book:
📖 Guide de survie aux cyberattaques en entreprise et à leurs conséquences psychologiques: Que fait-on des Héros ? (French Edition). Available on Amazon

Coming soon: The English version – “What Happens to Heroes”

Behind the Keys: Women Who Secure the Future – Daniela Fernandez

About the Author: Saba Bagheri, PhD, Cyber Threat Intelligence Manager at Bupa, APAC Director at the Cybersecurity Advisors Network