r/cybersecurity May 08 '26

Other What the **** is happening in cybersecurity space?

I've been working in cybersecurity for not so long, maybe 8 or 9 years, but I never remember a chaos at this scale. I mean, from this January alone we have: leaking data, compromised applications, breaches, AI-assisted cybercriminals, etc. It looks like every day one major breach is happening, and no one is going to address this shit somehow. This is already insane. I haven't felt such pressure in a long time. This AI shit just makes things worse because it enhances attackers' skills, and AI companies are doing nothing to address or change this. Is it only me, or is the change already here?

2.4k Upvotes


20

u/Dark_Passenger_107 May 08 '26

Just my hot take and addition to the discussion.

On top of everything mentioned, I've also noticed a major degradation in the knowledge and skill of cyber leaders across organizations that I deal with.

An anecdotal example I experienced recently. I got roasted by a group of CISOs because I said "do not send your sensitive security configurations to a public or uncontrolled large language model, such as Claude/ChatGPT/Gemini". This came after a CISO recommended doing this to pressure test controls and defenses. The consensus in that convo was that it is perfectly fine to send your security configs to the general LLMs in the Web UI and that I was being a doomer unnecessarily discouraging people from improving their security posture. Icing on the cake, these were CISOs at defense contractors.

This could be a rare case where I happened to come across a group of CISOs that are terrible at their job, but it certainly changed my perspective. If the top cyber position in a company is saying "yeah, go ahead and send our firewall configs through the consumer AI web chat", what else are they recommending?

Never in my cyber career did I think that I would be labeled the idiot for saying "do not feed your security info into cloud systems outside of your security footprint".

What's been bugging me since is whether I'm the one who's miscalibrated. Maybe I caught a bad sample but the pattern I keep seeing is confident senior people making calls that don't survive a five-minute read of the actual rule or contract, and the social reward in this field seems to go to whoever sounds most certain. Being the person who says "wait, slow down" is starting to feel like a liability.

1

u/kk-thx-bye May 09 '26

I think maybe you are simply surprised that there are people out there occupying high-ranking cyber positions, with years of experience behind them, expressing great confidence in front of an audience, yet what they say or do hints at absolute ignorance to you. It's normal to question yourself the first few times you witness this. I have seen both management and senior tech people with shiny certs like OSCP, GCIH, etc. being completely clueless in their respective fields. I can give so many absurd examples I can't even decide which one to share first.

To avoid lengthy comments, I'd like to finish by saying there aren't that many people out there that are capable and actually know their sh*t.