📰 THREE STORIES THAT MATTER
Each story includes a specific action for CISOs, CIOs, and CTOs—something you can do in the next five business days.
1. Google Patches Two Android Zero-Days Under Active Exploitation
Google's December 2025 Android security bulletin addresses 107 vulnerabilities, including two zero-days (CVE-2025-48633 and CVE-2025-48572) that are being actively exploited in targeted attacks. Both are high-severity flaws in the Android Framework affecting versions 13 through 16—one enables information disclosure, the other allows privilege escalation. (Source)
Google's phrasing—"limited, targeted exploitation"—typically indicates commercial spyware operations targeting high-value individuals.
🔐 CISO Take: If your organization has a BYOD policy or issues Android devices, this is urgent. Push the December 5, 2025 patch level immediately to managed devices. For BYOD, communicate the risk and require attestation of updated devices before accessing sensitive resources. Also worth checking: how current is your MDM inventory? Unpatched devices have a way of hiding.
💻 CIO Take: Pull your device inventory by OEM and check historical patch latency—how long did Samsung, Motorola, and others take to deploy the last 3 critical patches? If any OEM averages more than 30 days, that's a data point for your next device contract negotiation. Pixel isn't the only answer, but patch SLAs should be in your vendor agreements.
⚙️ CTO Take: Your mobile app can't trust the OS. If you're not already doing runtime integrity checks and certificate pinning, add them to your Q1 roadmap. Specific action: run your app on an Android 13 device with the November patch level and see what telemetry you get. If you can't detect the patch gap, you won't detect an exploit either.
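One way to run the inventory check the CIO and CTO takes describe, as an added example that is not from Google's bulletin or from any MDM vendor. It reads a device export, flags devices below the December 5, 2025 patch level on the affected Android versions, sets aside devices that have stopped checking in (the ones that "hide"), and reports each OEM's worst patch lag against the 30-day threshold. The CSV column names, the seven-day staleness cutoff and the sample devices are assumptions constructed for the example; the patch-level string uses the YYYY-MM-DD form Android exposes as Build.VERSION.SECURITY_PATCH, so the same comparison can run inside an app that reports its own patch gap as telemetry.

```python
"""Android patch-level compliance and OEM patch lag from an MDM export (added example).

Not from Google's bulletin or any MDM vendor. The CSV column names (device_id, oem,
android_version, security_patch, last_checkin) are assumptions: map them to your
MDM's export. security_patch uses the YYYY-MM-DD form Android exposes in
Build.VERSION.SECURITY_PATCH, so the same comparison can run inside an app that
reports a patch gap as telemetry.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

REQUIRED_PATCH = date(2025, 12, 5)    # December 2025 bulletin patch level
AFFECTED_VERSIONS = {13, 14, 15, 16}  # Android versions the bulletin names
STALE_AFTER = timedelta(days=7)       # assumed: a week without check-in means status unknown
OEM_SLA_DAYS = 30                     # the 30-day threshold from the CIO take
AS_OF = date(2025, 12, 10)            # constructed snapshot date for the sample

# Constructed sample export; these are not real devices.
SAMPLE_EXPORT = """device_id,oem,model,android_version,security_patch,last_checkin
d-001,Google,Pixel 8,15,2025-12-05,2025-12-08
d-002,Samsung,Galaxy S23,14,2025-11-01,2025-12-08
d-003,Samsung,Galaxy A54,13,2025-10-01,2025-11-20
d-004,Motorola,Edge 50,14,2025-12-05,2025-12-07
d-005,Motorola,Moto G,13,2025-09-01,2025-12-08
d-006,Google,Pixel 7,16,2025-12-05,2025-10-15
"""


def parse_export(text):
    """Parse the CSV export into typed rows (patch level and check-in become dates)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device_id": r["device_id"],
            "oem": r["oem"],
            "android_version": int(r["android_version"]),
            "security_patch": date.fromisoformat(r["security_patch"]),
            "last_checkin": date.fromisoformat(r["last_checkin"]),
        })
    return rows


def is_stale(device, today):
    """A device that has not checked in recently cannot be counted as patched."""
    return today - device["last_checkin"] > STALE_AFTER


def classify(rows, today):
    """Bucket devices: stale first (state unknown), then unpatched, then compliant."""
    buckets = {"compliant": [], "unpatched": [], "stale": []}
    for d in rows:
        if is_stale(d, today):
            buckets["stale"].append(d["device_id"])
        elif d["android_version"] in AFFECTED_VERSIONS and d["security_patch"] < REQUIRED_PATCH:
            buckets["unpatched"].append(d["device_id"])
        else:
            buckets["compliant"].append(d["device_id"])
    return buckets


def lag_by_oem(rows, today):
    """Worst patch lag per OEM, in days behind the required level, over reporting devices only."""
    lag = defaultdict(int)
    for d in rows:
        if is_stale(d, today):
            continue
        behind = max(0, (REQUIRED_PATCH - d["security_patch"]).days)
        lag[d["oem"]] = max(lag[d["oem"]], behind)
    return dict(lag)


def oems_over_sla(rows, today, sla_days=OEM_SLA_DAYS):
    """OEMs whose fleet lags the patch level by more than the SLA: input for the contract talk."""
    return sorted(oem for oem, days in lag_by_oem(rows, today).items() if days > sla_days)


if __name__ == "__main__":
    devices = parse_export(SAMPLE_EXPORT)
    for bucket, ids in classify(devices, AS_OF).items():
        print(f"{bucket:>10}: {', '.join(ids) or '-'}")
    print("lag by OEM (days):", lag_by_oem(devices, AS_OF))
    print("over SLA:", oems_over_sla(devices, AS_OF))
```

A single export only shows how far behind each OEM is today; keeping the exports from successive weeks lets you compute the actual deployment latency for each bulletin, which is the number to put in the vendor agreement.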
The bottom line: Two zero-days are being actively exploited. Push the December 5 patch today.
2. AWS re:Invent 2025: Security Agent and Agentic AI Guardrails
AWS announced a wave of security products at re:Invent this week. The headline: AWS Security Agent, an AI agent that performs automated security reviews and pen testing during development. The agent builds customized attack plans based on your design docs, source code, and security policies, then adapts as it discovers new endpoints and vulnerabilities. (Source)
AWS also addressed a growing concern with agentic AI: identity and access control. CEO Matt Garman acknowledged that "you can't with certainty control what your agent does and does not access." The response: Policy in AgentCore, which lets enterprises set strict boundaries for what AI agents can do.
🔐 CISO Take: Ignore the Security Agent hype for now—automated pen testing won't find your business logic flaws. Focus on the AgentCore Policy announcement. If you have AI agents in production (or shadow AI you haven't found yet), your first action is inventory. Start by emailing each department head: "What AI tools is your team using?" If you can't answer that question in 48 hours, that's your December project.
💻 CIO Take: Add three questions to every vendor security review: (1) How do your AI agents authenticate to our systems? (2) Can we scope their data access to specific datasets? (3) Where's the audit log? If your procurement team isn't asking these yet, send them this list Monday. This is the same conversation we had about cloud vendors five years ago.
⚙️ CTO Take: If you're on AWS, try the Security Agent preview on one repo this month. Even if you don't adopt it, you'll see what it catches that your current SAST/DAST misses. For agent governance: before you ship any AI agent to production, require a one-page doc answering "what's the worst thing this agent could do with the access it has?" If your team can't answer, the agent isn't ready.
The bottom line: AI agents are the new shadow IT. Start your inventory before your board asks about it.
3. AI Governance Gap Widens: 83% Use AI, Only 13% Have Visibility
83% of organizations use AI in daily operations. Only 13% say they have strong visibility into how these systems handle sensitive data. That's the headline from a new Cybersecurity Insiders report surveying 921 security professionals. (Source)
The report warns that AI is "acting as an ungoverned identity"—a non-human user that reads faster, accesses more, and operates continuously. Two-thirds of organizations have caught AI tools over-accessing sensitive information, and 23% admit they have no controls for prompts or outputs.
🔐 CISO Take: This is the shadow IT problem all over again, except the shadow is moving faster and has broader access. Start your AI inventory this week. Pick your highest-risk data category—customer PII, financials, or source code—and ask the system owners one question: "What AI tools touch this data?" Document what you find. That's your baseline.
💻 CIO Take: The 83%/13% gap is a governance failure, not a technology failure. Fix it with one process change: no AI tool gets deployed without a one-page data access review answering three questions: (1) What data can it access? (2) Who approved that access? (3) Where are the logs? Add this to your IT project intake form by January 1.
⚙️ CTO Take: Run this test: pick one AI feature your team shipped this year. Can you pull a log showing exactly what data it accessed last Tuesday and why? If not, you have an audit gap. Fix it by instrumenting access logs before you ship another AI feature. Your CISO will ask eventually—better to have the answer ready.
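The CIO and CTO takes in this story and the previous one circle the same three questions: what data can the agent access, who approved that access, and where is the log that shows what it touched on a given day and why. The block below is an added example of those controls in code; it is not Policy in AgentCore, not any vendor's API, and not from the report. It is a default-deny policy record with an approver field, an enforcement point that logs every decision (including requests from an agent with no policy on file, which is what shadow AI looks like from the data's side), a query for one agent's accesses on one day, and a "blast radius" view answering the worst-case question from the CTO take. The agent ids, dataset names, reasons and timestamps are constructed for the example.

```python
"""Default-deny access policy plus audit log for an AI agent (added example).

Not AgentCore's policy language or any vendor's API; a generic illustration of the
questions the CIO takes raise (what data can the agent access, who approved it,
where is the log) and the CTO takes' tests (worst case given its access; what it
touched on a given day and why). The agent ids, dataset names and timestamps are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, FrozenSet, List

DEMO_TUESDAY = date(2025, 12, 2)  # constructed "last Tuesday" for the log query


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    approved_by: str                       # who signed off on this access
    allowed: Dict[str, FrozenSet[str]]     # dataset -> permitted actions; everything else denied


class AccessAuditLog:
    """Append-only record of every decision, allowed or denied, with the agent's stated reason."""

    def __init__(self):
        self.entries: List[dict] = []

    def record(self, ts, agent_id, dataset, action, reason, allowed):
        self.entries.append({"ts": ts, "agent_id": agent_id, "dataset": dataset,
                             "action": action, "reason": reason, "allowed": allowed})

    def accesses_on(self, agent_id, day):
        """Everything one agent asked for on a given day, allowed or not, with its reason."""
        return [e for e in self.entries if e["agent_id"] == agent_id and e["ts"].date() == day]

    def denied(self):
        """Over-access attempts: the signal the survey says two-thirds of organizations have seen."""
        return [e for e in self.entries if not e["allowed"]]


class PolicyEnforcer:
    """Sits between the agent and the data; an agent with no policy is shadow AI and is denied."""

    def __init__(self, policies, log):
        self.policies = {p.agent_id: p for p in policies}
        self.log = log

    def authorize(self, ts, agent_id, dataset, action, reason):
        policy = self.policies.get(agent_id)
        allowed = policy is not None and action in policy.allowed.get(dataset, frozenset())
        self.log.record(ts, agent_id, dataset, action, reason, allowed)
        return allowed


def blast_radius(policy):
    """Worst case given its access: every (dataset, action) pair the policy permits."""
    return sorted((ds, act) for ds, acts in policy.allowed.items() for act in acts)


def run_demo():
    """Constructed scenario: one approved agent, one unregistered one, four requests."""
    log = AccessAuditLog()
    policy = AgentPolicy(agent_id="support-summarizer", approved_by="cio-office",
                         allowed={"tickets": frozenset({"read"})})
    enforcer = PolicyEnforcer([policy], log)
    decisions = [
        enforcer.authorize(datetime(2025, 12, 2, 9, 0), "support-summarizer", "tickets", "read",
                           "summarize ticket for handoff"),
        enforcer.authorize(datetime(2025, 12, 2, 9, 5), "support-summarizer", "customer_pii", "read",
                           "enrich summary with account details"),     # over-access: denied
        enforcer.authorize(datetime(2025, 12, 2, 14, 0), "sales-bot", "financials", "read",
                           "draft quarterly forecast"),                 # no policy on file: denied
        enforcer.authorize(datetime(2025, 12, 3, 10, 0), "support-summarizer", "tickets", "write",
                           "close resolved ticket"),                   # action not granted: denied
    ]
    return decisions, log, policy


if __name__ == "__main__":
    decisions, log, policy = run_demo()
    print("decisions:", decisions)
    print("blast radius:", blast_radius(policy), "approved by", policy.approved_by)
    for e in log.accesses_on("support-summarizer", DEMO_TUESDAY):
        status = "allowed" if e["allowed"] else "DENIED"
        print(e["ts"], e["dataset"], e["action"], status, "-", e["reason"])
```

The point of logging denials alongside grants is that the denied rows are the inventory you did not know you needed: an agent id with no policy, or an approved agent reaching for a dataset outside its grant, is exactly the over-access the report describes, and it shows up here before it shows up in an incident.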
The bottom line: 83% of companies use AI. Only 13% know what it's accessing. Start your inventory this week.
🎯 THREE THINGS TO DO THIS WEEK
Push the Android patch. December 5 patch level, mandatory for managed devices. For BYOD, send risk communication today.
Start your AI inventory. This week, email your direct reports: "What AI tools is your team using that touch company data?" Compile the responses. That's your governance baseline.
Check your Q1 renewals. Pull your renewal calendar today. For any security tool renewing before March, schedule one competitor demo this month. You don't have to switch—but you need leverage before you negotiate.
📊 FROM THE NETWORK
What IT leaders are prioritizing right now
AI governance keeps coming up. IT leaders want automation, but they know they're flying blind on oversight.
"We are an exceptionally lean team which explains why I am looking for partners who can aid in automating cybersecurity operations via AI or other means." — Director of IT Security, Minerals & Mining Company
Identity sprawl is getting worse. As SaaS portfolios grow, privilege management is becoming unmanageable.
"With thousands of accounts across dozens of applications we are dealing with privilege sprawl across our ecosystem." — Senior Director of Cybersecurity, Major Public Institution
Vendor replacement mentions are up. Nearly 1 in 10 priority submissions this quarter mention replacing an incumbent—up 3x from Q2. GRC, MDR, and email security are leading the pack.
"Current vendor is up for renewal in December, so we want to look into other options as we're not overly happy." — CIO, Automotive Group
"We currently have MDR support from another provider. We are in the final year of our agreement and I would like to better understand alternatives." — VP of IT and CISO, Higher Education
Year-end is negotiation season. If you're unhappy with an incumbent, you have leverage right now.
JOIN THE NETWORK
These insights come from 5,000+ IT leaders in the DoGood network.
Members earn $100-$300 per 30-minute conversation with vetted vendors—and shape the products that serve enterprise IT.
The CXO Brief is published weekly by DoGood.
Intelligence from 5,000+ IT leaders. 10 years of real conversations.
