Lora Vaughn

// BLOG

All posts.

Field notes from 20+ years in security. Plus the occasional detour into life, work, and whatever else is on my mind.

The CISO Who Buries Bad News Isn't Wrong. The System Is.

95% of CISOs feel pressured to suppress compliance findings. The industry response is that they need more backbone. That's the wrong read.

ciso, security-leadership, governance, career, security-operations

Finding a Mentor Is Good Advice. Finding a Sponsor Is the Advice Nobody Gives You.

Mentors give you guidance. Sponsors spend their capital on you. Most career conversations focus on the first one. The second one is what actually moves careers.

career, leadership, women-in-tech, mentorship, insights

Your Incident Response Plan Is Modeling the Wrong Threat Actor

LockBit dominated tabletops for years. The ransomware ecosystem has rotated. The groups hitting organizations right now are not the ones your IR team practiced against, and that gap has consequences.

ransomware, incident-response, community-banking, security-leadership, insights

Your AI Agent Has a Supply Chain. Did You Audit It?

One in four MCP servers expose AI agents to remote code execution. Most teams deploying agents do not know what an MCP server is. That is a supply chain problem disguised as an AI launch.

ai-security, supply-chain, vendor-risk, ai-governance, insights

"We Have an AI Policy" Is the New "We Passed the Audit"

OpenAI just admitted prompt injection isn't getting solved, and companies are wiring AI agents into production anyway. A policy document is not a control.

ai-governance, security-theater, community-banking, ai-security, insights

Your no-code MVP can't legally hold the data it was built for

No-code and AI app builders are great for prototypes, but they won't sign the agreement that lets you legally handle regulated data. Here's the line every founder needs to know before real data shows up.

hipaa, compliance, healthcare, startup-security, insights

Your Ransomware Negotiator Might Be Playing Both Sides

The DigitalMint conviction proves your IR vendor pre-vetting is part of your security program, not an afterthought. Here is what to ask before the next incident, not during it.

incident-response, security-operations, security-strategy, insights

We Used to Have Pockets. Then Someone Took Them

A choir practice rant about why women's clothing has no real pockets, how that happened, and why a missing pocket was never really about the pocket.

personal, culture, commentary

The AI Questionnaire Your Vendors Aren't Ready For

Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.

third-party-risk, vendor-risk, ai-security, community-banking, insights

Your Tabletop Exercise Isn't Testing What You Think It Is

Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone else does.

incident-response, tabletop-exercises, security-leadership, insights