Phishing simulation click rates are a metric, not a security outcome. AI just made real phishing dramatically harder to spot. Your tests haven't caught up.
Regulators have been citing 4th party risk for years. OAuth token chains are how it actually executes, and most vendor programs aren't built to catch it. Here's what to ask.
Most tabletop exercises are scripted theater that confirm what people already believe. Here's what actually breaks during a real incident, and how to design an exercise that finds it before someone else does.
Community banks have managed concentration risk for a century. Then we handed every customer record to a handful of SaaS aggregators. ShinyHunters is teaching us what that actually costs.
The DigitalMint conviction proves your IR vendor pre-vetting is part of your security program, not an afterthought. Here is what to ask before the next incident, not during it.
Your vendors' employees are using AI tools. That means your data is flowing to model providers you've never assessed. Here are the questions to start asking.
Why most cybersecurity guidance for community banks is useless, and what to do instead
Not sure if you need security leadership yet? Here's when a fractional CISO makes sense, what your options look like, and how to avoid overspending on security too early.
Your biggest deal just sent a 200-question security assessment. Here's your step-by-step playbook for responding without losing the deal or your mind.
On knowing the always-on CISO life isn't sustainable, doing it anyway, and what fractional work is teaching me about presence.
