Sign in Subscribe

Brian Weidner

Brian Weidner

NIST CSF 2.0 – GOVERN (GV.OV): Turning Governance Into Oversight That Works

NIST CSF 2.0 – GOVERN (GV.OV): Turning Governance Into Oversight That Works

In the previous post on GV.PO – Policies, Processes, and Procedures, we focused on how organizations define expectations for cybersecurity. But governance does not stop at documentation. Policies without oversight are aspirational at best—and risky at worst. This is where GV.OV (Oversight) comes in. Under NIST CSF 2.

NIST CSF 2.0 Policies, Processes, and Procedures (GV.PO): Turning Governance Into Operational Reality

NIST CSF 2.0 Policies, Processes, and Procedures (GV.PO): Turning Governance Into Operational Reality

After decades leading cybersecurity programs in large, global organizations, I’ve learned that governance only matters when it shows up in daily decisions. Policies that live in binders, processes that no one follows, and procedures that exist only for audits do not reduce risk—they create the illusion of control.

NIST CSF 2.0 Roles, Responsibilities, and Authorities (GV.RR): Eliminating Ambiguity in Cybersecurity Leadership

NIST CSF 2.0 Roles, Responsibilities, and Authorities (GV.RR): Eliminating Ambiguity in Cybersecurity Leadership

After more than twenty years leading cybersecurity programs in global enterprises, I’ve seen sophisticated security architectures fail for one simple reason: no one was truly accountable. Technology does not fail in isolation—organizations do. GV.RR exists to eliminate the ambiguity that undermines even the most mature security programs

NIST CSF 2.0 Risk Management Strategy (GV.RM): Turning Risk Tolerance Into Actionable Cyber Decisions

NIST CSF 2.0 Risk Management Strategy (GV.RM): Turning Risk Tolerance Into Actionable Cyber Decisions

After nearly two decades as a CISO in large, complex organizations, one truth has been constant: Most cybersecurity programs don’t fail because they lack controls—they fail because they lack a coherent risk strategy. NIST CSF 2.0 directly addresses this gap through GV.RM – Risk Management Strategy. If

NIST CSF 2.0 Organizational Context (GV.OC): Governing Cybersecurity With Business Clarity

NIST CSF 2.0 Organizational Context (GV.OC): Governing Cybersecurity With Business Clarity

As a CISO in a large, global organization, I’ve learned that most cybersecurity failures are not caused by missing controls or weak tools. They are caused by misalignment—between security, business priorities, risk tolerance, and decision-making authority. That is precisely why NIST CSF 2.0 elevated governance and

Generative AI Policies: Aligning Organizational Governance with the NIST AI Risk Management Framework

Generative AI Policies: Aligning Organizational Governance with the NIST AI Risk Management Framework

Generative AI is moving faster than most organizational control structures. Employees are already using tools like ChatGPT, Copilot, Claude, and image generators to write code, summarize documents, build presentations, and analyze data—often without security or legal review. Banning generative AI outright is rarely effective. Ignoring it is worse. What

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar